Given the number of cyberattacks facing companies these days, fixing vulnerabilities has become one of the biggest challenges. According to the US-CERT Vulnerability database, 18376 new security vulnerabilities were detected in 2021, which surpasses the 2020 record of 18351. But more than half of them (57%) could have been prevented by being identified and fixed on time. Another example to support the importance of the problem is that only 16% of executives are prepared to deal with cyber threats.
Thus, identifying, assessing, and remediating new endpoint vulnerabilities is crucial in implementing a successful security strategy. Microsoft Threat and Vulnerability Management (TVM) helps organizations with these. It discovers the vulnerabilities that exist on the onboarded endpoints, and errors in the configuration in real-time with sensors and gives recommendations that you can follow to secure your endpoints.
In this blog, we will cover TVM’s functionality and how it helps you increase the security of your IT system by identifying vulnerable applications and software.
What is Microsoft TVM?
Microsoft TVM is one of the security pillars of Microsoft Defender for Endpoint, which aims to identify vulnerabilities and misconfigurations in real-time and prioritize them based on the threat landscape.
It is cloud-powered and fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledge base. Microsoft TVM is a game changer – it helps bridge the gap between security operations, Security Administration, and ID administration.
- Real-time discovery. Vulnerabilities discovery is the first step in TVM. Microsoft Defender for Endpoint constantly collects and transmits all the information about the endpoint (OS, the installed applications and behavior of the device) to the cloud using the built-in sensors in Windows 10/11.
Real-time discovery functionality means:
- Real-time device inventory – Devices onboarded to Defender for Endpoint automatically report and push vulnerability and security configuration data to the dashboard.
- Visibility into software and vulnerabilities – Optics into the organization’s software inventory, and software changes like installations, uninstalls, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications.
- Application runtime context – Visibility on application usage patterns for better prioritization and decision-making.
- Configuration posture – Visibility into organizational security configuration or misconfigurations. Issues are reported on the dashboard with actionable security recommendations.
2. Intelligence-driven prioritization. TVM provides insights that help users to prioritize security tasks and focus on the most urgent ones. Furthermore, users receive security recommendations based on the dynamic threat and business context:
- Emerging attacks in the wild – Microsoft threat intelligence determines emerging threats around the world. Based on this data, it prioritizes the security recommendations to focus on currently exploited vulnerabilities with the highest risk.
- Pinpointing active breaches – Microsoft Defender for Endpoint knows what attacks are currently happening in your organization. TVM processes this data in order to prioritize security recommendations.
- Protecting high-value assets – as it is a Microsoft solution, there is a deep integration with Microsoft Information Protection, that enables identifying of confidential data or business-critical applications.
3. Seamless remediation involves security and IT administrators. The security admins track and manage vulnerabilities, while the IT admins are responsible for patching.
Threat & Vulnerability Management Dashboard:
gives a high-level view on the security of the organization, including the exposure score, Microsoft Secure Score, and device exposure distribution. To access the TVM dashboard go to security.microsoft.com. On the pane go to Endpoints -> Vulnerability management -> Dashboard.
is a metric that reflects the overall exposure of the endpoints across the organization. The lower the score the better. The exposure score is broken down into levels:
- 0–29: low exposure score.
- 30–69: medium exposure score.
- 70–100: high exposure score.
There are many factors that have an impact on the exposure score, such as the number of weaknesses discovered on your devices, the likelihood of a device getting breached, and the value of the device to the organization. On the exposure score pane, you can see the dynamic of the score, which is changing all the time due to newly released CVE’s and taken actions.
Microsoft Secure Score
reflects the collective security configuration state of the endpoints across 6 categories:
- Operating system
- Security controls
- Device exposure distribution
The higher the score, the more your endpoints are protected against cyber threats. Microsoft Secure Score is calculated based on the configuration discovery assessment on all endpoints of the organization which is compared to benchmarks maintained by Microsoft – recommended configurations from applications vendors and internal research team in Microsoft. The dashboard also provides configuration score trend over time, so you can track how the score evolves over time.
Device exposure distribution
demonstrates how many devices are exposed based on their exposure level. Selecting a section in the doughnut chart you can see the list of devices affected, their exposure and risk level, domain, OS platform, Windows version, health state, when it was last updated and tag.
Threats and vulnerabilities identified in your company are mapped to security recommendations and prioritized by their impact. Following prioritized security recommendations, you can reduce your exposure score and increase your configuration score.
Every device is scored based on 3 factors in order to help users to focus on the right things at the right time:
- Threat: characteristics of the attack happening with the particular vulnerability.
- Breach likelihood: your company’s security posture and resilience against vulnerability.
- Business value: impact on the company’s assets and processes.
To access Security Recommendations, go to Vulnerability management -> Recommendations.
Security recommendations details
Let’s take a closer look at one of the recommendations (Update Microsoft Windows 10 (OS and built-in applications). After clicking on the recommendation, you’ll see the details of the recommendation, including:
- A description of the security recommendation
- Number of exposed devices and list of all endpoints
- Impact on exposure and secure scores
- List of vulnerabilities associated with the recommendation
- breakdown of CVEs based on the impact (critical, high, medium, low)
- Description of CVE
- Related threats
- Exposed OS
In the security recommendations menu, you also can:
- Open the software page to see the complete overview of the affected software, on which endpoints this software is installed, discovered CVEs for this software …
- Report inaccuracy
- Request remediation
- Exclude this recommendation from the secure score.
It is important to remember that these recommendations are generic and based on best practices coming from the software vendor. Blindly following security recommendations can have an undesired effect on the endpoints. We recommend testing everything first before implementing changes across your company!
If you want to take action in order to mediate the vulnerability you request remediation. All the active remediation tasks you can find in Remediation (Vulnerability management -> Remediation) along with a progress bar that updates in real-time from endpoint sensors once the remediation action is taken.
With Microsoft Endpoint Manager integration (Intune), you can create a security task for the remediation in Microsoft Endpoint Manager console. In Microsoft Endpoint manager admin center-> Endpoint Security -> Security tasks you can see a newly created remediation request with a status Pending. As an MDM administrator, you can accept or reject it. In the case of accepting, you will see the ticket status in Remediation menu (Microsoft 365 Defender) Approved (MEM); in our case – the security task is still waiting to be approved.
Users often have third-party applications installed with or without the security department’s approval. This can create a security blind spot as you as a Security administrator must ensure that applications that are being installed by users are compliant with the company’s security policy to reduce the risks.
Software inventory provides users with insights on all applications* installed across all the endpoints in the company, including the application name, OS, vendor, number of associated weaknesses, threats, number of exposed devices and impact.
To go to Software inventory, click on Vulnerability management in the left menu of Microsoft 365 Defender and pick Software inventory.
Let’s take Internet Explorer as an example. The application is installed on 7 devices, 1 of them is exposed to 3 identified vulnerabilities. As the bug icon is red, there is an active threat related to at least one weakness. There is an active threat publicly available related to one or more weaknesses related to this software (check the Threats column and hover over the red bug icon).
To get more insights on the application click on Open software page. In the Overview section, you can see the total number of vulnerabilities and misconfigurations with the breakdown into Low, Medium, High and Critical vulnerabilities. In the Security recommendations section, you can see the recommendations to mitigate the weaknesses for this application. In most cases, updating the application will most likely fix the problem.
Pro Tip: To keep endpoints in your organizations secure and automatically update third-party applications to reduce the risk of breaches, use Scappman to manage application installation and updates.
In the Discovered vulnerabilities section, you will get a list of vulnerabilities for the application. As you can see, the priority should be to mitigate CVE-2021-26411 vulnerability because there is an active attack related to this vulnerability (the red bug icon).
In the Installed Devices section, you can see the devices that have Internet Explorer installed along with the version of the application.
*Applications without CPE (Common Platform Enumerator) code are not supported by TVM.
In Weaknesses Menu (Vulnerability Management -> Weaknesses) you can see a view of all vulnerabilities across the onboarded devices. As you can see from the example, 681 vulnerabilities were detected in the company (each vulnerability is identified by its CVE ID), 36 of them are exploitable and 17 – are critical. There is a lot of useful information, like CVSS score*, related software, age, exposed devices…
By clicking on one of the vulnerabilities, you get more details on it, such as vulnerability description and details (CVE, CVSS, Severity, published on), related software, threat insights, and exposed devices.
*CVSS score – Common Vulnerability Scoring System is a framework that provides a numerical (0-10) representation of severity of software vulnerabilities.
Event timeline is a news feed with newly introduced vulnerabilities that can affect your company along with the affected application/software, devices and type of the vulnerability.
To learn more about vulnerability management and TVM join our Microsoft Teams webinar “From zero-day to zero-trust: why TVM is essential part of the journey” on March 31 2022 (Thursday) at 11:00 am CET! Learn more here.