Investigate Vulnerabilities through OpenVAS Logs & Logz.io Cloud SIEM

-With open source in our roots, we’re always excited about integrations with tools like OpenVAS, a popular open source vulnerability scanner that Greenbone Networks has maintained since 2009. If you’re not currently using OpenVAS, you can find the project here. This integration is with Logz.io Cloud SIEM, our security offering based on the ELK Stack, which is fully instrumented to detect and investigate security threats. Logz.io Cloud SIEM uses OpenVAS logs to gain a high-level overview of security vulnerabilities that OpenVAS has detected, quickly prioritize them, and ultimately investigate them.

OpenVAS contains more than 50,000 vulnerability tests with a community constantly updating its feed to adapt to the ever-evolving security landscape. Tests include authenticated testing, unauthenticated testing, and various internet and industrial protocols.

Up and Running with OpenVAS and Logz.io

The first step is to send OpenVAS logs and logging data within to Logz.io. One of the great things about being based on open source is that teams can get started with popular technologies like Filebeat.

The first step is to download the Logz.io public certificate to your certificate authority folder:

sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/TrustExternalCARoot_and_USERTrustRSAAAACA.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt

Next, add your configuration file by hitting the Configuration wizard on the Filebeat for macOS/Linux log shipping page. Remember, you must be logged into Logz.io.

Make sure the configuration will look at wherever you will keep the downloaded report from OpenVAS. After that, move the configuration file to /etc/filebeat/filebeat.yml.

Once you’ve configured Filebeat, begin shipping your OpenVAS logs. You’ll need to download your scan results as a .CSV to the appropriate destination configured in the filebeat.yml. From there, Logz.io will ingest each line, parse them, and send them to Kibana for display.

Analyzing OpenVAS Logs in Logz.io

Before investigating the data, it’s best to familiarize yourself with the parsed information within the log to better know what sort of insights to seek out. After opening the log below, you’ll see some of the fields you can expect to find inside OpenVAS logs:

OpenVAS Logs Fields with Logz.io

Once familiar with the data, you can create visualizations that break down the log fields in different ways. For example, below is a simple donut visual that breaks down the vulnerabilities by severity:

Donut visualization in Logz.io Cloud SIEM for OpenVAS Logs

The sky’s the limit when it comes to analyzing data in Kibana. You can slice and dice the data in a million different ways to better understand your security vulnerabilities.

That being said, Logz.io’s Cloud SIEM team has done most of that work already.

Enrich OpenVAS Logs with Rules and Dashboards with Cloud SIEM

DevOps and security teams use Cloud SIEM to get an out-of-the-box bird’s-eye view of their security posture. Concurrently, they get the option to drill-down into specific events if necessary.

From the get-go, all you need to do is ship the logs to Cloud SIEM. Subsequently, Logz.io pre-built dashboards and rules will visualize—thereby adding value—to that data by honing in on what matters most.

Let’s begin by looking at the dashboard we’ve built to summarize OpenVAS scan results.

‘Scan Summary’ Dashboard

After sending OpenVAS log data to your Logz.io Cloud SIEM account, your ‘OpenVAS – Scan Summary’ dashboard will automatically populate. This visualizes the breakdown of your recent scan’s results.

‘Scan Summary’ Dashboard in OpenVAS

This dashboard gives a quick overview of results by severity, host, solutions, and Common Vulnerability and Exposures (CVE). Like all of our dashboards, there is a list of relevant logs at the bottom for those who want to investigate further.

For example, by clicking around in the visuals in the dashboard above, I can narrow my results down to high severity vulnerabilities with a known workaround—this seems like a good place to start my remediation efforts. I’m left with the following vulnerabilities:

Vulnerabilities detected by OpenVAS

The ‘Solution’ field contains the workaround. By opening up the logs, I find a deeper analysis of vulnerabilities such as their impact, cause, and identification method.

Digging into OpenVAS Security Events with Logz.io Cloud SIEM

The scan summary dashboard grants a general overview and drill-down into the most interesting results. Still, it may not be clear to everyone which results should be the most interesting.

This is why we’ve built rules to automatically sift out critical security events in your environment. When the conditions in these rules are met, Logz.io sends a configurable alert to Slack, Gmail, PagerDuty, and/or other endpoints. Below are a few examples of OpenVAS rules:

OpenVAS Rules in Logz.io Cloud SIEM

These rules are meant to help guide your attention on the most significant OpenVAS findings so you don’t have to figure it out for yourself.

To make it easier to analyze triggered rules, we’ve built an ‘Events Summary’ dashboard to visualize and investigate events and prioritize remediation efforts. This dashboard is great for those who are new to investigating their OpenVAS findings, or just want to quickly focus on the most critical vulnerabilities first.

Logz.io Cloud SIEM’s ‘Events Summary’ dashboard for OpenVAS

Wrapping Up

Of course, the full value of a solution like Logz.io Cloud SIEM does not sit with a single integration. Rather, the ability to consolidate security events from across security tooling, clouds, and microservices is what makes Cloud SIEM powerful.

If you’re like most DevOps organizations, you have more security tooling than a vulnerability scanner like OpenVAS. With Cloud SIEM, you can bring together other security-related findings from tools like HashiVault, Palo Alto Networks, Check Point, and many more. Click here to learn more about additional integrations.