With correlation, Resolve provides tangible benefits for managing vulnerability data.

These benefits include:
  • Normalization of scanner definitions, allowing for custom definitions specific to your environment
  • Distilling unique scan results, a process we call vulnerability compression
  • Deduplicating scanner results
  • Enriching vulnerability data, either with asset context, threat intelligence, or additional references

Normalization

When a vulnerability in your organization is discovered by multiple tools, each tool reports that vulnerability differently. Information such as the metadata and remediation instructions might vary from one tool to another. This can make managing vulnerabilities difficult — even though you're dealing with the same problem, you have several tools providing different information that might or might not be useful for your environment. You might also have a tool that reports several distinctly different findings for what is essentially the same vulnerability. With Resolve you can correlate these findings to point to the same master finding.

For example, you might use two tools to run scans on a set of web servers. Each tool reports multiple findings of the same type of SQL injection attack. These findings might be associated with different master findings in Resolve, one for each tool. Rather than maintain separate definitions, you can correlate all of these findings to one of the master findings to use going forward. Once this correlation is made, all other findings of the same type of SQL injection attack are automatically correlated for you. If needed, you can modify the details in the correlated master finding to contain the most useful information relevant to your security needs.

Vulnerability compression

Vulnerability tools often report large numbers of itemized vulnerability findings. Such large data sets can be difficult to understand and navigate. You would not want to open millions of individual tickets for each reported vulnerability. Correlation helps you group vulnerability data to reduce the overhead of managing such a large data set.

When multiple reported vulnerabilities are correlated to the same asset and master finding variation, Resolve maintains one unique finding for these vulnerabilities. The finding is never duplicated and can be easily tracked through the remediation process. The finding is supplemented with information about all the known unique instances of the vulnerability.

Take the example of unlocked doors as described in The vulnerability data model. A vulnerability (unlocked door) is reported several times on the same asset (your house) but is presented in Resolve as a single finding.

Deduplicating results

When a vulnerability in your organization is discovered by multiple tools, it can result in duplicate vulnerabilities being tracked. This leads to extra vulnerabilities bloating the vulnerability data set. The number of duplicates can vary significantly based on the types of tools used and how much the data sources overlap.

Resolve can remove or consolidate duplicate results in a few ways. One is vulnerability compression, which groups and tracks a vulnerability appearing multiple times on the same asset as a single finding. Resolve can also identify if one or more correlated instances are actually the same instance by comparing instance properties and fields. If this happens, duplicate instances are automatically marked and grouped under a parent instance.

Unlike instances, findings are always considered unique and cannot be duplicated. To continue with the prior analogy, if you find another door on a house that already has a finding of "Unlocked door," the additional door would not change the finding. The additional door would just be another instance reported.
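
The normalization, compression and deduplication steps described above can be sketched in a few lines. This is an added example, not Resolve's own code: the correlation table, tool names, record fields and the instance properties compared for duplicates (port and location) are all assumptions made for illustration.

```python
from collections import defaultdict

# Hypothetical correlation table: (tool, scanner definition ID) -> master finding.
CORRELATION = {
    ("scanner_a", "A-1001"): "SQL injection",
    ("scanner_b", "B-77"): "SQL injection",
}

# Constructed scan results; field names are assumptions for this sketch.
RESULTS = [
    {"tool": "scanner_a", "def_id": "A-1001", "asset": "web01", "port": 443, "location": "/login"},
    {"tool": "scanner_b", "def_id": "B-77", "asset": "web01", "port": 443, "location": "/login"},
    {"tool": "scanner_b", "def_id": "B-77", "asset": "web01", "port": 443, "location": "/search"},
    {"tool": "scanner_a", "def_id": "A-1001", "asset": "web02", "port": 443, "location": "/login"},
    {"tool": "scanner_a", "def_id": "A-9999", "asset": "web02", "port": 22, "location": ""},
]

def correlate(results, table=CORRELATION):
    """Return (findings, uncorrelated). One finding per (asset, master finding)."""
    findings = defaultdict(list)   # (asset, master) -> list of parent instances
    uncorrelated = []
    for r in results:
        master = table.get((r["tool"], r["def_id"]))
        if master is None:
            uncorrelated.append(r)      # no definition mapping: leave for manual review
            continue
        instances = findings[(r["asset"], master)]
        key = (r["port"], r["location"])   # instance properties compared for duplicates
        parent = next((i for i in instances if i["key"] == key), None)
        if parent is None:
            instances.append({"key": key, "reported_by": r["tool"], "duplicates": []})
        else:
            parent["duplicates"].append(r["tool"])   # grouped under the parent instance
    return dict(findings), uncorrelated

def summarize(findings):
    """Map each finding to (unique instance count, duplicate count)."""
    return {k: (len(v), sum(len(i["duplicates"]) for i in v)) for k, v in findings.items()}

if __name__ == "__main__":
    found, unknown = correlate(RESULTS)
    for finding, counts in summarize(found).items():
        print(finding, counts)
    print("uncorrelated:", [(r["tool"], r["def_id"]) for r in unknown])
```

Five scanner records collapse to two findings, one per asset, and the record with no definition mapping is set aside instead of being silently dropped.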

Enrichment

Enrichment refers to the addition of valuable data based on the correlation process. This can include asset information, such as pre-existing context about an asset or information automatically discovered through an external integration. Enrichment also extends to threat information, such as known existing exploits for the specified vulnerability.

Asset enrichment is automatic based on asset correlation. When a new finding is added, Resolve determines if the finding's asset already exists in the database based on the network topology and matching asset properties.