Security End of Life (SEoL) — Where am I exposed?

Casey Reid a.k.a Packet Chaos
5 min read · Apr 26, 2023


On April 25th, Tenable announced a new way to detect and communicate End of vendor support for software and hardware security updates.

Tenable Research has redefined its strategy on how we detect and communicate the end of vendor support for hardware and software security updates. Our new Security End-of-Life Plugin program leverages our industry leadership and extensive customer telemetry to create a single holistic framework that covers all SEoL definitions…

The blog post goes on to explain that the benefits of creating a holistic framework for SEoL definitions are:

  • Standardizing the way Tenable finds out about SEoL products
  • Standardizing how Tenable creates plugins to detect them
  • Standardizing how Tenable communicates the severity of those detections to their customers
  • An increase in Tenable coverage for SEoL software/hardware products

Please read the Tenable blog to get more insight into these changes.

https://www.tenable.com/blog/what-security-leaders-need-to-know-about-security-end-of-life-how-tenable-is-leading-the-way

A Visibility Challenge

The dashboards shown below and highlighted in the article are an immediate way to gain visibility into this problem. I would make them one of my default dashboards straight away. They can help drive action and report success from the top.

Software End of Life Summary Dashboard
Bar chart for product Family

Vulnerability Fatigue

Vulnerability Fatigue is a rather common issue Vulnerability Analysts and System Engineers experience when they are overwhelmed with data points. Paralysis through analysis is another way I’ve heard it described.

While dashboards are useful, they are often missed by the people performing the remediation tasks, and they don’t facilitate “Vulnerability Routing”: getting the right vulnerabilities to those who can take action.

The Solution

If you have read any of my past articles this month you would think I’m obsessed with Tagging. So it shouldn’t come as a surprise that Tagging your assets with SEoL violations is my go-to solution.

Tagging SEoL Assets

Asset grouping, or Tagging, is the first step in vulnerability routing; after all, the work needs to be performed on an asset. The next step is vulnerability prioritization, which is typically driven by CVSS score or, more maturely, by VPR. In this case, SEoL plugins are going to drive which findings get routed to which individuals.

While tagging primarily is for asset grouping, in cases like SEoL software it is extremely useful to decorate the asset with this information to provide greater visibility, take a look:

Screenshot from Tenable Vulnerability Management (Tenable.io)

The asset above has a number of tags used to decorate it for greater visibility. Each tag has its own value for driving specific visibility to those who own the asset; our “End of Life” tags are at the bottom.

To get a different viewpoint on how to use this data, you can bring it into the Tenable One Platform. Doing so unlocks much more visibility, including a risk score over the assets that have an End of Life violation, shown below:

Screenshot from Tenable One

Streamlining Visibility through Automation

Each plugin that detects Security End of Life software has the text “SEoL” in the plugin name. This makes tagging assets on this data as easy as a text search against the plugin name.

Tagging on SEoL in Plugin name

Navi is called the Swiss army knife for Tenable Vulnerability Management (formerly Tenable.io) for a reason: it unlocks access to the gold in Tenable’s data.

Navi’s built-in tagging functionality allows us to search for a keyword in the plugin name. Before the command below will work, you need to enter your API keys and run a navi update command.

navi tag --c "My tag category" --v "My tag value" --name "string to search"
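As an added illustration (not part of the article and not navi’s own code), the Python below mirrors what the two tag commands in this article do: it walks a constructed list of (asset, plugin name) findings, applies the same keyword search against the plugin name, and derives the “End of Life” tag assignments per asset, including an asset that earns both tags. The sample findings and the case-insensitive substring rule are assumptions; navi’s actual query may differ.

```python
from collections import defaultdict

# Constructed sample findings, not a real Tenable export: (asset_uuid, plugin_name)
FINDINGS = [
    ("asset-1", "Microsoft Windows Server 2008 SEoL"),
    ("asset-1", "Apache 2.2.x Unsupported Version Detection"),
    ("asset-2", "Oracle Java SE Unsupported Version Detection"),
    ("asset-3", "OpenSSL 1.0.x SEoL"),
    ("asset-4", "Ubuntu 18.04 LTS SEoL"),
    ("asset-5", "Nessus SYN Scanner"),  # no End of Life finding: gets no tag
]

# The two rules mirror the article's navi commands: (tag category, tag value, keyword)
TAG_RULES = [
    ("End of Life", "Unsupported", "Unsupported"),
    ("End of Life", "Security End of Life", "SEoL"),
]


def plugin_matches(plugin_name, keyword):
    """Case-insensitive keyword search against the plugin name (assumed to be what navi does)."""
    return keyword.lower() in plugin_name.lower()


def derive_tags(findings, rules=TAG_RULES):
    """Return {asset: {(category, value), ...}} for every asset with a matching finding."""
    tags = defaultdict(set)
    for asset, plugin_name in findings:
        for category, value, keyword in rules:
            if plugin_matches(plugin_name, keyword):
                tags[asset].add((category, value))
    return dict(tags)


def tag_summary(tags):
    """Count assets per (category, value) pair, the number the dashboards would report."""
    counts = defaultdict(int)
    for pairs in tags.values():
        for pair in pairs:
            counts[pair] += 1
    return dict(counts)


if __name__ == "__main__":
    derived = derive_tags(FINDINGS)
    for asset, pairs in sorted(derived.items()):
        print(asset, sorted(pairs))
    print(tag_summary(derived))
```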

Docker for the Win

In order to make this as simple as possible and reduce dependencies, I wrapped a few navi commands into a Docker container. The container downloads the data, tags the assets and is destroyed when finished.

docker run -d -e access_key="your Access Key" -e secret_key="your secret Key" packetchaos/seol

The results will show up in Tenable Vulnerability Management (Tenable.io) a few minutes after the script finishes. Two tags will be created, shown below.

The Code

If you’re curious as to how this works under the hood, take a look at the script below. This is what is wrapped into the Docker container.

import subprocess
import sys
import time

start = time.time()

if len(sys.argv) != 3:
    sys.exit("usage: seol.py <access_key> <secret_key>")

access_key = str(sys.argv[1])
secret_key = str(sys.argv[2])

# Tenable Vulnerability Management endpoint navi talks to (kept for reference; not used directly below)
url = "https://cloud.tenable.com"


def run(args):
    # Run navi with an argument list instead of a shell string, so keys containing
    # quotes or spaces are passed intact and cannot alter the command
    subprocess.run(args, check=True)


# Store the access_key and secret_key for navi to use
run(['navi', 'keys', '--a', access_key, '--s', secret_key])

# Update the navi database so plugin names can be searched for tagging on vulns
run(['navi', 'update', 'full'])


def grab_headers():
    # Headers for direct API calls; unused by the tagging commands below
    return {'Content-type': 'application/json',
            'user-agent': 'Navi-SS-Scan_tags',
            'X-ApiKeys': 'accessKey=' + access_key + ';secretKey=' + secret_key}


# Tag assets based on Unsupported software
run(['navi', 'tag', '--c', 'End of Life', '--v', 'Unsupported', '--name', 'Unsupported'])

# Tag assets based on Security End of Life
run(['navi', 'tag', '--c', 'End of Life', '--v', 'Security End of Life', '--name', 'SEoL'])


finish = time.time()

total = finish - start
mins = total / 60

print("The Script took {} seconds or {} minutes".format(total, mins))
