
Vulnerability Assessment as a Service provided by SPHINX

Within a large and complex network environment, such as a healthcare infrastructure, hundreds, if not thousands, of heterogeneous network-enabled entities (devices and services) enter or leave the network. Apart from greatly widening the management surface of the underlying infrastructure, these entities also introduce vulnerabilities at multiple layers. This is due to several reasons.

Firstly, these entities cannot be efficiently managed and maintained, since administration has traditionally been carried out solely by humans, who struggle to cope with such a large number of endpoints.

Secondly, some of these entities are proprietary devices, such as diagnostic imaging devices, shipped with software or operating systems that have well-known vulnerabilities (Windows NT, Windows XP) and are difficult or impossible to update or replace.

Finally, all devices and services are operated by humans, who do not necessarily have thorough knowledge of cybersecurity best practices and are thus susceptible to attacks such as social engineering or phishing.

Taking the above into consideration, it is clear that all entities within a network must be continuously monitored and assessed for vulnerabilities by an automated service requiring little to no human interaction. In this respect, Vulnerability Assessment as a Service (VAaaS) will continuously monitor existing network-enabled entities within the SPHINX network and assess their vulnerability status. Each assessment will produce a detailed machine-readable report and a vulnerability score based on the standardized Common Vulnerability Scoring System, CVSS (First, n.d.). These reports will be distributed to several of the SPHINX components, such as the Situational Awareness component.

The VAaaS component plays a rather significant role in the SPHINX environment, since it acts as an input for several internal components, such as the Decision Support System (DSS) and the Real-time Cyber Risk Assessment (RCRA). More details regarding such interdependencies can be found in SPHINX's Technical Architecture description.

VAaaS performs two basic functions that are of great importance to the SPHINX environment and its internal components. Namely, i) it assesses all SPHINX devices and services against known vulnerabilities in near real time, and ii) it produces detailed reports of its findings, scores the results based on the CVSS (First, n.d.) v3 scoring system, and propagates those reports to the components that need them.

The VAaaS component is a mini ecosystem of microservices that, combined, provide this functionality. Nevertheless, much like other SPHINX components, VAaaS relies on other internal SPHINX components to perform its designated tasks.

More information about VAaaS can be found at Deliverable 3.3 that is publicly available here.