SNTC Alerts - specifically PSIRTs not up-to-date

graham.kirtley
Level 1

Hi,

When looking at the Alerts data I note that the PSIRTs listed as being applicable to my networks/devices do not appear to be up-to-date; the latest PSIRTs listed being from 23 March 2016, whereas there are others that are applicable but are not shown?

I now have doubts as to the accuracy and reliability of SNTC to provide the assurance in this area, as it states it should do.

Can someone please confirm:

  • What the timeline should be for any issued alert (PSIRT) to be shown as applicable within SNTC?
  • Are Alerts only listed from what is included within the periodic Software Security Advisory Bundled Publications?


Chris Camplejohn
Cisco Employee

Only High & Critical SIR Advisories are available in SNTC for IOS, IOS-XE, NX-OS, IOS XR, and ASA.  Some advisories are delayed in automation when not all the vulnerability information is available for automation.  If there is a specific one you expect to be present that meets this criteria, please share it here.

Hi Chris, this is the alert http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp

And yes, we do indeed have many instances of a product deployed that is impacted by this alert.

The automation for this one was just completed yesterday and it should show in the portal in the coming days.

Hi Chris, I note that this specific PSIRT is still not showing via SNTC.

As it is now two weeks since the threat advisory was issued and no visibility via SNTC, it is questionable what benefit the Alerts section provides; in fact given such a delay with a high CVSS scoring alert, it could be viewed that a false sense of security is being projected.

I am checking with the engineering team to see why this PSIRT isn't showing in the portal.  Will report back as soon as I know more information.

I've noticed this too.

How frequently does SNTC grab PSIRTS?

How frequently does it correlate PSIRTS to inventory items?  

Thanks

Sandy

Hi Sandy,

Alas I never received any update/answer to this.

IMO it should be at the same time-frame that any life-cycle (EoS, EoL) events are reported through the portal.

Given that it is an automated system I would have expected that critical/high PSIRTs would be reported within about 4 hours, and all others reported within 24 hours of being released.

Rgds,

Graham

Hi Graham,

You would have thought they're available pretty quickly...  But I've noticed CVE-2017-3881 is still not showing, which was published on 17th March @16:00 and got a CVSS score of 9.8 (critical)!

If there is someone from smartservices on list, can you confirm?

Thanks!

Sandy

Hi Sandy,

Not that it assists you much, but I can see that 9 of my customer/inventories are reporting this specific PSIRT.

There are a number of Cisco staff who occasionally respond/reply to posts on this forum. 

The automation for that CVE was done on Friday.  It did not have the traditional advance notice within Cisco, so the automation will always lag for those.  I'm not sure of the timing of the sync & processing in SNTC, so hopefully someone else can confirm.  But I can confirm that this one has automation available.  It also may evolve over the coming days as the details on the advisory get clarified.

Hey graham.kirtley and Sandy Breeze,

Apologies for the delay in response to the original post, it seems it was missed.  For future reference and to receive quicker assistance, please start a separate post for issues with different companies and attach links to related posts as desired.

There are a couple of things that need to happen for PSIRTs to be processed and identified by the SNTC Portal for a company's devices.  Device info, such as coverage and alert information, is pulled as a part of inventory upload processing.  At the high level: inventory processing = device profiling + validation + coverage/contract info + alert info.  Thus, to ensure as accurate info for alerts and PSIRTs on the portal, there must be a regular schedule for collecting and uploading done by the CSPC that processes completely and correctly.

There is also a sync up that must occur in the backend but typically PSIRTs can be identified by the Portal after completion of a successful upload within 24 hours of the release date of the alert.  However, there is a possibility of association issues even after successful inventory processing.  Such as currently, there is an issue with generating and viewing reports, which could interfere with what PSIRTs are visible currently.  This is being looked at with high priority and I will let you know when this particular issue is fixed.

Thanks,

Justin

Hi Jumin,

Thanks for the explanation.  I'll keep an eye out for the fixed reporting.

Sandy

Hi Justin,

Any news on when the PSIRT visibility issues will be fixed?  We're not seeing any CVEs for 2017 at all...

PM me if you need any more info from our collector

Thanks

Sandy

Hey Sandy Breeze,

Can you PM me the company and inventory names in question?  Please use the method below to PM me proprietary info.

https://supportforums.cisco.com/blog/13237466/how-send-private-message-sntc-community

Thanks,

Justin
