Positive Technologies: MaxPatrol VM (Vulnerability Management)

The main articles are:

• Security Information and Event Management (SIEM)
• Fraud Detection System

2024

MaxPatrol VM - 2.7 with Smart Asset Search

Positive Technologies has released an updated version of the MaxPatrol VM vulnerability management system - 2.7. The company announced this on November 8, 2024. Thanks to the function of smart search for information on assets using artificial intelligence, users can create common text requests without using the PDQL language. In this version of MaxPatrol VM, Positive Technologies has optimized the operation of PDQL requests, which is especially noticeable on large installations that contain more than 10,000 assets. The system performance has been increased several times, so now the speed of work during inventory and search for vulnerabilities, including trend ones, has become higher.

MaxPatrol VM 2.7 users will be able to use the beta version of Smart Asset Search to identify the required groups, sort nodes by discovered vulnerabilities, and perform other queries. This function will reduce the entry threshold for the work of specialists with the system and reduce the cognitive burden on information security specialists. An early search was performed through the PDQL syntax, now common queries can be entered in text format in Russian, select the appropriate query and start filtering. You can enable the smart search function when updating in the installer. Learning the syntax of the PDQL language remains relevant for more complex queries, for example, to identify accounts that have changed their password in the last month.

In this version of MaxPatrol VM, we have expanded the capabilities of the system and implemented smart search for information on assets thanks to AI functions. Our goal is to continuously move towards automating processes, improving product performance and performance. Therefore, if earlier, to start work, a specialist could spend several days learning the PDQL language, now infrastructure analysis using simple queries can be started immediately after the system is implemented, - said Pavel Popov, leader of the Positive Technologies vulnerability management product practice.

In this version of MaxPatrol VM, MaxPatrol Host Compliance Control (HCC) 1.7 also added support for a number of standards (VK WorkMail, MongoDB, Logstash, Alt Linux). This will allow you to verify that the key security requirements for this software, databases, and devices are met. A tool has appeared to monitor the state of PostgreSQL and the system itself, which will help you quickly respond to possible failures. MaxPatrol VM 2.7 is also compatible with current versions of Debian 11 and 12.

Inclusion of Russian software in the compatibility catalog

MaxPatrol VM is included in the compatibility catalog of Russian software. The developer announced this on September 16, 2024.

The domestic software compatibility catalog allows companies to find the most suitable domestic solutions for their needs as a replacement for foreign ones. This facilitates the process of import substitution to state institutions, subjects of critical information infrastructure (CII).

According to experts, about 40% of foreign software has not yet been replaced in KII facilities, which will be prohibited from using since 2025. According to a study by Positive Technologies, in 2023 the public sector became the most popular target of cybercriminals: it accounted for 15% of the total number of successful cyber attacks, while 24% of incidents were implemented as a result of exploiting vulnerabilities. In 2024, this trend continues: according to the results of the first quarter, in almost every third successful attack on the public sector, attackers resorted to exploiting security flaws. In such conditions, organizations need to competently build vulnerability management in order to reduce the likelihood of criminals entering the infrastructure.

MaxPatrol VM is included in the compatibility catalog of Russian software in the section "Information Security Process Automation Tools."

The MaxPatrol VM system is capable of completely replacing foreign products, "said Pavel Popov, leader in vulnerability management products, Positive Technologies. - MaxPatrol VM provides a complete vulnerability management cycle and provides information information about vulnerabilities, including trending [1], data that are reported to the system within 12 hours. The capabilities of the system will allow owners of KII, state institutions, to switch from foreign solutions to Russian an analogue.

The compatibility catalog of Russian software is available on the website of the register of domestic software.

Integration with Netopia Firewall Compliance

Netopia has developed the Vulnerability Control module as part of the Netopia Firewall Compliance solution, which allows you to prioritize vulnerabilities based on availability by potential attackers, as well as determine available hosts for potentially compromised assets. The developer announced this on July 26, 2024.

Firewall Compliance receives all the necessary information on assets and vulnerabilities through integration with Positive Technologies' MaxPatrol VM and MaxPatrol 8 products.

MaxPatrol VM - 2.5 with the ability to analyze the security of the web and Docker containers from one console

Positive Technologies released an updated version of vulnerabilities the MaxPatrol VM management system - 2.5. The updated product was able to analyze the security of web applications and identify vulnerabilities in the ON tool running. containerization Docker vulnerabilities Information are delivered within 12 hours. In addition, users will be able to add their own security requirements to the Host Compliance Control (HCC) module. The developer announced this on June 13, 2024.

In this version of the product, at least five times the speed of infrastructure scanning has increased due to an increase in the maximum possible number of simultaneously scanned nodes - from 4 to 20.

Scanning for vulnerabilities in Docker containers and analyzing the security of web applications are among the most anticipated features of MaxPatrol VM. Traditional protections can find a vulnerability in the application, but do not find anything suspicious in the same application that runs in the Docker container. Now MaxPatrol VM finds even more vulnerabilities both on the perimeter and in key systems within the network, "said Anton Kiselev, Head of Vulnerability Management Product Development, Positive Technologies.

According to the statistics of the NCCC for 2023, the exploitation of vulnerabilities on the perimeter ranks second among the vectors of intruders entering the infrastructure of companies. The greatest threat here is posed by unresolved web vulnerabilities (more than 50% of APT attacks are in the "perimeter vulnerability" vector). If the network equipment is usually updated by administrators and controlled by next-generation firewall (NGFW) products, then support for web services after their creation is often outsourced, and their protection is provided by the web application firewall (WAF) class tools. Given this trend, the developers of MaxPatrol VM have added the ability to analyze the security of web applications to the system version 2.5. The system analyzes information about vulnerabilities, prioritizes them, including identifying trend ones and gives recommendations for their elimination. If the patch cannot be installed in a timely manner, then based on data on trend vulnerabilities, additional rules for WAF can be written to stop an attacker on the network.

With MaxPatrol VM 2.5, you can check the exploitability of vulnerabilities, analyze the structure of the site and determine the possibility of code injection (code implementation, SQL XXS, XPath implementation), identify vulnerabilities in configurations, application logic and undocumented capabilities.

According to our estimates, attacks on companies' web resources in 2023 accounted for more than a quarter of the total number of attacks on organizations. We predict an increase in attacks on organizations' web resources, especially in those companies that provide online services and collect large amounts of customer data. Therefore, we believe that vulnerability analysis of web resources should be embedded in the overall vulnerability management process. The task of MaxPatrol VM is to make clients invulnerable to attacks through vulnerabilities 1-day on the perimeter, as well as in key and target systems, "said Mikhail Kozlov, head of infrastructure analysis and vulnerability detection products, Positive Technologies.

The updated version of MaxPatrol VM identifies information security risks associated with vulnerabilities in software that runs from Docker containers. Containerization allows applications to run in isolation within a single virtual machine and provides flexibility to scale services, but requires a separate process to analyze and fix vulnerabilities in source images that differs from the standard process. To protect the runtime of applications in Kubernetes clusters, to control access to the API (admission control), as well as to search for vulnerabilities at the stage of assembly, publishing and sending images (CI/CD), it is recommended to pay attention to a specialized PT Container Security product designed to build integrated protection for full-cycle container environments. And MaxPatrol VM will help identify flaws in the already deployed infrastructure.

MaxPatrol VM 2.5 allows users to add their own requirements and standards to the system. It provides the collection of the necessary data and indicates in which places non-compliance with the specified requirements was detected. To do this, the MaxPatrol NSS module is used, which helps to determine the optimal level of compliance with information security standards and control the security of IT systems taking into account changes in the infrastructure.

The ability of the Linux-based version to scan Windows

The updated MaxPatrol VM on the base Linux can scan. Windows This was Positive Technologies reported on March 25, 2024.

Additional features of MaxPatrol VM 2.1 are aimed at automating data updates and improving scanning efficiency.

This vulnerability storage feature in MaxPatrol VM 2.1 has accelerated its delivery. Now you can use the API to adapt the system to specific scanning tasks, analyze legacy versions of Windows using a collector installed on Linux, and configure a flexible schedule to run jobs.

According to Kommersant, despite the departure of Microsoft from Russia and the requirements of the Decree of the President of the Russian Federation dated 30.03.2022 No. 166, the share of Windows in the infrastructure of private companies still reaches 99%, and state - 50%. It is important for these companies to remain protected during the import substitution period. Therefore, MaxPatrol VM 2.1 has a collector for Linux that allows you to scan Windows (even outdated versions) in audit and pentest modes. At the moment, MaxPatrol VM 2.1 is the only domestic product that has such an opportunity.

MaxPatrol VM 2.1 also implements an updated storage model: automatic information updates are carried out directly through PT Management and Configuration without using other components. This allowed several times to increase the speed of delivery of information about vulnerabilities, including trending ones.

The updated MaxPatrol VM performs an accelerated scan, the scan speed will be proportional to the number of collectors added. When you create or modify an activity, if you select multiple collectors, the subtasks are distributed among them. The more collectors there are, the less load will have to be on each of them.

In addition, the product has expanded the parameters for launching tasks for scanning. Now in MaxPatrol VM, you can set the date, time, and frequency as a Cron string, which is a worldwide time format that allows you to set a value for tasks. If it becomes necessary to temporarily unload the network, the task for scanning can be paused; this is another benefit of the updated version. When restarted, the analysis will begin with those assets on which it was suspended. The function is available in the interface and through the request to the API. The open program interface can be used for other tasks: this will allow you to safely improve the product and customize it for specific needs.

{{quote "Since MaxPatrol VM began to receive information about trend vulnerabilities in 12 hours, we have provided our users with information about more than 120 of them. This helps companies be one step ahead of the attackers, "said Pavel Popov, leader of Positive Technologies vulnerability management products. - Our ongoing task is to expand the capabilities of MaxPatrol VM, moving towards automation, improving scanning efficiency and optimizing workflows. With the release of this version, the product has become even more convenient: tasks are launched strictly on schedule and suspended without losing progress, and the scan time is reduced by connecting several collectors. }}

The implementation of the MaxPatrol EDR agent is another significant update. Product sharing will help reduce the burden on the MaxPatrol VM network scanner, reduce re-scan latency, and provide prompt feedback on vulnerability fixes. This, among other things, will allow you to receive up-to-date information from devices of remote employees who are not always connected to the company's network during scanning. The MaxPatrol EDR agent will automatically analyze as soon as the devices appear on the network and forward the results to the MaxPatrol VM.

2023

Identify an average of more than 700 trend vulnerabilities in a single pilot

Positive Technologies on July 13, 2023 presented the results of an analysis of pilot projects for the implementation of MaxPatrol VM conducted in government agencies, financial institutions, industrial and other companies from the beginning of 2022 to February 2023. During the study, on average, more than 700 trend vulnerabilities were identified on one pilot project. The results of the implementation showed that in most organizations errors in the prioritization of assets are allowed, there is no regular update of data about them, and in a third of companies there are expired vulnerabilities.

MaxPatrol VM is a system that provides a complete cycle of vulnerability management, from detection to control over their elimination. MaxPatrol VM delivers information about trend vulnerabilities in 12 hours, which allows you to quickly respond to new threats and minimize risks.

One of the main problems identified during the pilot projects is the insufficient classification of assets, that is, their division by the level of significance for the organization participating in the project. 80% of projects had assets whose importance level was not determined - this increases the risk of leaving important systems without proper protection. Positive Technologies experts recommend starting the vulnerability management process by evaluating and classifying assets to highlight the most significant of them and ensure their priority protection.

About a quarter of companies have built a process of prioritizing the identified vulnerabilities without taking into account the importance of the assets on which they were discovered, - said Positive Technologies analyst Ekaterina Semykina. - 76% of projects did not take into account the level of vulnerability hazard when forming elimination policies, and 59% did not consider the presence of a public exploit. We advise you to pay attention, among other things, to the popularity of the vulnerability among cybercriminals - its trend. Often, recently published vulnerabilities for which security updates have not yet been released are gaining popularity. However, vulnerabilities of past years can also be trending - according to our data, they continue to be relevant and are actively used by attackers. Such vulnerabilities should be fixed in the first place, since attackers often use them in chains of attacks, and for many of them there is a public exploit.

During the MaxPatrol VM implementation pilot projects, trend vulnerabilities were found in 36% of high-value assets, an average of four vulnerabilities per asset. Most often they were found in Windows components and other Microsoft products.

Another problem identified was the irrelevance of information about assets. In 75% of companies, asset data was not updated on time - because of this, scans were skipped and some vulnerabilities were not discovered. Positive Technologies recommends regular asset inventories to keep information up to date and ensure timely detection and resolution of vulnerabilities.

As a Positive Technologies study showed, most companies make mistakes in prioritizing vulnerabilities, that is, they do not take into account the importance of assets and the level of danger of vulnerabilities when forming elimination policies. This can lead to the skipping of the most dangerous vulnerabilities for the infrastructure.

In all organizations studied, the minimum time to eliminate vulnerabilities turned out to be longer than the time after which attackers begin to exploit vulnerabilities in attacks. Experts recommend setting a minimum time frame for eliminating vulnerabilities on assets of high importance, especially when trend and critical vulnerabilities are detected.

The results of the pilot projects also revealed serious problems associated with the late elimination of shortcomings in information systems. Every third company violated its vulnerability remediation policy, with about 30% of high-value assets containing an average of seven expired trend vulnerabilities. According to experts, non-compliance by information security experts with the given deadlines makes it easier for attackers. Companies need to allocate resources to timely elimination of vulnerabilities, make this process regular and controlled.

MaxPatrol VM 2.0 with NSS module

The updated version of the MaxPatrol VM (2.0) system received a host compliance control (NSS) module for automated verification of network nodes for compliance with security standards, as well as functions that allow taking into account FSTEC recommendations on prioritizing vulnerabilities. The system provides a full cycle of vulnerability management (VM) and receives information about new trend vulnerabilities within 12 hours. Positive Technologies announced this on June 29, 2023.

One of the important features of this version of MaxPatrol VM is the emergence of HCC functionality. The added module will help companies improve infrastructure security through automated compliance controls. If the requirements of the standard were met at the node and then stopped, the HCC will allow you to determine when this happened and why, as well as provide recommendations on how to fix the problem.

The HCC verdicts, combined with the asset management technology used in MaxPatrol VM, provide instant data on the level of IT infrastructure compliance with cybersecurity standards. This information can be monitored over time, and a rescan of the infrastructure is not required. For comparison: in previous generation systems (vulnerability scanners), this task took from several hours to several days. In addition, in MaxPatrol VM 2.0, we have added additional parameters for prioritizing infrastructure requirements, "said Yuri Shkodin, Deputy Director of the Positive Technologies Security Expert Center (PT Expert Security Center, PT ESC).

The HCC module allows you to check IT infrastructure for compliance with standards cyber security taking into account the requirements of PT Essentials, for example, to - Linux systems (including domestic,, operating systems ALT Linux Astra Linux""), RED OS network devices, Cisco Windows Desktop and,,, Windows Server Docker as well as VMware to. databases Oracle PT Essentials standards are developed by Positive Technologies experts taking into account the conditions for ensuring effective cybersecurity.

MaxPatrol VM 2.0 takes into account the recommendations from the FSTEC methodology for prioritizing vulnerabilities - based on their level of danger (basic and time metrics, as well as the impact on the functioning of information systems). One of the main qualities of MaxPatrol VM is the rapid delivery of information about trend vulnerabilities.

According to our estimates, it takes an attacker on average 24 hours to create an exploit for a trend vulnerability. When the exploit is ready, the trend vulnerability reduces the company's hacking time by an average of 45 minutes. It is important to get ahead of the attacker. Therefore, our task is to deliver information about such shortcomings to the system within 12 hours. Users receive an examination along with recommendations for eliminating vulnerabilities, - said Anna Tsybina, manager for development and promotion of MaxPatrol VM, Positive Technologies.

MaxPatrol VM 2.0 users also received about 80 of the most frequently used PDQL requests out of the box. This will simplify and speed up the work of operators, as it will remove the tasks of self-writing expressions from them.

2022: MaxPatrol VM 1.5

On August 12, 2022 , Positive Technologies announced the release of an updated version of the MaxPatrol VM vulnerability management system - 1.5. In the updated product, there are additional opportunities to control the vulnerability management process, as well as to automate the assignment of significance to assets - it will become easier to group and classify assets. Added templates to the report designer: for vulnerabilities, vulnerable nodes and components. In addition, a special package of filters with pre-configured requests has been released that will allow organizing work with vulnerabilities in accordance with the algorithm of the National Coordination Center for Computer Incidents (NCCC).

According to the company, in the updated version of the product, it is possible to automate the assignment of significance to IT assets based on the prescribed rules - policies. For example, you can assign a high level of significance to all domain controllers. Assigning significance to assets allows you to streamline work with them, pay attention to assets in time, the exploitation of vulnerabilities on which can cause the most harm to the organization.

When prioritizing vulnerabilities, it is necessary not only to assess their characteristics - is the vulnerability trending, is there an exploit in the public domain - but also to take into account where it is found, that is, how important the assets that it affects are for the company's business processes. In order for information security specialists to spend less time manually processing scan results, we implemented policies that automate various operations on assets and vulnerabilities. told Evgeny Polyan, MaxPatrol VM Development Manager, Positive Technologies

MaxPatrol VM has added additional ways to check the quality of planned vulnerability fixes and work with trend vulnerabilities. They allow you to control the VM process based on understandable metrics: the number of trend vulnerabilities on important assets, their lifetime in the system, the number of systems not covered by patch management, etc.

Vulnerability, asset, and vulnerable component reporting templates are now available in the product. You can independently configure upload data - by categories ON and nodes with vulnerabilities or by systems that have dropped out from the patch management process. These reports make it easier for IT and information security departments to work together.

MaxPatrol VM also has a special add-on package that optimizes work with the NCCC vulnerability management recommendations. Ready-made requests generated by Positive Technologies specialists will help automate the decision-making algorithm for updating critical software. To get an add-on, you need to contact technical support.

Before eliminating the vulnerability from the planned patch management process, you should not only go through the entire regulator algorithm, but also make sure that the vulnerability is not actively used in attackers' attacks. Such vulnerabilities may not have a maximum CVSS score. In MaxPatrol VM, you can quickly check for current and critical vulnerabilities on the network using the Trend Vulnerabilities widget.

It is necessary that a patch management policy is spelled out for all infrastructure assets. If it is not possible to update the software and set specific deadlines for eliminating vulnerabilities, then a decision is made to decommission the node or abandon the specific software. If these measures are not available and compensation measures are applied, then it is important not to lose sight of such assets and return to their renewal when it is possible and safe. In MaxPatrol VM, you can set a policy to exclude a vulnerability from the scheduled patch management process with a certain period or indefinitely. You can assemble monitoring widgets that will control this type of vulnerability. told Anastasia Zueva, product marketing manager at Positive Technologies

2021

Inclusion in the Register of Russian Software

The next generation vulnerability management system developed by Positive Technologies has been included in the list of products included in the unified register of Russian software. This was reported on June 28, 2021 by Positive Technologies. In accordance with the order of the Ministry of Digital Development of the Russian Federation, from May 27, 2021, the product is included in the software class, which includes the information security tools of the enterprise.

The MaxPatrol VM system allows you to build a full cycle of vulnerability management: from collecting information about IT assets, identifying and prioritizing vulnerabilities by their level of danger to monitoring their elimination. Building a continuous vulnerability management process will ensure real security of the company's infrastructure.

"According to our data, the share of hacking among the methods of attacks on the organization is growing compared to 2020. The growth of access markets in the company was noted. At the same time, state institutions remain the most popular target of the attackers, - said Anastasia Zueva, product marketing manager at Positive Technologies. - A special updatable set of trend vulnerabilities has been added to MaxPatrol VM. So information security specialists will be aware of new dangerous vulnerabilities that are most actively used by attackers, and will be able to quickly close them. "

Products entered in the register are recommended for purchase by government agencies and companies with a significant share of state participation.

MaxPatrol VM Announcement

On March 23, 2021, Positive Technologies introduced the MaxPatrol VM system. The solution points to the main threats to the most important IT assets of the organization, providing a targeted approach to combating vulnerabilities, taking into account the importance of assets.

MaxPatrol VM

According to the company, MaxPatrol VM allows you to build a full cycle of vulnerability management: from collecting information about IT assets, identifying and prioritizing vulnerabilities by their level of danger to controlling their elimination. The system reduces the burden on IT and information security departments by automating most routine processes, and optimizes the effectiveness of protection measures.

We sought to make it difficult and expensive for attackers to penetrate the network of companies. It was not possible to solve this problem using classic security analysis systems. After all, there are too many vulnerabilities, there are too few information security specialists (they do not have time to monitor all vulnerabilities) who want to fix vulnerabilities even less (therefore, even the important one remains ignored), and most importantly, the system built on traditional scanning principles does not see the entire infrastructure (this means that somewhere in the network there are easily accessible important nodes with a large number of holes that no one knows about). narrated by Andrey Voitenko, head of product marketing at Positive Technologies

According to a survey conducted by Positive Technologies, most of the time for information security specialists is spent on analyzing scan results (43%), checking for uyazvimostey̆ fixes (31%) and trying to convince IT specialists to install updates (48%). To optimize work with vulnerabilities, you need to clearly understand which of them are the most dangerous for the infrastructure, introduce rules for handling vulnerabilities and automate most routine processes.

MaxPatrol VM automates vulnerability management taking into account the level of significance of network components for business, allows you to obtain lists of the most current and dangerous vulnerabilities, as well as control the timeliness of their elimination. Building a continuous vulnerability management process will ensure real security of the company's infrastructure.

To solve the problem of full collection and identification of assets, we spent about nine years. We used the experience of our security analysis teams in the product - and know what vulnerabilities are exploited by offensive specialists, as well as the experience of the PT Expert Security Center (PT ESC) - and take into account information from investigations and monitoring about what vulnerabilities are used by groups to hack networks. told Maxim Filippov, Business Development Director of Positive Technologies in Russia

MaxPatrol VM includes information about trending and most dangerous vulnerabilities - those that need to be closed in the first place. The product informs about the vulnerabilities that are used in attacks. An information security specialist will not have to waste time reading external resources: information about updated dangerous vulnerabilities is already contained in the product, in the Trend Vulnerabilities widget. The list of vulnerabilities is regularly supplemented by Positive Technologies experts. This will help to conduct an emergency check of the company's significant assets on time.

MaxPatrol VM collects, updates, and stores complete information about the company's assets. Thus, users can detect vulnerabilities without additional scanning and respond to them faster - immediately proceed to fix or apply compensatory measures.

Even if the user fixes vulnerabilities well on one node, but does not know anything about the neighbor, then it is useless to talk about the real security of the company. Further, assets must be ranked by how dangerous vulnerabilities on them are for the organization as a whole. Assets of increased importance will be paid the most attention, and there should not be many such assets. To do this, MaxPatrol VM has Security Asset Management (SAM) asset management technology. It allows you to constantly receive up-to-date data by active and passive scanning, as well as from external sources. commented Evgeny Polyan, Product Development Manager for Positive Technologies MaxPatrol 10 Platform

The system allows you to set procedures for scanning and eliminating vulnerabilities based on how an asset affects the performance of important services for business, privacy and data integrity. MaxPatrol VM dashboards clearly demonstrate the work of IT and information security departments, help to control the security of the infrastructure and the timing of the elimination of vulnerabilities.

MaxPatrol VM supports integration with other Positive Technologies products - the MaxPatrol SIEM real-time incident detection system, the PT Network Attack Discovery deep traffic analysis system.