Exploits, exploits, exploits!
With nearly 100 new CVEs published every day, it’s more important than ever to properly track and prioritize what to fix. This month we shipped several key features to expose additional CVEs in your environment and make sure you’re always working on the most important vulnerabilities first.
Flag and track CVEs with known exploits
To find the most critical CVEs impacting your business, it’s important to go beyond operating system packages. Mondoo now detects CVEs in Firefox and Chrome so you can secure your most important assets: employee workstations. These workstations often contain the keys to the kingdom, from application source code to VPN access into production resources. Now you can detect some of the most frequently exploited vulnerabilities, stopping the hacker kill chain before damage is done.
Mondoo gives you the information you need to prioritize fixes: Improved CVE and advisory page designs and new exploitability data highlight the highest-risk vulnerabilities.
A new icon flags CVEs listed in CISA's Known Exploited Vulnerabilities (KEV) Catalog, the list of CVEs with confirmed in-the-wild exploitation. Now you can track the patching status of these critical issues across your fleet.
EPSS data
After you finish patching actively exploited vulnerabilities in your environment, what comes next? What if you could identify vulnerabilities with a high likelihood of being exploited in the wild in the near future? That's the focus of the Exploit Prediction Scoring System (EPSS). CVE pages now include EPSS data, which estimates the probability that a vulnerability will be exploited in the wild within the next 30 days, shown next to the severity of the impact if it is. Use this additional data to inform your prioritization: Spend your precious time patching the right systems before attackers hit.
Fine-grained compliance control
Take control of the compliance data you collect and present to your auditor with new scoping and exceptions capabilities in Compliance Hub.
Scoping in compliance
New scoping in Compliance Hub gives you fine-grained management of which controls you report to your auditor. Is your auditor not requesting a particular control even though it's part of the compliance framework? Select the control in Compliance Hub and mark it out of scope. With scoping, you decide what to include in your audit without setting exceptions (which would appear in audit report PDFs).
Exceptions for individual checks in a compliance framework
Need more time to remediate findings for your audit? Now you can set exceptions on individual checks. Snooze a check if you're not ready to comply with it. Add an explanation to communicate the reason for the delay, work to be done, or compensating controls.
Scan Azure however you prefer
No matter how you want to scan your Azure infrastructure, Mondoo has your back with expanded authentication and scanning capabilities for Azure subscriptions.
More Azure authentication methods
Previously, running cnspec scan azure only loaded authentication credentials from the Azure CLI. Now scans can also load credentials from shell environment variables, workload identity, and managed identity, in addition to the CLI configuration.
Easily scan Azure VMs, instances, or disks
Use new Azure capabilities to scan running VMs, instances, or disks without deploying or managing agents.
Scan snapshots of your VMs to perform agentless scans without impact to your running workloads:
cnspec scan azure compute snapshot <snapshot-name> --client-id <id> --tenant-id <id> --client-secret <value>
Scan snapshots outside your current resource group using the fully qualified Azure resource ID:
cnspec scan azure compute snapshot "/subscriptions/subId/resourceGroups/my-rg/providers/Microsoft.Compute/snapshots/test-debian-snap" --client-id <id> --tenant-id <id> --client-secret <secret>
Scan the disk of a running VM; Mondoo clones the disk automatically so the scan never touches the live volume:
cnspec scan azure compute disk <disk-id> --client-id <id> --tenant-id <id> --client-secret <value>
Not concerned about the impact to running workloads? Scan VMs directly without deploying agents:
cnspec scan azure compute instance <instance-name> --client-id <id> --tenant-id <id> --client-secret <value>
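Two things the one-line commands above leave to the reader: a secret passed as --client-secret ends up in shell history and in the process list, and a snapshot is a full copy of the disk that should not outlive the scan. The script below is an added example, not code from the Mondoo post: it reads the service principal's credentials from the environment (the post says environment variables are now supported; the exact names AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET are an assumption taken from the Azure SDK's EnvironmentCredential convention), snapshots a VM's OS disk with the az CLI, scans the snapshot by its fully qualified resource ID using the cnspec scan azure compute snapshot form shown above, and deletes the snapshot again even if the scan fails.

```shell
#!/usr/bin/env bash
# Added example (not from the Mondoo post): snapshot a VM's OS disk, scan the
# snapshot agentlessly with cnspec, then remove the snapshot so no extra copy
# of the disk is left behind.
#
# Assumptions: credentials come from AZURE_TENANT_ID, AZURE_CLIENT_ID and
# AZURE_CLIENT_SECRET (the Azure SDK EnvironmentCredential names), which keeps
# the secret out of argv, shell history and `ps` output. The cnspec subcommand
# and the resource ID layout are the ones shown in the post.
set -eu

# Fail early if a credential is missing instead of silently falling back to
# whatever identity the Azure CLI happens to be logged in as.
require_env() {
  missing=0
  for v in AZURE_TENANT_ID AZURE_CLIENT_ID AZURE_CLIENT_SECRET; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "missing $v" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Fully qualified snapshot resource ID; this is what lets cnspec scan a
# snapshot that lives outside the current resource group.
snapshot_id() {
  sub=$1; rg=$2; name=$3
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/snapshots/%s' \
    "$sub" "$rg" "$name"
}

# Snapshot name derived from the VM name plus a UTC timestamp, so repeated runs
# never collide and the origin of a stray snapshot is obvious.
snapshot_name() {
  printf '%s-cnspec-%s' "$1" "$2"
}

# Create the snapshot, scan it, and delete it again whatever happens below.
scan_vm_snapshot() {
  sub=$1; rg=$2; vm=$3
  snap=$(snapshot_name "$vm" "$(date -u +%Y%m%d%H%M%S)")
  disk_id=$(az vm show -g "$rg" -n "$vm" \
              --query 'storageProfile.osDisk.managedDisk.id' -o tsv)
  az snapshot create -g "$rg" -n "$snap" --source "$disk_id" -o none
  # Expand the names now so the cleanup still works after the function returns.
  trap "az snapshot delete -g '$rg' -n '$snap' -o none" EXIT
  cnspec scan azure compute snapshot "$(snapshot_id "$sub" "$rg" "$snap")"
}

main() {
  require_env
  scan_vm_snapshot "$@"
}

# Usage: AZURE_TENANT_ID=... AZURE_CLIENT_ID=... AZURE_CLIENT_SECRET=... \
#        ./scan-snapshot.sh <subscription-id> <resource-group> <vm-name>
if [ $# -eq 3 ]; then
  main "$@"
fi
```

The service principal only needs read access to the VM and disk plus the ability to create and delete snapshots in the resource group; the same script works for a data disk if you change the JMESPath query to pick the disk you want.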
Expanded asset inventory
You can’t fix what you don’t understand. This month we exposed even more configuration information about assets, so you can quickly understand and resolve failures in your environment.
Each OS asset now includes:
- Cloud
- Hardware manufacturer
- Hardware model
- Serial number or service tag
This enables you to quickly track down assets.
Need more than just basic overview information? Asset inventory packs for Linux, macOS, and Windows include additional data queries such as:
- Running processes
- System uptime
- Hardware configurations
- SSH settings
- Scheduled tasks
- And more!
We’ve also updated existing queries to expose more information on installed packages, services, and other juicy details.
The latest policies
It wouldn’t be a busy month at Mondoo without loads of new content to keep your systems secure. This month we shipped over 100 updates to our various AWS, GCP, and Azure policies to deliver better results and improved output. Now more than ever, you can quickly track down failures that put your organization at risk.
In typical Mondoo fashion, we weren’t satisfied to give you just bug fixes and performance improvements; we managed to slip in entirely new policies as well.
CIS Microsoft 365 Benchmark 3.0 policy
If you’re using Microsoft 365, be sure to check out the fully updated CIS Microsoft 365 Benchmark 3.0 policy. This CIS benchmark release includes 24 new security recommendations along with a major refactoring of the previous recommendations and their remediation steps. Learn more about everything this update has to offer in our Microsoft 365 CIS Benchmark 3.0: What You Need to Know blog post.
Email Security policy
Not using Microsoft 365 but still need to secure your email services? Make sure to check out our all-new Email Security policy. It includes 15 security recommendations to keep your email secure and flowing to the major email providers that recently tightened their sender authentication requirements (SPF, DKIM, and DMARC). This new policy pairs perfectly with our new Mondoo-hosted continuous domain scanning. Learn more about domain scanning and this policy in our Continuous Domain Health Checking and Compliance blog post.
Customize to your heart's content
Need something more finely tailored to your needs? We have you covered! With enhancements to our MQL language, writing custom security and compliance policies is a breeze. And 20 new fields in AWS, Azure, Microsoft 365, and Terraform resources give you expanded data to query your infrastructure.
When writing policies, new helpers in the MQL language make getting the results you’re looking for simpler.
Quickly access data in a map
Use dot notation to access data in maps:
cnquery> {a: 1, b: 2, c:3}.a
[a]: 1
Check whether a time is within a range
See if time values fall within a range. This works with all timestamps:
cnquery> password.lastChangedDate.inRange(time.now-90*time.day, time.now)
[ok] value: true
Check whether a number is within a range
See if an integer value is within a range:
cnquery> 2.inRange(1,3)
[ok] value: true
Check strings against a list of values
Check a string value against a list of acceptable values:
cnquery> "PASS".in(["PASS","ALLOW","OK"])
[ok] value: true
Parse duration values
Work with duration values using a new duration helper:
cnquery> parse.duration("3d")
parse.parse.duration: 3 days
cnquery> parse.duration("7days")
parse.parse.duration: 7 days
Check the contents of maps
Check keys, values, and combinations of the two within maps:
{'a': 1, 'b': 2}.contains( key == 'b' )
{'a': 1, 'b': 2}.all( value > 0 )
{'a': 1, 'b': 2}.one( value != 1 )
{'a': 1, 'b': 2}.none( key == /d-f/ )
Semantic version parsing
Compare versions without the need for complex integer parsing:
cnquery> semver('1.9.0') < semver('1.10.0')
[ok] value: "1.9.0"
recurse helper for dicts
The recurse helper makes it easy to extract data from a dict structure made up of mixed value types. For example, suppose you need to retrieve all users from this JSON data structure:
{
  "users": [{ "name": "bob" }],
  "owners": {
    "admins": [{ "name": "joy", "isOwner": true }]
  }
}
Because of the varying data types, finding users in this structure is difficult with traditional mechanisms. You need to understand the data structure and know where to search.
recurse eliminates that difficulty:
jdata.recurse( name != empty )
[
0: {
name: "bob"
}
1: {
isOwner: true
name: "joy"
}
]
You can then map the user names:
jdata.recurse( name != empty ).map(name)
[
0: "bob"
1: "joy"
]
Named arguments in functions
You can set a named argument in a function. This is useful in situations where you can only use one expression (such as with all or one). It also makes the code easier to understand, especially when nesting across multiple objects, as in this example:
users.all(user:
  groups.contains(group:
    user.uid == group.gid
  )
)
in helper for lists of strings
For lists of strings, you can use the in assertion, which is the inverse of contains:
"anya".in(["abel","amos","anya"])
An ideal use for in is to combine it with properties. For example, if you define a property named allowedCiphers, you can assert that every configured cipher is in that list:
sshd.config.ciphers.in( props.allowedCiphers )
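The helpers above are shown one expression at a time; in practice you put them into a policy bundle with a property your space can override. The script below is an added example, not code from the Mondoo post or the cnspec project: it writes a small custom bundle that uses the in helper against a props list, the string in helper, and a map none check over sshd.config.params, then lints and runs it with cnspec. Assumptions, stated plainly: the bundle layout (policies, props, groups, checks, each with a mql field) follows the cnspec policy-bundle format as I know it, the approved cipher list is illustrative, and the combined key/value condition inside none follows the map-helper form shown above.

```shell
#!/usr/bin/env bash
# Added example (not from the Mondoo post): write a custom cnspec policy
# bundle that exercises the new MQL helpers, then lint it and scan the local
# host with it. Field names follow the cnspec bundle format as I know it; run
# the lint step before trusting the layout. The cipher list is illustrative.
set -eu

# Write the bundle to the path given as $1. The heredoc is quoted so nothing
# inside it is expanded by the shell.
write_policy() {
  cat > "$1" <<'EOF'
policies:
  - uid: example-mql-helpers
    name: Example policy using the new MQL helpers
    version: 1.0.0
    authors:
      - name: Example author
    # Properties hold the values checks compare against; a space can override
    # a property without editing the check that uses it.
    props:
      - uid: allowedCiphers
        title: Approved SSH ciphers (illustrative list)
        mql: |
          return ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"]
    groups:
      - title: SSH daemon hygiene
        filters: asset.family.contains("unix")
        checks:
          - uid: ssh-only-approved-ciphers
            title: sshd only offers ciphers from the approved list
            # `in` on a list: every configured cipher must be in the property.
            mql: sshd.config.ciphers.in(props.allowedCiphers)
          - uid: ssh-root-login-restricted
            title: PermitRootLogin is no or prohibit-password
            # `in` on a single string against a list of acceptable values.
            mql: sshd.config.params["PermitRootLogin"].in(["no", "prohibit-password"])
          - uid: ssh-no-empty-passwords
            title: PermitEmptyPasswords is never enabled
            # Map helper: no key/value pair may match this combination.
            mql: sshd.config.params.none(key == "PermitEmptyPasswords" && value == "yes")
EOF
}

# Validate the bundle before using it anywhere.
lint_policy() {
  cnspec bundle lint "$1"
}

# Scan the local machine with the bundle as the only policy.
scan_local_with_policy() {
  cnspec scan local -f "$1"
}

main() {
  bundle=${1:-example-mql-helpers.mql.yaml}
  write_policy "$bundle"
  lint_policy "$bundle"
  scan_local_with_policy "$bundle"
}

# Usage: ./mql-helpers-policy.sh [bundle-path]
if [ $# -ge 1 ]; then
  main "$@"
fi
```

The property is the part worth keeping: an approved-cipher list lives in one place, and tightening it for a high-security space changes the outcome of the check without touching the MQL.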
Make it pretty
At Mondoo we pride ourselves on not just delivering top security recommendations, but also doing so in a visually pleasing way—because no one wants to use an ugly UI.
The asset page's Policy tab now includes overview information summarizing the policies and results for an asset.
If you’re accumulating a large number of spaces as you secure more and more of your infrastructure, now a space search makes it easy to find the space you need. The Spaces page for an organization also now includes pagination.
You can now change a policy's state directly from the Security Policies page. And you can enable, disable, or preview policies without having to find them in the Registry.
If you need something to brighten up your day a bit, switch Mondoo to a new light-mode UI!
And it's only January!
We hope you dive in and make the most of all the new features we added in January. At our current pace, you can tell we have a stellar 2024 ahead.
Mondoo customers rest easy with a thorough understanding of their security posture. They don't fear upcoming compliance audits because they know there are no surprises in store. They're also confident they're working on the right security priorities.
Are you still struggling to grasp the full picture of your organization's security and compliance standing?