
Introduction

IBM Concert uses generative AI to help you understand your organization's risk posture by looking at critical indicators, or dimensions, across your application landscape. It ingests data from imported SBOM files or from automated ingestion jobs that pull from third-party tools and services, and uses it to map your application components, environments, and access points. It then ingests imported vulnerability scans and assessments and correlates them with that map to calculate a risk score. To expedite remediation, Concert provides automation tools that generate tickets in Jira, GitHub or ServiceNow based on its findings.

The Equifax Vulnerability Debacle

In 2017, Equifax (an American consumer credit reporting agency) suffered a catastrophic data breach exposing sensitive information of 147 million people. The breach exploited a known vulnerability (CVE-2017-5638) in Apache Struts for which a patch had been available for roughly two months before the attack. Equifax's security team knew about the vulnerability but failed to patch the affected systems. The attackers maintained access for 76 days, extracting names, Social Security numbers, birth dates, addresses, and credit card numbers.

A vulnerability management tool like IBM Concert could have helped prevent this disaster by:

  • Automatically discovering and inventorying all assets running Apache Struts
  • Continuously scanning for the CVE-2017-5638 vulnerability
  • Prioritizing this critical vulnerability based on threat intelligence and application context
  • Creating accountable workflows to ensure patching occurred
  • Verifying patch implementation across all systems
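The ingestion and scoring flow described in the Introduction, and the discover, prioritize and verify steps in the list above, as an added example: this is not IBM Concert's code and does not use its API. It is a small Python script that correlates constructed CycloneDX-style SBOMs with a constructed advisory record for CVE-2017-5638, scores each finding by application context, shapes a GitHub-Issue-style ticket payload, and re-checks the inventory after a simulated upgrade. The application names, environments, scoring weights and ticket shape are assumptions made for the example; the affected Struts versions (2.3.5 through 2.3.31 and 2.5 through 2.5.10) and fixed versions (2.3.32 and 2.5.10.1) are those published in the Apache Struts advisory for this CVE.

```python
"""Illustrative SBOM-to-CVE correlation and prioritization (not IBM Concert code)."""
import json
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '2.5.10.1' into (2, 5, 10, 1) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def in_range(version: str, lo: str, hi: str) -> bool:
    """Inclusive version-range check used for 'affected' ranges."""
    return parse_version(lo) <= parse_version(version) <= parse_version(hi)


@dataclass
class Finding:
    app: str
    environment: str
    purl: str
    cve: str
    cvss: float
    known_exploited: bool
    fixed_in: list

    def priority(self) -> float:
        """Assumed scoring for the example: CVSS, boosted for internet exposure
        and for known in-the-wild exploitation (application context)."""
        score = self.cvss
        if "internet" in self.environment:
            score *= 1.5
        if self.known_exploited:
            score *= 1.5
        return round(score, 1)


def components(sbom_json: str):
    """Yield (purl, version) for every component in a CycloneDX JSON SBOM."""
    for c in json.loads(sbom_json).get("components", []):
        yield c["purl"], c["version"]


def correlate(inventory, advisories) -> list:
    """Match every application's SBOM components against the advisory list,
    returning findings sorted highest priority first."""
    findings = []
    for app, env, sbom_json in inventory:
        for purl, version in components(sbom_json):
            for adv in advisories:
                if not purl.startswith(adv["purl_prefix"] + "@"):
                    continue
                if any(in_range(version, lo, hi) for lo, hi in adv["affected"]):
                    findings.append(Finding(app, env, purl, adv["id"], adv["cvss"],
                                            adv["known_exploited"], adv["fixed"]))
    return sorted(findings, key=lambda f: f.priority(), reverse=True)


def ticket(f: Finding) -> dict:
    """Build a GitHub-Issue-shaped payload (title/body/labels); sending it is out of scope."""
    return {
        "title": f"[{f.cve}] {f.app}: vulnerable {f.purl}",
        "body": (f"Environment: {f.environment}\nCVSS: {f.cvss}\n"
                 f"Priority score: {f.priority()}\nFixed in: {', '.join(f.fixed_in)}"),
        "labels": ["security", "vulnerability"],
    }


def upgrade(sbom_json: str, purl_prefix: str, new_version: str) -> str:
    """Return a copy of the SBOM with the matching component bumped (simulates a patch)."""
    bom = json.loads(sbom_json)
    for c in bom["components"]:
        if c["purl"].startswith(purl_prefix + "@"):
            c["version"] = new_version
            c["purl"] = f"{purl_prefix}@{new_version}"
    return json.dumps(bom)


def make_sbom(app: str, version: str, comps) -> str:
    """Construct a minimal CycloneDX-style SBOM document for the example."""
    return json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"name": app, "version": version}},
        "components": [{"type": "library", "name": n.split("/")[-1],
                        "version": v, "purl": f"{n}@{v}"} for n, v in comps],
    })


# Constructed inventory: hypothetical applications, environments and SBOMs.
STRUTS = "pkg:maven/org.apache.struts/struts2-core"
INVENTORY = [
    ("dispute-portal", "prod-internet-facing", make_sbom("dispute-portal", "4.2.0",
        [(STRUTS, "2.3.31"), ("pkg:maven/org.apache.logging.log4j/log4j-core", "2.17.1")])),
    ("hr-reports", "prod-internal", make_sbom("hr-reports", "1.0.3", [(STRUTS, "2.5.10")])),
    ("billing-api", "prod-internet-facing", make_sbom("billing-api", "2.8.0", [(STRUTS, "2.5.13")])),
]

# Constructed advisory record standing in for imported scan/assessment data.
ADVISORIES = [{
    "id": "CVE-2017-5638", "purl_prefix": STRUTS,
    "affected": [("2.3.5", "2.3.31"), ("2.5.0", "2.5.10")],
    "fixed": ["2.3.32", "2.5.10.1"], "cvss": 10.0, "known_exploited": True,
}]

if __name__ == "__main__":
    for f in correlate(INVENTORY, ADVISORIES):
        print(f.priority(), ticket(f)["title"])
    # Simulate patching dispute-portal and verify it drops out of the findings.
    patched = [(a, e, upgrade(s, STRUTS, "2.3.32")) if a == "dispute-portal" else (a, e, s)
               for a, e, s in INVENTORY]
    print([f.app for f in correlate(patched, ADVISORIES)])
```

Running it lists the two affected applications with the internet-facing one first, and after the simulated upgrade only the internal application remains; the 2.5.13 component is correctly outside the affected ranges, which is why versions are compared as integer tuples rather than strings.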

The breach ultimately cost Equifax over $1.7 billion in settlements, remediation, and lost business, demonstrating how proper vulnerability management could have avoided tremendous financial and reputational damage.

Lab Content

Welcome to the IBM Concert Vulnerability Dimension Lab. You will work through several key exercises that build important skills in identifying and prioritizing Common Vulnerabilities and Exposures (CVE) findings. In this lab, you will explore the following topics:

  • Set up a bidirectional integration with Instana
  • Set up the Concert integration with watsonx.ai and GitHub Issues
  • Using a Jenkins pipeline, you will:
    • build container images, push them to a container registry and deploy a sample application to a Kubernetes cluster
    • run vulnerability scans on a sample application
  • Review the results of the vulnerability scans in Concert and Instana
  • Create GitHub Issues using Concert Automation Rules
  • Patch one vulnerability and verify the remediation in Concert and Instana

The lab should be executed in the numbered order that you see on the left side of the screen, in the navigation pane, as sections likely depend on work completed in prior sections.