Part 5: Transforming IT Operations: A Patch & Vulnerability Prioritization Agent
Note: This is the fifth in a series of posts exploring how AI agents can support IT Operations teams. In this post, we examine the challenge security teams face in identifying the most critical systems in their environments that require security attention.
Explore the series:
Part 1: Transforming IT Operations with Large Language Models
Part 2: Transforming IT Operations - A Daily Ops Summary Agent
Part 3: Transforming IT Operations - An Incident Knowledge Assistant
Part 4: Transforming IT Operations - An Intelligent Resource Optimizer
The Context
For any piece of computing equipment to do useful work, multiple pieces of software must be installed on it. These pieces of software work together to provide particular functions. Webservers, databases and e-mail systems, for example, all play specific roles in an enterprise data center. Each piece of software installed on these machines has a specific version, and those versions change over time as vendors release new features, fix bugs or address security vulnerabilities.
To do their jobs, enterprise systems may have dozens of pieces of software installed on them, each at a particular version. Versions are usually selected to be compatible with each other and to provide the features needed for the device to fulfill its function.
The Challenge
The number of unique pieces of software that a typical operations team needs to keep track of can easily reach into the thousands. Not only are there specific libraries or packages from a given vendor, but there may also be multiple versions of that given component across different devices. This can quickly increase the number of unique pieces of software present across the entire data center, and the number of actively running software components at any moment can reach into the hundreds of thousands.
Each version of each piece of software may also present unique security vulnerabilities. To ensure the integrity of their operations, IT teams must constantly be aware of which systems are exposed to which vulnerabilities and address them via software patching. Given the large number of unique software components and the many systems they can be installed on, it's not possible to keep every system patched to the latest software version at all times. Security groups need a way to assess the environment holistically and prioritize their patching efforts.
The Remedy
What's needed is a way to assess, across all devices and the various software packages in their many versions, the aggregate vulnerability exposures, the severity of each individual vulnerability, and how to prioritize them, factoring in all this information. Since vulnerabilities and patches are identified and released by software vendors daily, this assessment also needs to be quick and easy to repeat.
We built the Patch Vulnerability & Prioritization Agent to do just that. It starts by reading the catalog of all systems in the environment and inspecting the software components and their specific versions installed on each machine. For each software version, it searches publicly available Common Vulnerabilities and Exposures (CVE) databases to identify known issues that may be present for that component and version.
If the agent finds that a particular component has a known CVE, it inspects the Common Vulnerability Scoring System (CVSS) score for that CVE, which indicates the severity of the vulnerability if exploited by a bad actor.
Finally, the Patch Vulnerability & Prioritization Agent inspects which enterprise applications the machine in question supports and considers the specified business-criticality of those applications. Using the number of CVEs at play on the device, the CVSS scores of those CVEs and the criticality of the applications that would be affected if the machine were compromised, the agent automatically places the device into one of three categories: patch now (near-term), patch soon (mid-term) and patch later (long-term).
For any given machine, the operator is provided with a list of the specific CVEs that apply to the machine, along with their related CVSS scores. The agent also provides a summarized risk assessment for each individual data center device, along with mitigation recommendations and priority actions.
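The three-step assessment described above (map installed versions to CVEs, take their CVSS scores, weight by application criticality, then bucket into patch now / soon / later) as an added example, not the agent's own code. The CVE catalog, CVE identifiers, inventory, criticality values and the scoring formula are all constructed for illustration; a real deployment would query a CVE database instead of a dictionary.

```python
from dataclasses import dataclass, field

# Constructed CVE catalog: (component, version) -> [(placeholder CVE id, CVSS base score)]
CVE_CATALOG = {
    ("openssl", "1.0.2"): [("CVE-PLACEHOLDER-1", 9.8), ("CVE-PLACEHOLDER-2", 7.5)],
    ("openssl", "3.0.13"): [],
    ("nginx", "1.18.0"): [("CVE-PLACEHOLDER-3", 5.3)],
    ("postgresql", "12.1"): [("CVE-PLACEHOLDER-4", 8.8)],
}
# Constructed business criticality per enterprise application: 1 (low) .. 3 (high)
APP_CRITICALITY = {"payments": 3, "intranet-wiki": 1, "hr-portal": 2}

@dataclass
class Device:
    name: str
    components: list   # [(component, version), ...] as read from the inventory
    applications: list  # enterprise applications this machine supports

@dataclass
class Assessment:
    device: str
    cves: list = field(default_factory=list)  # [(cve id, cvss), ...] found on the device
    score: float = 0.0
    category: str = "patch later"

def find_cves(components):
    """Step 1: look up every installed (component, version) pair in the catalog."""
    cves = []
    for comp, ver in components:
        cves.extend(CVE_CATALOG.get((comp, ver), []))
    return cves

def assess(device):
    """Steps 2-3: combine CVE count, worst CVSS and app criticality into one bucket."""
    a = Assessment(device.name, cves=find_cves(device.components))
    if not a.cves:
        return a  # nothing known to patch: stays "patch later" with score 0
    crit = max((APP_CRITICALITY.get(app, 1) for app in device.applications), default=1)
    worst = max(cvss for _, cvss in a.cves)
    # Constructed formula: worst CVSS scaled by criticality, plus 0.5 per additional CVE
    a.score = round(worst * crit / 3 + 0.5 * (len(a.cves) - 1), 2)
    if a.score >= 7.0:
        a.category = "patch now"
    elif a.score >= 4.0:
        a.category = "patch soon"
    return a

def prioritize(devices):
    """Return one assessment per device, most urgent first."""
    return sorted((assess(d) for d in devices), key=lambda a: -a.score)

SAMPLE_DEVICES = [  # constructed inventory
    Device("web-01", [("openssl", "1.0.2"), ("nginx", "1.18.0")], ["payments"]),
    Device("db-01", [("postgresql", "12.1")], ["hr-portal"]),
    Device("wiki-01", [("nginx", "1.18.0")], ["intranet-wiki"]),
    Device("bastion-01", [("openssl", "3.0.13")], []),
]
```

Running `prioritize(SAMPLE_DEVICES)` yields web-01 as "patch now", db-01 as "patch soon" and the other two as "patch later", with each assessment carrying the per-device CVE list the operator is shown.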
Conclusion
The Patch Vulnerability & Prioritization Agent enables IT teams to manage their patching efforts more intelligently. By taking advantage of the analysis it provides, an extremely burdensome ongoing maintenance workload can become more manageable.
We're excited to demonstrate the prioritization agent to you, running live in our AI Proving Ground. It was developed using the NVIDIA NeMo™ Agent Toolkit and relies on models deployed as NVIDIA NIM™. We deployed the solution into an HPE Private Cloud AI cluster — an HPE and NVIDIA co-engineered, turnkey AI Factory solution and part of the NVIDIA AI Computing by HPE portfolio — where it is hosted with easy access via wwt.com.
Follow HPE and NVIDIA on wwt.com now to stay informed on all of our progress!