Prioritising Remediation Based on Risk Score

I am trying to build better procedures for remediation of vulnerabilities. I would like to build a policy or framework that can be used throughout the team so that we can, at a glance in IVM, look at which vulns to remediate first.

I had planned on building filters and tags based on CVSS3 criteria such as whether it is publicly exploitable, can be exploited remotely, etc., and assigning it an urgent status that needs to be remediated within n days, etc., but upon reading more of the IVM documentation I think the R7 team has already done this by way of the risk score.

We are currently using the Real Risk Strategy with a max score of 1000, but within that I wanted to know if there are bands I could use to establish priority.

For example, a score of between 900 and 1000 would be urgent, 700 - 900 critical, etc. I would like to link this with our dashboards and reporting to start showing more contextual metrics so that management can see a more realistic snapshot of how we are doing in our efforts.

Does anyone do something similar or have a suggestion on how best to use IVM and the data it contains to prioritize?

Hi Jamesy,

I would agree the calculated risk score under the Real Risk Strategy already does a great job prioritizing vulnerabilities and the [severity] field can be helpful when trying to establish priority bands.

[severity]: The textual representation of the severity of the vulnerability, which is based on the severity score. The severity can be any of the following values: 'Critical', 'Severe', or 'Moderate'.

However, I do believe there is value in further prioritizing remediations/vulnerabilities around criteria that fit the org's particular risk model.

Examples:

  • Production Assets
  • Internet Facing
  • CISA KEV
  • severity
  • Vulns w/ Exploits
  • Vulns w/ Malware Kits
  • os_type
  • etc…

One suggestion is to identify the “best” solutions, aggregate the total risk_score for each, and define buckets like the examples above to further prioritize.

Hi bobsledtedd,

Thanks for your reply. I had thought about the idea of classifying systems similarly to how you had above. And with regard to creating buckets, that was also a thought, although I wasn't quite sure how to accurately rate based on score, considering how a high score and critical severity don't automatically equal a vulnerability that we need to jump on right away.

Based on all the factors, and in the interest of creating a policy/procedure that isn't overly complex, I think I will create groupings that will give us a good starting point whereby we can address each in a timeframe that is actionable.

Below is a sample filter I am playing with that will give us a list of vulns/systems that we should take action on and aim to have remediated within two weeks or fewer. I'd like to know your thoughts.

NOTE: I am presuming here that skill level maps to an attack complexity of Low within the CVSS ranking.

vulnerability.severity = 'critical' && vulnerability.categories IN ['remote execution', 'exploited in the wild'] && vulnerability.skillLevel = 'novice'
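The two ideas in this thread (score bands with an SLA per band, as in the opening post, and bobsledtedd's suggestion to aggregate risk_score per solution and bucket on asset context such as production, internet facing and CISA KEV) can be combined in a small script. The following is an added example written for this discussion; it is not Rapid7 code, does not call the InsightVM API, and runs on constructed records whose field names (risk_score, severity, categories, skill_level, production, internet_facing, kev, solution) are assumptions modelled on the names used in the thread. The band thresholds, the "one band up/down" shifts and the KEV override are assumptions too; the two-week rule is the filter posted above, re-expressed in Python.

```python
"""Priority banding and per-solution aggregation for vulnerability findings.

Added example for the discussion above; not InsightVM code. All field names,
thresholds and escalation rules below are assumptions chosen to illustrate
the approach, not Rapid7 behaviour.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One asset/vulnerability pair, as it might be exported from a scanner."""
    asset: str
    vuln_id: str
    solution: str          # remediation the finding rolls up to
    risk_score: float      # Real Risk score, 0..1000
    severity: str          # 'Critical' | 'Severe' | 'Moderate'
    categories: tuple      # e.g. ('remote execution', 'exploited in the wild')
    skill_level: str       # 'novice' | 'intermediate' | 'expert'
    production: bool       # asset context tags (assumed)
    internet_facing: bool
    kev: bool              # listed in CISA KEV (assumed tag)


# (score floor, band name, SLA in days), most urgent first. Assumed values,
# following the 900-1000 "urgent" / 700-900 "critical" idea from the thread.
BANDS = [
    (900, "urgent",   7),
    (700, "critical", 14),
    (400, "high",     30),
    (0,   "medium",   90),
]
BAND_NAMES = [name for _, name, _ in BANDS]


def band_for_score(score):
    """Map a 0..1000 risk score to (band, sla_days) using BANDS."""
    for floor, name, sla in BANDS:
        if score >= floor:
            return name, sla
    return BANDS[-1][1], BANDS[-1][2]


def shift_band(name, steps):
    """Move a band by `steps` (negative = more urgent), clamped to the table."""
    idx = BAND_NAMES.index(name) + steps
    idx = max(0, min(len(BANDS) - 1, idx))
    return BANDS[idx][1], BANDS[idx][2]


def matches_two_week_filter(f):
    """The filter posted above: critical, RCE or exploited in the wild, novice."""
    return (f.severity.lower() == "critical"
            and any(c in f.categories for c in ("remote execution", "exploited in the wild"))
            and f.skill_level.lower() == "novice")


def prioritise(f):
    """Return (band, sla_days) for one finding.

    Start from the score band, then apply context: KEV forces the top band,
    production + internet facing move one band up, and an asset that is
    neither moves one band down (a high score alone is not an emergency).
    Finally the two-week filter caps the SLA at 14 days.
    """
    name, sla = band_for_score(f.risk_score)
    if f.kev:
        name, sla = BANDS[0][1], BANDS[0][2]
    elif f.production and f.internet_facing:
        name, sla = shift_band(name, -1)
    elif not f.production and not f.internet_facing:
        name, sla = shift_band(name, +1)
    if matches_two_week_filter(f) and sla > 14:
        name, sla = "critical", 14
    return name, sla


def rank_solutions(findings):
    """Aggregate total risk_score per solution; highest total first.

    Returns a list of (solution, total_risk, finding_count) tuples.
    """
    totals, counts = defaultdict(float), defaultdict(int)
    for f in findings:
        totals[f.solution] += f.risk_score
        counts[f.solution] += 1
    return sorted(((s, round(t, 1), counts[s]) for s, t in totals.items()),
                  key=lambda row: -row[1])


# Constructed sample data; not real scan output.
SAMPLE = [
    Finding("web-01", "vuln-A", "Patch web server", 950.0, "Critical",
            ("remote execution", "exploited in the wild"), "novice", True, True, True),
    Finding("web-02", "vuln-A", "Patch web server", 940.0, "Critical",
            ("remote execution", "exploited in the wild"), "novice", True, True, True),
    Finding("db-01", "vuln-B", "Upgrade database", 880.0, "Critical",
            ("remote execution",), "novice", True, False, False),
    Finding("lab-07", "vuln-C", "Upgrade database", 910.0, "Critical",
            ("remote execution",), "expert", False, False, False),
    Finding("hr-22", "vuln-D", "Disable legacy protocol", 650.0, "Severe",
            ("default accounts",), "intermediate", True, False, False),
]

if __name__ == "__main__":
    for f in SAMPLE:
        band, sla = prioritise(f)
        print(f"{f.asset:7} {f.vuln_id:7} score={f.risk_score:6.1f} -> {band:9} fix within {sla} days")
    print("\nSolutions by aggregated risk:")
    for solution, total, n in rank_solutions(SAMPLE):
        print(f"  {total:7.1f}  ({n} findings)  {solution}")
```

Note the lab-07 record: it carries the highest raw score in the sample, but because it is neither production nor internet facing it lands in the 14-day band rather than the 7-day one, which is the "high score does not automatically mean jump on it" point made above. Swapping the assumed thresholds or shift rules for the org's own is the only change needed to reuse this on a real export.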

Looks reasonable to me if that’s your focus.

Thanks.

How do you approach your prioritisation?