As a Vul-Man working in a company with 2500 assets, which risk value (10 Mio, 20 Mio, 50 Mio) would form an acceptable baseline in the report I will present to management? How can I establish a baseline for 1000 assets? I see there’s a risk score increase of around 15,000 to 20,000 for one Microsoft asset after each MS Patch Tuesday. I don’t have any other measurement values. Does anybody have any ideas about this?
You’ll have to provide more details about what exactly you are looking for. Everyone’s “baseline” will be different based on different criteria in each organization, from my perspective.
“Imagine you are a CISO looking at a risk score. What range of risk scores would classify the overall risk as “low,” “medium,” or “high”? When you look at the CVSS vulnerability metric, there’s a range that helps everyone classify risks. But how can I create a classification for the total risk score I see on the Rapid7 InsightVM homepage? I have 1000 assets; if a risk score of 10,000 is good for each asset, then should I say that a total risk score of 10 million is good for an organization with 1000 assets? Each asset has its own unique vulnerabilities, but I want to create a baseline, a metric, and all I have is an increase of 15 to 20 thousand risk values on each asset after every MS Patch Tuesday. I need another parameter, just like the NVD vulnerability metric.”
From your description, it seems you are using the asset risk score to measure against. This may be difficult to show improvement over time, as that score is going to go up and down over time (as you have mentioned with each Patch Tuesday). Also, it won’t always show what areas to focus on first. For example, say you have 2 assets both with a total risk score of 1000. Asset 1 has one vulnerability that has known exploit code written for it. Asset 2 has 4 low vulnerability findings, each with a risk score of 250. Going by the asset’s total risk score, they both have equal scoring, but if you focus on the individual vulnerability risk score, you close the higher risk vulnerabilities first.
To do that, I usually start with goals and SLAs, something like:
Remediate 100% of vulnerabilities where vulnerability.riskScoreReal >= 800 && vulnerability.exploits IS NOT NULL within 25 days of discovery
25 days may be too short, but start with a high number; if you can maintain that goal over the course of a few months, decrease it.
This way, management discussions are more around removing that critical risk from the environment over time, and maybe the improvement is something like “decreased the number of days to remediate from 100 to 25 in X months”, something like that.
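A worked version of that SLA view, as an added example and not code from Rapid7 InsightVM or from the poster: it runs over constructed findings shaped like the filter quoted above, shows why two assets with equal totals differ once you look at exploitable findings, and tallies the 25-day SLA. The field names, asset ids, dates and the "today" used for the report are all assumptions.

```python
from datetime import date

# Constructed sample findings (placeholder assets and vuln ids, not real scan
# output); field names follow the filter quoted in the post above.
D = date(2024, 3, 12)  # discovery date shared by the open findings
FINDINGS = [
    {"asset": "asset-1", "vuln": "V-1", "riskScoreReal": 1000.0, "exploits": ["exploit-db"],
     "discovered": D, "remediated": None},
] + [
    {"asset": "asset-2", "vuln": f"V-{n}", "riskScoreReal": 250.0, "exploits": None,
     "discovered": D, "remediated": None} for n in range(2, 6)
] + [
    {"asset": "asset-3", "vuln": "V-6", "riskScoreReal": 900.0, "exploits": ["metasploit"],
     "discovered": date(2024, 2, 1), "remediated": date(2024, 2, 20)},
    {"asset": "asset-3", "vuln": "V-7", "riskScoreReal": 850.0, "exploits": ["metasploit"],
     "discovered": date(2024, 1, 5), "remediated": date(2024, 2, 20)},
]
REPORT_DATE = date(2024, 3, 30)  # constructed "today" for the report

def asset_totals(findings):
    """Risk of still-open findings summed per asset: the view the question used."""
    totals = {}
    for f in findings:
        if f["remediated"] is None:
            totals[f["asset"]] = totals.get(f["asset"], 0.0) + f["riskScoreReal"]
    return totals

def critical_findings(findings, min_score=800.0):
    """SLA population: riskScoreReal >= 800 AND exploits IS NOT NULL."""
    return [f for f in findings if f["riskScoreReal"] >= min_score and f["exploits"]]

def sla_report(findings, today, sla_days=25, min_score=800.0):
    """Age each critical finding and classify it as met / open / breached."""
    rows = []
    for f in critical_findings(findings, min_score):
        closed = f["remediated"] is not None
        age = ((f["remediated"] or today) - f["discovered"]).days
        if age > sla_days:
            status = "breached"  # closed late, or still open past the SLA
        else:
            status = "met" if closed else "open"
        rows.append({"asset": f["asset"], "vuln": f["vuln"], "age_days": age, "status": status})
    counts = {s: sum(r["status"] == s for r in rows) for s in ("met", "open", "breached")}
    return {"population": len(rows), **counts, "findings": rows}

def example_report():
    return sla_report(FINDINGS, REPORT_DATE)
if __name__ == "__main__":
    print("asset totals (both look equal):", asset_totals(FINDINGS))
    print("SLA report:", example_report())
```

asset-1 and asset-2 both total 1000, yet only asset-1 carries an exploitable finding in the SLA population; V-7 closed after 46 days and shows up as the breach to discuss with management.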
Thank you for summing up what I was going to suggest, as this is the “easiest” path forward. Looking at just the risk score can be misleading depending on the time of month/your patching window, and also does not take into account the criticality of the vulns or how long the vulns have existed for. Agree with this write-up 100%!
Thank you for your answer, Steve. I can make better progress in this way. It would not be possible to make a metric in the way I thought before, and it would not be an approach that better analyses the problems in the systems.