Hi jsoon1,
Use Remediation Projects - I have a problem with some aspects of them, but they’re the best solution unless you want to start getting creative with the API, etc.
With a Remediation Project you can create a query, such as where the CVSS is 9+ and the owner is ‘IT Support’. You can name this RP ‘Critical - IT Support’, and give permission to that Remediation Project to the IT Support team. You can then create additional RPs using different criteria (lower CVSS, age of the vuln, use categories/tags and so on).
Hopefully this helps - reply back if you have any other questions and check the Remediation Project section of the Product Guide.
If you haven’t already done so, I recommend using the built-in custom tagging or asset groups to keep track of who owns which assets or groups so that you can create reports and projects more easily.
As background, I’ve worked with several (of the largest) vulnerability management solutions, each with their own various dynamic risk rating systems. I generally fall back to system criticality as the primary prioritization metric, then CVE severity, which is sometimes interchangeable depending on risk, and finally, consider the product’s risk rating as a tertiary and supplemental metric. I use a combination of the dashboards (scoped to the specific assets) for executive reporting or meetings, a raw CSV export from the report console as a working file for the owners, the “Top 25” reports narrowed to specific assets (by owners), and, finally, remediation projects (following report distribution or meetings) to track and validate the team’s progress with remediation.