Cisco Vulnerability Management uses asset level scoring, yet in many organizations vulnerability remediation and patching work is distributed across multiple teams (Infrastructure vs Application). In these cases, Risk Meters can divide the vulnerabilities between those teams for remediation, yet the scoring remains at the asset level.
This poses some challenges related to risk reporting at the asset level. For example:
- Asset Group = host1, host2, host3, host4
- Vulnerabilities on each asset in the group: v_score100, v_score80, v_score70, v_score60
Infrastructure team: Risk Meter includes all assets / v_score100, v_score70
Application team: Risk Meter includes all assets / v_score80, v_score60
The Risk Meter score for both teams will be 1000 even though the Application team's highest vulnerability is 80. Even if the Application team fixes all 80 vulnerabilities, the scores will not drop until the Infrastructure team fixes the 100 level vulnerabilities. For more information, refer to Asset Scoring in Cisco Vulnerability Management.
With that understanding here are some general guidelines when using vulnerability based risk meters:
- Always have an overall risk meter that shows the health of the assets with all vulnerabilities included (the ALL meter). Overall risk and identification of under-performing remediation teams using the vulnerability based meters will be judged at this level. It is important to ensure that the ALL meter is clearly tied to a set of remediation meters that account for all assets and all vulnerabilities of the ALL meter, or score changes will not align (r1, r2, r3 = r1+r2+r3).
- Use a 'dual task list' method for the remediation team. They should pull from top fixes that come up for their meter but should also pull from an additional "high risk meter" (vulnerability_score:>66) with the goal of getting that risk meter to 0. This 2nd risk meter serves several purposes:
- It creates a finite list of items that the remediation team can work on which will result in a green 0 when they finish. This ensures that teams can prove they are doing their part to decrease risk.
- It makes it visually easier in the dashboard for the overall asset owner to discern why risk might or might not be dropping.
- The high-scored risk meter focuses teams only on the highest vulnerabilities. This helps teams to work on the highest vulnerabilities first, but might not be the most efficient way to reduce the overall risk meter score because risk reduction calculations in Top Fixes consider not only the vulnerability score, but how many assets that the vulnerability affects. Therefore, Top Fixes might not be accurate in vulnerability based meters but will still reflect high value remediation items.
- Periodic review of top fixes on the ALL meter is recommended because this is where score reduction calculations will be most accurate.
- Evaluation of remediation teams using Cisco Vulnerability Management should focus on overall reduction of vulnerability count on their risk meters and reduction of high vulnerability counts, rather than relying on asset based graphs in the reports.
Comments
Please sign in to leave a comment.