The fixes view on the Explore page will show all available fixes for the vulnerabilities/assets being displayed. Fixes are sorted by the number of associated vulnerabilities.
Each Fix displays all of the related CVEs and each of the assets affected by those CVEs. We also include diagnosis (a brief description of the vulnerability), consequence (what a successful exploit could result in or allow an attacker to do), and solution (how, specifically, to remediate the vulnerability), based on vendor data.
Users can filter by risk score and threat vectors to display the highest risk items and view the number of assets and vulnerabilities that would be involved in the remediation.
Note: If there are more fixes available for the fix that you are viewing, an Alternate Fixes Available button displays. When you click the button a list of links to alternate fixes displays. You can click the links to see more information about the fixes.
For each risk group, Cisco Vulnerability Management provides Top Fixes. Each Top Fix is a group of up to 3 fixes, which fall within the top 10 largest risk reductions for that Risk Meter. The Top Fix view for a Risk Meter contains its current Risk Score, along with the lower score that the Risk Meter would move to after remediating all vulnerabilities in a specific Fix Group. These are sorted by largest risk reduction, left to right, with a button on the right side to move to the second page of Top Fixes.
In the example above, remediating the vulnerabilities for all 3 listed Fixes will reduce the current risk score of 880 by 9 points, down to a new score of 871.
All of the Top Fix Groups (not just the one currently displayed) can be exported from this view by clicking the "Export CSV" button. You can also create a ticket to send the fix information to the remediation owner (if you have a ticketing connector set up).
Top Fixes Best Practices
Top Fixes are very valuable for quickly reducing overall risk. They are based on a pretty simple mathematical calculation that looks at the possible risk reduction to the average risk meter score achieved through applying up to 3 fixes. The calculation depends on two things:
- There are a good number of assets that have the same vulnerabilities in the Risk Meter.
- A score reduction can be found with three or fewer fixes applied.
Top Fixes is good for:
- Providing remediation teams a place to focus efforts, particularly early on, and achieve quick wins in risk reduction
- Grouping fixes together in a way that will achieve the biggest risk reduction for the remediation efforts
Top Fixes is not good for:
- Remediating "legacy" devices with lots of vulnerabilities
- Risk Meters with dissimilar machines and operating systems
- Finding quick wins when there are more than three vulnerabilities at the same score level on many of the assets
As customers mature and take care of the highest-level vulnerabilities, Top Fixes become less and less useful because most vulnerabilities in Cisco Vulnerability Management are scored in the 30-40 range. Therefore, when a customer has most assets remediated to reflect a lower score, Top Fixes will find fewer and fewer recommended fixes. In addition to using Top Fixes, we recommend that Cisco Vulnerability Management admin teams train their staff to look at vulnerabilities by risk score from the Explore view, and remediate any vulnerabilities that are out of risk appetite.
Why are there no Top Fixes?
When no individual fixes would change the overall score of a Risk Meter, no "Top Fixes" are populated. A message appears which states: "There are no fixes for the vulnerabilities in this group of assets which would lower the group's score."
There are many reasons why you may not see any Top Fixes, but here are some examples:
- If your risk meter is vulnerability-based, and none of the vulnerabilities contained in the risk meter are the highest vulnerability on the asset, there will be no opportunity for risk reduction because the vulnerabilities that would affect the score were excluded. Risk Meter scores are an average of asset scores and assets are only scored on the highest vulnerability on the asset.
- If you have a vulnerability-based risk meter focusing only on vulnerabilities scored at 100, even if you remediate those highest-scored vulnerabilities on the assets, the remaining vulnerabilities will still result in a risk meter score of 1000.
- If all assets in the risk meter have so many high-scored vulnerabilities on them that it would take more than 3 fixes to achieve a risk reduction, no fixes will be displayed. We show you fix groups that contain up to three fixes only, so as to provide manageable, achievable risk reductions. In this scenario, go to the Explore view for the risk meter, sort or filter on the highest vulnerabilities, and then look at the associated fixes.
- If your risk meter has no data, contains only inactive assets, or only contains assets scored at 0, the risk meter score will always be 0 and no top fixes will change that.
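The calculation described under Top Fixes Best Practices and the "no Top Fixes" cases above can be reproduced with a small model. This is an added example, not Cisco Vulnerability Management's own code: it assumes an asset score is 10 times its highest open vulnerability score (chosen to match the 0-100 and 0-1000 scales mentioned above), and the asset names, fix IDs and scores are constructed sample data.

```python
from itertools import combinations

SCALE = 10  # assumption: asset score = 10 x its highest open vulnerability score

# Constructed sample data: asset -> [(fix id, vulnerability score 0-100), ...]
FLEET = {
    "web-1": [("patch-openssl", 90), ("patch-kernel", 60)],
    "web-2": [("patch-openssl", 90), ("patch-kernel", 60)],
    "db-1": [("patch-openssl", 90), ("patch-db", 40)],
}
# A "legacy" asset: four separate fixes all sit at the top score.
LEGACY = {"legacy-1": [(f"fix-{c}", 100) for c in "abcd"]}

def meter_score(assets, applied=frozenset()):
    """Average of asset scores; each asset counts only its highest open vuln."""
    if not assets:
        return 0
    total = 0
    for vulns in assets.values():
        remaining = [score for fix, score in vulns if fix not in applied]
        total += SCALE * max(remaining, default=0)
    return round(total / len(assets))

def top_fix_groups(assets, max_fixes=3, limit=10):
    """Return (current score, groups) where each group lowers the score."""
    current = meter_score(assets)
    fixes = sorted({fix for vulns in assets.values() for fix, _ in vulns})
    groups = []
    for size in range(1, max_fixes + 1):
        for group in combinations(fixes, size):
            after = meter_score(assets, frozenset(group))
            if after < current:  # groups that change nothing are not listed
                groups.append((current - after, group, after))
    # Largest reduction first; on ties prefer the smaller group.
    groups.sort(key=lambda g: (-g[0], len(g[1]), g[1]))
    return current, groups[:limit]

if __name__ == "__main__":
    for name, assets in (("fleet", FLEET), ("legacy", LEGACY)):
        current, groups = top_fix_groups(assets)
        print(f"{name}: current score {current}")
        for reduction, group, after in groups:
            print(f"  -{reduction} -> {after}: {', '.join(group)}")
        if not groups:
            print("  no group of up to 3 fixes lowers the score")
```

In the constructed fleet, `patch-kernel` alone never appears because it is not the highest vulnerability on any asset, while the legacy asset yields no groups at all because four fixes share its top score.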