The Asset Priority value in Cisco Vulnerability Management is used to incorporate risk appetite, for any individual asset, into the Kenna scoring methodology. The Asset Score is a product of the highest vulnerability on the asset and the asset's priority setting.
Lowering the Priority value for an asset reduces the level of vulnerability that needs to be remediated before an asset "goes-to-green", as shown below.
Following this diagram, an Asset with a Priority setting of 6 would never appear as red in Cisco Vulnerability Management and would only need to have vulnerabilities 60 and above fixed before it was green.
NOTE: From an audit/governance perspective it is recommended that any changes to the Asset Priority values be well defined in a documented methodology and set up in Cisco Vulnerability Management to be changed via an automated process. If you choose to set priorities lower than 4, be prepared to justify why it is within risk appetite to fix nothing on those Assets.
Defining a Methodology
To determine which assets you might adjust to a different priority, you must first ensure that the right metadata exists to support the identification of those assets, for example:
- os:("*Windows*") AND -os:("*Server*")
- tag:"Development" vs tag:"Testing" vs tag:"Production"
- tag:"PCI" or tag:"NPPI"
The methodology can be as simple as a two-point scale:
- External = 10
- Internal = 8
It can also use more complex rules:
- If DMZ or PCI or NPPI, then 10
- If Production but not DMZ or PCI or NPPI, then 9
- If Windows and not Production, DMZ, PCI or NPPI, then 8
- If not Windows and not Production, DMZ, PCI or NPPI, then 7
It is helpful to create risk meters with queries that represent the different priority levels, to ensure you have the right metadata in Cisco Vulnerability Management.
Changing and maintaining the Priority Values
Using the risk meters, you can manually monitor the priority of the assets and make adjustments as new assets come into Cisco Vulnerability Management with the default Priority of 10.
Example query: -os:"*Windows*" AND -tag:("Production" OR "DMZ*" OR "PCI" OR "NPPI") AND -priority:7
This would show all the assets that meet the criteria for a Priority of 7 (based on the methodology) but are currently set to some other value (note the -priority:7 in the query). To reset the priority, select all the assets (click the link to get more than just the first page), then click Priority and select the desired value (7 in this example).
Once you have risk meters set up, you can manually adjust as needed or schedule a script to automatically make the adjustments via the API. Ruby code that already does this can be found on our Samples GitHub site. NOTE: Scripts have been tested and are actively being used by customers but are not considered a supported part of Cisco Vulnerability Management.
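As an added example (not code from the Cisco Vulnerability Management documentation or the Samples GitHub repository), the following Ruby script encodes the four-rule methodology from the section above, generates the drift query for each priority level (level 7 reproduces the example query), and lists the assets a scheduled job would need to change; the asset hash layout and the sample inventory are assumptions constructed for this example.

```ruby
# Added example, not from the Cisco Vulnerability Management docs or the Samples
# repo; the asset hash layout (:id, :os, :tags, :priority) is an assumption.

# "DMZ*" (prefix wildcard), "PCI" or "NPPI" tags force priority 10.
def sensitive_tag?(tag)
  tag.match?(/\ADMZ/i) || %w[PCI NPPI].any? { |s| tag.casecmp?(s) }
end

# Target priority under the four-rule methodology described above:
# DMZ/PCI/NPPI => 10, Production => 9, Windows => 8, everything else => 7.
def target_priority(asset)
  tags = Array(asset[:tags]).map(&:to_s)
  return 10 if tags.any? { |t| sensitive_tag?(t) }
  return 9 if tags.any? { |t| t.casecmp?("Production") }
  return 8 if asset[:os].to_s.match?(/windows/i)
  7
end

# Risk meter query for assets whose rule-derived priority is `level` but whose
# current value differs (a leading "-" negates a term; level 7 is the text's query).
def drift_query(level)
  sensitive = '("DMZ*" OR "PCI" OR "NPPI")'
  excluded  = '("Production" OR "DMZ*" OR "PCI" OR "NPPI")'
  case level
  when 10 then %(tag:#{sensitive} AND -priority:10)
  when 9  then %(tag:"Production" AND -tag:#{sensitive} AND -priority:9)
  when 8  then %(os:"*Windows*" AND -tag:#{excluded} AND -priority:8)
  when 7  then %(-os:"*Windows*" AND -tag:#{excluded} AND -priority:7)
  else raise ArgumentError, "no rule defines priority #{level}"
  end
end

# Changes a scheduled script would push via the API: one entry per asset whose
# current priority differs from the methodology's target.
def plan_changes(assets)
  assets.each_with_object([]) do |a, out|
    want = target_priority(a)
    out << { id: a[:id], from: a[:priority], to: want } if a[:priority] != want
  end
end

# Constructed sample inventory; new assets arrive with the default priority 10.
SAMPLE_ASSETS = [
  { id: 1, os: "Windows Server 2019", tags: %w[Production PCI], priority: 10 },
  { id: 2, os: "Ubuntu 22.04",        tags: %w[Production],     priority: 10 },
  { id: 3, os: "Windows 10",          tags: %w[Development],    priority: 10 },
  { id: 4, os: "RHEL 8",              tags: %w[Testing],        priority: 10 },
  { id: 5, os: "Windows 11",          tags: %w[dmz-web],        priority: 8 }
].freeze
```

Running plan_changes(SAMPLE_ASSETS) against this inventory reports four assets to update, including asset 5, which sits below the 10 its DMZ tag calls for.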