The Asset Priority value in Cisco Vulnerability Management is used to incorporate risk appetite, for any individual asset, into the Cisco Vulnerability Management scoring methodology. The Asset Score is the product of the highest vulnerability score on the asset and the asset's Priority setting.
Lowering the Priority value for an asset scales its Asset Score down, so only higher-scoring vulnerabilities need to be remediated before the asset turns green, as shown in the following table.
In this table, an asset with a Priority setting of 6 would never appear as red in Cisco Vulnerability Management, and only vulnerabilities scoring 60 and above would need to be fixed before it turned green.
NOTE: From an audit/governance perspective, Cisco recommends that any changes to Asset Priority values follow a documented methodology and be applied in Cisco Vulnerability Management through an automated process. If you choose to set priorities lower than 4, be prepared to justify why fixing nothing on those assets is within risk appetite.
Define a Methodology
To determine which assets should receive a different priority, first ensure that the metadata needed to identify those assets (tags, operating system, and so on) exists in Cisco Vulnerability Management, so that they can be selected with search criteria such as the following.
Example search criteria
- tag:"DMZ*"
- os:("*Windows*") AND -os:("*Server*")
- tag:"Development" vs tag:"Testing" vs tag:"Production"
- tag:"PCI" or tag:"NPPI"
The methodology can be as simple as a 2-point scale:
- External = 10
- Internal = 8
Or the methodology can use more complex rules, evaluated in order so that the first matching rule wins:
- If DMZ, PCI or NPPI, then 10
- If Production (and not DMZ, PCI or NPPI), then 9
- If Windows (and not Production, DMZ, PCI or NPPI), then 8
- If not Windows (and not Production, DMZ, PCI or NPPI), then 7
It is helpful to create risk meters whose queries represent the different priority levels, to confirm that the right metadata exists in Cisco Vulnerability Management before any priorities are changed.
Change and maintain the Priority Values
Using these risk meters, you can manually monitor asset priorities and make adjustments as new assets enter Cisco Vulnerability Management with the default Priority of 10.
Example query:
-os:"*Windows*" AND -tag:("Production" OR "DMZ*" OR "PCI" OR "NPPI") AND -priority:7
This query returns all assets that meet the criteria for a Priority of 7 under the methodology but are currently set to some other value (note the -priority:7 clause). To reset the priority, select all the assets (click the link to select more than just the first page), then click Set Priority and choose the desired value (7 in this example).
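The rules from the methodology above and the risk meter query that finds mismatched assets, encoded as an added Ruby example. This is not the article's code and not the script from the Samples GitHub site: it assumes asset records with os, tags and priority fields (constructed here as sample data), evaluates the rules in order so the first match wins, emits the search-syntax query for each priority level, and reports the priority changes that the methodology requires. It does not call the Cisco Vulnerability Management API.

```ruby
# Added example: encode the priority methodology from this article as ordered
# rules, evaluate them against asset records, and report which assets need
# their Priority changed. Asset records are constructed to mirror the fields the
# search syntax exposes (os, tags, priority). Not the Samples GitHub script,
# and no API calls are made; the output is a change set for review.

SENSITIVE_TAGS = %w[DMZ PCI NPPI].freeze

def has_tag?(asset, name)
  # "DMZ*" in the search syntax is a prefix match, so match tags by prefix.
  asset[:tags].any? { |t| t.start_with?(name) }
end

def sensitive?(asset)
  SENSITIVE_TAGS.any? { |t| has_tag?(asset, t) }
end

def production?(asset)
  has_tag?(asset, 'Production')
end

def windows?(asset)
  asset[:os].to_s.downcase.include?('windows')
end

# [target_priority, predicate]. Order matters: the first matching rule wins,
# which is how the "but not DMZ/PCI/NPPI" clauses of the article are expressed.
RULES = [
  [10, ->(a) { sensitive?(a) }],
  [9,  ->(a) { production?(a) }],   # reached only if not sensitive
  [8,  ->(a) { windows?(a) }],      # reached only if not sensitive or production
  [7,  ->(_) { true }],             # everything else
].freeze

def target_priority(asset)
  RULES.each { |prio, pred| return prio if pred.call(asset) }
end

# Search-syntax equivalent of each rule, in the form the article uses for its
# risk meters: criteria AND -priority:N returns assets that should be N but
# currently hold some other value.
def mismatch_query(priority)
  excluded = %q{tag:("Production" OR "DMZ*" OR "PCI" OR "NPPI")}
  criteria = case priority
             when 10 then %q{tag:("DMZ*" OR "PCI" OR "NPPI")}
             when 9  then %q{tag:"Production" AND -tag:("DMZ*" OR "PCI" OR "NPPI")}
             when 8  then %Q{os:"*Windows*" AND -#{excluded}}
             when 7  then %Q{-os:"*Windows*" AND -#{excluded}}
             else raise ArgumentError, "no rule for priority #{priority}"
             end
  "#{criteria} AND -priority:#{priority}"
end

# Returns [{id:, from:, to:}] for every asset whose current priority disagrees
# with the methodology. New assets arrive at the default of 10, so most entries
# will be 10 -> something lower.
def priority_changes(assets)
  assets.filter_map do |a|
    want = target_priority(a)
    { id: a[:id], from: a[:priority], to: want } if a[:priority] != want
  end
end

# Constructed sample inventory (not real data).
SAMPLE_ASSETS = [
  { id: 1, os: 'Windows Server 2019', tags: %w[Production],         priority: 10 },
  { id: 2, os: 'Ubuntu 22.04',        tags: %w[Development],        priority: 10 },
  { id: 3, os: 'Windows 10',          tags: %w[Testing],            priority: 10 },
  { id: 4, os: 'RHEL 8',              tags: %w[DMZ-web Production], priority: 9 },
  { id: 5, os: 'Windows 11',          tags: %w[PCI],                priority: 10 },
].freeze

if __FILE__ == $PROGRAM_NAME
  priority_changes(SAMPLE_ASSETS).each do |c|
    puts "asset #{c[:id]}: priority #{c[:from]} -> #{c[:to]}"
  end
  [10, 9, 8, 7].each { |p| puts "#{p}: #{mismatch_query(p)}" }
end
```

Run it directly to see the change set for the sample inventory (assets 1 to 4 move to 9, 7, 8 and 10 respectively; asset 5 is already correct) and the four risk meter queries. Keeping the rules ordered in one place is what makes the "not Production, DMZ, PCI or NPPI" exclusions unambiguous; the generated queries then match that order, so a risk meter and the script never disagree about which assets belong at which level.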
Once the risk meters are set up, you can make the adjustments manually as needed or schedule a script that makes them automatically through the API. Ruby code that already does this is available on the Samples GitHub site.
Note: The scripts have been tested and are actively used by customers, but they are not a supported part of Cisco Vulnerability Management.