Vulnerability scoring is designed to create a prioritized order of remediation.
Unlike the Common Vulnerability Scoring System (CVSS) and other static scoring methods, Cisco Vulnerability Management provides the context required to understand the true level of risk that vulnerabilities pose to an organization.
Cisco Vulnerability Management ingests, aggregates, and processes billions of pieces of data from internal and external sources, including more than 15 threat and exploit intelligence feeds. Cisco Vulnerability Management then automates the analysis of this data using proven data science algorithms to deliver an accurate, quantifiable Cisco Security Risk Score for every vulnerability.
The risk score takes into account events happening in real time, in the wild, for each vulnerability. The score then provides an estimate of the likelihood of exploitation to deliver a rank ordering of the probability of exploitation using that particular attack vector.
For network vulnerabilities, the score is based on the CVE and starts with a normalized CVSS score from the National Vulnerability Database. Cisco Vulnerability Management's vulnerability scoring algorithms then assess a wide variety of additional factors, such as ease of exploitation, active breaches, and popularity as a target, and layer these onto that base score to compile a Cisco Security Risk Score.
Vulnerabilities in Cisco Vulnerability Management are scored on a 100 point scale divided into thirds:
Green 0-33
Amber 34-66
Red 67-100
Note: If you manually override this score, the vulnerability will no longer be updated dynamically. This change cannot be reverted to display the Cisco Security Risk Score, and the change will be logged for audit purposes.
Application scores are based on the risk score from the scanner or, if the scanner score is not available, on a base CWE score (known as an inferred score). If neither is available, the vulnerability is recorded as an “informational” or zero-rated vulnerability.
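As an added illustration, not Cisco's own code or scoring algorithm, the following Python models the rules stated on this page: the three colour bands, the application-score precedence (scanner score, then inferred CWE score, then informational), and the manual override that permanently stops dynamic updates and writes an audit entry. The record fields and the audit-entry layout are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

def risk_band(score: int) -> str:
    """Map a 0-100 Cisco Security Risk Score onto the page's three bands."""
    if not 0 <= score <= 100:
        raise ValueError("score must be within 0-100")
    if score <= 33:
        return "green"
    if score <= 66:
        return "amber"
    return "red"

def application_score(scanner_score: Optional[int],
                      cwe_base_score: Optional[int]) -> Tuple[int, str]:
    """Application precedence: scanner score, else inferred CWE base, else informational (0)."""
    if scanner_score is not None:
        return scanner_score, "scanner"
    if cwe_base_score is not None:
        return cwe_base_score, "inferred"
    return 0, "informational"

@dataclass
class VulnRecord:
    # Hypothetical record shape; the identifier value is a constructed placeholder
    vuln_id: str
    score: int
    overridden: bool = False
    audit_log: list = field(default_factory=list)

    def dynamic_update(self, new_score: int) -> bool:
        """Feed-driven refresh; silently ignored once a manual override exists."""
        if self.overridden:
            return False
        self.score = new_score
        return True

    def manual_override(self, new_score: int, actor: str) -> None:
        """Irreversible per the page: the record stops tracking the dynamic score."""
        self.audit_log.append({"actor": actor, "from": self.score, "to": new_score})
        self.score = new_score
        self.overridden = True
```

Running the band check against each boundary (33/34, 66/67) confirms the thirds line up as the table states.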
The flow chart below provides a simplified view of how a vulnerability score is assessed.