Vulnerability scoring is designed to create a prioritized order of remediation.
Unlike the Common Vulnerability Scoring System (CVSS) and other static scoring methods, Cisco Vulnerability Management provides the context required to understand the true level of risk that vulnerabilities pose to an organization.
Cisco Vulnerability Management ingests, aggregates, and processes billions of pieces of data from internal and external sources, including more than 15 threat and exploit intelligence feeds. Cisco Vulnerability Management then automates the analysis of this data using proven data science algorithms to deliver an accurate, quantifiable risk score for every vulnerability.
The Kenna risk score takes into account events happening in real-time, in the wild, for each vulnerability. The score then provides an estimate of the likelihood of exploitation to deliver a rank ordering of the probability of exploitation using that particular attack vector.
For network vulnerabilities, the score is based upon CVE and starts with a normalized CVSS score from the National Vulnerability Database. Kenna's vulnerability scoring algorithms then assess a wide variety of factors in addition to this score, such as ease of exploitation, active breaches, and popularity as a target, etc and this is layered onto that base score to compile a Kenna risk score.
Vulnerabilities in Cisco Vulnerability Management scored on a 100 point scale divided into thirds:
Application scores are based on the risk score from the scanner or a base CWE score if the scanner score is not available (known as an inferred score). If neither are available, then this will be recorded as an “informational” or zero-rated vulnerability.
The flow chart below provides a simplified view of how a vulnerability score is assessed.