Managing Risk-Based SLAs

You can use a Service Level Agreement (SLA) to set a risk tolerance based on your organization's appetite for risk. There are two types of SLAs to choose from:

  • Dynamic - allows the SLA due date to be updated automatically when the Cisco Security Risk Score changes between risk categories: low, medium, high. Scores typically need to change by 20 points to graduate from low to medium risk, and end users have the capability to define due date buckets based on custom score ranges for their environment. Note that if you have configured custom ranges for setting due dates, those ranges will be used instead of the default ranges.

    Choosing the dynamic SLA option does not affect any dues dates that were manually set, including those that were set using the API. On the details page for a vulnerability, you can see which due dates were updated and the source of the update.

    Note that the dynamic SLA feature is not automatically applied to existing SLAs. If you want to use the dynamic SLAs functionality, you must edit your existing SLAs and select the Dynamic SLAs option.

  • Standard - the SLA due date will not change once it has been set.
  • Persistent due date allows your organization to retain a due date across assets within a group. For example, if you are in an environment where due dates need to be consistent regardless of underlying assets.
    Note: You cannot combine a persistent due date SLA with a Dynamic or matrix SLA.

Benefits of using Dynamic SLAs

  • Implement SLA Policies once: Customers can define their SLA policies once, with the assurance that the due dates of vulnerabilities will automatically be updated if there is a change in the vulnerability risk score that necessitates a change in the due date, given the established policies.
  • Regulate when due dates are modified: Due dates will be recalculated based on changes to risk scoring and prioritization corresponding to the risk profiles defined by the customer. Customers can set their own thresholds for asset and vulnerability severity to maintain control over when a due date should be adjusted.
  • Remediate Risk Efficiently: Cisco Vulnerability Management prioritizes the vulnerabilities that, if remediated, will have the greatest impact on your risk score reduction. With established SLA policies and updated risk scores, automatic due date adjustments ensure that remediation teams focus on the most critical risks.

Prerequisite:

You must be a customer administrator to create, update, or delete SLAs.

Important to Note

  • Existing SLAs do not require risk tolerance.
  • If you haven’t set up SLAs previously, you will be prompted to set a risk tolerance. This is a one-time configuration that you can modify. When you set a risk tolerance it is for your entire organization and cannot be set on a per SLA basis.
  • A due date will not change once it has been set unless you select the Dynamic SLAs option when you create or edit the SLA. When you select this option, the SLA due date will automatically update when the Cisco Security Risk Score changes.
  • After you have enabled dynamic SLAs for a policy, if you change a setting (such as days) in the policy, then the due date may update even without a score change. For example, if you have set a risk score of 90 with 50 days to remediate the vulnerabilities, but then you enable dynamic SLAs and change the days settings for the risk score of 90 to 10 days, then the due date will be recalculated appropriately.
  • If you use dynamic SLAs and you haven’t manually set an Asset Priority, Cisco Vulnerability Management assigns a value of 10 to any assets.
  • When you reset an SLA, the original manually assigned due date for the vulnerability will be removed overnight and a new due date will be assigned based on the vulnerability's associated SLA policy.
  • You don’t have to update any of your existing risk meters. When you set up an SLA you choose which existing risk meters to associate with it. For example, if you have risk meters for Windows Servers, you can create an SLA and associate those Windows Servers risk meters to it.

Create a new SLA

For information about changing existing SLAs for your organization, refer to the "Edit an SLA" section below.

1. From the Cisco Vulnerability Management UI, click the settings icon (Settings-icon.png) and select SLAs.

Screen Shot 2020-04-22 at 3.56.35 PM.png

2. In the Service Level Agreement window, click Setup SLAs.

SLA-Start.png

Important: If you already have SLAs, you will not see the wizard. Instead, you will see an SLA Preferences option that you can click to edit your SLA preferences.

SLA-List-of-Already-Created.png

3. In the Setup SLAs pop-up, you can select your risk tolerance from these three options.

Option Definition
Benchmark Plan to meet the mean time to remediate benchmark.
Faster than peers Plan to remediate 50% faster than peers.
Faster than attackers Plan to remediate as early as a vulnerability is likely to be exploited.

Setup-SLAs-Risk-Tolerance.png

 

Note: Depending on the option you select, Cisco Vulnerability Management’s suggested SLA provides a guideline based on your Vulnerability Score and Asset Priority factors.

4. Click Next.

5. Select a Due Date Basis for your SLA. 
Note: When you set a Due Date basis it is for your entire organization and cannot be set on a per SLA basis.

Setup-SLAs-NEW.png

6. Click Next.

7. For the What does this SLA apply to option, depending on your maturity and needs, you can choose to apply the option to All risk meters or to Specific risk meters.
Select-risk-meters - small.png

 

8. If you chose the Specific risk meters option, in the drop-down list, select any risk groups that you want to apply the SLA to.

9. In the What is the name of your SLA field, enter a name for your SLA that is easily identifiable.

10.  If you select the SLA matrix option, you can edit Cisco Vulnerability Management’s suggested SLAs by selecting the checkbox of the SLA you want to change and clicking the pencil icon. After you click the pencil, the days will become editable. To save your change, click the check mark that replaces the pencil. After you save the change, if the date that you changed to is not a Cisco Vulnerability Management suggested date, an asterisk (*) displays so you can quickly see that a change has been made to the date. If you do not click the check mark your change will not be saved.

Important: You cannot change the Vulnerability Score and Asset Priority ranges in the SLA Matrix. You must use the Single SLA option to set those custom ranges.

Important: Persistent due dates are not supported for matrix SLAs. Only single style SLAs support persistent due dates.
SLA-Matrix.png

11. If you select the Single SLA option, you can set a Vulnerability Score and Asset Priority.

Single-SLA.png

12. In the Dynamic SLAs section, select the Dynamic SLAs option if you want your SLA due date to automatically change if the Cisco Security Risk Score for a vulnerability changes.

13. Click Save and Close.

14. If you want to view the SLA that you just created, click the settings icon (Settings-icon.png), and select SLAs.

Resolving conflicts

If you encounter issues when you are enabling Dynamic SLAs and Persistent Due Dates, messages will display to help you resolve any conflicts.

Persistent Due Dates can only be enabled when both of the following requirements are true:

  • the policy type is Single SLA
  • the risk meters that you select to apply the policy to are not covered by an SLA policy that is enabled for Dynamic SLAs

Dynamic SLAs can only be enabled when the following requirement is true:

  • the risk meters that you select to apply the policy to are not covered by an SLA policy that is enabled for Persistent Due Dates

You can apply an SLA to multiple risk meters that use either Dynamic SLAs or Persistent Due Dates but not both simultaneously. If you are trying to apply an SLA to all risk meters, a message displays that tells you to either apply the SLA to select risk meters instead or adjust your existing SLA policies.

Adjust-existing-SLA-policy.png

If you are trying to apply an SLA to select risk groups, and conflicts exist, you can click Remove Dynamic SLA Groups to clear up to 50 conflicted risk groups. If there are more than 50 conflicts, the next batch of risk groups will display, and you can click Remove Dynamic SLA Groups again to clear them.

Remove-Dynamic-SLA-Groups-Button.png

If you are trying to apply an SLA to select risk groups, you are using persistent due dates, and conflicts exist, you can click Remove Persistent Due Date Groups to clear up to 50 conflicted risk groups. If there are more than 50 conflicts, the next batch of risk groups will display and you can click Remove Persistent Due Date Groups again to clear them.

Remove-Persistent-Due-Dates-Button.png

 

Edit an SLA

You can edit an SLA after you have created it. For example, you can change an SLA to be a Dynamic SLA.

1. From the Cisco Vulnerability Management UI, click the settings icon (Settings-icon.png) and select SLAs.

2. In the SLAs table, click the pencil beside the SLA that you want to edit.

SLA-Edit.png

3. Make the changes.

4. Click Save and Close.

 

Edit your SLA Preferences

You can edit your SLA preferences after you have created an SLA.

1. From the Cisco Vulnerability Management UI, click the settings icon (Settings-icon.png) and select SLAs.

2. In the SLAs table, click the SLA Preferences option.
SLA-List-of-Already-Created.png

3. In the SLA Preferences window, you can change the Risk Tolerance or Due Date basis. 
* If you want to change the Risk Tolerance, click the pencil icon, and make your changes. For example, you can change your tolerance from "Benchmark" to "Faster than your peers".

* If you want to change the Due Date Basis, click the pencil icon, and make your changes. For example, you can change your due date basis from "Discovery date" to "Created at".

4. Click Save and Close.

 

Delete an SLA

1. From the Cisco Vulnerability Management UI, click the settings icon (Settings-icon.png) and select SLAs.

2. In the SLAs table, click the trash can icon beside the SLA that you want to delete.

SLA-Trash-Can.png

3. In the confirmation pop-up window, click Delete SLA.

SLA-Delete-Confirm2.png

View the Due Date Changes table for vulnerabilities that have had their due dates set manually

You can check the Due Date Changes table for vulnerability due dates that were changed manually. The table allows you to quickly see the asset that the vulnerability is associated with, the entity that set the date, and what the due date was changed to. Note that only administrators have access to the Due Date Changes table.

  1. From the Cisco Vulnerability Management UI, click the settings icon (Settings-icon.png) and select SLAs.
  2. Beside the SLAs table, click the Due Date Changes option.

    SLA-Due-Date-Changes-button.png

The due date table displays. You can use the Search by list and the Search field to help you find what you’re looking for.
SLA-Due-Date-Table-Empty.png

Use the Due Date Changes Table to Reset the SLA for One Vulnerability

Administrators can manually reset an SLA for one vulnerability if it has had its due date set by a user or the API. When you reset an SLA, the original manually assigned due date for the vulnerability will be removed overnight and a new due date will be assigned based on the vulnerability's associated SLA policy. If the vulnerability is not associated with any SLA policy, then the due date will remain null unless it becomes associated with an SLA policy or gets a due date added by a user again.

Note: If your organization sets due dates based on a fix, and there is no fix available, a new due date is not set or calculated.

1. From the Cisco Vulnerability Management UI, click the settings icon (Settings-icon.png) and select SLAs.

2. Beside the SLAs table, click the Due Date Changes option.
SLA-Due-Date-Changes-button.png

3. In the Due Date Changes table, select the vulnerability that you want to make changes to, and click the button in the Reset to SLA column.
SLA-Due-Date-Table-Full.png

4. In the Reset Due Date pop-up window, click Reset Due Date.
Reset-Due-Date-Single.png

Use the Due Date Changes Table to Bulk Reset the SLAs for Multiple Vulnerabilities

Administrators can manually bulk reset SLAs for vulnerabilities if the vulnerabilities have had their due dates set by a user or the API. When you reset an SLA, the original manually assigned due date for the vulnerability will be removed overnight and a new due date will be assigned based on the vulnerability's associated SLA policy.

Note: If your organization sets due dates based on a fix, and there is no fix available, a new due date is not set or calculated. 

1. From the Cisco Vulnerability Management UI, click the settings icon (Settings-icon.png) and select SLAs.

2. Beside the SLAs table, click the Due Date Changes option.
SLA-Due-Date-Changes-button.png

3. In the Due Date Changes table, select the vulnerabilities that you want to make changes to and click Bulk Reset.
Note: To select all vulnerabilities that have had their due dates changed not just the vulnerabilities that display on the screen, click the checkbox beside Vulnerability in the table header and then click the "Select all vulnerabilities across all pages" link below Vulnerability. The number of vulnerabilities that you are resetting displays in the Bulk Reset button.
SLA-Due-Date-Table-Bulk.png

4. In the Bulk Reset Due Date pop-up window, click Reset Due Dates.
Reset-Due-Date-Bulk.png

 

Use the Description Tab to Reset an SLA for a Vulnerability

Users can manually reset the SLA for a vulnerability. When you reset an SLA, the original manually assigned due date for the vulnerability will be removed overnight and a new due date will be assigned based on the vulnerability's associated SLA policy.

Note: If your organization sets due dates based on a fix, and there is no fix available, a new due date is not set or calculated. 

  1. On the VM Explore page, click the Vulnerabilities tab.
  2. Click the vulnerability that you want to reset.
  3. On the Description tab, in the Due Date section, click Edit.
    SLA-Due-Date-Edit-Button.png
  4. Clear the field and click Save.
  5. In the Reset Due Date pop-up message, click Reset to SLA.
    Due-Date-Description-tab-reset-popup-user-clear.png
    Note:
    The vulnerability will be queued for processing.
    Vulnerability queued for processing.png

Use the Due Date Additional Field to Reset the SLA for a Vulnerability

You can use the Due Date Additional field to reset the SLA for a vulnerability so that it will be updated automatically if the Cisco Security Risk Score changes. When you reset an SLA, the original manually assigned due date for the vulnerability will be removed overnight and a new due date will be assigned based on the vulnerability's associated SLA policy. 

Note: If your organization sets due dates based on a fix, and there is no fix available, a new due date is not set or calculated.

  1. Select a vulnerability that you want to reset the SLA for.
  2. Click Edit.
  3. In the Additional Fields section, select the Due Date option.
    Additional-fields.png
  4. Click Continue.
  5. On the Edit Custom Fields pop-up page, click Reset to SLA.
    Edit-Custom-Fields.png

View how the due date for a vulnerability was set

The due date for vulnerabilities can be set by a user, the API, or a policy. 

  1. Click VM > Explore.
  2. Click the Vulnerabilities tab.
  3. Click the vulnerability that you want to view the due date for.
  4. Scroll down to the Due Date field. You can hover over the icon beside the date to see more information.

What set the date

Icon

User Set-by-user.png
API Set-by-API.png
Policy Set-by-SLA-policy.png
Connector Set-by-Connector.png

 

 

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

0 comments

Please sign in to leave a comment.