In this help article, we will break down the 3 main components of scoring within the UI. Understanding these scoring concepts for vulnerabilities, assets, and risk meters will help you navigate and use the Cisco Vulnerability Management Platform more effectively!
Component 1: Vulnerability Scoring
Within Cisco Vulnerability Management, vulnerabilities from your various scanning vendors are brought in during connector runs and normalized based on the CVE ID, CWE ID, or the WASC identifier.
For network vulnerabilities, Cisco Vulnerability Management starts from the CVSS base score for the CVE. We then consult the 20+ threat and exploit feeds we have to understand the volume and velocity of attacks against that CVE, whether malware is available for it, whether it is easy to exploit, whether it is actively being exploited in the wild, etc. All of these details together derive the Kenna Vulnerability Score.
For application vulnerabilities, scores are based on the risk score from the scanner, or on a base CWE score if a scanner score is not available.
Vulnerabilities get a score from 0-100 and are broken out into thirds:
Green 0-33
Amber 34-66
Red 67-100
Component 2: Asset Scoring
When Cisco Vulnerability Management derives the score for an asset, we look at the highest-scored vulnerability present on the asset. Cisco Vulnerability Management uses the methodology that an asset is as at risk as its highest vulnerability. This is an important concept to understand because the asset score is NOT an average of all the vulnerabilities that are present. As you remediate vulnerabilities on an asset, if the vulnerabilities you remediate are not the highest-scored ones, the asset score will not change.
Assets get a score from 0-1000 and are broken out into thirds rounded to the nearest 10:
Green 0-330
Amber 340-660
Red 670-1000
The default asset score is calculated by taking the highest-scored vulnerability and multiplying it by the asset priority. Asset Priority is set to 10 by default but is adjustable per asset. For more information regarding Asset Priority, please see the article below or discuss with your CX team.
https://help.kennasecurity.com/hc/en-us/articles/360000862303-Asset-Prioritization-In-Kenna
| Highest Vuln Score | X | Asset Priority | = | Default Asset Score |
|---|---|---|---|---|
| 100 | X | 10 | = | 1000 |
| 80 | X | 10 | = | 800 |
| 100 | X | 7 | = | 700 |
| 70 | X | 6 | = | 420 |
Internal vs External IP Scoring
In addition to the default asset score discussed above, Cisco Vulnerability Management also applies a 200 point increase in score if the asset has an External IP Address, because external-facing assets represent a higher risk. By default, Cisco Vulnerability Management considers any asset with an IP outside of 10.*, 172.16.0.0-172.31.255.255, and 192.168.* to be an External asset. You will see a score increase of 200 points if the asset is considered external. The maximum score for an asset is still 1000.
*Please note that this external 200 point bump can be disabled for those customers who use publicly routable IP space internally. Please discuss with your CX team member for more information.*
| Highest Vuln Score | X | Asset Priority | = | Default Asset Score | External IP? | + | Final Asset Score |
|---|---|---|---|---|---|---|---|
| 100 | X | 10 | = | 1000 | yes | 200 | 1000 |
| 80 | X | 10 | = | 800 | no | 0 | 800 |
| 100 | X | 7 | = | 700 | yes | 200 | 900 |
| 70 | X | 6 | = | 420 | yes | 200 | 620 |
Component 3: Risk Meter Score
The last component of scoring is the Risk Meter Score. This score is calculated by taking the average of all of the active, non-zero-scored assets within the group. Risk Meters get a score between 0-1000 and are broken out into thirds rounded to the nearest 10:
Green 0-330
Amber 340-660
Red 670-1000
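To make the asset and risk meter arithmetic above concrete, here is an added example that is not Cisco's or Kenna's own code: it reproduces the default asset score, the 200 point external bump using the private ranges listed in this article, the 1000 cap, and the risk meter average. The band boundaries for scores that fall between the published thresholds (for example 331-339) are an assumption, as is the use of a single asset IP to decide "external".

```python
import ipaddress

# Private ranges named in the article; anything else counts as external.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),   # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),
]
EXTERNAL_BUMP = 200
MAX_ASSET_SCORE = 1000


def is_external(ip):
    """True if the address is outside the three private ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_RANGES)


def asset_score(vuln_scores, priority=10, ip=None, external_bump_enabled=True):
    """Highest vuln score x priority, plus 200 if external, capped at 1000.

    Remediating anything other than the highest-scored vuln leaves the
    result unchanged, which is the point the article stresses.
    """
    if not vuln_scores:
        return 0
    score = max(vuln_scores) * priority
    if external_bump_enabled and ip is not None and is_external(ip):
        score += EXTERNAL_BUMP
    return min(score, MAX_ASSET_SCORE)


def asset_band(score):
    """Green/Amber/Red using the 330/660 boundaries from the article.
    Assumption: gap values such as 335 are assigned to the lower band."""
    if score <= 330:
        return "green"
    if score <= 660:
        return "amber"
    return "red"


def risk_meter_score(asset_scores):
    """Average of the active, non-zero-scored assets in the group."""
    active = [s for s in asset_scores if s > 0]
    if not active:
        return 0
    return round(sum(active) / len(active))
```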