Understanding Vulnerability, Asset and Risk Meter Scoring

In this help article, we will break down the 3 main components of scoring within the UI. Understanding these scoring concepts for vulnerabilities, assets and risk meters will help you to navigate and use the Cisco Vulnerability Management Platform more effectively!

Component 1: Vulnerability Scoring

Within Cisco Vulnerability Management, vulnerabilities from your various scanning vendors are brought in during connector runs and normalized based on the CVE ID, CWE ID or the WASC identifier.

For network vulnerabilities, Cisco Vulnerability Management will look at the CVSS base score for the CVE. We then look at the 20+ threat and exploit feeds we have to understand the volume and velocity of attacks against that CVE, if there is malware available, if it is easy to exploit, whether it is actively being exploited in the wild, etc. All of these details help derive the Kenna Vulnerability Score.

For application vulnerabilities, scores are based on the risk score from the scanner, or on a base CWE score if a scanner score is not available.

Vulnerabilities get a score from 0-100 and are broken out into thirds:

Green 0-33

Amber 34-66

Red 67-100


Component 2: Asset Scoring

When Cisco Vulnerability Management derives the score for an asset, we look at the highest-scored vulnerability present on the asset. Cisco Vulnerability Management treats an asset as being as at risk as its highest-scored vulnerability. This is an important concept to understand because the asset score is NOT an average of all the vulnerabilities that are present. As you remediate vulnerabilities on an asset, the asset score will not change unless you remediate the highest-scored vulnerability.

Assets get a score from 0-1000 and are broken out into thirds rounded to the nearest 10:

Green 0-330

Amber 340-660

Red 670-1000

The default asset score is calculated by taking the highest-scored vulnerability and multiplying it by the asset priority. Asset Priority is set to 10 by default but is adjustable per asset. For more information regarding Asset Priority, please see the article below or discuss with your CX team.

https://help.kennasecurity.com/hc/en-us/articles/360000862303-Asset-Prioritization-In-Kenna

Highest Vuln Score   X   Asset Priority   =   Default Asset Score
100                  X   10               =   1000
80                   X   10               =   800
100                  X   7                =   700
70                   X   6                =   420

Internal vs External IP Scoring

In addition to the default asset score discussed above, Cisco Vulnerability Management also applies a 200 point increase in score if the asset has an External IP Address. This is because external-facing assets represent a higher risk. By default, Cisco Vulnerability Management considers any asset with an IP address outside 10.*, 172.16.0.0-172.31.255.255 and 192.168.* to be an External asset. You will see a score increase of 200 points if the asset is considered external. The highest possible asset score is still 1000.

*Please note that this external 200 point bump can be disabled for those customers who use publicly routable IP space internally. Please discuss with your CX team member for more information.*

Highest Vuln Score   X   Asset Priority   =   Default Asset Score   External IP?   +     Final Asset Score
100                  X   10               =   1000                  yes            200   1000
80                   X   10               =   800                   no             0     800
100                  X   7                =   700                   yes            200   900
70                   X   6                =   420                   yes            200   620

Component 3: Risk Meter Score

The last component of scoring is the Risk Meter Score. This score is calculated by taking the average of all of the active, non-zero scored assets within the group. Risk Meters can get a score between 0-1000 and are broken out into thirds rounded to the nearest 10:

Green 0-330

Amber 340-660

Red 670-1000
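The asset and Risk Meter calculations above, worked through in code. This is an added example written for this article, not Cisco Vulnerability Management's own implementation; the function names, the TEST-NET sample IP addresses and the sample vulnerability scores are constructed for illustration, and the Risk Meter average is rounded to the nearest whole number as an assumption.

```python
from ipaddress import ip_address, ip_network

# The three ranges the article treats as internal; everything else is External.
INTERNAL_RANGES = [ip_network("10.0.0.0/8"),
                   ip_network("172.16.0.0/12"),
                   ip_network("192.168.0.0/16")]
EXTERNAL_BUMP = 200      # added once for an asset with an External IP
MAX_ASSET_SCORE = 1000   # asset score is capped here


def is_external(ip: str) -> bool:
    """True unless the address falls inside one of the internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_RANGES)


def asset_score(vuln_scores, priority=10, ip="10.0.0.1", external_bump_enabled=True):
    """Highest vuln score x asset priority, plus the external bump, capped at 1000.

    Only the top-scored vulnerability matters: remediating any other vulnerability
    on the asset leaves this score unchanged. external_bump_enabled models the
    opt-out for customers using public IP space internally (a hypothetical flag).
    """
    if not vuln_scores:
        return 0
    score = max(vuln_scores) * priority
    if external_bump_enabled and is_external(ip):
        score += EXTERNAL_BUMP
    return min(score, MAX_ASSET_SCORE)


def risk_meter_score(asset_scores):
    """Average of the active, non-zero asset scores in the group (0 if none)."""
    nonzero = [s for s in asset_scores if s > 0]
    return round(sum(nonzero) / len(nonzero)) if nonzero else 0


def band(score, scale):
    """Green/Amber/Red thirds; scale is 100 for vulnerabilities, 1000 for assets and meters."""
    if score <= scale * 33 // 100:    # 33 or 330
        return "Green"
    if score <= scale * 66 // 100:    # 66 or 660
        return "Amber"
    return "Red"


# Constructed assets reproducing the four rows of the External IP table.
GROUP = [asset_score([100], 10, "203.0.113.5"),       # 1000 + 200, capped at 1000
         asset_score([80, 35, 12], 10, "10.20.30.40"),  # 800, internal, no bump
         asset_score([100], 7, "198.51.100.9"),        # 700 + 200 = 900
         asset_score([70], 6, "192.0.2.10")]           # 420 + 200 = 620
```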
