Learn all about Security Posture Rating
Configuration and Usage
SPR (Security Posture Rating)
SPR is the main KPI driving the Vulnerability Management (VM) program through your Vulcan Platform. It helps you track the progress of the VM program towards its risk-management goal, prioritize remediation resources, and identify strategic risk pitfalls. The SPR helps you understand the overall security posture status and the security status of the various business units (business groups).
The SPR value (in %) is the percentage of scanned assets that comply with a defined threshold for maximum risk. Any asset that has no vulnerability over the predefined threshold complies with the organization's risk appetite.
As a KPI, the SPR measures the percentage of risk-compliant assets among scanned assets only.
How is the SPR calculated?
Once we have all the pieces in place, the calculation is simple:
Calculate a risk score for each asset: the maximum atomic risk among the vulnerability instances that affect it
Count the number of assets with risk scores below the SPR threshold
Calculate the percentage of these out of the entire relevant asset population, excluding unscanned assets
SPR KPI is measured and calculated for the entire environment, as well as for each Business Group configured in the platform.
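The three steps above, together with the per-Business-Group breakdown mentioned here and in the "SPR per Business Group" section, as an added worked example. This is illustrative Python written for this page, not code from the Vulcan platform; the asset records, group names, risk scores and the threshold of 80 are constructed for the example, and an asset's risk score is taken as the maximum atomic risk of its vulnerability instances, exactly as the calculation steps describe.

```python
from collections import defaultdict

# Constructed sample inventory (not real platform data). Each record carries the
# business group, whether a vulnerability scanner has assessed the asset, and the
# atomic risk scores of the vulnerability instances found on it.
ASSETS = [
    {"name": "web-01",    "group": "Web",  "scanned": True,  "instances": [45, 79]},
    {"name": "web-02",    "group": "Web",  "scanned": True,  "instances": [80]},     # exactly at threshold
    {"name": "web-03",    "group": "Web",  "scanned": True,  "instances": []},       # scanned, 0 vulnerabilities
    {"name": "db-01",     "group": "Data", "scanned": True,  "instances": [92, 30]},
    {"name": "db-02",     "group": "Data", "scanned": True,  "instances": [69]},
    {"name": "cmdb-only", "group": "Data", "scanned": False, "instances": []},       # CMDB record, no VA data
]

SPR_THRESHOLD = 80  # assumed organizational risk threshold (Settings > Risk)


def asset_risk_score(instances):
    """Step 1: an asset's risk score is the maximal atomic risk of its instances (0 if none)."""
    return max(instances, default=0)


def is_secure(instances, threshold):
    """Step 2 criterion: secure means strictly below the threshold; a score equal to it is non-compliant."""
    return asset_risk_score(instances) < threshold


def risk_mass(assets):
    """Risk mass: the sum of every atomic risk across all vulnerability instances."""
    return sum(sum(a["instances"]) for a in assets)


def spr(assets, threshold):
    """Step 3: percentage of secure assets among scanned assets only.

    Assets without vulnerability-assessment data (CMDB-only records) are excluded
    from the population. Returns None when no scanned assets exist, so a group with
    only CMDB records does not masquerade as 0% or 100% compliant.
    """
    scanned = [a for a in assets if a["scanned"]]
    if not scanned:
        return None
    secure = sum(1 for a in scanned if is_secure(a["instances"], threshold))
    return 100.0 * secure / len(scanned)


def spr_by_group(assets, threshold):
    """The same KPI computed per Business Group."""
    groups = defaultdict(list)
    for a in assets:
        groups[a["group"]].append(a)
    return {group: spr(members, threshold) for group, members in groups.items()}


if __name__ == "__main__":
    print(f"Organization SPR: {spr(ASSETS, SPR_THRESHOLD):.1f}%")
    for group, value in spr_by_group(ASSETS, SPR_THRESHOLD).items():
        print(f"  {group}: {value:.1f}%")
    print(f"Risk mass: {risk_mass(ASSETS)}")
```

With the sample data, five assets are scanned and three of them (web-01 at 79, web-03 at 0, db-02 at 69) fall below 80, so the organization-wide SPR is 60%; web-02 shows why the comparison is strict, since its single instance scoring exactly 80 makes it non-compliant, and cmdb-only is never counted in either the numerator or the denominator.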
What assets are excluded from the SPR calculation?
Vulcan allows you to ingest CMDB or other asset repository data into the platform to enrich your vulnerability information with business context. A side effect of that ingestion is a plethora of CMDB data which is not necessarily relevant to remediation and does not appear in Vulnerability Assessment scanner data.
Thus, the SPR calculation does not take into account assets for which there is no Vulnerability Assessment data. The asset population that the KPI is measured against consists only of assets that are scanned by a scanner and could potentially have vulnerabilities discovered on them, including assets that were scanned and found to have 0 vulnerabilities affecting them.
What is a secure asset?
An asset is considered secure when its risk score is below the organizational risk compliance threshold that you have set.
What is an atomic risk?
Atomic risk is the risk of a vulnerability instance based on the technical risk, threats, and asset impact (tags). The KPI is calculated based on the atomic risk for vulnerabilities on a given asset.
What is Risk mass?
Risk mass is the sum of all the calculated atomic risks of all vulnerability instances at a given time.
What is the "SPR Vulcan community average"?
The Vulcan community average displays the average SPR found across the Vulcan customer community. We calculate a simple average to provide you with benchmark information and help you improve your security posture. This community average serves as a benchmark reference for how other environments maintain an acceptable attack surface level that complies with their risk policy.
Define the SPR threshold
To define your organizational security posture threshold:
Go to Settings > Risk
Set the threshold (an atomic risk score)
Note: Only assets with (atomic) risk scores strictly below this threshold will be complying with your security posture policy; an asset whose risk score equals the threshold is non-compliant.
Any asset with a risk score smaller than the configured threshold (80 in the example above) will be considered secure (below your risk threshold). This means that an asset with a risk score above 69 but still below 80 will be considered secure (compliant). However, an asset with at least a single vulnerability with a risk score of 80 will be non-compliant.
SPR per Business Group
To measure progress across Business Groups and see which Business Groups carry more risk than others, Vulcan automatically calculates the SPR per Business Group and presents the relative SPR compliance of each Business Group. The same also applies to the SPR of the entire organization.
You can see the SPR per Business Group on the Vulnerabilities page as well as on the Dashboard page.