Vulnerabilities-focused vs. Assets-focused risks
Once your connectors are synced, and you are ready to review and manage your risk, you'll probably go to the Vulnerabilities or Assets pages. This is where you can review and filter your data to focus on what matters to you the most. Some CISOs tend to focus on the security posture state of specific assets or asset groups, while others focus on high-risk vulnerabilities all across the organization. This is why we have two pages to start from; Assets and Vulnerabilities.
Risks and data presented on the Vulnerabilities page vs. the Assets page
There are two main approaches to evaluating and reviewing risks and vulnerabilities in the Vulcan Platform:
Both approaches present the same exact info, just from a different perspective.
On the Vulnerabilities page, your high-level view starts with vulnerabilities and breaks down to assets. In contrast, the Assets page starts with assets and breaks down to vulnerability instances. Whatever view you prefer, the risk calculation and data are the exact same.
Evaluating risks through the Vulnerabilities page
Unique-vulnerability risk calculation
When we have a vulnerability, we want to understand its risk and prioritization in our environment. What you should care about the most is the Max risk score of a vulnerability. But first, let's look at a single vulnerability and understand its risk calculation.
Go to the Vulnerabilities page and take a look at the presented vulnerabilities.
Each Vulnerability has a Max Risk and a Min Risk.
Max Risk vs. Min Risk
Max Risk of a unique vulnerability equals the highest risk found for the vulnerability instance affecting a specific asset. Min Risk is the lowest risk score of the vulnerability instance affecting a specific asset.
Vulnerability-instance risk calculation
Now that we know what the Max Risk stands for, we need to understand how the vulnerability instance risk is calculated.
The vulnerability instance risk score ("atomic risk") stands for the individual risk associated with a single vulnerability on a single asset. All the risk calculations, SLAs, and automation are highly based on the vulnerability instance risk.
So, what is the vulnerability instance risk score comprised of?
A vulnerability instance risk score calculates 3 factors; Technical Severity, Threats, and Tags. To calculate the final and business-contextualized risk of a vulnerability instance, Vulcan uses the risk weights you defined.
CVSS or other scores as provided by the scanning vendor.
0 - 100 (including decimal point)
Exploits, malware, OWASP Top 10, and other threat intelligence in the wild.
The tags "Weaponized" and "Exploitable" grant a score of 100.
Any other tag grants a score of 0.
Tags (Asset Tags and Business Groups)
The impact (High, Medium, Low) of tags on the vulnerable assets. This determines how impactful a vulnerability breach will be to your business. When multiple tags are assigned to the same asset - the tag with the highest impact is the one counted in the calculation.
0, 50, 100
Note: Threats are used in the calculation only for vulnerabilities that have CVEs. For non-CVE vulnerabilities, only Technical Severity and Tags are used in the calculation.
Let's take the "KB4551853: Windows 10 Version 1809 and Windows Server 2019 May 2020 Security Update" vulnerability instance on the "SCCM-VULCAN19" asset and analyze its risk calculation based on each of the factors.
The Technical Severity gathered on the vulnerability is 9.9 (cvss3) = 99 score points.
The vulnerability has the Threat tags "Explotaible" and "Weaponized" which automatically grants a score of 100.
One of the vulnerability instances exists on assets tagged as "SCCM Agents" and "Critical Windows External Facing" that you defined as High Impact Tags and Business Groups, which automatically grants a score of 100.
Now let's look at the risk weights defined in the environment:
45% (0.45) for Technical Severity, 35% (0.35) for Threats, and 20% (0.2) for Tags.
The resulting calculation would be as follows:
Technical severity = 99 (9.9 cvss3)
Threats = 100
Tags = 100
(99 * 0.45) + (100 * 0.35) + (100 * 0.2) = 99.55 (auto round up to 100 atomic risk score)
Evaluating risks through the Assets page
Single asset risk calculation
When looking at assets in a cyber-security context, we should look at high-impact assets that are at high risk. This means that we prioritize assets we tagged as important and have a Critical/High-risk score as their max risk.
The max risk of an asset equals the highest risk found on a unique vulnerability affecting a specific asset, which equals the max risk of the vulnerability instance affecting the asset.
Go to the Assets page and take a look at the presented assets.
Each asset has a Max risk and vulnerability instances count. By glancing at any asset row, you can quickly gather how many vulnerability instances exist on each asset and the Max risk score of at least one of the vulnerability instances existing on this asset.
Enter an asset to see the full list of vulnerability instances on the asset and the Min-Max risk scores of all instances.
In the example below, the max risk score is 100, and the min is 64.