Introduction
Working with our dedicated customers, we often learn various best practices for using the Vulcan Cyber ExposureOS platform together. After two years of closely working with customers, our senior customer success managers produced this document to share the best practices they’ve learned with Vulcan Cyber ExposureOS customers. This will help them understand how to get the most out of the platform and use it to identify, measure, and understand an organization’s cyber risk posture.
Success criteria
A Vulcan Cyber ExposureOS customer will succeed with this capability as they identify a manageable number of critical (prioritized) vulnerabilities that can be addressed in a reasonable timeframe and meet organizational SLAs. Of course, the number of critical vulnerabilities identified depends on various factors, including company and team size, the organization’s risk appetite, and company vulnerability management processes.
Vulcan Cyber ExposureOS terminology
In this guide (and subsequent other guides), we will use terms that may differ between organizations; here is what we mean when we say:
Security Posture Rating (SPR)
SPR is the primary KPI driving the Vulnerability Management (VM) program through your Vulcan Cyber ExposureOS platform. The SPR value (in percentage) is the percentage of scanned assets complying with a defined threshold for maximum risk. All assets with risk below this threshold are risk-compliance assets, so the goal is to have the SPR as high as possible.
Finding (Instance)
A connection between a single vulnerability and a single asset.
Examples: One vulnerability affecting 10 assets will be counted as 10 findings (instances). Alternatively, one asset with 15 vulnerabilities will be counted as 15 findings (instances).
Atomic Risk
A unique risk score for a single finding (instance) is calculated by the risk score weights (that is based on technical severity, Temporal factors (threat intelligence), and Environmental factors (external access, business impact)) or by a customized risk script. We’re also referring to the atomic risk as a risk score.
Why customize risk scores?
After working with hundreds of enterprise cyber security teams, Vulcan Cyber ExposureOS recognizes the need for some organizations to determine a unique, dynamic, personalized, and customizable risk score. Organizations of all sizes should incorporate different contextual risk attributes to produce a dynamic score for each vulnerability in the system and for vulnerabilities in aggregate.
Vulcan Cyber ExposureOS supports the customization of risk scoring through the following:
Defining unique risk parameters by setting weights for the different components of the Vulcan Cyber ExposureOS Security Posture Rating algorithm. The components are static and relate to the vulnerability attributes (vulnerability technical score and vulnerability threats) and asset attributes (asset tags).
Customize your model with a Python script. Now, you can take risk flexibility even further by using a technical score other than CVSS, a combination of different threat feeds, and applying threat-related logic that fits the organization’s need to filter critical vulnerabilities. Vulcan Cyber ExposureOS risk score customization also uses asset attributes such as OS and OS version, IP subnets, software inventory, etc., to fine-tune asset context in the risk calculation.
How is it done?
Risk customization strategies vary between medium-large and enterprise companies. However, certain best practices for implementing customized risk scores apply to organizations of any size.
Medium-sized companies often have greater flexibility to experiment with scripts and redefine risk score calculations entirely. In contrast, enterprise organizations typically rely on mature risk models that standardize around a single score, such as the CVSS 3.0 Base Score or CVSS Temporal Score. These models generally do not incorporate additional vulnerability attributes into the risk calculation. Instead, enterprises assess business impact or asset group prioritization using finding-level (instance) scores.
Best practices
Use the Vulcan Cyber ExposureOS threat intelligent sources
(!) Why use Vulcan Cyber ExposureOS threat intelligence sources to set risk scores in your environment?
The Vulcan Cyber ExposureOS platform relies on threat intelligence data collected by the Vulcan Cyber ExposureOS Voyager18 research team to offer the most reliable risk rating for a given vulnerability. The exploitable information is gathered from large exploits databases, while the exploited in the wild (weaponized) and malware threats are sourced from CISA and others.
The Vulcan Cyber ExposureOS threat intelligence database is updated daily to stay ahead of the latest exploits, and vulnerability scores are adjusted accordingly. Vulcan Cyber ExposureOS correlates this data using CVE and CWE and matches it against the vulnerability database.
For further reading, please review the article on Threat Intelligence Sources and Logic.
Utilize Vulcan Cyber ExposureOS threat intelligence data to determine the severity of a vulnerability.
Add specific asset attribute(s) to the calculation.
Determine which vulnerability/asset source(s) the calculation should be applied to.
Define the risk score calculation for other vulnerability sources in the platform.
Example:
Vulnerabilities with CVE:
Critical where:
Threats = RCE AND Remote AND Exploitable
Asset tag = External facing
High where:
Threats = RCE AND Remote AND Exploitable
Medium where
Threats = Exploitable
Low where
All other vulnerabilities
Vulnerabilities without CVE:
"CVSS": 0.6, "Threats": 0.0, "Tags": 0.4
Use the Vulcan Cyber ExposureOS risk weights
(!) Why set different risk score weights to calculate risk?
Today, the risk score weights can be set globally and applied to all the sources in the platform. Using the customized risk script, you can decide to allocate the risk score weights according to your needs:
If you do not get any asset tags from source A but do get or create meaningful tags from source B, you can set the risk to be calculated without the asset tag information for source A and with the tag information for source B.
Set different risk weights for different scanners:
For Qualys and Tenable:
Vulnerabilities with CVE: Severity: 50%, Threats: 30%, Tags: 20%
Vulnerabilities W/O CVE: Severity: 85%, Tags: 15%
For HackerOne and BitSight:
Vulnerabilities with and without CVE: Use only the technical severity: 100%
For Wiz:
Set the weights according to the asset types: Hosts, container images, and cloud resources.
(!) Good to know – It is recommended to adjust the script manually over time (with the help of the Vulcan Cyber ExposureOS CS team) and to conduct periodic checks of the risk score trend in the organization.
See the risk change over time from the vulnerability’s first-seen date < X days. Triage the trend using Vulcan Cyber ExposureOS Reports (analytics).
Use other various threat intelligence sources
(!) Why use various threat intelligence sources to set the risk in your environment?
Vulcan Cyber ExposureOS already enriches vulnerability information with threat intelligence data gathered from various vulnerability DBs. Organizations that rely on TI feeds for other use cases, such as incident response, security operations, etc., can utilize this information in Vulcan Cyber ExposureOS to align prioritization with their organization’s standard and gain more insights into threat actors and threat details, exploiting the vulnerability.
Threat intelligence analysis enriches existing information by supplementing missing or incomplete data. It enhances the context of threat information that may have been buried in alerts or held in external sources.
A threat intelligence platform can improve threat detection and monitoring workflows, provide contextual threat intelligence by providing in-depth information and context about specific threats, help understand the effectiveness and relevance of threat intelligence feeds collected from various sources, and facilitate better decision-making.
Source: https://cyware.com/security-guides/cyber-threat-intelligence/what-is-threat-intel-analysis-306b
Utilize data from various threat intelligence sources to set vulnerability severity in Vulcan Cyber ExposureOS. The currently supported TI integrations list Mandiant, Recorded Future, and CTCI. Example:
Critical where:
Vulnerabilities with Mandiant Risk: Critical
An asset with an external-facing tag
High where:
Vulnerabilities with Mandiant Risk: Critical or High
An asset without an external-facing tag
Medium where:
Vulnerabilities with Mandiant Risk: Medium
Low where:
Vulnerabilities with Mandiant Risk: Low
Use different KPIs from scanners
(!) Why use different risk parameters from various scanners to set the risk in your environment?
Various scanners provide different risk scores that estimate a single vulnerability’s severity in addition to the SVSS score:
Tenable VPR (Vulnerability Priority Rating) considers the threat environmental aspect, such as the exploit code of a vulnerability becoming available or having escalated maturity.
Qualys Vulnerability Score (QVS) is a Qualys score for a vulnerability based on multiple factors associated with the CVE, such as CVSS and external threat indicators like active exploitation, exploit code maturity, CISA known exploitable, and many more.
Vulcan Cyber ExposureOS accommodates various scores from different scanners, in case you were already utilizing them before purchasing Vulcan Cyber ExposureOS or if you would like to add different threat aspects to the risk calculation in Vulcan Cyber ExposureOS.
Combine different risk parameters from a single scanner to create a unique risk score in Vulcan Cyber ExposureOS:
Use Tenable VPR along with the CVSS score. Since VPR reflects the current threat landscape, it can be leveraged with the CVSS score, accounting for a more complete view of severity.
Note that a higher VPR represents a higher likelihood of exploitation. Consider decreasing the risk of a CVE with a CVSS of 9.8 but a VPR of 2 or vice versa.
Add specific asset attribute(s) to the calculation.
Decide how the score should be mapped according to the VPR: CVSS combination.
Define the risk score calculation for other vulnerability sources if utilized.
** This practice applies to Qualys QVS, CrowdStrike Exprt.AI, BitSight Rating score, and many others. You can use a risk parameter different from CVSS or combine it with Vulcan Cyber ExposureOS risk calculation logic.
Use the CVSS temporal score
(i) Why use the temporal and environmental score metrics in the risk calculation?
The Base Score reflects the severity of a vulnerability according to its intrinsic characteristics, which are constant over time and assume the reasonable worst-case impact across different environments.
The Temporal Metrics adjust the Base Score severity of a vulnerability based on factors that change over time, such as the availability of exploit code.
The Environmental Metrics adjust the Base Score and Temporal Metric severities to a specific computing environment, considering factors such as the presence of mitigations in that environment.
Utilize CVSS, temporal, and environmental score metrics to aggregate all the conditions of a vulnerability to be defined as critical (attack vector, complexity, required privileges, remediation level, report confidence, etc.).
Add specific asset attribute(s) to the calculation.
Decide how the score should be skewed once a finding (instance) answers the abovementioned parameters.
Decide which vulnerability/asset source(s) this calculation applies to.
Define the risk score calculation for other vulnerability data sources aggregated with Vulcan Cyber ExposureOS. Example:
If the vulnerability is from Tenable Start with Risk Score = Vulcan Risk Score Offset the Risk Score by a predetermined value using the Temporal Vector String Using the Temporal Vector String, modify the risk score by the following offsets for the given vector metric and value (given in the spreadsheet) "E":{"U": Offset -10, "P": Offset -5, "F": Offset +5, "H": Offset +10}, "RL":{"O": Offset +0, "T": Offset +0, "W": Offset +0, "U": Offset +5}, "RC":{"U": Offset -5, "R": Offset +0, "C": Offset +0} *(If any metric (E, RL, or RC) is not defined, +0 offset for that metric)
How to measure success
Our goal is to deliver customized risk scoring to our customers to help reduce the percentage of critical vulnerabilities over time. We suggest following these metrics to track vulnerability risk reduction efficacy:
After adjusting the risk properly to fit the organization’s need, in most enterprises, critical vulnerabilities are between 1-2% out of total vulnerabilities – tracked by the “Vulnerability instances by Risk Level“ widget in Vulcan Cyber ExposureOS Reports (Analytics).
The negative trend of critical vulnerabilities in the SPR report.
Positive trend showing progress in remediation of critical vulnerabilities.
Critical vulnerability SLA compliance improving over time (i.e., no critical vulnerabilities exceed SLA).
Please contact your customer success manager if you have any questions or comments.