Understanding Vulnerability Risk

A best practice guide based on lessons learned from Vulcan Cyber users


Introduction

Working with our dedicated customers, we often learn, together with them, a variety of best practices for using the Vulcan Cyber platform. After two years of closely working with customers, our senior customer success managers decided to produce this document to share the best practices they’ve learned with Vulcan Cyber customers to help them understand how to get the most out of the Vulcan Cyber platform and the best ways to use Vulcan Cyber to identify, measure and understand an organization’s cyber risk posture.

Success criteria

A Vulcan Cyber customer will achieve success with this capability as they identify a manageable number of critical (prioritized) vulnerabilities that can be addressed in a reasonable timeframe and thereby meet organizational SLAs. Of course, the number of critical vulnerabilities identified depends on various factors, including company and team size; the organization’s risk appetite; company vulnerability management processes; etc.

Vulcan Cyber terminology

In this guide (and subsequent other guides), we will use terms that may differ between organizations; here is what we mean when we say:

Security Posture Rating (SPR)

SPR is the main KPI driving the Vulnerability Management (VM) program through your Vulcan platform. The SPR value (in %) is the percentage of scanned assets that comply with a defined threshold for maximum risk. All assets with risk below this threshold are risk-compliant assets, so the goal is to have the SPR as high as possible.

Vulnerability Instance

A connection between a single vulnerability with a single asset.

Examples: One vulnerability affecting 10 assets will be counted as 10 vulnerability instances. Alternatively, 1 asset having 15 vulnerabilities is counted as 15 vulnerability instances.

Atomic Risk

A unique risk score for a single vulnerability instance, calculated either from the risk score weights (based on technical severity, temporal factors (threat intelligence), and environmental factors (external access, business impact)) or by a customized risk script. We also refer to the atomic risk as the risk score.

Why customize risk scores?

After working with hundreds of enterprise cyber security teams, Vulcan Cyber recognizes a need for some organizations to determine a unique risk score that is dynamic, personalized, and customizable. Organizations of all sizes should incorporate different contextual risk attributes to produce a dynamic score for each vulnerability in the system and for vulnerabilities in aggregate.

Vulcan Cyber supports the customization of risk scoring through the following:

  • Defining unique risk parameters by setting weights for the different components of the Vulcan Security Posture Rating algorithm. The components are static and relate to the vulnerability attributes (vulnerability technical score and vulnerability threats) and asset attributes (asset tags).

  • The customization of your model with a Python script. Now you can take risk flexibility even further by using a technical score other than CVSS, a combination of different threat feeds, and applying threat-related logic that fits the organization’s need to filter critical vulnerabilities. Vulcan Cyber risk score customization also uses asset attributes such as OS and OS version, IP subnets, software inventory, etc., to fine-tune asset context in the risk calculation.

How is it done?

Risk customization best practices differ between medium- to large-sized companies and enterprises, but the best practices for a customized risk score can be applied to a company of any size.

While medium-sized companies have more leeway to experiment with the script and entirely redefine the risk calculation, enterprises often have mature risk models that use a single risk score, such as the CVSS 3.0 base score or the CVSS temporal score, and don’t make additional use of other vulnerability attributes in the risk model. They determine business impact or asset tag groupings through vulnerability instance scores.

Best practices

Use the Vulcan Cyber threat intelligence sources

(!) Why use Vulcan Cyber threat intelligence sources to set risk scores in your environment?

  • The Vulcan Cyber platform relies on threat intelligence data collected by the Vulcan Cyber Voyager18 research team to offer the most reliable risk rating for a given vulnerability. The exploitable information is gathered from large exploit databases, while the exploited-in-the-wild (weaponized) and malware threats are sourced from CISA and others.

  • To stay ahead of the latest exploits, the Vulcan Cyber threat intelligence database is updated daily with vulnerability scores adjusted accordingly; Vulcan correlates this data using CVE and CWE, matching against Vulcan’s vulnerability database.

  • For further reading, please review the Threat Intelligence Sources and Logic article.

  1. Utilize Vulcan Cyber threat intelligence data to determine the severity of a vulnerability.

    1. Add specific asset attribute(s) to the calculation.

    2. Determine which vulnerability/asset source(s) the calculation should be applied to.

    3. Define the risk score calculation for other vulnerability sources in the platform.

    4. Example:

      1. Vulnerabilities with CVE:

        • Critical where:

          • Threats = RCE AND Remote AND Exploitable

          • Asset tag = External facing

        • High where:

          • Threats = RCE AND Remote AND Exploitable

        • Medium where

          • Threats = Exploitable

        • Low where

          • All other vulnerabilities

      2. Vulnerabilities without CVE:

         "CVSS": 0.6, "Threats": 0.0, "Tags": 0.4

Use the Vulcan Cyber risk weights

(!) Why set different risk score weights to calculate risk?

  • Today, the risk score weights can be set globally and applied to all the sources in the platform. Using the customized risk script, you can decide to allocate the risk score weights according to your need:

    • If you do not get any asset tags from source A, but you do get or create meaningful tags from source B, you can set the risk to be calculated without the asset tag information for source A and with the tag information for source B.

  • Set different risk weights for different scanners:

    1. For Qualys and Tenable:

      1. Vulnerabilities with CVE: Severity: 50%, Threats: 30%, Tags: 20%

      2. Vulnerabilities W/O CVE: Severity: 85%, Tags: 15%

    2. For HackerOne and BitSight:

      1. Vulnerabilities with and without CVE: Use only the technical severity: 100%

    3. For Wiz:

      1. Set the weights according to the asset types: Hosts, container images, and cloud resources.

(!) Good to know – It is recommended to adjust the script manually over time (with the help of the Vulcan CS team) and to conduct periodic checks of the risk score trend in the organization.

See the risk change over time from the vulnerability’s first-seen date < X days. Triage the trend using Vulcan Analytics reports.

Use other various threat intelligence sources

(!) Why use various threat intelligence sources to set the risk in your environment?

  • Vulcan already enriches vulnerability information with threat intelligence data gathered from various vulnerability DBs. Organizations that rely on TI feeds for other use cases, such as incident response, security operations, etc., can utilize this information in Vulcan to align prioritization with their organization’s standard and gain more insights into threat actors and threat details exploiting the vulnerability.

  • Threat intelligence analysis is the process of enhancing existing information by supplementing missing or incomplete data. It enhances the context of the threat information that may have been buried in the alerts or held in external sources.

  • A threat intelligence platform can improve threat detection and monitoring workflows, provide contextual threat intelligence by providing in-depth information and context about specific threats, assist in understanding the effectiveness and relevance of the threat intel feeds collected from various sources, and assist in better decision-making.

Utilize data from various threat intelligence sources to set vulnerability severity in Vulcan Cyber. The currently supported TI integrations are Mandiant, Recorded Future, and CTCI. Example:

  • Critical where:

    • Vulnerabilities with Mandiant Risk: Critical

    • Asset with External Facing tag

  • High where:

    • Vulnerabilities with Mandiant Risk: Critical or High

    • Asset without External Facing tag

  • Medium where:

    • Vulnerabilities with Mandiant Risk: Medium

  • Low where:

    • Vulnerabilities with Mandiant Risk: Low
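To make both mappings concrete (the threat/asset-tag table in the Vulcan Cyber threat intelligence section above and the Mandiant table just above), here is an added example in Python, the language Vulcan's customized risk scripts are written in. It is not Vulcan Cyber's own code; the instance field names (`threats`, `tags`, `mandiant_risk`), the rule format and the helper predicates are assumptions for illustration.

```python
from collections import Counter
from typing import Callable, Dict, List, Sequence, Tuple

# A vulnerability instance is modelled as a plain dict with the fields
# "threats" (set of threat flags), "tags" (set of asset tags) and
# "mandiant_risk" (Critical/High/Medium/Low, or missing when Mandiant has
# no rating). These field names are assumptions, not Vulcan's script API.
Predicate = Callable[[dict], bool]
Rule = Tuple[str, List[Predicate]]

def has_threats(*needed: str) -> Predicate:
    """True when every named threat flag is present on the instance."""
    return lambda inst: set(needed) <= set(inst.get("threats", ()))

def has_tag(tag: str, present: bool = True) -> Predicate:
    """True when the asset carries (or, with present=False, lacks) the tag."""
    return lambda inst: (tag.lower() in {t.lower() for t in inst.get("tags", ())}) == present

def mandiant_in(*levels: str) -> Predicate:
    """True when the Mandiant risk rating is one of the given levels."""
    return lambda inst: inst.get("mandiant_risk") in levels

# Mapping for vulnerabilities with a CVE, from the threat intelligence section.
# Rules are evaluated top-down and the first full match wins, so the most
# specific rule (Critical) must come first; everything else is Low.
THREAT_RULES: List[Rule] = [
    ("Critical", [has_threats("RCE", "Remote", "Exploitable"), has_tag("External facing")]),
    ("High",     [has_threats("RCE", "Remote", "Exploitable")]),
    ("Medium",   [has_threats("Exploitable")]),
]

# Mandiant-based mapping from the external TI section. A Mandiant "High" on an
# external-facing asset is not covered by that table and falls to the default.
MANDIANT_RULES: List[Rule] = [
    ("Critical", [mandiant_in("Critical"), has_tag("External Facing")]),
    ("High",     [mandiant_in("Critical", "High"), has_tag("External Facing", present=False)]),
    ("Medium",   [mandiant_in("Medium")]),
    ("Low",      [mandiant_in("Low")]),
]

def classify(inst: dict, rules: Sequence[Rule], default: str = "Low") -> str:
    """Return the first risk level whose predicates all hold, else the default."""
    for level, predicates in rules:
        if all(p(inst) for p in predicates):
            return level
    return default

def level_counts(instances: Sequence[dict], rules: Sequence[Rule]) -> Dict[str, int]:
    """Instances per level: the figure behind the 'instances by risk level' widget."""
    return dict(Counter(classify(inst, rules) for inst in instances))
```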

Use different KPIs from the scanners

(!) Why use different risk parameters from various scanners to set the risk in your environment?

  • Various scanners provide different risk scores that estimate a single vulnerability’s severity in addition to the CVSS score:

    • Tenable VPR (Vulnerability Priority Rating) considers the threat environmental aspect, such as the exploit code of a vulnerability becoming available or having escalated maturity.

    • Qualys Vulnerability Score (QVS) is a Qualys score for a vulnerability based on multiple factors associated with the CVE, such as CVSS and external threat indicators like active exploitation, exploit code maturity, CISA known exploitable, and many more.

  • Vulcan Cyber accommodates various scores from different scanners, in case you were already utilizing them before purchasing Vulcan or would like to add different threat aspects to the risk calculation in Vulcan.

  1. Combine different risk parameters from a single scanner to create a unique risk score in Vulcan Cyber:

    1. Use Tenable VPR along with the CVSS score. Since VPR reflects the current threat landscape, it can be leveraged with the CVSS score and account for a more complete view of severity.

      Note that VPR with a higher value represents a higher likelihood of exploit. Consider decreasing the risk of a CVE having a CVSS of 9.8 but a VPR of 2, and vice versa.

    2. Add specific asset attribute(s) to the calculation.

    3. Decide how the score should be mapped according to the VPR: CVSS combination.

    4. Define the risk score calculation for other vulnerability sources if utilized.

    5. Note: This practice also applies to Qualys QVS, CrowdStrike ExPRT.AI, BitSight Rating score, and many more. You can decide to solely use a different risk parameter than CVSS or to combine it with the Vulcan Cyber risk calculation logic.
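One way to carry out steps 1 to 4 above for Tenable findings, as an added Python example that is not Vulcan Cyber's own risk script: the 0-100 risk scale, the equal-weight CVSS/VPR blend, the +10 bump for an External facing asset and the field names (`source`, `cvss`, `vpr`, `tags`) are assumptions for illustration.

```python
def blend_cvss_vpr(cvss: float, vpr: float, vpr_weight: float = 0.5) -> float:
    """Blend CVSS (0-10) with Tenable VPR (0-10) into a 0-100 risk score.

    VPR tracks the current threat landscape, so a CVSS 9.8 finding with VPR 2
    is pulled down, while a modest CVSS with a high VPR is pushed up.
    The 50/50 weighting is an assumed starting point, tuned per organization.
    """
    if not 0.0 <= vpr_weight <= 1.0:
        raise ValueError("vpr_weight must be in [0, 1]")
    return round(((1 - vpr_weight) * cvss + vpr_weight * vpr) * 10, 1)

def tenable_risk(finding: dict) -> float:
    """Step 3 for one Tenable instance: CVSS only when VPR is absent, blended
    otherwise, then the asset attribute from step 2 (+10 for an External
    facing asset, an assumed value), clamped to the 0-100 scale."""
    cvss = float(finding["cvss"])
    vpr = finding.get("vpr")                   # None when Tenable has not assigned a VPR yet
    score = cvss * 10 if vpr is None else blend_cvss_vpr(cvss, float(vpr))
    if "External facing" in finding.get("tags", ()):
        score += 10
    return max(0.0, min(100.0, round(score, 1)))

def risk_score(finding: dict) -> float:
    """Step 4: dispatch by source; sources without a VPR keep a CVSS-based score."""
    if finding.get("source") == "Tenable":
        return tenable_risk(finding)
    return round(float(finding["cvss"]) * 10, 1)
```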

Use the CVSS temporal score

(i) Why use the temporal and environmental score metrics in the risk calculation?

  • The Base Score reflects the severity of a vulnerability according to its intrinsic characteristics, which are constant over time and assume the reasonable worst-case impact across different environments.

  • The Temporal Metrics adjust the Base Score severity of a vulnerability based on factors that change over time, such as the availability of exploit code.

  • The Environmental Metrics adjust the Base Score and Temporal Metric severities to a specific computing environment. They consider factors such as the presence of mitigations in that environment.

  1. Utilize CVSS, temporal, and environmental score metrics to aggregate all the conditions of a vulnerability to be defined as critical (attack vector, complexity, required privileges, remediation level, report confidence, etc.).

  2. Add specific asset attribute(s) to the calculation.

  3. Decide how the score should be skewed once a vulnerability instance answers the parameters defined above.

  4. Decide which vulnerability/asset source(s) this calculation applies to.

  5. Define the risk score calculation for other vulnerability data sources aggregated with Vulcan Cyber. Example:

If the vulnerability is from Tenable:
    Start with Risk Score = Vulcan Risk Score
    Offset the Risk Score by a predetermined value using the Temporal Vector String
    Using the Temporal Vector String, modify the risk score by the following offsets for the given vector metric and value (given in the spreadsheet):
        "E":  {"U": Offset -10, "P": Offset -5, "F": Offset +5, "H": Offset +10}
        "RL": {"O": Offset +0, "T": Offset +0, "W": Offset +0, "U": Offset +5}
        "RC": {"U": Offset -5, "R": Offset +0, "C": Offset +0}
    * If any metric (E, RL, or RC) is not defined, apply a +0 offset for that metric.
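The Tenable temporal-offset rule above, as an added Python example that is not Vulcan Cyber's own script: it parses a CVSS v3 temporal vector such as `E:F/RL:U/RC:C` (also accepted embedded in a full vector string), applies the offset table, and treats any missing metric or a Not Defined (`X`) value as +0. The 0-100 clamp on the result and the `source`/`vulcan_risk` parameter names are assumptions.

```python
from typing import Dict, Optional

# Offsets per temporal metric and value, copied from the rule above.
TEMPORAL_OFFSETS: Dict[str, Dict[str, int]] = {
    "E":  {"U": -10, "P": -5, "F": 5, "H": 10},   # Exploit code maturity
    "RL": {"O": 0, "T": 0, "W": 0, "U": 5},        # Remediation level
    "RC": {"U": -5, "R": 0, "C": 0},               # Report confidence
}

def parse_temporal_vector(vector: str) -> Dict[str, str]:
    """'E:F/RL:U/RC:C' -> {'E': 'F', 'RL': 'U', 'RC': 'C'}.

    Other components of a full vector (CVSS:3.1, AV:N, ...) are ignored, so
    the same parser works on a bare temporal vector or a complete one.
    """
    metrics: Dict[str, str] = {}
    for part in vector.split("/"):
        if ":" not in part:
            continue
        name, value = part.split(":", 1)
        if name in TEMPORAL_OFFSETS:
            metrics[name] = value
    return metrics

def temporal_offset(vector: Optional[str]) -> int:
    """Sum of the offsets; a metric that is absent or 'X' contributes +0."""
    metrics = parse_temporal_vector(vector or "")
    return sum(table.get(metrics.get(name, "X"), 0)
               for name, table in TEMPORAL_OFFSETS.items())

def adjusted_risk(source: str, vulcan_risk: int, temporal_vector: Optional[str] = None) -> int:
    """Apply the temporal offset to Tenable findings only; other sources keep
    the Vulcan risk score. The 0-100 clamp is an assumption of this example."""
    if source != "Tenable":
        return vulcan_risk
    return max(0, min(100, vulcan_risk + temporal_offset(temporal_vector)))
```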

How to measure success

Our goal is to deliver customized risk scoring to our customers to help reduce the percentage of critical vulnerabilities over time. We suggest following these metrics to track vulnerability risk reduction efficacy:

  • After adjusting the risk properly to fit the organization’s needs, in most enterprises critical vulnerabilities make up 1-2% of total vulnerabilities, tracked by the “Vulnerability Instances by Risk Level” widget in Vulcan Analytics.

  • A downward trend in critical vulnerabilities in the SPR report.

  • A positive trend showing progress in the remediation of critical vulnerabilities.

  • Critical vulnerability SLA compliance improving over time (i.e., no critical vulnerabilities exceed SLA).

If you have any questions or comments, please contact your customer success manager.
