Vulnerabilities Triage Best Practice

Learn how to triage vulnerabilities on a weekly basis based on customers' best practices


Target Audience

Vulnerability Manager

About

What's the rationale behind this best practice?

Organizations routinely schedule their vulnerability scanners to scan their assets for newly disclosed vulnerabilities. The findings are then ingested into the Vulcan Platform for analysis and visualization in the user interface. Whether scanning and ingestion run daily or weekly, Vulnerability Managers in most organizations review and triage the new findings once a week.

What's the goal of this best practice?

This best practice draws on the challenges reported by vulnerability managers and hands-on practitioners across a range of organizations. It gives instructions and suggestions for the central task of triaging and prioritizing new vulnerabilities every week.

As a Hands-On Vulnerability Manager, your goal is to perform a vulnerability triage once a week to assess and prioritize new vulnerability findings within the past seven days.

Why triage vulnerabilities on a weekly basis?

Performing a weekly vulnerability triage ensures the timely identification of high-risk vulnerabilities, allowing for a rapid response to reduce the organization's exposure window. By prioritizing and addressing critical vulnerabilities promptly, Vulnerability Managers can achieve the following:

  • Optimize resource allocation.

  • Enhance incident response readiness.

  • Maintain a proactive security posture.

  • Safeguard the organization against cyber threats.

  • Minimize potential damage and downtime.

Best Practice Workflows

NOTE: The filters and parameters used in this best practice represent the most basic and widely utilized criteria used by Vulnerability Managers when triaging vulnerability findings on a weekly basis. It's important to note that these filters serve as a starting point, and you can expand and tailor them to your specific needs. Feel free to add more filters to refine your focus further and prioritize what matters most to your organization.


Triage Vulnerabilities on a Weekly Basis by Utilizing Vulcan Cyber's Risk Assessment

This practice is for customers who have loaded their organizational business context into the Vulcan Platform. It relies on Vulcan's recalculated risk assessment, which factors in risk weights, the affected assets, and the impact on business groups to assign each vulnerability a risk level (Low, Medium, High, or Critical). The steps are as follows:

  1. Navigate to Vulcan > Vulnerabilities > Unique Vulnerabilities.

  2. Utilize the "Magic Search" filter to refine results. Set the conditions:
    Vulnerability > In the last > 7 days;
    and;
    Vulnerability > Risk > Level > Critical.

    Save this filter as "Critical Last 7d" to use it weekly.

  3. Sort results by Assets to focus on the vulnerabilities impacting the largest number of assets.

  4. (Optional) If assets are categorized into Business Groups, consider filtering by Business Group to address the most critical assets.

  5. Review the results and click on a top vulnerability to examine details such as description, affected assets, available fixes, and threat intelligence information.

  6. At this stage, you can take one or more of the following actions:

    • Cooperate: Collaborate by sharing vulnerability details with other Vulnerability Managers or Cyber Security colleagues for further consultation.

    • Remediate: Take immediate action on the vulnerability and initiate a remediation ticket.

    • Exception Request: If necessary, create an Exception Request to acknowledge the risk without immediate remediation.


Triage Vulnerabilities on a Weekly Basis by Utilizing CVSS and Threat Intelligence

This practice is for customers who prefer to evaluate vulnerabilities by their raw CVSS (Common Vulnerability Scoring System) score combined with threat-intelligence tags. In its base form it adds no organizational context: the emphasis is on the inherent severity of a vulnerability as expressed by its CVSS score, plus evidence that it is being exploited, without further contextual adjustment (unless you apply more filters).

  1. Navigate to Vulcan > Vulnerabilities > Unique Vulnerabilities.

  2. Utilize the "Magic Search" filter to refine results. Set the conditions:

    Vulnerability > In the last > 7 days;
    and;

    Vulnerability > Threat Tag > Exploitable;
    and;

    Vulnerability > CVSS > greater than > 9

    BEST PRACTICE TIP: Vulnerability Managers are primarily interested in the tags "Exploitable", "CISA", and "Weaponized".

    NOTE: "greater than 9" excludes a score of exactly 9.0, which CVSS v3 already rates as Critical (9.0 to 10.0). To keep the whole Critical band, set the threshold to greater than 8.9.

    Save this filter as "Exploitable last 7d CVSS" so you can use it weekly.

  3. Sort results by Assets to focus on the vulnerabilities impacting the largest number of assets.

  4. (Optional) If assets are categorized into Business Groups, consider filtering by Business Group to address the most critical assets.

  5. Review the results and click on a top vulnerability to review its details, including Max risk score, description, affected assets, available fixes, and threat intelligence information.

  6. Assess the presented risk score and ask: "Does the vulnerability's Max Risk score accurately reflect the risk it poses to the organization's affected assets?"
    If the answer is "Yes", keep the risk score as is.
    If the answer is "No", click to edit the risk score: raise it if the default underestimates the risk, or lower it if the default overestimates it.

  7. At this stage, you can take one or more of the following actions:

    • Cooperate: Collaborate by sharing vulnerability details with other Vulnerability Managers or Cyber Security colleagues for further consultation.

    • Remediate: Take immediate action on the vulnerability and initiate a remediation ticket.

    • Exception Request: If necessary, create an Exception Request to acknowledge the risk without immediate remediation.
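The two saved filters above are the same logic applied to different fields. The script below is an added example (not Vulcan Cyber's code or API) that applies both filters and the sort-by-assets step to a constructed findings export, so you can check what a "last 7 days" window, a risk-level filter, a threat-tag filter and a CVSS threshold actually keep or drop. The `Finding` shape (first-seen date, recalculated risk level, CVSS, threat tags, and an asset-to-business-group map), the sample vulnerability IDs, and the date used as "today" are all assumptions made for the example; "in the last 7 days" is taken to mean the finding's first-seen date falls inside the window. It also generalizes the tag condition to any of the three tags named in the tip, not just "Exploitable".

```python
"""Weekly triage filters over a constructed findings export (added example, not Vulcan code)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

RISK_LEVELS = ("Low", "Medium", "High", "Critical")
# Tags the best-practice tip says Vulnerability Managers care about most.
INTERESTING_TAGS = frozenset({"Exploitable", "CISA", "Weaponized"})


@dataclass(frozen=True)
class Finding:
    """One unique vulnerability as it might appear in an export (assumed shape)."""
    vuln_id: str
    first_seen: date
    risk_level: str            # Vulcan-style recalculated level: Low/Medium/High/Critical
    cvss: float                # raw CVSS base score
    threat_tags: frozenset[str]
    assets: dict[str, str]     # asset name -> business group it belongs to


def seen_in_last(findings: list[Finding], days: int, today: date) -> list[Finding]:
    """'Vulnerability > In the last > N days': first_seen within the trailing window."""
    cutoff = today - timedelta(days=days)
    return [f for f in findings if cutoff <= f.first_seen <= today]


def sort_by_assets(findings: list[Finding]) -> list[Finding]:
    """Step 3 in both workflows: most affected assets first, ID as a stable tie-break."""
    return sorted(findings, key=lambda f: (-len(f.assets), f.vuln_id))


def critical_last_7d(findings: list[Finding], today: date) -> list[Finding]:
    """Workflow 1: last 7 days AND recalculated risk level == Critical."""
    recent = seen_in_last(findings, 7, today)
    return sort_by_assets([f for f in recent if f.risk_level == "Critical"])


def exploitable_last_7d_cvss(
    findings: list[Finding],
    today: date,
    min_cvss: float = 8.9,
    tags: frozenset[str] = INTERESTING_TAGS,
) -> list[Finding]:
    """Workflow 2: last 7 days AND any interesting threat tag AND CVSS strictly above min_cvss.

    Default threshold is 8.9 so that a score of exactly 9.0 (already Critical in
    CVSS v3) is kept; passing min_cvss=9.0 reproduces the article's 'greater than 9'.
    """
    recent = seen_in_last(findings, 7, today)
    return sort_by_assets(
        [f for f in recent if f.cvss > min_cvss and f.threat_tags & tags]
    )


def in_business_group(findings: list[Finding], group: str) -> list[Finding]:
    """Optional step 4: keep findings that touch at least one asset in the group."""
    return [f for f in findings if group in f.assets.values()]


# --- constructed sample data (not real scanner output) ---------------------
TODAY = date(2024, 6, 10)                      # assumed "today" for the example


def _days_ago(n: int) -> date:
    return TODAY - timedelta(days=n)


SAMPLE_FINDINGS = [
    Finding("V-1", _days_ago(1), "Critical", 9.8, frozenset({"Exploitable", "CISA"}),
            {"api-01": "Payments", "api-02": "Payments", "build-01": "Engineering"}),
    Finding("V-2", _days_ago(3), "Critical", 9.0, frozenset({"Exploitable"}),
            {"web-01": "Payments", "web-02": "Payments", "db-01": "Payments",
             "hr-01": "HR", "hr-02": "HR"}),
    # Outside the 7-day window: dropped by both workflows despite CVSS 10.
    Finding("V-3", _days_ago(10), "Critical", 10.0, frozenset({"Weaponized"}),
            {f"srv-{i:02d}": "Engineering" for i in range(8)}),
    # High CVSS but no threat tag and not recalculated as Critical: dropped by both.
    Finding("V-4", _days_ago(2), "High", 9.1, frozenset(),
            {"vpn-01": "IT", "vpn-02": "IT"}),
    # Tagged by CISA but context lowered its risk and CVSS is 7.5: dropped by both.
    Finding("V-5", _days_ago(5), "Medium", 7.5, frozenset({"CISA"}),
            {f"kiosk-{i:02d}": "Retail" for i in range(6)}),
    # Critical by business context even though CVSS is 8.1: only workflow 1 keeps it.
    Finding("V-6", _days_ago(6), "Critical", 8.1, frozenset({"Weaponized"}),
            {"legacy-01": "HR"}),
]


if __name__ == "__main__":
    for title, rows in (
        ("Critical Last 7d", critical_last_7d(SAMPLE_FINDINGS, TODAY)),
        ("Exploitable last 7d CVSS", exploitable_last_7d_cvss(SAMPLE_FINDINGS, TODAY)),
    ):
        print(title)
        for f in rows:
            print(f"  {f.vuln_id}: {len(f.assets)} assets, CVSS {f.cvss}, {f.risk_level}")
```

Running it shows why the two workflows disagree: V-6 is Critical only because of business context (CVSS 8.1), so the CVSS workflow never surfaces it, while V-2 at exactly 9.0 survives only because the threshold is 8.9 rather than 9. If your export's date field is "last seen" rather than "first seen", adjust `seen_in_last` accordingly, or the window will re-surface old findings every week.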

