You will learn how UVRM allows users to manage a Target's criticality and how it leverages Target Criticality in its risk scoring.
Overview
To provide clients with contextual risk prioritization, where the goal is to focus the VM team's work using risk as the primary factor, we need to understand where vulnerabilities are located. Target criticality helps us determine this and provides contextual vuln instance scores.
In the near future, we will expand our goals for contextual risk: we will start identifying how targets are related, allow clients to provide business context for targets, and overall enable UVRM to understand the unique environmental factors found within each client network.
Target Criticality
Targets can be categorized as Critical, High, Medium, Low, or None. These values are meant to be used by each client subjectively. One client may choose to leverage revenue to determine criticality and create a mapping between value and criticality, for example: any Target related to an Application which brings in more than $10 million is Critical. Another client may choose to categorize based on risk, for example: any Target that is internet facing is Critical.
Settings
Admins are now able to configure how the platform will manage Target Criticality.
Several clients have asked for the ability to disable the modification of a Target's criticality by users, having determined their source system of record for an asset's criticality setting. Often this is an organization's CMDB system or a custom platform. Alternatively, they may have chosen to store this value in a Scanner and would like UVRM to use it.
Admins can configure these settings; however, our goal is to enable clients to identify a criticality for all targets, so we provide our own ruleset to be applied to assets with no known criticality value.
NopSec Criticality Recommendations
NopSec has implemented some basic rules in 6.0 to identify target criticality via Scanner-provided data or CMDB data. Examples include labeling a Target as Critical for being a Server rather than a Printer.
In the near future, these rules will be visible in the Settings page where Admins may add or modify the rules to control how targets receive a Target Criticality value.
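The precedence described above (an admin-chosen source of record first, user edits only when allowed, and a ruleset applied to targets with no known value) can be modelled as follows. This is an added example, not UVRM's own code: the class and field names, the rule order, and the specific fallback levels are assumptions; only the revenue, internet-facing and server-vs-printer examples come from this page.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Ordered from least to most critical; "None" means no value assigned.
LEVELS = ("None", "Low", "Medium", "High", "Critical")


@dataclass
class Target:
    hostname: str
    device_type: str                      # e.g. "server" or "printer", from scanner/CMDB data
    internet_facing: bool = False
    app_revenue_usd: float = 0.0          # revenue of the related Application (assumed field)
    # Known values keyed by source, e.g. {"cmdb": "High", "user": "Critical"} (assumed shape)
    criticality: dict = field(default_factory=dict)


@dataclass
class Settings:
    source_of_record: Optional[str] = None  # e.g. "cmdb" or "scanner"; None = not configured
    allow_user_edits: bool = True           # admins may disable user modification


# A rule returns a level, or None when it does not apply; first match wins.
Rule = Callable[[Target], Optional[str]]

def revenue_rule(t: Target) -> Optional[str]:
    # Client mapping from the page: Application revenue above $10 million is Critical.
    return "Critical" if t.app_revenue_usd > 10_000_000 else None

def internet_facing_rule(t: Target) -> Optional[str]:
    # Client mapping from the page: any internet-facing Target is Critical.
    return "Critical" if t.internet_facing else None

def device_type_rule(t: Target) -> Optional[str]:
    # Assumed fallback in the spirit of the server-vs-printer example;
    # the actual NopSec rules and the levels they assign are not on the page.
    return {"server": "Critical", "printer": "Low"}.get(t.device_type.lower())

DEFAULT_RULES: list[Rule] = [revenue_rule, internet_facing_rule, device_type_rule]


def resolve_criticality(t: Target, s: Settings, rules=DEFAULT_RULES) -> str:
    """Source of record first, then user edits if allowed, then the ruleset."""
    known = {src: lvl for src, lvl in t.criticality.items() if lvl in LEVELS and lvl != "None"}
    if s.source_of_record and known.get(s.source_of_record):
        return known[s.source_of_record]
    if s.allow_user_edits and known.get("user"):
        return known["user"]
    for rule in rules:
        level = rule(t)
        if level:
            return level
    return "None"
```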
NopSec Vuln Instance Scoring
Vuln Instances receive a Score and Severity from NopSec by combining the specific Vuln Score (the score resulting from our Threat Feed analysis), the Target's Criticality, and any Mitigating Controls (if enabled and detected) on the specific Target. This provides our clients with a contextual risk for each vulnerability based on where the vulnerability is found. Our goal is to continue providing more contextual risk and to enable clients to control this value more directly in the future.
Vuln Instances with a Low Target Criticality and High Vuln Scores will have slightly lower scores than Vuln Instances found on Critical Targets with Urgent Vuln Scores.