Vulnerability Management Metrics: The Final Frontier

In Part 1 of this series, we looked at some of the metrics that an executive team would want to see to identify how the business risk is trending. It is very important to keep in mind that if the business does not see the information security program as effective and efficient, they will not continue to invest in information security projects.

Sponsorships Available

In this part, we will look at the operational level reports that can assist in focusing efforts to reduce the risk to the business.

Operational Vulnerability Reports

An alarming yet common trend among organizations is to run a report that contains all the vulnerabilities under a particular system-owner and send them a very large report. Some organizations have matured beyond this point to provide reports that include everything with a “High” score. The main question then becomes: what defines a high-scoring vulnerability? To answer this, security analysts have typically said anything that is a CVSS 7 or above should be remediated. The PCI compliance standard, for example, says that a CVSS score of 7.0-10.0 is High, 4.0-6.9 is Medium, and 0.0 to 3.9 is Low.

In common practice, system administrators have said that there are far too many vulnerabilities that are a CVSS score of 10 and above to remediate within a reasonable time frame. Depending on the organization, system administrators are committed to remediating anywhere from one to ten vulnerabilities per month. So the first question they pose to the security analysts is: which of these CVSS 10 scoring vulnerabilities is the most severe?

Vulnerability Management Risk Scoring

The Tripwire Vulnerability Risk Score alleviates this problem. By providing specific details about the ease of exploit, the privilege gained, and the age of the vulnerability, security analysts have a simple, (Read more...)