by Josef Weiss
January 26, 2021
Building an effective cybersecurity program is an ongoing process requiring significant commitment from limited resources. Chief Information Security Officers (CISO) are responsible for establishing and maintaining the cybersecurity program, and ensuring assets are adequately protected. Organizational executives and business leadership require methodologies that concisely present vulnerability findings in a measurable manner.
In addition to these methodologies, processes must also focus on presenting findings in a manner that allows cyber security leaders to visualize how effectively the organization is achieving vulnerability management objectives. Effective strategies include focusing not only the overall posture of the information security programs, but also on immediate threats and remediation efforts. Understanding and conveying potential security related problems, and the strategies to mitigate them, is key to successfully advocating for security to organizational leadership.
This dashboard assists cyber security leaders that are building or strengthening a vulnerability management program to better visualize the modern attack surface. The Information presented focuses on the findings that organizations should prioritize and mitigate first, by leveraging the Vulnerability Priority Rating (VPR). The VPR score is an output of Predictive Prioritization, which allows cyber security leaders to focus on items that help drive key performance indicators, by combining research insights, threat intelligence, and vulnerability ratings to reduce noise. Effective vulnerability remediation becomes easier as vulnerabilities are presented in a manner that helps visualize vulnerability remediation programs and provide measures against established goals and SLAs.
The prioritized data establishes a measurable reference point used by cyber security leaders to create actionable mitigation tasks based on VPR, and improve the risk reduction timelines. When not using VPR as a filter to focus on the most significant concerns, noise increases and the large number of critical and high vulnerabilities, as determined most often by Common Vulnerability Scoring System (CVSS) rating, become cumbersome and difficult to sort. The dashboard is laid out to provide a high-level risk summary in a visual manner allowing business leaders to gain insight into their vulnerability management programs quickly and effectively. Risk is measured between customer lines of business, locations, etc. and fosters healthy team competition to not be at the top of the wall-of-shame.
Designed with the principles of Cyber Exposure Management in mind, the presented vulnerability data is tailored to guide executives, managers and operations teams to detect, predict, and act to reduce risk across their entire attack surface. Administrators within these teams are empowered to analyze vulnerabilities within their area of expertise, remediate identified risk, track progress, and measure success against their own team charter and SLAs.
Many organizations have teams that focus on detailed information, relevant to the teams’ own assets; or area of operational focus, such as Windows, Linux, databases, or network infrastructure. The components do not require specific assets to be loaded prior to use. However, organizations that have teams that do focus on a specific group of assets, benefit from customizing filters around those assets for the individual components. CISO’s and other leaders visualize findings against assets that are “owned by” or “assigned to” specific teams within the organization using this method. This provides insight into where additional resource need to be allocated to mitigate vulnerabilities. Another goal is foster internal competition between lines of business to become the top group/team with the least amount of risk.
This dashboard is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The dashboard can be easily located in the Tenable.sc Feed under the category Threat Detection and Vulnerability Assessments.
The dashboard requirements are:
- Tenable.sc 5.15.0
- Nessus 8.11.1
Tenable.sc Continuous View (CV) is the market-defining On-Prem Cyber Exposure Platform. Tenable.sc CV provides the ability to continuously Assess an organization’s adherence to best practice configuration baselines. Tenable.sc provides customers with a complete Cyber Exposure platform for completing effective cybersecurity practices
Components
- Cyber Risk Executive Briefing – 90 Day Trend for Exploitable Vulnerabilities - This component displays a 3-month graph across two separate data series. CISOs can quickly visualize all levels of vulnerabilities from low to critical across one series and exploitable vulnerabilities in the second series. This helps CISOs understand the vulnerability posture of the network. CISOs can also utilize this information to monitor change in detected vulnerability findings, and adjust efforts as needed to set mitigation efforts.
- Cyber Risk Executive Briefing - Risk Remediation SLAs - This component utilized the Mitigated Database as well as a variety of date range filters to display a ratio of vulnerability findings that have been mitigated within the specified time frame vs. those vulnerabilities which have still not been remediated. CISOs can quickly visualize the status of their risk mitigation strategies and compare them against organizational goals and SLAs.
- Cyber Risk Executive Briefing - Tracking CVE Vulnerabilities - Common Vulnerability and Exposure (CVE) is a widely used standard vulnerability identifier which was created in 1999. Most organizations are familiar with the using CVE identifiers to track and identify vulnerabilities and target systems for remediation. This component uses CVE identifiers from 1999 to present to display vulnerability findings, along with their severity rating. CISOs can quickly visualize the number of active CVE findings in their environment, and compare them against organizational goals and SLAs.
- Cyber Risk Executive Briefing - 90 Day Trend for Remediating Unsupported Products - Unsupported products are an issue for many organizations. Products that have reach their end-of-life and are no longer supported by their vendors, this increases risk as patches, updates, and security fixes are no longer available. CISOs need to be able to identify products that are no longer supported as part of their duties to minimize organizational risk
- Cyber Risk Executive Briefing - Internal Teams Unsupported Product Instances - This component assists CISOs measure progress of teams with groups of assets owned by them, or assigned to them identify unsupported products. Unsupported products are an issue for many organizations. Products that have reach their end-of-life and are no longer supported by their vendors and this increases risk as patches, updates, and security fixes are no longer available. CISOs need to see the work their team performs, as well as measure progress and success against their workload.
- Cyber Risk Executive Briefing - Business Unites Ranked by the Worst Vulnerabilities - This table helps organizations visualize the most immediate issues that require attention. This component specifically assists CISOs measure progress of teams or business units ranked by the worst vulnerability findings. This component displays vulnerability counts present on all vulnerability instances, exploitable vulnerabilities, remotely exploitable, low complexity, no authentication required vulnerabilities and those with the highest VPR score.
- Worst of the Worst - By Asset - This table provides information on the most vulnerable assets group. Risk teams are presented with the total number of vulnerabilities and vulnerabilities by severity. The data displayed takes into account the VPR score, exploitability, and CVSS vectors under an Asset Summary. The filters identify the worst asset groups and focuses on specific CVSS vectors to concentrate on the most essential actions. The CVSS vectors used are (Remotely Exploitable, Low Complexity, No Authentication Required and Tenable VPR is 9-10).
- Cyber Risk Executive Briefing - Internal Teams Presenting the Greatest Risk - This table helps organizations visualize the most immediate issues that require attention by team/group ranking. This component specifically assists CISOs measure progress of teams or business units ranked by their vulnerability findings based on severity and score for assets owned by them or assigned to them.
- Worst of the Worst - Certificate Concerns by Asset - This component focuses results around three primary SSL Certificate Active Plugins.