Use the prioritization policy to prioritize vulnerabilities
An asset can have a prioritization policy. The policy is based on the security requirements as defined in the environmental metrics of the CVSS standard:
- Environmental metrics of the CVSSv4.
- Environmental metrics of the CVSSv3.
- Environmental metrics of the CVSSv2.
The prioritization policy is defined by several criteria: Confidentiality, Integrity, and Availability, as well as a CVSS threshold (from 0 to 10), an EPSS threshold (from 0 to 100), and whether vulnerabilities are referenced in various recognized catalogs (such as CERT-FR ALE, CISA KEV and multiple others acknowledged by Cyberwatch).
Each Security Requirement has three possible values: Low, Medium, or High.
These metrics allow the analyst to define the security requirements according to the importance of the affected IT asset in the organization.
For example, if an IT asset supports a business function for which Availability is most important, the analyst can assign a High value to Availability, compared to the values left at Medium for Confidentiality and Integrity.
Prioritized vulnerabilities are calculated from:
- the presence of vulnerabilities in at least one catalog
- the vulnerabilities’ EPSS score
- the vulnerabilities’ CVSS score
- the vulnerabilities’ SSVC decision
- the prioritization policy configured on an asset
The type of CVSS score used for vulnerability prioritization depends on the metrics activated in the prioritization policy. Base metrics (B) are used to calculate the initial CVSS score. Threat metrics (T) and environmental metrics (E) make it possible to take into account, respectively:
- the current state of exploit techniques or code availability for a vulnerability
- the requirements of each asset in terms of Availability, Integrity and Confidentiality
This allows you to choose between four types: CVSS-B, CVSS-BE, CVSS-BT and CVSS-BTE. The CVSS score is then adapted using the CVSS standard formula.
If the score thus obtained exceeds the criticality threshold defined in the prioritization policy of the asset, the vulnerability is prioritized. The presence of a vulnerability in at least one of the catalogs also makes it prioritized, regardless of its score.
Cyberwatch defines three default prioritization policies:
- Low with:
  - presence in at least one catalog
- Medium with:
  - the Confidentiality, Integrity, and Availability criteria at the Medium value
  - a CVSS threshold of 7.0
  - an EPSS threshold of 2%
  or
  - presence in at least one catalog
- High with:
  - the Confidentiality, Integrity, and Availability criteria at the High value
  - a CVSS threshold of 7.0
  - an EPSS threshold of 0.5%
  or
  - presence in at least one catalog
CVSS ceilings
To better take into account the environment of assets, you can define ceiling values for the CVSS base metrics, which affect the contextual score of CVEs. For instance, if an asset is detached from all networks, you can set the attack vector ceiling to Local, which reduces the score of remotely exploitable CVEs by treating their attack vector as Local rather than Network. A ceiling only ever lowers a metric: a CVE whose own value is already at or below the ceiling keeps its value.
To edit the CVSS ceilings, click on the CVSS vector ceil button on the prioritization policy edit page. By default, each metric is set to its maximum value, so that it does not affect the contextual scores.
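The two rules above (cap the base metrics at the policy's ceilings, then recompute with the standard formula and compare to the policy's CVSS threshold, with catalog presence prioritizing outright) can be followed end to end with the public CVSS v3.1 base-score formula. The code below is an added example, not Cyberwatch code: the function names, the ceiling dictionary shape and the treatment of a score exactly equal to the threshold are this example's own assumptions, and the EPSS and SSVC criteria are left out. The sample vectors are constructed.

```python
"""CVSS v3.1 base score with per-metric ceilings (added example, not
Cyberwatch's implementation). Formula and weights follow the public CVSS v3.1
specification (FIRST.org); the ceiling model is this example's assumption."""
import math
import re

# Metric weights from the CVSS v3.1 specification (section 7.4).
_WEIGHTS = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": 0.85, "L": 0.62, "H": 0.27},    # Scope Unchanged
    "PR_C": {"N": 0.85, "L": 0.68, "H": 0.5},   # Scope Changed
    "UI": {"N": 0.85, "R": 0.62},
    "C": {"H": 0.56, "L": 0.22, "N": 0.0},
    "I": {"H": 0.56, "L": 0.22, "N": 0.0},
    "A": {"H": 0.56, "L": 0.22, "N": 0.0},
}

# Metric values ordered from least to most severe. A ceiling caps the CVE's
# value at the ceiling's position in this ordering and never raises it.
_SEVERITY_ORDER = {
    "AV": "PLAN",  # Physical < Local < Adjacent < Network
    "AC": "HL",    # High complexity < Low complexity
    "PR": "HLN",   # High privileges < Low < None required
    "UI": "RN",    # Required < None
    "S": "UC",     # Unchanged < Changed
    "C": "NLH", "I": "NLH", "A": "NLH",
}

# Every metric at its maximum: the page's default, which leaves scores unchanged.
DEFAULT_CEILINGS = {m: order[-1] for m, order in _SEVERITY_ORDER.items()}

_VECTOR_RE = re.compile(r"^CVSS:3\.[01]/(.+)$")


def parse_vector(vector: str) -> dict:
    """Return {metric: value} for a CVSS v3.x base vector string."""
    m = _VECTOR_RE.match(vector)
    if not m:
        raise ValueError(f"not a CVSS v3 vector: {vector}")
    metrics = dict(part.split(":") for part in m.group(1).split("/"))
    missing = set(_SEVERITY_ORDER) - set(metrics)
    if missing:
        raise ValueError(f"base metrics missing: {sorted(missing)}")
    return metrics


def apply_ceilings(metrics: dict, ceilings: dict) -> dict:
    """Cap each base metric at the ceiling; metrics not listed keep their value."""
    capped = dict(metrics)
    for metric, ceiling in ceilings.items():
        order = _SEVERITY_ORDER[metric]
        if order.index(metrics[metric]) > order.index(ceiling):
            capped[metric] = ceiling
    return capped


def _roundup(value: float) -> float:
    """Roundup as defined in CVSS v3.1 Appendix A (avoids float artefacts)."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def base_score(metrics: dict) -> float:
    """CVSS v3.1 base score (specification section 7.1)."""
    changed = metrics["S"] == "C"
    iss = 1 - ((1 - _WEIGHTS["C"][metrics["C"]])
               * (1 - _WEIGHTS["I"][metrics["I"]])
               * (1 - _WEIGHTS["A"][metrics["A"]]))
    impact = (7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15) if changed else 6.42 * iss
    pr = _WEIGHTS["PR_C" if changed else "PR"][metrics["PR"]]
    exploitability = (8.22 * _WEIGHTS["AV"][metrics["AV"]] * _WEIGHTS["AC"][metrics["AC"]]
                      * pr * _WEIGHTS["UI"][metrics["UI"]])
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    return _roundup(min(1.08 * total if changed else total, 10))


def contextual_score(vector: str, ceilings: dict) -> float:
    """Score of a CVE once the asset's ceilings have been applied."""
    return base_score(apply_ceilings(parse_vector(vector), ceilings))


def is_prioritized(vector: str, ceilings: dict, cvss_threshold: float, in_catalog: bool) -> bool:
    """Catalog presence prioritizes outright; otherwise the ceiling-adjusted
    score is compared to the policy threshold. Treating a score exactly equal
    to the threshold as prioritized is this example's assumption."""
    return in_catalog or contextual_score(vector, ceilings) >= cvss_threshold


if __name__ == "__main__":
    # Constructed sample: a remotely exploitable denial of service (scores 7.5).
    remote_dos = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
    for label, ceilings in (("default ceilings", DEFAULT_CEILINGS), ("air-gapped asset", {"AV": "L"})):
        print(label, contextual_score(remote_dos, ceilings),
              "prioritized" if is_prioritized(remote_dos, ceilings, 7.0, False) else "not prioritized")
```

With the default ceilings the 7.5 CVE stays above the Medium policy's 7.0 threshold; with the attack vector capped at Local it drops to 6.2 and is no longer prioritized by score, although catalog presence would still prioritize it.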
SSVC decision
Stakeholder-Specific Vulnerability Categorization (SSVC) is a decision system for determining the urgency of handling a CVE. For more information, please consult the official documentation on CISA's website: https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc.
To compute the SSVC decision on an asset's CVEs, the SSVC metrics section of the prioritization policy must be filled in. Moreover, SSVC metrics are available only for CVEs processed by CISA.
You may add a priority criterion on the SSVC decision to exclude CVEs whose SSVC decision is too low. This criterion does not affect CVEs without SSVC metrics.
The SSVC decisions of CVEs can be displayed in the Vulnerabilities tab of an asset's details page by customizing the columns of the table. They are also included in CSV exports and in Kibana.
Response time to vulnerabilities
It is possible to set remediation time objectives for assets based on their prioritization level. These objectives specify the maximum acceptable period between the detection and the resolution of a vulnerability. This metric helps monitor compliance with remediation targets and identify vulnerabilities that remain unresolved beyond the defined limits.
In the “Vulnerabilities” and “Patch Management” tabs, any vulnerability that exceeds its remediation objective is marked with a red status badge showing the number of overdue days. This badge also appears on the detailed CVE page, next to the affected assets.
To visualize remediation velocity, two sets of semi-circular gauges are displayed in the “Summary” tab of each asset. The first set shows the average remediation time, that is, the delay between detection and correction, so you can verify whether the defined objectives are being met. The second set shows the average presence time of vulnerabilities, which reflects the actual duration of exposure before remediation. In both sets, the gauges distinguish between prioritized vulnerabilities and cataloged vulnerabilities.
Create a prioritization policy
- Click on Settings > Prioritization policies
- Click on the “Create” button
- Fill out the form
- Click on the “Save” button
Edit a prioritization policy
- Click on Settings > Prioritization policies
- Click on the edit icon (the default prioritization policies are not editable)
- Fill out the form
- Click on the “Save” button
Delete a prioritization policy
- Click on Settings > Prioritization policies
- Click on the delete icon (the default prioritization policies cannot be deleted)
Assign a prioritization policy to an asset
- Click on Inventory
- Check the lines of the assets to which the prioritization policy should be assigned
- Click on “Bulk Edit”
- Click on “Update the prioritization” in the list
- Click on the desired policy