How are you evaluating the risk a vulnerability poses to your org? Are you using the CVSS score, a different scoring system, or doing your own analysis internally?

7.9k views · 1 Upvote · 4 Comments
Principal Consultant in IT Services, 7 months ago
Currently, we are using the risk score calculated by our vulnerability scanning solution. I am not a fan of this approach, because it is based upon the number of vulnerabilities and their CVE score.

I prefer a measurement which we have more control over, because the number of vulnerabilities in our environment is based more on how good the hackers are versus how good we are. The metric I am working to introduce is either average age of a vulnerability or mean time to repair; both of these metrics measure how good the team is at fixing issues. I am leaning towards the former because I can easily calculate this number from our vulnerability scanning solution.
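As an added example (not the commenter's code or their scanner's output), here is how the two metrics mentioned above can be computed from a scanner export, plus an SLA-breach check that falls out of the same data. The `Finding` fields, the sample findings and the `SLA_DAYS` table are all assumed placeholders; map your own scanner's columns and policy onto them.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

@dataclass
class Finding:
    """One finding shaped like a row of a scanner export.
    Field names are assumptions; map your scanner's columns onto them."""
    finding_id: str
    asset: str
    severity: str             # the scanner's own label: critical/high/medium/low
    first_seen: date          # first scan that reported the finding
    fixed_on: Optional[date]  # first scan that no longer reported it; None while open

# Constructed sample findings with placeholder IDs (not real vulnerabilities).
SAMPLE_FINDINGS = [
    Finding("F-001", "web-01", "critical", date(2024, 1, 5), date(2024, 1, 12)),
    Finding("F-002", "web-01", "high", date(2024, 1, 10), date(2024, 2, 9)),
    Finding("F-003", "db-02", "critical", date(2024, 2, 1), None),
    Finding("F-004", "db-02", "medium", date(2023, 11, 1), None),
    Finding("F-005", "app-03", "high", date(2024, 2, 20), date(2024, 3, 1)),
]

# Reference date for the "as of" calculations below (constructed).
AS_OF = date(2024, 3, 15)

# Assumed remediation SLAs in days per severity; replace with your own policy.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}

def average_open_age_days(findings, as_of, severity=None):
    """Mean age in days of findings still open on `as_of`, optionally for one
    severity bucket. Returns None when nothing is open in that bucket."""
    ages = [(as_of - f.first_seen).days
            for f in findings
            if f.fixed_on is None and (severity is None or f.severity == severity)]
    return mean(ages) if ages else None

def mean_time_to_repair_days(findings, severity=None):
    """Mean first_seen -> fixed_on interval over closed findings (MTTR).
    Returns None when nothing in the bucket has been closed yet."""
    durations = [(f.fixed_on - f.first_seen).days
                 for f in findings
                 if f.fixed_on is not None and (severity is None or f.severity == severity)]
    return mean(durations) if durations else None

def sla_breaches(findings, as_of):
    """IDs of open findings whose age exceeds the assumed SLA for their severity."""
    return [f.finding_id for f in findings
            if f.fixed_on is None
            and (as_of - f.first_seen).days > SLA_DAYS.get(f.severity, SLA_DAYS["low"])]

if __name__ == "__main__":
    print("average open age (days):", average_open_age_days(SAMPLE_FINDINGS, AS_OF))
    print("MTTR (days):", mean_time_to_repair_days(SAMPLE_FINDINGS))
    for sev in ("critical", "high", "medium"):
        print(f"{sev}: MTTR={mean_time_to_repair_days(SAMPLE_FINDINGS, sev)}",
              f"open age={average_open_age_days(SAMPLE_FINDINGS, AS_OF, sev)}")
    print("past SLA:", sla_breaches(SAMPLE_FINDINGS, AS_OF))
```

Both metrics are computed per severity as well as overall, because a fleet-wide average hides a handful of very old criticals behind a large number of quickly fixed lows; the per-severity SLA-breach list is the view that usually ends up in front of management.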
Director of Information Security in Healthcare and Biotech, 7 months ago
For us, we use a combination of CVSS score, along with scoring from the vuln tool, the position of the system inside the network (taking into consideration segmentation and configuration), plus the context of the system in relation to the business, i.e. we'll patch a business-critical system that's internet facing before we patch a system that is not holding important data deep inside the network (unless there is an interface to said critical system). This helps us prioritise.
1 Upvote
Fractional CISO in Telecommunication, 5 months ago
CVSS should ideally only be used as a starting point, then add context for your own technical environment, architecture and any related threat intelligence you have.
1 Upvote
Group Director of Information Security in Banking, 4 months ago
Upon the official release of CVSS v4 in Nov 2023, it was anticipated that the National Vulnerability Database (NVD) may commence issuing updates in alignment, as NVD is also the most often used vulnerability classification database alongside CVSS. This timeframe was also when we thought that there would be a broader uptake of CVSS v4 beginning to take shape by various vendors in the vulnerability identification game (Qualys, Tenable, etc.), but it seems like that hasn't happened as yet, and Microsoft Defender, which uses Qualys as its engine, still maintains its own prioritisation formula. Until that happens, read the below article and use the 3 approaches mentioned therein. It's not as straightforward; it needs some procedural definitions and application classification, but it makes the most sense to me.

https://www.brinqa.com/blog/stop-prioritizing-vulnerabilities-by-cvss-score-use-these-3-approaches-instead/
