Use the criticality policy to prioritize vulnerabilities

An asset can have a criticality policy. This item is based on the security requirements as defined in the environmental metrics of the CVSS standard:

• Environmental metrics of the CVSSv4.
• Environmental metrics of the CVSSv3.
• Environmental metrics of the CVSSv2.

The criticality policy is defined by criteria: Confidentiality, Integrity, and Availability as well as by a CVSS threshold between 0 and 10, an EPSS threshold between 0 and 100 and the presence of vulnerabilities in the CERT-FR ALE and CISA KEV catalogs.

Each Security Requirement has three possible values: Low, Medium, or High.

These metrics allow the analyst to define the security requirements according to the importance of the affected IT asset in the organization.

For example, if an IT asset supports a business function for which Availability is most important, the analyst can assign a High value to Availability, compared to the values left at Medium for Confidentiality and Integrity.

Prioritized vulnerabilities are calculated from:

• the presence of vulnerabilities in the CERT-FR ALE catalog;
• the presence of vulnerabilities in the CISA KEV catalog;
• the vulnerabilities’ EPSS score;
• the vulnerabilities’ CVSS score;
• the vulnerabilities’ SSVC decision;
• the criticality policy configured on an asset.

The type of CVSS score used for vulnerability prioritization depends on the metrics activated on the criticality policy. Base metrics (B) allow to calculate the initial CVSS score. Threat metrics (T) and environment metrics (E) enable to take into account respectively:

• the current state of exploit techniques or code availability for a vulnerability,
• the requirements of each asset in terms of Availability, Integrity and Confidentiality.

This allows you to choose between four types: CVSS-B, CVSS-BE, CVSS-BT and CVSS-BTE. The CVSS score is then adapted using the CVSS standard formula.

If the score thus obtained exceeds the criticality threshold of the asset, the vulnerability is prioritized. The presence of a vulnerability in one of the catalogs makes it prioritized.

Cyberwatch defines three default criticality policy:

• Low with:
  • presence in the CISA KEV catalog
  • presence in the CERT-FR ALE catalog
• Medium with:
  • the Confidentiality, Integrity, and Availability criteria at the Medium value
  • a CVSS threshold of 7.0
  • an EPSS threshold of 0.5%

  or

  • presence in the CISA KEV catalog
  • presence in the CERT-FR ALE catalog
• High with:
  • the criteria Confidentiality, Integrity, and Availability at the High value
  • a CVSS threshold of 7.0
  • an EPSS threshold of 0.2%

  or

  • presence in the CISA KEV catalog
  • presence in the CERT-FR ALE catalog

CVSS ceilings

To better take into account the environment of assets, you can define ceiling values for the CVSS base metrics to affect the contextual score of CVEs. For instance, if an asset is detached from all networks, you can define the vector attack of the CVSS ceilings to Local, which is going to reduce the score of remotely-exploitable CVEs by considering their attack vector is Local rather that Network.

To edit the CVSS ceilings, you need to click on the CVSS vector ceil button on the criticality edition page. By default each metric is defined to its maximum value, so that it does not affect the contextual scores.

SSVC decision

Stakeholder-Specific Vulnerability Categorization (SSVC) is a decision system for determining the urgency for handling a CVE. For more information, please consult the official documentation on CISA’s website : https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc.

To compute the SSVC decision on an asset’s CVEs, the SSVC metrics section of the criticality policy must be filled. Moreover, SSVC metrics are available only on CVEs processed by CISA, which include about 21 000 CVEs in 2024.

You may add a priority criterion on the SSVC decision to exclude CVEs whose SSVC decision is too low. That criteria would not affect CVEs without SSVC metrics.

The SSVC decision of the CVEs are displayable in the Vulnerabilities tab in the assets’ details page by customizing the columns of the table. They are also included in CSV exports and Kibana.

Create a criticality

1. Click on Settings > Criticalities
2. Click on the “Create” button
3. Fill out the form
4. Click on the “Save” button

Edit a criticality

1. Click on Settings > Criticalities
2. Click on the edit icon (the default criticalities are not editable)
3. Fill out the form
4. Click on the “Save” button

Delete a criticality

1. Click on Settings > Criticalities
2. Click on the delete icon (the default criticalities cannot be deleted)

Assign a criticality to an asset

1. Click on Inventory
2. Check the line of assets to assign the criticality
3. Click on “Bulk Edit”
4. Click on “Update the criticality” in the list
5. Click on the desired criticality