Use the criticality policy to prioritize vulnerabilities

An asset can have a criticality policy. This policy is based on the security requirements defined in the environmental metrics of the CVSSv3 standard.

The criticality policy is defined by the Confidentiality, Integrity, and Availability criteria, as well as by a CVSS threshold between 0 and 10, an EPSS threshold between 0 and 100, and the presence of vulnerabilities in the CERT-FR ALE and CISA KEV catalogs.

Each Security Requirement has three possible values: Low, Medium, or High.

These metrics allow the analyst to define the security requirements according to the importance of the affected IT asset in the organization.

For example, if an IT asset supports a business function for which Availability is most important, the analyst can assign a High value to Availability, compared to the values left at Medium for Confidentiality and Integrity.

Prioritized vulnerabilities are calculated from:

  • the presence of vulnerabilities in the CERT-FR ALE catalog;
  • the presence of vulnerabilities in the CISA KEV catalog;
  • the vulnerability's EPSS score;
  • the vulnerability's CVSS score;
  • the criticality policy configured on an asset.

The CVSS score is then adapted using the CVSSv3 standard formula to take into account the requirements of each asset in terms of Availability, Integrity and Confidentiality. If the score thus obtained exceeds the criticality threshold of the asset, the vulnerability is prioritized. A vulnerability present in either catalog is prioritized regardless of its score.

Cyberwatch defines three default criticality policies:

  • Low with:
    • presence in the CISA KEV catalog
    • presence in the CERT-FR ALE catalog
  • Medium with:
    • the Confidentiality, Integrity, and Availability criteria at the Medium value
    • a CVSS threshold of 7.0
    • an EPSS threshold of 0.5%

    or

    • presence in the CISA KEV catalog
    • presence in the CERT-FR ALE catalog
  • High with:
    • the criteria Confidentiality, Integrity, and Availability at the High value
    • a CVSS threshold of 7.0
    • an EPSS threshold of 0.2%

    or

    • presence in the CISA KEV catalog
    • presence in the CERT-FR ALE catalog

Ceiling CVSS

To better take into account the environment of assets, you can define ceiling values for the CVSS base metrics, which affect the contextual score of CVEs. For instance, if an asset is detached from all networks, you can set the attack vector of the ceiling CVSS to Local, which reduces the score of remotely exploitable CVEs by treating their attack vector as Local rather than Network.

To edit the ceiling CVSS, expand the Advanced settings section on the criticality editing page. By default each metric is set to its maximum value, so that it does not affect the contextual scores.
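As an added example (not Cyberwatch's own code), the prioritization described above and the ceiling CVSS from this section, in Python: the CVSS v3.1 environmental formula applied with the asset's Confidentiality, Integrity and Availability requirements, base metrics capped by a ceiling, and the catalog, CVSS and EPSS checks. It assumes the three checks are OR-ed, the CVSS threshold is inclusive, the EPSS threshold is expressed in percent and temporal metrics are Not Defined; the policy and vector values are constructed.

```python
import math
# CVSS v3.1 base-metric weights, each listed from least to most severe so
# that a ceiling can be applied by rank. PR weights are (scope U, scope C).
W = {"AV": {"P": 0.2, "L": 0.55, "A": 0.62, "N": 0.85},
     "AC": {"H": 0.44, "L": 0.77}, "UI": {"R": 0.62, "N": 0.85},
     "C": {"N": 0.0, "L": 0.22, "H": 0.56}}
W["I"] = W["A"] = W["C"]
PR = {"H": (0.27, 0.5), "L": (0.62, 0.68), "N": (0.85, 0.85)}
REQ = {"L": 0.5, "M": 1.0, "H": 1.5}  # CR / IR / AR: Low, Medium, High

def roundup(x):
    """CVSS v3.1 Roundup(): round up to one decimal without float artefacts."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def parse_vector(vector):
    """'CVSS:3.1/AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}"""
    return dict(p.split(":") for p in vector.split("/")[1:])

def apply_ceiling(m, ceiling):
    """Cap AV/AC/PR/UI/C/I/A: keep the less severe of the CVE's value and the cap."""
    capped = dict(m)
    for name, cap in ceiling.items():
        order = list(PR if name == "PR" else W[name])
        if order.index(m[name]) > order.index(cap):
            capped[name] = cap
    return capped

def environmental_score(m, cr, ir, ar):
    """CVSS v3.1 environmental score; temporal metrics left Not Defined (1.0)."""
    changed = m["S"] == "C"
    miss = min(1 - (1 - REQ[cr] * W["C"][m["C"]]) * (1 - REQ[ir] * W["I"][m["I"]])
               * (1 - REQ[ar] * W["A"][m["A"]]), 0.915)
    impact = (7.52 * (miss - 0.029) - 3.25 * (miss * 0.9731 - 0.02) ** 13
              if changed else 6.42 * miss)
    if impact <= 0:
        return 0.0
    expl = 8.22 * W["AV"][m["AV"]] * W["AC"][m["AC"]] * PR[m["PR"]][int(changed)] * W["UI"][m["UI"]]
    return roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))

def is_prioritized(vector, epss, in_kev, in_ale, policy, ceiling=None):
    """Policy decision (assumed: catalog, CVSS and EPSS checks are OR-ed, inclusive)."""
    m = apply_ceiling(parse_vector(vector), ceiling or {})
    score = environmental_score(m, policy["C"], policy["I"], policy["A"])
    return in_kev or in_ale or score >= policy["cvss"] or epss * 100 >= policy["epss_pct"]

# Constructed example: the default "Medium" policy (EPSS threshold in percent)
# and a remotely exploitable CVE (base score 7.5) on an asset detached from networks.
MEDIUM = {"C": "M", "I": "M", "A": "M", "cvss": 7.0, "epss_pct": 0.5}
VEC = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
```

With MEDIUM, `is_prioritized(VEC, 0.001, False, False, MEDIUM)` is True (7.5 >= 7.0), but once the asset's ceiling caps the attack vector to Local (`ceiling={"AV": "L"}`) the contextual score drops to 6.2 and the CVE is no longer prioritized; a CISA KEV listing prioritizes it regardless.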

Create a criticality

  1. Click on Settings > Criticalities
  2. Click on the “Create” button
  3. Fill out the form
  4. Click on the “Save” button

Edit a criticality

  1. Click on Settings > Criticalities
  2. Click on the edit icon (the default criticalities are not editable)
  3. Fill out the form
  4. Click on the “Save” button

Delete a criticality

  1. Click on Settings > Criticalities
  2. Click on the delete icon (the default criticalities cannot be deleted)

Assign a criticality to an asset

  1. Click on Inventory
  2. Check the lines of the assets to which the criticality should be assigned
  3. Click on “Bulk Edit”
  4. Click on “Update the criticality” in the list
  5. Click on the desired criticality