This page explains how to configure SSVC.
SSVC functionality is only available with the CSIRT plan.
Only organization administrators can perform this operation.
Go to Organization Settings > SSVC.
First, select “Enable SSVC functionality.”
When an SSVC Priority is derived, you can update the task status, priority, and response deadline based on the Priority.
For more information about SSVC Priority, please see here.
When you set “Action > Task Status,” the content of unhandled, in-progress, and on-hold tasks will be updated when an SSVC Priority is updated.
If SSVC Priority is determined to have a higher priority than immediate
or out of cycle
, the task status can be automatically reset to “new.” Tasks marked as “new” are assigned to the “unhandled” status in the vulnerability list and task list submenus, so you can recognize them as tasks that require triage again.
For tasks with lower priority, such as scheduled
or deferred
, the task status can be automatically set to deferred
or risk_accepted
.
Task statuses that can be updated by SSVC are those other than the following statuses:
For information on task status types, please see Task Status.
If you set a priority, the priority of the task will be automatically reflected at the time of SSVC Priority derivation.
The task’s response deadline is automatically updated at the time of SSVC Priority derivation. Tasks that exceed the response deadline can be checked in lists and email notifications, preventing oversight.
For immediate
and out of cycle
priorities, which should be addressed with high priority outside of regular maintenance, please specify “X days after SSVC Priority derivation.” For scheduled
and deferred
, which are sufficient to be addressed during regular maintenance, please specify the maintenance cycle using cron format.
The response deadline will be updated if any of the following apply:
Actions set in Trigger & Action for Priority changes will only be applied when there is a change in SSVC Priority due to scanning. For example, when a new immediate action is set, the new action will not be applied to tasks that already have an SSVC Priority of immediate.
If you want to execute Trigger & Action on a task that has already derived an SSVC, first reset the derived SSVC with the “Enable SSVC Function” setting turned off. Then turn it back on, set Trigger & Action, and run the scan again. The new Trigger & Action will be applied when the scan is executed.
Customize the SSVC decision tree. The default decision tree is set up, but if you need to change the results of SSVC derivation in actual operation, please customize it.
If you customize the decision tree, the SSVC Priority of tasks will be reflected on the next scan. Please wait for the next regular scan, or if you are in a hurry, scan again from “Group Setting>Manually Scan All Servers”.
In the group setting, you can set the Decision Point (required) and override some of the items set in certain organizations (optional).
Decision Point is a setting value used for SSVC derivation. Set the Exposure level of vulnerable components, the Utility Density of the target system, and the Human Impact when attacked. Note that FutureVuls automatically sets values that can be determined from vulnerability information, so users do not need to set them.
There are three Decision Points that require manual settings by users to match the managed system environment:
We will explain how to set each of them.
If you change Exposure, Utility, or HumanImpact, the SSVC Priority of tasks will be reflected on the next scan. Please wait for the next regular scan, or if you are in a hurry, scan again from “Group Setting>Manually Scan All Servers”.
Exposure is a Decision Point that determines the level of internet exposure of the target system.
Exposure Value | Description |
---|---|
small | Systems on local services or highly controlled networks |
controlled | Controlled systems that can detect attacks and respond promptly |
open | Systems that can be accessed without restriction from the internet |
Examples of thinking
Utility Density is a Decision Point that determines the value density of the target system.
Utility Density Value | Description |
---|---|
diffuse | Systems where important information is not concentrated (e.g. employee PCs) |
concentrated | Systems where important information is concentrated (e.g. servers, databases) |
Human Impact is a Decision Point that determines the business impact when the system is attacked.
Human Impact Value | Description |
---|---|
Low | Almost no impact (e.g. PCs, development environments) |
Medium | No impact on core operations (e.g. attendance management systems) |
High | Long-term impact on one core operation (e.g. one core system, one web service) |
Very High | Critical systems where multiple core operations stop and the entire business becomes unable to continue or recover (e.g. online banking or trading systems) |
FutureVuls automatically derives two Decision Points: Exploitation
and Utility Automatable
. Here is an explanation of how each is derived.
Exploitation is a Decision Point that evaluates the presence and reliability of attack code. FutureVuls judges it with the following logic:
Exploitation Value | Description |
---|---|
active | Vulnerabilities on CISA Known Exploited Vulnerabilities Catalog, where attack code is published and exploitation has occurred |
poc | Attack code exists that does not fall under the above category |
none | No attack code has been detected |
Utility Automatable is a Decision Point that determines whether an attacker can automate an attack. In FutureVuls, as of September 2022, the following conditions 1. and 2. are judged as automatable.
Generally, it is set by organization, but if it is necessary to set it individually for a specific group in actual operation, it is possible to override the organization setting at the group level. If you override the setting, you can confirm which group overrode which setting on the organization settings screen.
Customize the SSVC decision tree. Basically, the decision tree of the organization will be reflected, but if it is determined that it is necessary to change the SSVC derivation result for each group in actual operation, customize it here.
In the role settings, override settings (optional) for each role of Decision Point are possible. If you set them, the Decision Point for the group belonging to that role will be overwritten with the set value. The default value is the value of each group’s Decision Point.
By default, the value of each group’s Decision Point is reflected, as shown in the capture below, as the default value. After setting the Decision Point value for each role, you can reset the value for each group’s Decision Point by pressing the reset button displayed in the upper right corner.