SSVC (Stakeholder-Specific Vulnerability Categorization) is a framework for vulnerability management. For more details, please see here.
SSVC functionality is available only for the CSIRT plan.
With the CSIRT plan, you can use advanced automatic triage. SSVC derives the actual risk of each task and, based on rules set in advance, automatically determines the specific response, such as task priority, task response deadline, and task status.
Here, we introduce how SSVC works on FutureVuls.
SSVC prioritizes tasks managed on FutureVuls into the following 4 levels:
| SSVC Priority | Contents |
|---|---|
| Immediate | Concentrate all resources and promptly respond, stopping normal business operations of the organization if necessary |
| Out-of-Cycle | Take action more quickly than usual and implement mitigation or repair measures on an unplanned opportunity |
| Scheduled | Respond during regular maintenance |
| Defer | Do not respond at this time |
This prioritization (hereinafter referred to as SSVC Priority) lets you respond immediately to high-priority tasks while holding low-priority or non-problematic tasks in reserve. On FutureVuls, the SSVC Priority is derived for each task at the time of vulnerability detection and scanning.
To derive SSVC Priority, we use the SSVC decision tree. Specifically, we consider the combination of the following 5 items (hereinafter referred to as DecisionPoint) and derive the SSVC Priority based on the result.
| DecisionPoint | Contents | Setting method |
|---|---|---|
| Exploitation | Publication of attack code and level of abuse | Derived automatically |
| Exposure | Exposure level of vulnerable components | Manually set |
| Utility Density | Value density of target systems | Manually set |
| Utility Automatable | Automation of attacks | Derived automatically |
| Human Impact | Business impact when attacked | Manually set |
Note that DecisionPoints related to vulnerabilities (Exploitation and Utility Automatable) are automatically derived based on information collected by FutureVuls. Other items can be set on a group basis. See SSVC Setting Method for details on how to set them.
Timing of SSVC Priority derivation
In FutureVuls, SSVC Priority is derived when vulnerabilities are scanned. It may therefore not reflect changes in the vulnerability status that occurred after the scan. To reflect such changes in the SSVC Priority, scan again to update the status.
For each SSVC Priority, you can define “Actions to perform when different from the previous time”, so that task information is updated automatically based on the derived Priority. In the case of “Immediate”, further automation and labor-saving are possible by automatically setting the task priority to “High” and the response deadline to “3 days later”.
Please refer to CSIRT Plan>Automatic Triage>Advanced Automatic Triage using SSVC for more details.