What is SSVC

What is SSVC

SSVC (Stakeholder-Specific Vulnerability Categorization) is a framework for vulnerability management. For more details, please see here.

With CSIRT Plan, you can use advanced automatic triage functionality. By using SSVC, you can derive the actual risks and automatically determine the specific response contents such as task priority, task response deadline, and task status based on the rules set in advance.

Here, we introduce how SSVC works on FutureVuls.

Classify detected vulnerabilities into 4 risk levels

SSVC prioritizes tasks managed on FutureVuls into the following 4 levels:

 SSVC Priority Contents
Immediate Concentrate all resources and promptly respond, stopping normal business operations of the organization if necessary
Out-of-Cycle Take action more quickly than usual and implement mitigation or repair measures on an unplanned opportunity
Scheduled Respond during regular maintenance
Defer Do not respond at this time

This prioritization (hereinafter referred to as SSVC Priority) enables prioritization of immediate response to high-priority tasks and holding low-priority or non-problematic tasks in reserve. On FutureVuls, the SSVC Priority is derived for each task at the timing of vulnerability detection and scanning.

How to derive SSVC Priority

To derive SSVC Priority, we use the SSVC decision tree. Specifically, we consider the combination of the following 5 items (hereinafter referred to as Decision Point) and derive the SSVC Priority based on the result.

Decision Point Contents Setting method
Exploitation Publication of attack code and level of abuse Derived automatically
Exposure Exposure level of vulnerable components Manually set
Utility Density Value density of target systems Manually set
Utility Automatable Automation of attacks Derived automatically
Human Impact Business impact when attacked Manually set

Note that Decision Points related to vulnerabilities (Exploitation and Utility Automatable) are automatically derived based on information collected by FutureVuls. Other items can be set on a group basis. See SSVC Setting Method for details on how to set them.

Advanced Automatic Triage using SSVC

SSVC Priority allows defining “Actions to perform when different from the previous time”. Based on the derived Priority, task information can be automatically operated. In the case of “Immediate”, further automation and labor-saving are possible by automatically setting the task priority to “High” and the response deadline to “3 days later”.

Please refer to CSIRT Plan>Automatic Triage>Advanced Automatic Triage using SSVC for more details.