FutureVuls’ automatic triage function consists of three functions, which are recommended to be used in combination.
Automatic triage functionality is available in the CSIRT plan.
Vulnerability management based on CVSS basic values alone has the problem of not being able to make decisions on an “actual risk basis. The CVSS Base Score is not a reliable measure of the actual risk of a vulnerability.
The latest framework for vulnerability management designed to address the above issues of CVSS is the Carnegie Mellon University paper「SSVC」(Stakeholder-Specific Vulnerability Categorization) and FutureVuls implements and incorporates the latest SSVC triage engine.
SSVC can derive the “actual risk” using a decision tree based not only on the vulnerability itself, but also on the following four pieces of information, and automatically determine the response in four steps.
Four input information to the SSVC decision tree (Decision Point)
By tracing the decision tree using these four pieces of information and vulnerability information as variables, the following four response levels (SSVC Priority) are derived as output.
|Immediate||Respond as quickly as possible by focusing all resources and suspending normal operations of the organization if necessary.|
|Out-of-Cycle||Act more quickly than usual and implement mitigation or remediation measures for unplanned opportunities|
|Scheduled||Respond during scheduled maintenance|
|Defer||Not supported at this time|
To start using the SSVC triage engine in FutureVuls, configure two different pieces of information for each system from the group settings.
By simply setting these two different characteristics for each system, SSVC’s automatic triage engine will run and automatically classify the detected vulnerabilities into four levels.
For details on configuration, please refer to manual>How to configure SSVC The SSVC decision tree can also be customized.
The SSVC Priority derived from the SSVC Decision Tree has the advantage that the basis for the decision is clear, and FutureVuls displays the derivation process of the SSVC Decision Tree in a way that is easy to understand at a glance. The derivation process is displayed on the task detail screen as shown in the figure below.
The “SSVC Priority” column has also been added to the most screens, such as the Vulnerability tab and the Tasks tab, so that filter operations, such as displaying only “immediate” results, can be performed on the list screen.
FutureVuls allows you to set actions triggered by the four SSVC Priorities output by SSVC.
For example, an
Immediate task can have its
Priority set to
High and its
Task Due Date set to
2 weeks later, or a
Scheduled task can have its
Task Status set to
Priority set to
Low and its
Task Due Date set to the CRON expression, for example, next You can also set the
Task Due Date to the CRON expression, for example,
Wednesday of the 2nd week of December, which is the next maintenance day. Please refer to manual for specific settings.
How does the SSVC functionality improve day-to-day operations?
It is an image of managing tasks triaged by SSVC by continuously responding to them with daily differences.
Tasks that are deemed “immediate” or “out-of-cycle” will be assigned to the “Vulnerabilities Tab > Critical Unaddressed”. By setting up SSVC Triggers & Actions, you can automatically instruct your operators to automatically set deadlines, status, and priorities.
In addition, tasks that are determined to be “scheduled” or “defer” can be set to be automatically triaged to “pending” or “responded to” by automatically setting the task status to “defer” or “risk_accepted” using the SSVC Trigger & Action function.
In this way, the SSVC function can be used to
In this way, SSVC can automate the tasks from priority determination -> task operation -> instructions to operators, which is a costly part of daily operations that requires expert knowledge.
The content explained on this page is a simplified version of the content presented at “Vuls Festival#6” If you want to know more details about SSVC and how to derive it in an actual system, please refer to “Youtube Vuls Festival#6” for more details on SSVC and how to derive it in real systems.
The video explains the process of deriving SSVC decision tree using the following 5 patterns of systems as examples. (Movie 27:00～)
The results of actual automatic classification of vulnerabilities detected on FutureVuls using SSVC decision tree are also presented. (Video 31:10～)
As shown in the slide above, for a total of 4,716 vulnerabilities
Compared to CVSS basic score-based triage, SSVC has overwhelming filtering performance (15 times or more narrowing depending on the system environment), and the result shows that SSVC can narrow down the number of “actual risk-based” cases to those that are realistically feasible in daily vulnerability management.
For more information on SSVC and FutureVuls’ automated triage, please refer to the following blogs and manuals.
The Danger Functioncan be used to alert other operators. Dangerous CVEs are highlighted in red. Operators in other groups will be aware of the alerted vulnerability and can view the topic to learn more information about the alert. For example, this function can be used as a complement to SSVC to alert the organization of a vulnerability that is not currently “Immediate” as a result of SSVC, but has a CVSS score of 10, just in case.
The Auto-hide functionis a function to predefine a rule “deemed low risk” and automatically hide low-risk tasks that fall under the rule (detection is done, but the task is automatically put into hidden status).