Vulnerability Scoring

Transcript

Hi there. My name is Katie Morland. I’m a member of the product team here at PlexTrac and wanted to give a quick demo on some of the scoring work that we have coming out here shortly. The first thing I want to show you today is our new CVSS Three one calculator. I have jumped right in and am actually editing a finding that’s already inside of a report. A few things that we’ve changed related to the finding. Details include the severity selector.

That’s something that we made a few adjustments to and you’ll see that in use here in a second. So a little background currently today in the product we offer multiple scoring types to be added to a finding that is still the case today. However, we have decided to save a little space. You can toggle through each of the various scores that could possibly be tracked against a finding by using this drop down here and navigating through the list. So for this particular example, this finding came in through a scanner and the CVS Three score was pulled in from that particular scanner. So we can see the value, the label, and then also the calculation that was pulled in from the scanner that was used. However, we want to take a look at this from another angle.

So three auto is the older version of CVS and maybe we want to go and move this more to the future. So we are going to come in and take a look at the calculator that we’ve built to make things a little bit easier for you guys. So first things first. There’s a few different sections of this particular calculator. There’s kind of our base metrics and then we have two additional areas. We have the temporal and environmental scoring as well. Based on your selections here, we will auto generate a severity and a top level score for the particular findings.

So we’re going to go ahead and just make a couple of selections here just so we have an example and as you can see, this particular finding has been scored at a medium with a 5.1. We’re going to go ahead and click Save and you can see that this was updated. If I navigate back down to three auto, you can see that this score is also still saved on the findings. So we didn’t lose that information. If we had maybe another touch point that we wanted to add, maybe a risk score or something else that was coming in from maybe a different product and we wanted to make sure that was captured on this particular finding. You can add those general scores here as well, similar to what you can do today. So we’re going to jump back to the CVS Three One.

As I mentioned, the severity and the score were auto calculated by what you selected in the calculator. Now maybe you’ve done some chatting with your team and you don’t really feel like this is a medium, you feel like this is a low. You do have the ability to override the severity of the finding even though it was auto calculated by the calculator. However, we do pop this to make sure that you are aware that you’re making this manual change. So we’re going to go ahead and click override. Now if I’m moving through the three Auto score or the two Auto or the general, these scores do not auto calculate anything related to do with the severity. These are just additional scores that can be added to your findings to add additional detail and nuance.

So if we move a little bit further down the page, we can see there’s quite a bit of information here. Since this is an older finding, we’re populating references with CVE information that’s coming in from those scanners, as I mentioned before. But what we’ve done is we’ve broken out and added two fields, two optional fields to each finding. The first is the CVE ID and then the Cweid. As you can see here, these particular CVEs have already been added to this client. So we have the ability to go down and make a selection since they’ve already been added. We do have field validation here so that if you’re at manually adding a CBE or copy and pasting a number from somewhere else, it is going to check and make sure that it fits the format of a CBE to date.

So we’re going to go ahead and select one that’s already been established and then we’re going to go ahead and this finding has already been saved, which is amazing. So then we’re going to go ahead and pop back to details.

So when you navigate back to the specific findings overview in view mode, you’re able to see the scores that we added. So here you can see the five one. You can see that we’ve adjusted the severity based on our own insight to low. It was a medium that was calculated from the calculator, but we made that manual adjustment. And then you can also see the CVE ID that we’ve added down here at the bottom. And that’s the tag that we added. And we’ve also hyperlinked this.

So as a user you can click on it and jump out to the particular CVE that was indicated and take a look at the information so you can learn a little bit more about what’s going on. If we want to go back in, and this isn’t exactly a perfect example, but we’ll go ahead and jump in and add a CWE ID as well. And then we will jump back to the view mode of the finding and take a look. And as you can see, this CWE also is hyperlinked. So if I click on it, it’s going to take me to Mitre’s website specifically focus on CWE and give me all the information that I need. We’re very excited about these two new improvements. We’ve also made some adjustments to analytics so that you’re able to see and kind of manipulate your findings information with some of the data that we’re now collecting.

So if you take a look and scroll down all the way to the bottom at this point in time, we’ve added a few things. We added assignees a while back, and if you’re not aware of that, you can look for specific assignees here to indicate which findings are assigned to each person. So you’re looking for a particular individual and you want to see what their potential workload is like or tracking progress on remediation. If you take a look down here, we have the same kind of experience that we have elsewhere in analytics where you can go ahead and make a selection. And then we will filter the information that’s shown in the left by those specific items that have been selected. And as you can see on the left hand side, we’ve had some adjustments. So we started with about 500 or so findings, and now we can see that there’s two findings total that have this particular CBE.

And if we want to go ahead and take a peek at these particular findings, we can access them here. We can also jump into the reports where they were found. So those are a few of the changes that we have implemented and they will be releasing to you very soon. Please let us know if you have any questions. There will be a joining documentation available, and we look forward to hearing any comments or feedback. Thank you so much.