Mitigation Summary

by David Schwalenberg
June 18, 2014

This dashboard presents vulnerability summary information grouped in various ways. It provides a succinct visual representation of how quickly vulnerabilities on the network are being mitigated and how many exploitable vulnerabilities remain.

Each of the “Vulnerabilities by…” components on the dashboard presents eight columns of vulnerability summary information, as follows:

The Total Mitigated column displays the total number of mitigated vulnerabilities. The next three columns display the percentage of these vulnerabilities that were mitigated within the specified number of days. Ideally, the percentage of vulnerabilities mitigated in less than 10 days should be close to 100%. The percentage of vulnerabilities mitigated after more than 30 days should be close to 0%, because all vulnerabilities should have been mitigated before then.

The Total Unmitigated column displays the total number of vulnerabilities that have not yet been mitigated. The Exploitable column displays the percentage of those unmitigated vulnerabilities that are known to be exploitable. The Patch Available column displays the percentage of the unmitigated, exploitable vulnerabilities that have had a patch available for more than 30 days. Ideally, both of these percentages should be 0%, because all exploitable vulnerabilities and all vulnerabilities with patches available should have been mitigated already.

The Exploitable Hosts column displays the number of hosts on the network that have unmitigated, exploitable vulnerabilities.

The dashboard and its components are available in the SecurityCenter Feed, an app store of dashboards, reports, and assets. The dashboard can be easily located in the SecurityCenter Feed by selecting category Threat Detection & Vulnerability Assessments, and then selecting tags vulnerabilities and mitigated. The dashboard requirements are:

  • SecurityCenter 4.8
  • Nessus 5.2.5
  • LCE 4.2.2
  • PVS 4.0.1

Listed below are the included components:

  • Mitigation Summary – 3-Month Trend of Vulnerabilities - This component is a 3-month summary chart tracking unmitigated vulnerabilities of low, medium, high, and critical severity.
  • Mitigation Summary – Vulnerabilities by Severity - This matrix presents vulnerability summary information by severity. In the matrix, the row with purple is critical severity vulnerability information; the row with red is high severity; the row with orange is medium severity; and the row with blue is low severity.
  • Mitigation Summary – Vulnerabilities by CVSS Score - This matrix presents vulnerability summary information by Common Vulnerability Scoring System (CVSS) score. CVSS is an open industry standard for assessing the severity of computer system security vulnerabilities; it attempts to establish a measure of how much concern a vulnerability warrants, compared to other vulnerabilities, so efforts can be prioritized. The scores range from 0 to 10. Vulnerabilities with a base score in the range 7.0-10.0 are critical, those in the range 4.0-6.9 are major, and those in the range 0.0-3.9 are minor. The CVSS scores correspond to the Tenable severity levels as follows: 10.0 = Critical severity, 7.0-9.9 = High, 4.0-6.9 = Medium, and 0.0-3.9 = Low. In the matrix, the row with purple is critical severity vulnerability information; the row with red is high severity; the row with orange is medium severity; and the row with blue is low severity.
  • Mitigation Summary – Vulnerabilities by CVE ID - This matrix presents vulnerability summary information by Common Vulnerabilities and Exposures (CVE) identifier. The CVE system is a dictionary of publicly known information security vulnerabilities and exposures in publicly released software packages. Each CVE identifier begins with a year; in the matrix, the identifiers are grouped in 5 year blocks.
  • Mitigation Summary – Vulnerabilities by Group - Nessus and PVS use many different plugins to discover vulnerabilities on various network systems and devices. This matrix presents vulnerability summary information by groups of related Nessus and PVS plugins, such as all Windows plugins, all Linux/Unix plugins, etc.
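The eight summary columns described above, together with the severity, CVSS-score and CVE-year groupings used by the matrix components, can be reproduced from raw vulnerability records. The following is an added example written for this page, not Tenable's own SecurityCenter code; it assumes a record layout (host, severity, CVSS base score, CVE ID, exploitable flag, first-seen date, mitigation date, patch publication date) and a set of constructed sample findings. Two details the page leaves open are assumptions here: the middle time column is taken to cover 10 to 30 days inclusive, and the Patch Available percentage is taken relative to the unmitigated exploitable findings, as the column description reads.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional


@dataclass
class Vuln:
    """One vulnerability finding on one host (assumed record layout)."""
    host: str
    severity: str                      # "Critical", "High", "Medium", "Low"
    cvss: float                        # CVSS base score, 0.0-10.0
    cve: Optional[str]                 # e.g. "CVE-2013-0001", or None
    exploitable: bool                  # known public exploit exists
    first_seen: date                   # when the finding was first detected
    mitigated: Optional[date]          # None while still unmitigated
    patch_published: Optional[date]    # None if no vendor patch is known


def cvss_to_severity(score: float) -> str:
    """Map a CVSS base score onto the Tenable severity levels quoted on the page."""
    if score >= 10.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def cve_year_block(cve: Optional[str]) -> str:
    """Group a CVE ID by its year into 5-year blocks (boundaries at multiples of 5 are an assumption)."""
    if not cve:
        return "no CVE"
    year = int(cve.split("-")[1])
    start = year - (year % 5)
    return f"{start}-{start + 4}"


def _pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to one decimal; 0.0 when the denominator is empty."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def summarize(vulns: List[Vuln], key: Callable[[Vuln], str], as_of: date) -> Dict[str, Dict[str, float]]:
    """Build the eight-column mitigation summary, one row per grouping key."""
    rows: Dict[str, List[Vuln]] = {}
    for v in vulns:
        rows.setdefault(key(v), []).append(v)

    summary: Dict[str, Dict[str, float]] = {}
    for k, group in rows.items():
        mitigated = [v for v in group if v.mitigated is not None]
        unmitigated = [v for v in group if v.mitigated is None]
        # Days between detection and mitigation, for the three time-bucket columns
        ages = [(v.mitigated - v.first_seen).days for v in mitigated]
        exploitable = [v for v in unmitigated if v.exploitable]
        # Exploitable, unmitigated findings whose patch has been out for more than 30 days
        patch_stale = [v for v in exploitable
                       if v.patch_published is not None and (as_of - v.patch_published).days > 30]
        summary[k] = {
            "total_mitigated": len(mitigated),
            "pct_lt_10_days": _pct(sum(a < 10 for a in ages), len(ages)),
            "pct_10_to_30_days": _pct(sum(10 <= a <= 30 for a in ages), len(ages)),
            "pct_gt_30_days": _pct(sum(a > 30 for a in ages), len(ages)),
            "total_unmitigated": len(unmitigated),
            "pct_exploitable": _pct(len(exploitable), len(unmitigated)),
            "pct_patch_available": _pct(len(patch_stale), len(exploitable)),
            "exploitable_hosts": len({v.host for v in exploitable}),
        }
    return summary


# Constructed sample findings; dates are relative to the page's publication date.
AS_OF = date(2014, 6, 18)
SAMPLE_VULNS = [
    Vuln("h1", "Critical", 10.0, "CVE-2013-0001", True,  date(2014, 5, 1),  date(2014, 5, 5),  date(2014, 4, 1)),
    Vuln("h1", "High",     9.3,  "CVE-2014-0002", False, date(2014, 4, 1),  date(2014, 4, 20), date(2014, 3, 1)),
    Vuln("h2", "High",     7.5,  "CVE-2012-0003", True,  date(2014, 3, 1),  date(2014, 4, 15), None),
    Vuln("h2", "Critical", 10.0, "CVE-2009-0004", True,  date(2014, 5, 10), None,              date(2014, 4, 10)),
    Vuln("h3", "Critical", 10.0, "CVE-2011-0005", True,  date(2014, 6, 1),  None,              date(2014, 6, 10)),
    Vuln("h3", "Medium",   5.0,  None,            False, date(2014, 6, 5),  None,              None),
    Vuln("h1", "Low",      2.1,  "CVE-2006-0007", True,  date(2014, 2, 1),  None,              date(2014, 1, 15)),
]

GROUPINGS = {
    "Severity": lambda v: v.severity,
    "CVSS Score": lambda v: cvss_to_severity(v.cvss),
    "CVE ID": lambda v: cve_year_block(v.cve),
}

if __name__ == "__main__":
    for name, key in GROUPINGS.items():
        print(f"== Vulnerabilities by {name} ==")
        for row, cols in summarize(SAMPLE_VULNS, key, AS_OF).items():
            print(f"{row:>10}: {cols}")
```

Running the script prints one matrix per grouping. In the sample data the Critical row shows the pattern the page flags as a problem: every unmitigated critical finding is exploitable, and half of them have had a patch available for more than 30 days, so the Exploitable and Patch Available columns are far from the 0% the page describes as the goal.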