In our first blog post on how to operationalize the Stakeholder Specific Vulnerability Categorization (SSVC) model, we discussed the intent behind the model, explored the promise of its core concept of risk-driven decision trees to transform vulnerability management, and examined the challenges that security teams face in realizing that promise.
In this blog post, we delve deeper into the SSVC decision focus principle. This topic builds on our earlier discussion of the qualitative assessment principle to inform ‘what’ to fix, based on contextual analysis and insights.
Silk’s orientation is toward enabling the fix, in contrast to approaches based on triage of technical findings, or producing a generalized severity score that is challenging to operationalize.
As an integral component of that orientation, Silk identifies the stakeholders responsible for the remediation steps of a fix, using predictive assignment that incorporates environmental and organizational context. Security teams that in the past may have spent weeks trying to identify a fix owner can quickly assign the task, and refine assignment accuracy over time as the Silk system learns from ongoing interactions and re-assignments.
In tandem, security teams can also build asset ownership maps that help them take a systematic and repeatable approach to fix assignment as part of SSVC operationalization.
The risk prioritization journey is as important as the remediation destination
One criticism directed against the SSVC model is that the four potential categorizations of decision values for actions don’t provide concrete guidance. The decision values for response actions are Track, Track* (which may require closer monitoring), Attend and Act, with escalating degrees of urgency.
This criticism is valid, but also misses the point. It’s valid, since decision values are inevitably subjective, based on both quantitative and qualitative assessments, rather than technical scoring. Equally, it misses the point since the intent is to help inform how stakeholders should respond to the decision tree output.
The process is as important as the outcome, since SSVC decision values are a lever for the next phase in remediation: operationalizing the fix. In the same way that the output of an SSVC decision tree is informed by environmental and impact context, who is responsible for responding to the decision value is framed by organizational context.
To close the feedback loop on the operational impact of the security team’s decision value, a bidirectional integration between the ticketing system and the console that the security team uses lets the operations team ask for clarification of the fix, or of the decision value, when they need it. The same bidirectional integration is also key to maintaining visibility into the status of the remediation action.
Prioritization scoring, even with frameworks designed for assessing the likelihood of an exploit such as the Exploit Prediction Scoring System (EPSS), on its own only provides a generalized input for one phase in the risk resolution lifecycle. Reaching a decision value by working through the SSVC decision framework makes the action specific, and can also inform who should be responsible for the next step.
How Silk Helps
Silk’s platform connects the ‘what to fix’ of the SSVC’s qualitative assessment principle with the ‘who should fix’ aspect of the decision focus principle.
Silk’s asset-centric approach, which enables three-dimensional prioritization, also serves as the foundation for automated discovery of fix owners and organizational structure mapping.
New technology adoption has put existing vulnerability management approaches under enormous strain, and security teams often struggle to identify a fix owner in the absence of consistent organizational knowledge for fix ownership mapping and automated assignment rules.
By enriching asset ownership with analysis of organizational structure, access logs and identity directory store logic, Silk automates the process of fix ownership assignment, with ongoing refinement based on fixer interaction. In tandem with contextual risk prioritization, Silk closes the ownership gap, addresses a major obstacle to efficient risk resolution, and enables consistent and repeatable operationalization of the SSVC model.
Instead of constantly approaching the fix ownership challenge on an individualized basis, security teams can operate with some degree of certainty based on fix assignment rules. Operations stakeholders can also re-assign the fix if they or their teams are not responsible for the asset where a finding has been identified.
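The workflow described in this section, as an added illustration that is not Silk’s code: a simplified SSVC-style decision tree produces a decision value, an asset ownership map turns that into a fix owner via explicit owners and tag-based assignment rules, and a re-assignment by the operations stakeholder refines the map. The decision points (exploitation, automatable, mission_impact), their cut-offs, the `OwnershipMap` layout, the team names and the `security-triage` fallback are all assumptions for the example.

```python
from dataclasses import dataclass, field

DECISION_VALUES = ("Track", "Track*", "Attend", "Act")  # escalating urgency

def ssvc_decision(exploitation: str, automatable: bool, mission_impact: str) -> str:
    """Simplified deployer-style tree over assumed decision points (exploitation:
    none|poc|active, mission_impact: low|medium|high); cut-offs are illustrative."""
    if exploitation == "active":
        if mission_impact == "high":
            return "Act"
        return "Attend" if automatable or mission_impact == "medium" else "Track*"
    if exploitation == "poc":
        if mission_impact == "high":
            return "Attend" if automatable else "Track*"
        return "Track*" if automatable else "Track"
    return "Track*" if automatable and mission_impact == "high" else "Track"

@dataclass
class OwnershipMap:
    """Asset ownership map (hypothetical layout, e.g. seeded from CMDB/directory)."""
    by_asset: dict = field(default_factory=dict)  # asset id -> team
    by_tag: dict = field(default_factory=dict)    # "key=value" tag -> team
    reassignments: list = field(default_factory=list)

    def owner_for(self, asset: str, tags: dict) -> tuple:
        # Returns (team, rule) so the caller can see which rule fired.
        if asset in self.by_asset:
            return self.by_asset[asset], "asset"
        for k, v in tags.items():
            if f"{k}={v}" in self.by_tag:
                return self.by_tag[f"{k}={v}"], f"tag:{k}={v}"
        return "security-triage", "unassigned"  # nobody mapped: back to security

    def reassign(self, asset: str, tags: dict, new_team: str) -> None:
        """Operations stakeholder hands the fix back: record it and refine the map."""
        old_team, rule = self.owner_for(asset, tags)
        self.reassignments.append((asset, old_team, new_team, rule))
        self.by_asset[asset] = new_team
        # Once a tag rule has been corrected the same way twice, fix the rule itself.
        if rule.startswith("tag:"):
            same = [r for r in self.reassignments if r[3] == rule and r[2] == new_team]
            if len(same) >= 2:
                self.by_tag[rule[4:]] = new_team

def route_finding(owners: OwnershipMap, finding: dict) -> dict:  # what + who
    decision = ssvc_decision(finding["exploitation"], finding["automatable"],
                             finding["mission_impact"])
    team, rule = owners.owner_for(finding["asset"], finding["tags"])
    return {"asset": finding["asset"], "decision": decision, "owner": team,
            "rule": rule, "open_ticket": DECISION_VALUES.index(decision) >= 2}
```

Only Attend and Act open a ticket here; Track and Track* stay on the security team’s console for monitoring.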
In our next post in the SSVC blog series, we will discuss communicating the ‘why’ and ‘how’ to fixers through the transparency and understandability principle.