Prioritize the remediation of vulnerabilities

This page explains some of the information and methods that you can use to prioritize Security Command Center findings of software vulnerabilities, misconfigurations, and, with the Enterprise tier, toxic combinations. Collectively, these are called posture findings. Prioritizing them helps you reduce risk and improve your security posture relative to your applicable security standards more quickly and efficiently.

The purpose of prioritization

Because your time is limited and the volume of Security Command Center posture findings can be overwhelming, especially in larger organizations, you need to quickly identify and respond to the vulnerabilities that pose the greatest risk to your organization.

You need to fix vulnerabilities to reduce the risk of a cyberattack on your organization and to maintain your organization's compliance with applicable security standards.

To effectively reduce the risk of a cyberattack, you need to find and fix the vulnerabilities that expose your resources the most, that are most exploitable, or that would result in the most severe damage if they were to be exploited.

To effectively improve your security posture with respect to a particular security standard, you need to find and fix the vulnerabilities that violate the controls of the security standards that apply to your organization.

The following sections explain how you can prioritize Security Command Center posture findings to meet these purposes.

Prioritize posture findings to reduce risk

Posture findings include the following information that you can use to prioritize the remediation of the underlying security issue:

  • Attack exposure score or toxic combination score
  • CVE records with CVE assessments by Mandiant (Preview)
  • Severity

Prioritize by attack exposure scores

Generally, prioritize the remediation of a posture finding that has a high attack exposure score over a posture finding that has a lower score or no score.

Posture findings include toxic combination findings. If the score on a toxic combination finding is roughly equal to the attack exposure score on a finding in a different finding class, you should prioritize the remediation of the toxic combination finding, because it represents a complete path that a potential attacker could follow from the public internet to one or more of your high-value resources.

If the attack exposure score of a finding in another finding class is significantly higher than the score on a toxic combination finding, prioritize the finding with the significantly higher score.

View scores in the Security Operations console

In the Security Operations console, you work primarily with cases, in which findings are documented as alerts.

You can view the toxic combination cases with the top attack exposure scores on the Posture > Overview page.

You can view the scores for all cases on the Cases page, where you can sort the cases by their attack exposure scores. You can also sort findings by attack exposure score on the Posture > Findings page.

For information about how to query for toxic combination cases specifically, see View the details of a toxic combination case.

View scores in the Google Cloud console

In the Google Cloud console, the scores appear with the findings in multiple places, including the following:

  • On the Risk overview page, where the 10 findings with the highest scores are displayed.
  • In a column on the Findings page, where you can query and sort findings by score.
  • When you view the details of a posture finding that affects a high-value resource.

On the Findings page in the Google Cloud console, the attack exposure scores of toxic combination findings are presented in the Toxic combination score column, separately from the attack exposure scores of other finding classes.

In the Google Cloud console, you can see the findings that have the highest attack exposure scores by following these steps:

  1. Go to the Risk overview page in the Google Cloud console.

  2. Use the project selector in the Google Cloud console to select the project, folder, or organization for which you need to prioritize vulnerabilities.

  3. In the Top toxic combination cases section, review the findings with the highest toxic combination scores.

    • Click the View case link to open the corresponding case in the Security Operations console.

  4. In the Active vulnerability findings section, review the posture findings that have the highest attack exposure scores. Toxic combination findings are not included in this section.

    • Click a score in the Attack exposure score column to open the attack path details page for the finding.

    • Click a finding name to open the finding details panel on the Findings page.

Prioritize by CVE exploitability and impact

Generally, prioritize the remediation of findings that have a CVE assessment of high-exploitability and high-impact over findings with a CVE assessment of low-exploitability and low-impact.

CVE information, including the exploitability and impact assessments of the CVE that are provided by Mandiant, is based on the software vulnerability itself.

On the Overview page, in the Top CVE findings section, a chart, or heat map, groups vulnerability findings into blocks by the exploitability and impact assessments that are provided by Mandiant.

When you view the details of software vulnerability findings in the console, you can find the CVE information in the Vulnerability section of the Summary tab. In addition to impact and exploitability, the Vulnerability section includes the CVSS score, reference links, and other information about the CVE vulnerability definition.

To quickly identify the findings that have the highest impact and exploitability, follow these steps:

  1. Go to the Overview page in the Google Cloud console.

  2. Use the project selector in the Google Cloud console to select the project, folder, or organization for which you need to prioritize vulnerabilities.

  3. In the Top CVE findings section of the Overview page, click the block with a non-zero number that has the highest exploitability and impact. The Findings by CVE page opens to show a list of CVE IDs that have the same impact and exploitability.

  4. In the Findings by CVE ID section, click a CVE ID. The Findings page opens to display the list of findings that share that CVE ID.

  5. On the Findings page, click the name of a finding to see the details of the finding and recommended remediation steps.

Prioritize by severity

Generally, prioritize a posture finding with a CRITICAL severity over a posture finding with a HIGH severity, prioritize HIGH severity over a MEDIUM severity, and so forth.

Finding severities are based on the type of security issue and are assigned to finding categories by Security Command Center. All findings in a particular category or subcategory are issued with the same severity level.

Unless you are using the Enterprise tier of Security Command Center, finding severity levels are static values that don't change over the life of the finding.

With the Enterprise tier, the severity levels of posture findings more accurately represent the real-time risk of a finding. The findings are issued with the default severity level of the finding category, but, while the finding remains active, the severity level can increase or decrease as the attack exposure score of the finding increases or decreases.

Perhaps the easiest way to identify the highest severity vulnerabilities is to use Quick filters on the Findings page in the Google Cloud console.

To view the highest severity findings, follow these steps:

  1. Go to the Findings page in the Google Cloud console.

  2. Use the project selector in the Google Cloud console to select the project, folder, or organization for which you need to prioritize vulnerabilities.

  3. In the Quick filters panel on the Findings page, select the following properties:

    • Under Finding class, select Vulnerability.
    • Under Severity, select Critical, High, or both.

    The Findings query results panel updates to show only findings that have the specified severity.

You can also see posture finding severities on the Overview page in the Active vulnerability findings section.
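
The three signals described above (score, CVE assessment, severity) can be combined into a single remediation order for findings that you have exported. The following Python code is an added example, not part of Security Command Center or of the original page: the record fields, the level names, the 1.0 "roughly equal" tolerance, and the choice to consult the CVE assessment before severity are all assumptions.

```python
# Added example, not Security Command Center code. Record fields, level names
# and the tolerance are assumptions made for illustration.
SEVERITY = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}
LEVEL = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Assumption: scores within this distance count as "roughly equal".
ROUGHLY_EQUAL = 1.0


def priority_key(finding):
    """Return a sort key; larger keys are remediated first."""
    score = finding.get("score")  # None: the finding has no score
    toxic = finding.get("finding_class") == "TOXIC_COMBINATION"
    if score is None:
        effective = -1.0  # any scored finding outranks an unscored one
    else:
        # Crediting a toxic combination with the tolerance keeps it ahead
        # unless the other finding's score is higher by more than that.
        effective = score + (ROUGHLY_EQUAL if toxic else 0.0)
    return (
        effective,
        toxic,  # exact tie after the credit: toxic combination first
        LEVEL.get(finding.get("exploitability"), 0),
        LEVEL.get(finding.get("impact"), 0),
        SEVERITY.get(finding.get("severity"), 0),
    )


def prioritize(findings):
    return sorted(findings, key=priority_key, reverse=True)


# Constructed sample records (not real findings).
SAMPLE = [
    {"name": "open-firewall", "finding_class": "MISCONFIGURATION",
     "score": 12.4, "severity": "HIGH"},
    {"name": "toxic-path", "finding_class": "TOXIC_COMBINATION",
     "score": 12.0, "severity": "CRITICAL"},
    {"name": "cve-a", "finding_class": "VULNERABILITY", "score": 30.1,
     "severity": "HIGH", "exploitability": "HIGH", "impact": "HIGH"},
    {"name": "cve-b", "finding_class": "VULNERABILITY", "score": None,
     "severity": "CRITICAL", "exploitability": "LOW", "impact": "LOW"},
    {"name": "cve-c", "finding_class": "VULNERABILITY", "score": None,
     "severity": "HIGH", "exploitability": "HIGH", "impact": "HIGH"},
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f["name"], priority_key(f))
```

Tune ROUGHLY_EQUAL to the spread of scores in your own environment; the page gives no numeric threshold for "roughly equal" or "significantly higher".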

Prioritize posture findings to improve compliance

When prioritizing posture findings for compliance, your main concern is the findings that violate the controls of the applicable compliance standard.

You can see the findings that violate the controls of a particular benchmark by following these steps:

  1. Go to the Compliance page in the Google Cloud console.

  2. Use the project selector in the Google Cloud console to select the project, folder, or organization for which you need to prioritize vulnerabilities.

  3. Next to the name of the security standard that you need to comply with, click View details. The Compliance details page opens.

  4. If the security standard you need is not displayed, specify the standard in the Compliance standard field on the Compliance details page.

  5. Sort the listed rules by Findings by clicking the column heading.

  6. For any rule that shows one or more findings, click the rule name in the Rules column. The Findings page opens to display the findings for that rule.

  7. Remediate the findings until there are no findings left. After the next scan, if no new vulnerabilities are found for the rule, the percentage of controls passed increases.