Prioritize the remediation of vulnerabilities

This page explains some of the information and methods that you can use to prioritize Security Command Center vulnerability and misconfiguration findings (vulnerabilities, collectively), so that you can reduce risk and improve your security posture relative to your applicable security standards more quickly and efficiently.

The purpose of prioritization

Because your time is limited and the volume of Security Command Center vulnerability findings can be overwhelming, especially in larger organizations, you need to quickly identify and respond to the vulnerabilities that pose the greatest risk to your organization.

You need to fix vulnerabilities to reduce the risk of a cyberattack on your organization and to maintain your organization's compliance with applicable security standards.

To effectively reduce the risk of a cyberattack, you need to find and fix the vulnerabilities that expose your resources the most, that are most exploitable, or that would result in the most severe damage if they were to be exploited.

To effectively improve your security posture with respect to a particular security standard, you need to find and fix the vulnerabilities that violate the controls of the security standards that apply to your organization.

The following sections explain how you can prioritize Security Command Center vulnerability findings to meet these purposes.

Prioritize vulnerability findings to reduce risk

A finding is a record of a security issue. A vulnerability finding includes information that you can use to prioritize the remediation of the vulnerability, namely its attack exposure score, its CVE information, and its severity, as described in the following paragraphs.

Although attack exposure scores are assigned to vulnerability findings, they are primarily based on the identification of potential attack paths from the public internet to your high-value resources, the assigned priority value of the resources, and how many resources the finding affects.

CVE information, including the exploitability and impact assessments of the CVE that Mandiant provides, is based on the vulnerability itself.

Similarly, finding severities are based on the type of vulnerability and are assigned to finding categories by Security Command Center. All findings in a particular category or subcategory are issued with the same severity level.

Unless you are using the Enterprise tier of Security Command Center, finding severity levels are static values that don't change over the life of the finding.

With the Enterprise tier, the severity levels of vulnerability and misconfiguration findings more accurately represent the real-time risk of a finding. The findings are issued with the default severity level of the finding category, but can rise above or fall below the default level as the attack exposure score of the finding rises or falls while the finding remains active.

Prioritize by attack exposure scores

Generally, prioritize the remediation of vulnerability findings that have a high attack exposure score over findings that have a low score or no score.

Only vulnerability findings that affect resources that are designated as high-value receive attack exposure scores. For the scores to reflect your business priorities, you must first define which of your resources are high value. For more information, see Resource values.

In the Google Cloud console, the scores appear with the findings in multiple places, including the following:

  • On the Overview page, where the 10 findings with the highest scores are displayed.
  • In a column on the Findings page, where you can query and sort findings by their attack exposure score.
  • When you view the details of a vulnerability finding that affects a high-value resource.

To see the 10 vulnerability findings that have the highest attack exposure scores, follow these steps:

  1. Go to the Overview page in the Google Cloud console.

  2. Use the project selector in the Google Cloud console to select the project, folder, or organization for which you need to prioritize vulnerabilities.

  3. In the Top vulnerability findings section, review the 10 findings.

  4. Click a score in the Attack exposure score column to open the attack path details page for the finding.

  5. Click a finding name to open the finding details panel on the Findings page.

For more information, see Attack exposure scores and attack paths.

Prioritize by CVE exploitability and impact

Generally, prioritize the remediation of findings that have a CVE assessment of high-exploitability and high-impact over findings with a CVE assessment of low-exploitability and low-impact.

On the Overview page, in the Top CVE findings section, a heat map chart groups vulnerability findings into blocks by the exploitability and impact assessments that Mandiant provides.

When you view the details of certain vulnerability findings in the console, you can find the CVE information in the Vulnerability section of the Summary tab. In addition to impact and exploitability, the Vulnerability section includes the CVSS score, reference links, and other information about the CVE vulnerability definition.

To quickly identify the findings that have the highest impact and exploitability, follow these steps:

  1. Go to the Overview page in the Google Cloud console.

  2. Use the project selector in the Google Cloud console to select the project, folder, or organization for which you need to prioritize vulnerabilities.

  3. In the Top CVE findings section of the Overview page, click the block with a non-zero number that has the highest exploitability and impact. The Findings by CVE page opens to show a list of CVE IDs that have the same impact and exploitability.

  4. In the Findings by CVE ID section, click a CVE ID. The Findings page opens to display the list of findings that share that CVE ID.

  5. On the Findings page, click the name of a finding to see the details of the finding and recommended remediation steps.

Prioritize by severity

Generally, prioritize a vulnerability finding with a CRITICAL severity over a vulnerability finding with a HIGH severity, prioritize HIGH severity over a MEDIUM severity, and so forth.

Perhaps the easiest way to identify the highest severity vulnerabilities is to use Quick filters on the Findings page in the Google Cloud console.

To view the highest severity findings, follow these steps:

  1. Go to the Findings page in the Google Cloud console.

  2. Use the project selector in the Google Cloud console to select the project, folder, or organization for which you need to prioritize vulnerabilities.

  3. In the Quick filters panel on the Findings page, select the following properties:

    • Under Finding class, select Vulnerability.
    • Under Severity, select Critical, High, or both.

    The Findings query results panel updates to show only findings that have the specified severity.

You can also see vulnerability finding severities on the Overview page in the Active vulnerability findings section.
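The three signals described above (attack exposure score, Mandiant CVE assessment, severity) combined into a single remediation ranking, as an added example that is not Google's code. The finding keys and the HIGH/MEDIUM/LOW assessment values are assumptions modelled on the finding JSON; note how the MEDIUM finding with a high attack exposure score outranks an unscored CRITICAL one, which is the Enterprise-tier behaviour described earlier.

```python
"""Rank SCC findings as this page describes: attack exposure score first
(unscored last), then CVE impact and exploitability, then severity.
Added example, not Google's code. The keys (state, findingClass, severity,
attackExposure.score, vulnerability.cve) are modelled on the SCC finding JSON;
HIGH/MEDIUM/LOW cve values stand in for Mandiant's assessments. Verify both."""

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}
ASSESSMENT_RANK = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}  # absent/unknown -> 0


def quick_filter(findings, severities=("CRITICAL", "HIGH")):
    """Console Quick filters equivalent: active Vulnerability findings at these severities."""
    return [f for f in findings
            if f.get("state") == "ACTIVE"
            and f.get("findingClass") == "VULNERABILITY"
            and f.get("severity") in severities]


def priority_key(finding):
    """Higher tuple = fix sooner; an unscored finding sorts below any scored one."""
    score = finding.get("attackExposure", {}).get("score")
    cve = finding.get("vulnerability", {}).get("cve", {})
    return (score if score is not None else -1.0,
            ASSESSMENT_RANK.get(cve.get("impact"), 0),
            ASSESSMENT_RANK.get(cve.get("exploitability"), 0),
            SEVERITY_RANK.get(finding.get("severity"), 0))


def rank_findings(findings):
    """Active findings ordered from highest to lowest remediation priority."""
    active = [f for f in findings if f.get("state") == "ACTIVE"]
    return sorted(active, key=priority_key, reverse=True)


def sample(name, severity, state="ACTIVE", cls="VULNERABILITY", **extra):
    """Build a constructed sample finding (not real data)."""
    return {"name": name, "state": state, "findingClass": cls,
            "severity": severity, **extra}


SAMPLE_FINDINGS = [  # the CVE ID below is a placeholder
    sample("f1", "HIGH", attackExposure={"score": 7.5}),
    sample("f2", "CRITICAL", vulnerability={"cve": {
        "id": "CVE-YYYY-NNNNN", "impact": "HIGH", "exploitability": "HIGH"}}),
    sample("f3", "CRITICAL"),
    sample("f4", "MEDIUM", attackExposure={"score": 9.1}),
    sample("f5", "CRITICAL", state="INACTIVE", attackExposure={"score": 10.0}),
    sample("f6", "HIGH", cls="MISCONFIGURATION"),
]  # rank_findings(...) -> f4, f1, f2, f3, f6; quick_filter(...) -> f1, f2, f3
```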

Prioritize vulnerability findings to improve compliance

When prioritizing vulnerability findings for compliance, your main concern is the findings that violate the controls of the applicable compliance standard.

You can see the findings that violate the controls of a particular benchmark by following these steps:

  1. Go to the Compliance page in the Google Cloud console.

  2. Use the project selector in the Google Cloud console to select the project, folder, or organization for which you need to prioritize vulnerabilities.

  3. Next to the name of the security standard that you need to comply with, click View details. The Compliance details page opens.

  4. If the security standard you need is not displayed, specify the standard in the Compliance standard field on the Compliance details page.

  5. Sort the listed rules by the Findings column by clicking the column heading.

  6. For any rule that shows one or more findings, click the rule name in the Rules column. The Findings page opens to display the findings for that rule.

  7. Remediate the findings until there are no findings left. After the next scan, if no new vulnerabilities are found for the rule, the percentage of controls passed increases.