For our patching process we currently define criticality (if applicable) based on the following:
- system is publicly accessible
- optional: is the vulnerability being exploited?
Would like to hear from others if they do something different ...
And also, do they do this for every vuln discovered by their scanning tool?
We prioritize primarily based on VPR score, which is similar to CVSS but better incorporates the exploitedness, and has the prerequisite that one uses Nessus.
That said, we also prioritize systems that are publicly accessible.
You've pretty much nailed it with those criteria, although you may want to consider any regulatory/legal aspect to being sure certain systems are secure too.
@orionquest the fixing of vulnerabilities in your infrastructure should factor in multiple criteria, including:
For example, should the scanner detect a vulnerability with a very high CVSS score on a system that isn't critical to the business, or is used for testing and properly isolated from my production environment, I won't prioritize fixing it. On the other hand, if it's an important production system that happens to be published, I'll be concerned about vulnerabilities with even a low CVSS score.
This can be affected by organization policies; say, a policy mandating that ALL systems belonging to a vendor be kept patched to ensure proper support.
Finally, all of this can be superseded if I have to comply with the requirements of the regulatory authority.
IBM does something similar, using IBM X-Force Red Security Services - it does the traditional vulnerability scanning as well as more: https://www.ibm.com/security/services/vulnerability-scanning
The team uses prioritisation of vulnerabilities via automation, Machine Learning, and Augmented Intelligence. Vulnerability ranking is based on whether the vulnerability is being weaponised by criminals and on the value of the vulnerable asset.
It provides a portal, which the client can access to run reports and remediation messages to the appropriate support staff etc.
It can run with a variety of vendor solutions, as the organisation prefers etc.
Plus, as @Shannon states, it has to be run by the overarching regulations, i.e. PCI DSS quarterly scans etc.
Yes, my team also considers these parameters in order to prioritise. From the raw Tenable scans, we recalibrate the severity rating upward or downward.
If external facing: yes, upwards for medium and low findings, and also if exploitability is yes.
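The recalibration described in the last two replies (exposure and exploitability push the scanner's band up, isolated non-critical test systems push it down, regulatory scope overrides the result) can be written down as a small scoring routine. The following is an added example, not code from any poster or from Tenable or IBM; the finding and asset records, the field names and the exact one-band adjustments are constructed assumptions for illustration.

```python
"""Recalibrate scanner severities with the criteria discussed in this thread.

Added example with constructed data; the Finding/Asset fields and the
adjustment rules are assumptions, not the output or logic of a real scanner.
"""
from dataclasses import dataclass

# Qualitative bands in ascending order; adjustments move one step along this list.
SEVERITIES = ["info", "low", "medium", "high", "critical"]


@dataclass
class Finding:
    plugin: str            # constructed check name
    host: str
    cvss: float            # base score as reported by the scanner
    known_exploited: bool  # assumed enrichment, e.g. from an exploited-in-the-wild feed


@dataclass
class Asset:
    host: str
    internet_facing: bool
    business_critical: bool  # important production system
    isolated_test: bool      # test system segregated from production
    regulated: bool          # in scope of a regulatory requirement (e.g. PCI DSS)


def base_severity(cvss: float) -> str:
    """Map a CVSS v3 base score onto the usual qualitative bands."""
    if cvss == 0:
        return "info"
    if cvss < 4.0:
        return "low"
    if cvss < 7.0:
        return "medium"
    if cvss < 9.0:
        return "high"
    return "critical"


def shift(sev: str, steps: int) -> str:
    """Move a band up (+) or down (-), clamped to the ends of the scale."""
    idx = SEVERITIES.index(sev) + steps
    return SEVERITIES[max(0, min(len(SEVERITIES) - 1, idx))]


def recalibrate(f: Finding, a: Asset) -> tuple[str, list[str]]:
    """Return (adjusted severity, reasons) for one finding on one asset."""
    sev = base_severity(f.cvss)
    reasons: list[str] = []
    # Regulatory scope supersedes local judgement: never rate below the scanner.
    floor = sev if a.regulated else "info"
    if a.regulated:
        reasons.append("regulated: scanner severity is a floor")
    # External exposure: medium and low findings move up one band.
    if a.internet_facing and sev in ("low", "medium"):
        sev = shift(sev, +1)
        reasons.append("internet-facing: +1")
    # Active exploitation: one band up regardless of exposure.
    if f.known_exploited:
        sev = shift(sev, +1)
        reasons.append("known exploited: +1")
    # Isolated test systems that are not business critical: one band down.
    if a.isolated_test and not a.business_critical:
        sev = shift(sev, -1)
        reasons.append("isolated test system: -1")
    if SEVERITIES.index(sev) < SEVERITIES.index(floor):
        sev = floor
    return sev, reasons


def prioritise(findings: list[Finding], assets: dict[str, Asset]) -> list[tuple[str, str, str]]:
    """Order findings by adjusted band, then by raw CVSS within a band."""
    rows = []
    for f in findings:
        sev, _ = recalibrate(f, assets[f.host])
        rows.append((f.host, f.plugin, sev, f.cvss))
    rows.sort(key=lambda r: (-SEVERITIES.index(r[2]), -r[3]))
    return [(h, p, s) for h, p, s, _ in rows]


# Constructed sample inventory and findings (not real hosts or plugins).
SAMPLE_ASSETS = {
    "web-01": Asset("web-01", internet_facing=True, business_critical=True, isolated_test=False, regulated=False),
    "lab-07": Asset("lab-07", internet_facing=False, business_critical=False, isolated_test=True, regulated=False),
    "pos-db": Asset("pos-db", internet_facing=False, business_critical=True, isolated_test=False, regulated=True),
}
SAMPLE_FINDINGS = [
    Finding("tls-weak-cipher", "web-01", 5.3, known_exploited=False),
    Finding("rce-in-test-app", "lab-07", 9.8, known_exploited=False),
    Finding("info-leak-banner", "pos-db", 3.1, known_exploited=False),
    Finding("auth-bypass", "web-01", 3.1, known_exploited=True),
]

if __name__ == "__main__":
    for host, plugin, sev in prioritise(SAMPLE_FINDINGS, SAMPLE_ASSETS):
        print(f"{sev:8} {host:8} {plugin}")
```

The ordering the routine produces is the one the replies describe: the critical RCE on the isolated lab box drops to high, the low-scoring but exploited bug on the public web server rises to high, and the regulated database keeps the scanner's rating as a floor.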