jwfong
Cisco Employee

Customers often ask us: 

"What Cisco Vulnerability Management reports are your customers giving their executive team and/or board, and why? What reports/context have worked well, and what has not?" 

Cisco Vulnerability Management takes a risk-based approach to vulnerability management rather than tracking the total number of vulnerabilities remediated. We want to make sure that the vulnerabilities your teams remediate actually have an impact! 

Being able to show that you're reducing risk within your organization is extremely important, and these risk-based reporting charts are what we recommend when building an Executive Reporting template. 

  • "Risk Meter Score Over Time": Tracks risk score over time to answer, "Are people fixing the right things and how much of an impact is it making?". 
  • "Assets & Vulnerabilities Over Time": Tracks the number of open assets and vulnerabilities over time to show progress. 
  • "Open Vulnerabilities By Score": Use this to make sure your distribution of vulnerabilities by risk skews towards having more low risk vulnerabilities.  
  • "New Vulnerabilities Found" & "Total Closed Vulnerabilities": Shows the number of open and closed vulns over a certain date period, which can help prove your team is keeping up with the remediation race. 
  • "Mean Time to Remediate": This chart shows how long it is taking your teams to close vulnerabilities by risk. Are you remediating high risk vulnerabilities faster than lower risk ones? 

Finally, for our Premier Tier customers we offer a Remediation Performance Score. This score measures how well your organization is addressing the risk on your assets. It differs from the Risk Score, which represents a specific level of risk across an asset group at a point in time and is not a measure of performance. The Remediation Performance Score is a composite of four vulnerability metrics (Coverage, Efficiency, Velocity, and Capacity) and provides great visibility into how well your VM program is doing! 

Here are some comments we have heard from our customers: 

“High-level reports for leadership/upper management: we use the Total Vulnerabilities by Risk and Total Assets and Vulnerabilities Over Time graphs showing the one-year trend and current and previous month comparison. We include commentary to explain any dips or spikes in the graphs.” 

“We like the Risk Meter score and the active assets/open vulnerabilities graph. The open and closed vulnerabilities graph is also used regularly. We have risk meters based on different lines of business and by major groupings (i.e. user endpoints vs. servers vs. IoT).” 

“We have two reports that we generate: Servers and Workstations. The first section is just the risk score compared to last month, and the difference. The second section is the new/active/closed from a ‘high risk’ equivalent of the meter. The graph at the end is a track of a ratio: assets / high risk vulnerabilities. The target set was to have, on average, 1 high risk vulnerability per device. We also have a second slide which then shows the ‘Open By Application’ graph for each category. I have used the Kenna API to upload the device type (e.g. Desktops, Laptops, Sales Desks) into the ‘Application’ field. This then shows nicely in the ‘Open By Application’.” 

We’d like to hear more from both the teams creating the reports and the CISOs and execs who are presenting them to the board. What metrics do you use? 

Comments
MaxShantar
Cisco Employee

Great list so far. My adds:

  1. Vulnerability discovery rate: This metric measures the rate at which new vulnerabilities are being identified within your organization's systems and networks. It can help you understand how effective your vulnerability scanning and assessment processes are at identifying potential risks.

  2. Vulnerability prevalence: This metric measures the percentage of systems or assets that have vulnerabilities present. It can help you understand the overall risk posture of your organization and prioritize remediation efforts.

  3. Vulnerability criticality: This metric measures the severity of vulnerabilities based on the potential impact they could have on your organization. It can help you prioritize remediation efforts based on the potential consequences of a breach.

  4. Vulnerability age: This metric measures the length of time that a vulnerability has been present in your systems or networks. It can help you understand how well your organization is keeping up with the latest threats and vulnerabilities, and identify any areas where your processes may be falling behind.
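As an added example (not code from this thread or from the product), here is how the metrics discussed above can be computed from a flattened asset/vulnerability export: "Open Vulnerabilities By Score" as counts per risk band, "Mean Time to Remediate" per band, the mean age of still-open findings (the vulnerability age metric in the comment), and the assets-to-high-risk-vulnerabilities ratio one customer tracks. The record layout, the 34/67 band cut-offs, the sample rows and the reporting date are all assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

@dataclass
class Finding:                      # one row of a flattened asset/vulnerability export
    asset: str
    score: int                      # 0-100 risk score
    found: date
    closed: Optional[date] = None   # None = still open

FINDINGS = [  # constructed sample data for this example, not a real export
    Finding("web-01", 92, date(2024, 1, 3), date(2024, 1, 10)),
    Finding("web-01", 45, date(2024, 1, 3)),
    Finding("web-02", 88, date(2024, 1, 5)),
    Finding("db-01", 71, date(2024, 1, 8), date(2024, 2, 20)),
    Finding("db-01", 20, date(2024, 1, 8), date(2024, 1, 15)),
    Finding("app-03", 15, date(2024, 2, 1)),
    Finding("app-03", 80, date(2024, 2, 1)),
]
REPORT_DATE = date(2024, 3, 1)  # the "as of" date the report is generated for (assumed)

def band(score: int) -> str:
    return "high" if score >= 67 else "medium" if score >= 34 else "low"  # cut-offs assumed

def is_open(f: Finding, as_of: date) -> bool:
    # Open on the reporting date: already found, and not closed on or before that date.
    return f.found <= as_of and (f.closed is None or f.closed > as_of)

def open_by_band(findings, as_of: date) -> dict:
    # "Open Vulnerabilities By Score": open findings per risk band.
    opened = [band(f.score) for f in findings if is_open(f, as_of)]
    return {b: opened.count(b) for b in ("low", "medium", "high")}

def mttr_by_band(findings) -> dict:
    # "Mean Time to Remediate" in days per band, over closed findings only.
    closed = [f for f in findings if f.closed is not None]
    return {b: mean((f.closed - f.found).days for f in closed if band(f.score) == b)
            for b in {band(f.score) for f in closed}}

def mean_open_age(findings, as_of: date) -> float:
    # Vulnerability age: mean days the still-open findings have been open.
    ages = [(as_of - f.found).days for f in findings if is_open(f, as_of)]
    return mean(ages) if ages else 0.0

def assets_per_high_risk(findings, as_of: date) -> Optional[float]:
    # Customer ratio assets / open high-risk vulns (target 1.0); None when none are open.
    high = sum(1 for f in findings if is_open(f, as_of) and band(f.score) == "high")
    return len({f.asset for f in findings}) / high if high else None
```

Running the same functions against successive month-end dates gives the over-time series the charts above plot; findings closed after the reporting date are still counted as open for that date.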
