By: Tim Keanini, CRO
In July 2003, the National Infrastructure Advisory Council (NIAC) commissioned a research project to come up with a Vulnerability Scoring System that would be common for the network security industry. Its main objective is to promote a common method of understanding vulnerabilities and their potential impact. The result so far is the first-generation release of the emerging CVSS standard. Mike Murray, nCircle's Director of Vulnerability Research, and I have been active participants in the Special Interest Group (SIG) in charge of the ongoing evolution of the CVSS standard because we believe CVSS will bring some important value to the market. In particular, we believe that CVSS will bring two important concepts to the forefront of vulnerability management:
1) It is "common." First and foremost, the primary value of CVSS is the fact that it is common across all vendors. To succeed, it must deliver on two critical common factors: a common method for scoring and a common score. We must remind ourselves that the objective of the common scoring method is for a diverse population to come up with the same score (the common score), not that everyone is using the same method and comes up with different scores. As it becomes more widely adopted (and we think it will), the fact that it will offer a common vulnerability metric is valuable to our industry because customers will be able to analyze across industry, across vendors, and across a growing body that shares the common reference point known as CVSS.
2) It is a composite metric. Like the composite scoring system that nCircle has used since 2001, CVSS also uses multiple combined parameters that result in a vulnerability score. We have long known that single parameter scoring does not deliver the proper context needed by customers to understand their risk, and we fully support the industry shift towards our choice of composite scoring.
Since CVSS was first released, I have often been asked how it compares to nCircle's scoring system. First, let me say that no scoring system will ever be perfect - that is never the goal. The goal is to find the scoring system that is most relevant to your specific environment and needs. However, one subtle (but important) differentiator is that nCircle's scoring system has been developed specifically to meet the needs of large enterprises and is more relevant to the governance of large enterprises than CVSS. The following three points illustrate this:
CVSS represents the dynamic of the Internet and nCircle represents the dynamics of the Enterprise.
Simply put, CVSS utilizes an Internet perspective of the Company rather than the Company's perspective of the Internet. With the CVSS scoring system, changes to exploitability, remediation, and the confidence of information related to the vulnerability are factors that make up its Temporal Metrics. The main idea is that these factors will change over the lifetime of the vulnerability. The problem is this statement in the standard: "Eventually, the set of vulnerable systems will reach its low point as remedial information reaches its high point." According to CVSS, over time, vulnerabilities that have fixes associated with them will slowly diminish the overall vulnerability metric; as the systems have the potential to be fixed, the vulnerability score should go down. The problem here, as you might already see, is that this is true from the Internet perspective but the opposite from the Company's perspective. Let's look at an example:
From the standpoint of the Department of Homeland Security, or from the perspective of the Internet as a whole, CVSS is useful because from that altitude, as more systems are patched the risk is lowered. From the perspective of the Company, however, the opposite is true. As more of the Internet is patched and the Company has not patched, the threat will be more likely to target the Company. Over time, vulnerabilities that remain will increase the vulnerability of the Company in the context of the Internet. In fact, the official fixes often give the attacker even more information on where and how to exploit the vulnerability.
In summary, nCircle's composite scoring system was designed and deployed to orient the vulnerability to threat from the perspective of the enterprise to help customers manage their risks.
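To make the two vantage points concrete, here is an added example (not code from the original article or from nCircle). It scores one vulnerability across a constructed timeline from both sides: the CVSS temporal score, using the Exploitability, Remediation Level and Report Confidence multipliers and the product formula published in the CVSS specification, and a Company-side exposure figure. The `enterprise_exposure()` model, the `Snapshot` fields, the base score of 7.0 and the timeline itself are assumptions built for this illustration; they are not nCircle's IP360 algorithm.

```python
"""Score one vulnerability over time from the two vantage points the article
contrasts: the CVSS temporal score (Internet perspective) and an
enterprise-exposure score (Company perspective).

Added example. The temporal multipliers and the product formula
temporal = base * E * RL * RC are the ones published in the CVSS
specification; enterprise_exposure() is a constructed illustration of the
article's argument, not nCircle's IP360 algorithm.
"""
from dataclasses import dataclass

# CVSS temporal metric values (from the CVSS specification).
EXPLOITABILITY = {"unproven": 0.85, "proof_of_concept": 0.90,
                  "functional": 0.95, "high": 1.00}
REMEDIATION_LEVEL = {"official_fix": 0.87, "temporary_fix": 0.90,
                     "workaround": 0.95, "unavailable": 1.00}
REPORT_CONFIDENCE = {"unconfirmed": 0.90, "uncorroborated": 0.95,
                     "confirmed": 1.00}


def cvss_temporal(base: float, exploitability: str, remediation: str,
                  confidence: str) -> float:
    """Internet perspective: an official fix multiplies the score by 0.87,
    so the number goes DOWN the moment a patch exists, regardless of who
    has actually applied it."""
    return (base * EXPLOITABILITY[exploitability]
            * REMEDIATION_LEVEL[remediation] * REPORT_CONFIDENCE[confidence])


@dataclass(frozen=True)
class Snapshot:
    label: str
    exploitability: str
    remediation: str
    confidence: str
    internet_patched: float   # constructed: share of Internet hosts already patched
    company_patched: bool     # constructed: has THIS company applied the fix?


def enterprise_exposure(base: float, snap: Snapshot) -> float:
    """Company perspective (constructed model): while the company is unpatched,
    exposure grows with exploit maturity and with the share of the rest of the
    Internet that has already patched (attackers concentrate on stragglers).
    It drops to zero only when the company itself patches."""
    if snap.company_patched:
        return 0.0
    maturity = EXPLOITABILITY[snap.exploitability]      # reuse the 0.85..1.0 ladder
    straggler_factor = 1.0 + snap.internet_patched       # 1.0 .. 2.0
    return base * maturity * straggler_factor


# Constructed timeline for one vulnerability with a base score of 7.0.
TIMELINE = [
    Snapshot("disclosed",        "functional", "unavailable",  "confirmed", 0.00, False),
    Snapshot("fix_published",    "functional", "official_fix", "confirmed", 0.30, False),
    Snapshot("internet_patched", "high",       "official_fix", "confirmed", 0.90, False),
    Snapshot("company_patched",  "high",       "official_fix", "confirmed", 0.95, True),
]


def score_timeline(base: float = 7.0):
    """Return (label, cvss_temporal, enterprise_exposure) for each snapshot."""
    return [(s.label,
             round(cvss_temporal(base, s.exploitability, s.remediation, s.confidence), 2),
             round(enterprise_exposure(base, s), 2))
            for s in TIMELINE]


if __name__ == "__main__":
    for label, temporal, exposure in score_timeline():
        print(f"{label:18} CVSS temporal={temporal:5.2f}  enterprise exposure={exposure:5.2f}")
```

Running it shows the divergence the article describes: the CVSS temporal score falls from 6.65 to about 5.79 the moment an official fix is published and then stays flat, while the Company's exposure keeps climbing as the rest of the Internet patches and only returns to zero when the Company itself applies the fix.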
Granularity
Any composite system can produce a number. In CVSS, that number ranges from 0 to 10 with the precision of the tenths place (0.1 through 9.9). In nCircle IP360, a vulnerability can have a score from 0 to (2^31)-1, which is 2,147,483,647. Before you start to freak out at the size of that number, think about it this way: in terms of granularity, it is better to start off with a high resolution and, if need be, transform it down to the appropriate resolution than it is to not have the resolution in the first place. This is true in digital photography and audio, and the same is true here. In smaller organizations, this is not really that big a deal, but in the Fortune 1000, not having sufficient granularity is disastrous. Let me give you a short example. In any enterprise deployment of a quality vulnerability management system, a single report could deliver a list of as many as a million vulnerabilities (sometimes more). If you have a simple 1 to 100 scoring system, it is difficult to achieve the goal of getting this list down to the 10 most important things you must do in the next 8 hours of your shift. A high resolution score allows the customer to integrate other factors, like asset values for example (which can be large and non-linear), into their risk analysis, resulting in the most granular composite score possible. It is after this granular composite score has been calculated that second order analysis can produce very coarse metrics like an A through F grade, or a high-med-low chart. This allows the system to deliver the right second order analysis to individual areas of the organization without compromising the richness of the original high resolution score.
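The tie problem and the second-order grading described above, as an added example (not code from the original article or from nCircle): a constructed list of findings is ranked first by a tenths-precision 0-10 score and then by a high-resolution composite that folds in exposure age and a non-linear asset value, after which a coarse A through F grade is derived per host. The `composite_score()` formula, the `Finding` fields, the grade thresholds and the sample findings are all assumptions made for this illustration; they are not the IP360 algorithm.

```python
"""Why score resolution matters when cutting a large finding list down to the
top N, and how a coarse grade is derived from the fine score afterwards.

Added illustration of the article's granularity argument. The composite
formula, asset weighting, grade thresholds and sample findings are
constructed for this example; they are not nCircle's IP360 algorithm.
"""
import math
from dataclasses import dataclass

MAX_SCORE = 2**31 - 1  # the 0 .. 2,147,483,647 range the article mentions


@dataclass(frozen=True)
class Finding:
    host: str
    vuln: str
    base: float          # coarse 0-10 score with tenths precision (CVSS-style)
    days_unpatched: int  # constructed: how long this host has been exposed
    asset_value: int     # constructed: business value of the host, 1..1000


def composite_score(f: Finding) -> int:
    """Constructed high-resolution composite: the coarse score, amplified by
    exposure age (logarithmic) and a non-linear asset weight (squared, so a
    handful of crown-jewel hosts outrank many low-value ones). Clamped to
    the 2^31-1 ceiling so it always fits the article's integer range."""
    raw = (f.base * 10
           * (1.0 + math.log1p(f.days_unpatched))
           * (f.asset_value ** 2))
    return min(int(raw), MAX_SCORE)


def ties_at_cutoff(findings, key, n: int) -> int:
    """How many findings share the score that sits at position n when sorted
    by `key`. With a coarse key this is the 'cannot pick the top n' problem."""
    scores = sorted((key(f) for f in findings), reverse=True)
    cutoff = scores[n - 1]
    return scores.count(cutoff)


def top_n(findings, n: int):
    """The n findings to work on first, ordered by the composite score."""
    return sorted(findings, key=composite_score, reverse=True)[:n]


# Second-order analysis: collapse the fine score into a coarse grade.
# Thresholds are constructed; F is the worst grade, A the best.
GRADE_THRESHOLDS = [("F", 10**8), ("D", 10**7), ("C", 10**6), ("B", 10**4)]
GRADE_ORDER = "ABCDF"


def letter_grade(score: int) -> str:
    for grade, floor in GRADE_THRESHOLDS:
        if score >= floor:
            return grade
    return "A"


def grade_by_host(findings) -> dict:
    """Worst grade per host, the kind of per-area view handed to a business unit."""
    worst = {}
    for f in findings:
        g = letter_grade(composite_score(f))
        if f.host not in worst or GRADE_ORDER.index(g) > GRADE_ORDER.index(worst[f.host]):
            worst[f.host] = g
    return worst


# Constructed sample: five hosts share the same 9.8 finding, so a tenths-scale
# score alone cannot say which three to fix in the next shift.
FINDINGS = [
    Finding("db-01",   "VULN-A", 9.8, 30,  900),
    Finding("web-02",  "VULN-A", 9.8, 30,  300),
    Finding("dev-07",  "VULN-A", 9.8, 30,  20),
    Finding("lab-11",  "VULN-A", 9.8, 30,  5),
    Finding("web-02",  "VULN-B", 9.8, 2,   300),
    Finding("hr-03",   "VULN-C", 7.5, 120, 700),
    Finding("kiosk-9", "VULN-C", 7.5, 120, 10),
    Finding("db-01",   "VULN-D", 5.0, 400, 900),
]

if __name__ == "__main__":
    print("ties at top-3 cutoff, coarse score:   ", ties_at_cutoff(FINDINGS, lambda f: f.base, 3))
    print("ties at top-3 cutoff, composite score:", ties_at_cutoff(FINDINGS, composite_score, 3))
    for f in top_n(FINDINGS, 3):
        print(f"{f.host:8} {f.vuln} base={f.base} composite={composite_score(f):,}")
    print(grade_by_host(FINDINGS))
```

Sorting by the coarse score leaves five findings tied at the top-3 cutoff; the composite gives a strict order, and a 5.0 finding on the crown-jewel database host ranks above a 9.8 on a lab machine because the asset weight is part of the score. The A through F grades are computed last, from the composite, so the coarse report never throws away the resolution used for the ranking.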
Ready today and still valid tomorrow
From now until CVSS is stable and widely accepted, customers can use nCircle and its advanced scoring system. When most of CVSS is ironed out (probably later this year), our customers will be able to compare and contrast two very useful scoring systems. All vulnerabilities covered in IP360 will have a composite score (regardless of CVSS achieving its objectives), and when CVSS is ready, they will be able to see how their scores compare and contrast to what is common across all CVSS supported systems. I for one can't wait for this to happen, because all other business processes support these industry averages and national or global comparative metrics. It is about time that our industry has one for vulnerabilities.
In summary, standards are a good thing. So is choice. Standards should add to our customers' choices, and we also need to respect any internal standards that may exist within their organizations. We will continue to participate in the CVSS process and plan to integrate the standard into our products as it reaches maturity. Until then, nCircle will continue to provide an industry-leading, enterprise-class vulnerability scoring system.