Prioritize the remediation of vulnerabilities

This page explains some of the information and methods that you can use to prioritize Security Command Center findings of software vulnerabilities, misconfigurations, and, with the Enterprise or Premium tiers, toxic combinations and chokepoints (collectively, issues), so that you can reduce risk and improve your security posture relative to your applicable security standards more quickly and efficiently.

The purpose of prioritization

Because your time is limited and the volume of Security Command Center issues can be overwhelming, especially in larger organizations, you need to quickly identify and respond to the vulnerabilities that pose the greatest risk to your organization.

You need to fix vulnerabilities to reduce the risk of a cyberattack on your organization and to maintain your organization's compliance with applicable security standards.

To effectively reduce the risk of a cyberattack, you need to find and fix the vulnerabilities that expose your resources the most, that are most exploitable, or that would result in the most severe damage if they were to be exploited.

To effectively improve your security posture with respect to a particular security standard, you need to find and fix the vulnerabilities that violate the controls of the security standards that apply to your organization.

The following sections explain how you can prioritize Security Command Center posture findings to meet these purposes.

Prioritize issues to reduce risk

Issues contain the toxic combinations and chokepoints that are detected in your organization. These are the most important issues to address. To further help you prioritize, issues include the information described in the following sections, which you can use to prioritize the remediation of the underlying security issue.

Prioritize by attack exposure scores

Generally, prioritize the remediation of an issue that has a high attack exposure score over an issue or finding that has a lower score or no score.

For more information, see the following:

View scores in the Security Command Center pages of the Google Cloud console

The scores appear with the findings in multiple places, including the following:

  • On the Risk overview page:
    • In Security Command Center Enterprise, where the riskiest issues are displayed.
    • In Security Command Center Premium, where the chokepoints and toxic combinations with the highest attack exposure scores are displayed.
  • In a column on the Findings page in Security Command Center Enterprise or Premium, where you can query and sort findings by score.
  • In Security Command Center Enterprise or Premium, when you view the details of a posture finding that affects a high-value resource.

In the Google Cloud console, you can see the findings that have the highest attack exposure scores by following these steps:

  1. Go to the Risk overview page in the Google Cloud console:

    Go to Risk overview

  2. Use the project selector in the Google Cloud console to select the project, folder, or organization for which you need to prioritize vulnerabilities.

  3. In the Top vulnerability findings section, review the posture findings that have the highest attack exposure scores. Toxic combination findings are not included in this section.

    • Click a score in the Attack exposure score column to open the attack path details page for the finding.

    • Click a finding name to open the finding details panel on the Findings page.

View scores in cases

In the Security Operations console, you work primarily with cases, in which findings are documented as alerts.

In Security Command Center Enterprise, you can view the toxic combination cases with the top attack exposure scores on the Risk > Cases page. You can sort the cases by their attack exposure scores.

In Security Command Center Premium, you can also sort findings by attack exposure score on the Risk > Findings page.

For information about how to query for toxic combination cases specifically, see View the details of a toxic combination case .

Prioritize by CVE exploitability and impact

Generally, prioritize the remediation of findings that have a CVE assessment of high-exploitability and high-impact over findings with a CVE assessment of low-exploitability and low-impact.

CVE information, including the exploitability and impact assessments of the CVE that are provided by Mandiant, is based on the software vulnerability itself, not on where the vulnerable software is deployed.

On the Overview page, in the Top CVE findings section, a chart, or heat map, groups vulnerability findings into blocks by the exploitability and impact assessments that are provided by Mandiant.

When you view the details of software vulnerability findings in the console, you can find the CVE information in the Vulnerability section of the Summary tab. In addition to impact and exploitability, the Vulnerability section includes the CVSS score, reference links, and other information about the CVE vulnerability definition.

To quickly identify the findings that have the highest impact and exploitability, follow these steps:

  1. Go to the Overview page in the Google Cloud console:

    Go to Overview

  2. Use the project selector in the Google Cloud console to select the project, folder, or organization for which you need to prioritize vulnerabilities.

  3. In the Top CVE findings section of the Overview page, click the block with a non-zero number that has the highest exploitability and impact. The Findings by CVE page opens to show a list of CVE IDs that have the same impact and exploitability.

  4. In the Findings by CVE ID section, click a CVE ID. The Findings page opens to display the list of findings that share that CVE ID.

  5. On the Findings page, click the name of a finding to see the details of the finding and recommended remediation steps.

Prioritize by severity

Generally, prioritize an issue or finding with a CRITICAL severity over an issue or finding with a HIGH severity, prioritize HIGH severity over a MEDIUM severity, and so forth.

Severities are based on the type of security issue and are assigned to finding categories by Security Command Center. All findings in a particular category or subcategory are generated with the same severity level.

Unless you are using the Enterprise or Premium tier of Security Command Center, finding severity levels are static values that don't change over the life of the finding.

With the Enterprise tier, the severity levels of issues more accurately represent the real-time risk of a finding. The findings are generated with the default severity level of the finding category, but, while the finding remains active, the severity level can increase or decrease as the attack exposure score of the finding increases or decreases.

Perhaps the easiest way to identify the highest severity vulnerabilities is to use Quick filters on the Findings page in the Google Cloud console.

To view the highest severity findings, follow these steps:

  1. Go to the Findings page in the Google Cloud console:

    Go to Findings

  2. Use the project selector in the Google Cloud console to select the project, folder, or organization for which you need to prioritize vulnerabilities.

  3. In the Quick filters panel on the Findings page, select the following properties:

    • Under Finding class, select Vulnerability.
    • Under Severity, select Critical, High, or both.

    The Findings query results panel updates to show only findings that have the specified severity.

You can also see posture finding severities on the Overview page in the Active vulnerability findings section.
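The three criteria above (attack exposure score, then CVE exploitability and impact, then severity) can be combined into one ranking. The following is an added example written for this page; it is not Google's code and does not call the Security Command Center API. The Finding class, its field names, the exploitability and impact bucket names, and all sample findings and CVE IDs are assumptions constructed for the example, modeled only loosely on the Finding resource.

```python
"""Rank findings by the criteria described on this page: attack exposure
score first, then CVE exploitability and impact, then severity.

Added example, not Google's code; it does not call the Security Command
Center API. The Finding class and field names are assumptions modeled
loosely on the Finding resource, and every sample finding is constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Severity levels as shown on the Findings page, highest first.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Buckets for the exploitability and impact assessments. These names are an
# assumption made for this example, not a documented enum.
EXPLOITABILITY_RANK = {"WIDE": 5, "CONFIRMED": 4, "AVAILABLE": 3,
                       "ANTICIPATED": 2, "NO_KNOWN": 1}
IMPACT_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


@dataclass
class Finding:
    name: str
    finding_class: str                             # e.g. "VULNERABILITY", "MISCONFIGURATION"
    severity: str
    attack_exposure_score: Optional[float] = None  # None: no score was computed
    cve_id: Optional[str] = None
    exploitability: Optional[str] = None
    impact: Optional[str] = None


def priority_key(f: Finding) -> Tuple[float, int, int]:
    """Sort key; a larger tuple means a higher remediation priority.

    The order of the criteria follows the page: any attack exposure score beats
    a finding with no score; among unscored findings, a CVE assessed as both
    highly exploitable and high-impact beats one that is not; severity breaks
    the remaining ties.
    """
    score = f.attack_exposure_score if f.attack_exposure_score is not None else -1.0
    exploitability = EXPLOITABILITY_RANK.get(f.exploitability or "", 0)
    impact = IMPACT_RANK.get(f.impact or "", 0)
    severity = SEVERITY_RANK.get(f.severity, 0)
    # Exploitability and impact are combined additively (a design choice) so a
    # CVE that is high on both axes outranks one that is high on only one.
    return (score, exploitability + impact, severity)


def prioritize(findings: Iterable[Finding]) -> List[Finding]:
    """Return the findings ordered from highest to lowest priority."""
    return sorted(findings, key=priority_key, reverse=True)


def quick_filter(findings: Iterable[Finding], finding_class: str = "VULNERABILITY",
                 severities: Tuple[str, ...] = ("CRITICAL", "HIGH")) -> List[Finding]:
    """Equivalent of the Quick filters step: keep vulnerability findings of the given severities."""
    return [f for f in findings if f.finding_class == finding_class and f.severity in severities]


# Constructed sample findings; names and CVE IDs are placeholders, not real data.
SAMPLE_FINDINGS = [
    Finding("open-firewall", "MISCONFIGURATION", "MEDIUM", attack_exposure_score=12.5),
    Finding("cve-in-vm", "VULNERABILITY", "HIGH", cve_id="CVE-0000-00001",
            exploitability="WIDE", impact="CRITICAL"),
    Finding("weak-ssl-policy", "VULNERABILITY", "CRITICAL"),
    Finding("cve-in-library", "VULNERABILITY", "HIGH", attack_exposure_score=3.0,
            cve_id="CVE-0000-00002", exploitability="AVAILABLE", impact="MEDIUM"),
    Finding("public-bucket", "MISCONFIGURATION", "LOW"),
]


def ranked_names(findings: Iterable[Finding] = SAMPLE_FINDINGS) -> List[str]:
    """Names of the findings in remediation order."""
    return [f.name for f in prioritize(findings)]


if __name__ == "__main__":
    for rank, f in enumerate(prioritize(SAMPLE_FINDINGS), start=1):
        print(rank, f.name, f.severity, f.attack_exposure_score, f.cve_id)
    print("critical/high vulnerability findings:",
          [f.name for f in quick_filter(SAMPLE_FINDINGS)])
```

Note that with this key a CRITICAL finding with no attack exposure score and no CVE assessment ranks below a HIGH CVE finding that is widely exploited, which is the ordering the page recommends; if your organization weighs severity more heavily, move `severity` earlier in the returned tuple.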

Prioritize posture findings to improve compliance

When prioritizing posture findings for compliance, your main concern is the findings that violate the controls of the applicable compliance standard.

You can see the findings that violate the controls of a particular benchmark by following these steps:

  1. Go to the Compliance page in the Google Cloud console:

    Go to Compliance

  2. Use the project selector in the Google Cloud console to select the project, folder, or organization for which you need to prioritize vulnerabilities.

  3. Next to the name of the security standard that you need to comply with, click View details. The Compliance details page opens.

  4. If the security standard you need is not displayed, specify the standard in the Compliance standard field on the Compliance details page.

  5. Sort the listed rules by Findings by clicking the column heading.

  6. For any rule that shows one or more findings, click the rule name in the Rules column. The Findings page opens to display the findings for that rule.

  7. Remediate the findings until there are no findings left. After the next scan, if no new vulnerabilities are found for the rule, the percentage of controls passed increases.
