NCM Ability to adjust severity of reported vulnerabilities CVSS scores

Solarwinds 7.5.1 currently classes everything with a CVSS score of 7 or above as High.

We need to break this down so 7.0 - 8.9 is High with 9.0 - 10 classed as Critical as per the table below because we get 7 days to fix critical vulnerabilities and 30 days to fix High vulnerabilities so for reporting purposes we need them to be editable.

Requirement	Solawinds
Critical : 9.0 - 10
High : (7.0-8.9)	High (7.0-10.0)
Medium : (4.0-6.9)	Medium (4.0-6.9)
Low : (0-3.9)	Low (0-3.9)

Thanks,

Steve

Find more posts tagged with

cvss

ncm 7.5

vul

vulnerabilities

Status: None

Comments

deverts

I voted this up, but I'm not entirely in agreement with the request. The NCM scale is based on the posted CVSS score, so I think it is what it is. But if you follow the security practice Asset (A) + Threat (T) + Vulnerability (V) = Risk (R), then what we really need is a way to calculate "R". Given "R", we then apply the above request to classify/prioritize into those categories. There are lots of vulnerabilities that are 10, but if the threat is minimal or if the asset is not important, the risk might only be a 5.

Threat, vulnerability, risk - commonly mixed up terms - INDEPENDENT SECURITY CONSULTANTS

CVSS v3.0 User Guide

NVD - CVSS v3 Calculator

foonly

deverts -

I agree. Also note that NCM used the older CVSS V2 scores.

It would be even handier if there was a built-in calculator where we could check off nodes interactively.

Getting started with the NCM Vulnerability feature appears impossibly difficult to some people - too much to research. So cutting some things down makes a difference. For people who use only the base score, here is a simple query you can do from Orion Database Manager, if you're comfortable with it:

UPDATE NCM_VulnerabilitiesAnnouncementsNodes

SET

NCM_VulnerabilitiesAnnouncementsNodes.State = 5,

NCM_VulnerabilitiesAnnouncementsNodes.Comment = 'Waiver - base less than 5'

FROM

NCM_VulnerabilitiesAnnouncements AS nva

INNER JOIN NCM_VulnerabilitiesAnnouncementsNodes nvan

ON nvan.EntryID=nva.EntryID

WHERE nva.Score < 5 AND nvan.State = 0

------------------

Note that State 5 = Waiver

Note also, though, that a low base score can be raised (or lowered) by Temporal and Environmental scores. So always treat devices with vulnerabilities on the internet edge with extra care due to Modified Attack Vector, etc, which can add several points to a base score. Ultimately, your organization needs to identify critical components, and perhaps make that your initial focus for research.

Despite all the numbers, for some organizations, this is about technical religion, pessimism, and anxiety more than objective, rational analysis in the end.