The CVE list lists known vulnerabilities for your installed base. You can limit the scope of the listing by expanding the scope pane and filtering for specific locations, device groups, networks etc.
Entries are color coded in respect to CVSS base score, where a base score of 10 is shown in dark red and a base score of one is shown in white.
By default, the list includes vulnerabilities CRITICAL and HIGH priority and is sorted by CVE priority (Critical/High/Medium/Low) as the first sorting criterion and number of vulnerable devices as the second sorting criterion. You can re-sort the table by clicking on any column header.
The different columns have the following meaning:
The priority of a CVE as assigned by a user (usually an analyst). By default, CVE priority is identical to its CVSS severity.
Start of the textual description of the CVE. For the full text, double-click on the entry to open the CVE profile.
The number of vulnerable devices.
The number of affected devices. This includes devices for which the vulnerability is already mitigated.
The number of affected devices for which this vulnerability is already mitigated.
The identifier of the CVE with which it can also be found at NIST, MITRE, etc.
The severity of the CVE as assigned by MITRE.
The CVSS base score of the vulnerability.
The CVSS base score of the vulnerability, multiplied by the number of non-mitigated devices.
The date when the CVE was published.
A user-defined value (yes or no) which indicates if the CVE is considered relevant or not for the organization. Relevance defaults to "Yes".
The ratio of mitigated vs. unmitigated devices, shown as a chart where blue represents the number of mitigated and orange the number of unmitigated devices.
You can limit the scope of vulnerabilities listed to devices in a specific location, network, device group, or associated with a particular physical process by opening the scope selector, just like in the device inventory.
Filtering using numbers
Vulnerability management is a numbers game, and you may want to filter the CVE list by using numbers. For example, you may want to limit list output to vulnerabilities that haven't fully be mitigated -- because you don't need to bother with those anymore. In order to achieve this, you can use a filter like ">0" in the "#Vulnerable" column.
Chances are that you use certain filter and scope settings more than once. In this situation, you may want to store your settings for easy retrieval. This is what stored views are for.
Let's assume you are working on reducing vulnerabilities in a particular location, Flat Rock. Because you cannot fix all vulnerabilities, you limit the work set to CVEs with a CVSS base score greater than eight and sort the result list by CVSS score. Then you save your settings by clicking on "Manage Views", which will pop up the following dialog.
Your settings can now be retrieved easily by yourself and other users (since you selected "Public") in the drop-down right next to the "Manage Views" button.
If you check the box "KVE only", only vulnerabilities with known exploits are listed. For a more in-depth explanation check this video:
Attack Surface Map
The attack surface map is a 3D visualization of your attack surface, visualizing CVEs in respect to CVSS base score, number of vulnerable devices, and device criticality. It allows an analyst to get a first, visual impression of which CVEs to focus on for risk reduction.
- The size of rectangles represents the number of vulnerable devices.
- The color of rectangles represents CVSS base score.
- Elevation (Z axis) represents compound device criticality (see below).
The map is activated by clicking the "Map" button in the CVE list. You can then zoom, tilt and pan the map by using the mouse. Certainly, tilting the map only makes sense if your data set includes criticality data for devices, as otherwise the map will be flat.
Pointing at a specific rectangle brings up a tooltip that shows some basic information on the vulnerability. Double click to launch the vulnerability profile for comprehensive details.
The Edit CVE dialog
Users -- usually analysts -- can modify and append CVE information by selecting a CVE and clicking the "Edit" button.
In the "CVE" tab you can specify if the CVE as a whole is relevant for your organization or not. You can also assign a priority different from CVSS severity (which is used as a default). Computations and sorting algorithms in OT-BASE are always based on user assigned priority, not on CVSS severity.
Here you can assign tags to CVEs. This allows for easier filtering of the CVE list.
In the "Links" tab you can check links to third party information, as provided by NIST. You can't edit the links, they are only for informational purposes.
In the "Recommended Remediation" tab you can specify mitigation procedures that you recommend to mitigate the vulnerability. These mitigations are not limited to applying patches or updating firmware; they may also include the application of network security controls etc. -- For Microsoft products, security patches recommended by the vendor will be listed automatically.
In the "Files" tab you can attach files to the CVE that users will see in the vulnerability profile, and will also be able to download.
In the "Affected Devices" tab you will see all devices affected by the vulnerability. You have the opportunity to specify that the vulnerability isn't relevant for specific devices, or that it is already mitigated. For Microsoft products, the mitigation flag will be set automatically if the presence of an appropriate patch is detected.