Company Level (EPSS Configuration)

1. From the main menu (on the left side of the page), click Remediation Plan. The Remediation Plan lists missing OS (Operating System) security patches and the latest application versions that have not yet been installed. Also, rules set under Application Baseline feature will report items to Remove OR Install as per the Application baseline rule set.

2. Select a company to view the Remediation plan for that company. `

• The () Update icon indicates that the specified OS or application must be updated to the recommended version.

• After an application or OS is remediated and then the re-scan is successful, it will show the () icon under remediated status.

• The (Install) icon reports the missing application/s which should be installed based on Application Baseline Rule defined. (Mandatory applications are defined under Application Baseline)

• The trash (Remove) icon reports the denied application/s which should be uninstalled based on Application Baseline Rule defined. ( Denied applications are defined under Application Baseline)

EPSS Score

See EPSS at https://www.first.org/epss

Why can't we trust CVSS alone? Simply put: CVSS doesn't include how likely a vulnerability is to be exploited in reality.

• EPSS stands for "Exploit Prediction Scoring System" and it's an attempt to quantify how likely a given CVE is, to actually be exploited by attackers in the wild.

• The scoring system behind EPSS outputs a probability of the estimated likelihood of exploitation from 0 to 1 or 0% to 100%. Heartbleed has a CVSSv2 score of 5.0/10 and an EPSS score of 0.960760000 (it's 7.5/10 in CVSSv3).

• EPSS is a dynamic real-time score that rates vulnerabilities on the basis of a number of factors to determine the probability of exploitation. ConnectSecure uses this metric to provide guidance on how quickly the remedial action is to be performed so as to reduce the attack surface and secure the environment. ConnectSecure now provides remediations in a way a prioritized list can be given to the IT Team which allows a more scalable approach to remediating vulnerabilities instead of trying to resolve everything immediately which does not work and scale effectively.

  ConnectSecure offers flexibility to enable EPSS categorization for Exploitation Probability Score with the suggestive remedial timeframe. Below is the screenshot attached for your reference.

^{EPSS Scoring Sources}

• MITRE’s CVE List - Only CVEs in the “published” state are scored.

• Text-based “Tags” derived from the CVE description and other sources talking about the vulnerability.

• Count how many days the CVE has been published.

• Count how many references are listed in the CVE.

• Published Exploit code in any of Metasploit, ExploitDB, and/or GitHub.

• Security Scanners: Jaeles, Intrigue, Nuclei, sn1per.

• CVSS v3 vectors as published in the National Vulnerability Database (NVD)

• CPE (vendor) information as published in NVD.

• Ground Truth: Daily observations of exploitation-in-the-wild activity from AlienVault and Fortinet.

You've got a pretty good idea of how much vulnerability actually matters. You can close the loop.

Naturally, as this data changes, the score is recalculated. This seems to happen roughly daily, at least for important vulnerabilities, as new factors come into play like the maturity of an exploit, and as reports of real-world exploitation are observed.

• If an Operating System has not been updated with the latest security patches, the Remediation Plan recommends that you install the missing patch.

• If an OS/Application has not been installed, but those Applications are listed as mandatory in the Application Baseline, the Remediation Plan will indicate the need for their installation.

• When an OS/Application has been installed but is denied in the Application Baseline, it will appear in the Remediation Plan with a Remove icon.

• Similarly, if an application’s installed version has a known vulnerability, the Remediation Plan recommends that you upgrade the application to the latest version to remediate that vulnerability.

• Using the Select Tags option, All tags will be selected by default or please select the specific tag as required.

All Tags - This shows all tags which are present in the tags section.

Search Tags - To search a particular tag unselect All tags and then click on the particular tag as required and select it.

• Using the Platform option you can view the filtered data either as All /Mac OS/ Windows.

ALL - This shows all the applications which need to be upgraded to the latest version.

Mac OS - This shows only the Mac OS updates which need to be upgraded to the latest version.

Windows - This shows only the Windows applications which need to be upgraded to the latest version.

• There are three statuses of the Remediation Plan. Those are

Pending: This status shows the applications which need to be upgraded to the latest version.

Suppressed: This status shows the applications which are suppressed based on the number of days chosen.

Remediated: This status shows the applications which are upgraded to the latest version.

• Snoozing or suppressing is only applicable to applications that require updates.

• Choose the reason to suppress the application, enter the number of days, and click on submit.

• Once the application is suppressed, the list of applications will be shown in the suppressed status.

• Once the applications are patched, automatically next scan will be initiated. Post which the applications will be shown under the Remediated status.

• On the right side of each item under Asset(s), the number of assets affected for that item is displayed.

• Here the Evidence details will be shown with the Asset name, Online/Offline status of the asset, Application Name, Path, Uninstall path, Install Date, Version, Last Logon Username, etc.

• To create a ticket for your integrated PSA tool, click on Integration Action by selecting the applications. The Integration Action includes a Short and Long description of the application.

• The Short Description includes the Host Name, Fix URL, Uninstall Path, and Version.

• Once you choose the short description, select the Integration Mapping Credential (Required PSA should be successfully integrated prior to this action).

• Select the Action as per the requirement(Create, Close, or Update the ticket). Once chosen click on Next.

• The problem description field contains a short description. Provide the details for the required fields and click on Submit. The ticket will be created for the particular application.

• The Long Description includes the Host Name, Fix URL, Uninstall Path, Vulnerabilities count, Install Source, Version and etc.

• Once you choose the Long description, select the Integration Mapping Credential (Required PSA should be successfully integrated prior to this action).

• The problem description field contains a Long description. Provide the details for the required fields and click on Submit.

• The ticket will be created for the selected application/s under the chosen PSA tool.

• In the image depicted below, select the application which needs to be patched using the blinking icon next to the corresponding vulnerability.

• Once the application is selected, click on Patch if direct patching from the CyberCNS portal is required. Please refer to the detailed Patching System (CyberCNS 3rd Party MS Applications Patching System).

• When the patch is successfully updated, navigate to Jobs → Patch Jobs to get the information on the applications which is patched.

• Once the applications are patched, automatically next scan will be initiated. Post which the applications will be shown under the Remediated status.

• Under the Ticket ID column, click on the ticket ID it will redirect to the integrated PSA tool (Currently redirection to PSA is supported only for Connectwise and Autotask)

• Below is the example screenshot attached for your reference.

Company Level(without EPSS configuration)

1. From the main menu (on the left side of the page), click Remediation Plan. The Remediation Plan lists missing OS (Operating System) security patches and the latest application versions that have not yet been installed. Also, rules set under Application Baseline feature will showcase items to Remove OR Install as per the rule set.

2. Select a company to view the Remediation plan for that company. `

• The () icon indicates that the OS or application must be updated to the specified version.

• The (Install)icon indicates that the specified OS or Application must be installed.

• After a remediation item is updated, then on re-scan it will show the () icon.

• The trash (Remove) icon in CyberCNS basic ability to patch and a ticket can be raised on the PSA tool.

• If an Operating System has not been updated with the latest security patches, the Remediation Plan recommends that you install the missing patch.

• If an OS/Application has not been installed, but those Applications are listed as mandatory in the Application Baseline, the Remediation Plan will indicate the need for their installation.

• When an OS/Application has been installed but is denied in the Application Baseline, it will appear in the Remediation Plan with a Remove icon.

• Similarly, if an application’s installed version has a known vulnerability, the Remediation Plan recommends that you upgrade the application to the latest version to remediate that vulnerability.

• Using the Select Tags option, All tags will be selected by default or please select the specific tag as required.

All Tags - This shows all tags which are present in the tags section.

Search Tags - To search a particular tag unselect All tags and then click on the particular tag as required and select it.

• Using the Platform option you can view the filtered data either as All /Mac OS/ Windows.

ALL - This shows all the applications which need to be upgraded to the latest version.

Mac OS - This shows only the Mac OS applications which need to be upgraded to the latest version.

Windows - This shows only the Windows applications which need to be upgraded to the latest version.

• There are three statuses of the Remediation Plan. Those are

Pending: This status shows the applications which need to be upgraded to the latest version.

Suppressed: This status shows the applications which are suppressed based on the number of days chosen.

Remediated: This status shows the applications which are upgraded to the latest version.

• Snoozing or suppressing is only applicable to applications that require updates.

• Select the line item listed under remediation plan and click on Snooze/Suppress.

• Choose the reason to suppress the application, enter the number of days, and click on submit.

• Once the application is suppressed, the suppressed application/s will be shown under the suppressed status.

• Once the applications are patched, automatically next scan will be initiated. Post which the applications will be shown under the Remediated status.

• On the right side of each item under Asset(s), the number of assets affected for that item is displayed.

• Here the Evidence details will be shown with the Asset name, Online/Offline status of the asset, Application Name, Path, Uninstall path, Install Date, Version, Last Logon Username, etc.

• To create a ticket for your integrated PSA tool, click on Integration Action by selecting the applications. The Integration Action includes a Short and Long description of the application.

• The Short Description includes the Host Name, Fix URL, Uninstall Path, and Version.

• Once you choose the short description, select the Integration Mapping Credential (PSA should be successfully integrated prior to this action).

• Select the Action as per the requirement(Create, Close, or Update the ticket). Once chosen click on Next.

• The problem description field contains a short description. Provide the details for the required fields and click on Submit. The ticket will be created for the particular application.

• The Long Description includes the Host Name, Fix URL, Uninstall Path, Vulnerabilities count, Install Source, Version and etc.

• Once you choose the short description, select the Integration Mapping Credential (PSA should be successfully integrated prior to this action).

• The problem description field contains a Long description. Provide the details for the required fields and click on Submit.

• The ticket will be created for the particular application.

• In the image depicted below, select the application which needs to be patched using the blinking icon next to the corresponding vulnerability.

• Once the application is selected, click on Patch if direct patching from the CyberCNS portal is required. Please refer to the detailed Patching System (CyberCNS 3rd Party MS Applications Patching System).

• When the patch is successfully updated, navigate to Jobs → Patch Jobs to get the information on the applications which is patched.

• Once the applications are patched, automatically next scan will be initiated. Post which the applications will be shown under the Remediated status.

• Under the Ticket ID column, click on the ticket ID it will redirect to the integrated PSA tool.

• Below is the example screenshot attached for your reference.

Global Level

1. On the Global level, navigate to Remediation Plan. The Remediation Plan lists missing OS (Operating System) security patches and the latest application versions that have not yet been installed.

2. If an OS/Application has not been installed, but those Applications are listed as mandatory in the Application Baseline, the Remediation Plan will indicate the need for their installation.

3. When an OS/Application has been installed but is denied in the Application Baseline, it will appear in the Remediation Plan with a Remove icon.

4. In the depicted below image, click on global settings() on the top of the right and navigate to Remediation Plan.

5. Also, rules set under Application Baseline feature will showcase items to Remove OR Install as per the rule set across all the companies.

6. The applications are installed for a number of companies and the asset count is listed here.

• Using the Select Tags option select All tags by default or select the specific tags required.

  All Tags - This shows all tags which are present in the tags section.

  Seach Tags - To search a particular tag unselect All tags and then click on the particular tags. required.

• Using the Platform option you can view the filtered data either as All /Mac OS/ Windows.

ALL - This shows all the applications which need to be upgraded to the latest version.

Mac OS - This shows only the Mac OS applications which need to be upgraded to the latest version.

Windows - This shows only the Windows applications which need to be upgraded to the latest version.

VMWare - This shows only the VMWare applications which need to be upgraded to the latest version.

• On the right side of each item under Remediation Details, the number of Companies affected for that item is displayed.

• To display only assets with a specific status, select Pending, Suppressed, or Remediated under Status as required.

• Click the Assets count to display the Asset with Evidence details like Asset Online/Offline status, Name, Path, Install Date, Version, Vulnerability, etc., as shown below.

• To display only assets with a specific status, select Pending, Suppressed, or Remediated under Status as required.

• Similarly, if an application’s installed version has a known vulnerability, it recommends that you upgrade the application to the latest version to remediate that vulnerability.

  

• Snoozing or suppressing is only applicable to applications that require updates.

• Choose the reason to suppress the application, enter the number of days, and click on submit.

• By filtering the status as Suppressed, a view of the suppressed vulnerabilities with Remediation details & Status can be seen.

In the depicted below image, can view the Remediated vulnerabilities.

• On the right side of each item under Remediation Details, the number of Companies is displayed.

• This completes the documentation of the Remediation Plan.