
Understanding security metrics information

Understanding the security metrics data for your organization or a specific unit involves understanding which factors contributed the most to the unit’s security metrics score and then deciding how to proceed.

There are several methods that you can use to understand the results:

• Top-down

Using the top-down method, you view the security metrics scores of the main unit in which you are interested and drill down to the subunits with the highest scores, continuing in this manner until you arrive at the lowest-level units, where you can see what is triggering the high score.

• (In Security View) Vulnerability Definitions

The Top Vulnerability Definitions table contains a list of the vulnerability definitions with the greatest contribution towards a unit’s security metrics score. You can also see a list of the vulnerability definitions that contributed to the security metrics score. Drill down to the individual vulnerability occurrences to see additional information.

• (In Vendor Solution View) Vendor Solutions

The Top Vendor Solutions table contains a list of the security bulletins with the greatest contribution towards a unit’s security metrics score. You can also see a list of the security bulletins that contributed to the security metrics score. Drill down to the individual security bulletins to see additional information.

Chapter 5 Viewing security metrics information

Skybox Risk Control version 7.0.0 33

Note: For Microsoft Security Bulletins, you can also view information about bulletin supersedence. For additional information, see Superseding Bulletins (on page 33).

• Trends

If enough information was collected to create security metrics trend graphs, you can view the trends of a specific unit to track remediation progress relative to earlier security metrics scores of that unit.

• Low level

Using the low-level method, you look for the Business Asset Groups with the highest scores. Sometimes the criticality of a Business Asset Group is not visible from the highest levels (for example, if it contains a very small number of assets), but it should be fixed.

Start by looking at the Summary tab, to try and identify factors with a high contribution to the unit’s security metrics.

Figure 11: Contribution to security metric score of parent unit

If you lower the security metrics scores of these factors (that is, fix whatever is causing the security metric to be high), the security metrics score of the parent unit is decreased by a significant amount.

• If you find units with a high contribution to the security metrics score of the parent unit, you can use the top-down approach to search for the cause.

Note that some units may have high security metrics scores in their own right, but not contribute significantly to the security metrics score of their parent unit. Fixing such units is usually not a first priority, as even a significant lowering of their security metrics scores does not have much impact on the security metrics score of the parent unit.

• If you find vulnerability definitions with a high contribution to the security metrics score, you can start the process of mitigating their vulnerability occurrences (for example, by creating tickets).

Superseding Microsoft Bulletins

For security metrics using Microsoft Bulletins, information about patch supersedence is available. When you select an MS bulletin, you can see which MS bulletins are completely or partially replaced by it and which newer MS bulletins (if any) replace it. An MS bulletin completely or partially replaces another bulletin if all or some patches included in the newer bulletin replace all or some of the patches included in the older bulletin.

Skybox Risk Control User’s Guide


Each MS bulletin shows its estimated total contribution to solving vulnerability occurrences of the selected Business Unit, which includes the direct contribution of the selected bulletin plus the direct contribution of all the bulletins it supersedes. The Superseding Bulletins tab in the Details pane shows both the bulletins that the selected bulletin supersedes and those that supersede it, including the same information about each of those as for the selected bulletin (reported date, affected assets, and more). Some bulletins that supersede the selected bulletin may be shown in a gray font. These bulletins actually supersede the selected bulletin but don’t appear in the scope of the selected node. This information is provided so that you are aware of the newest relevant MS bulletins and can choose to apply them.

Figure 12: Superseding Bulletins
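The total-contribution roll-up described above can be reproduced outside the product. The following is an added example, not Skybox code: the bulletin IDs, counts, and function names are constructed, supersedence is assumed to be transitive, and every replacement is treated as complete (partial replacement is not modeled).

```python
from collections import deque

# Constructed sample data: placeholder IDs, not real MS bulletins.
# "direct" = in-scope vulnerability occurrences solved by the bulletin's own patches.
BULLETINS = {
    "BULLETIN-A": {"direct": 12, "supersedes": []},
    "BULLETIN-B": {"direct": 30, "supersedes": ["BULLETIN-A"]},
    "BULLETIN-C": {"direct": 5, "supersedes": ["BULLETIN-A"]},
    "BULLETIN-D": {"direct": 8, "supersedes": ["BULLETIN-B", "BULLETIN-C"]},
    "BULLETIN-E": {"direct": 0, "supersedes": ["BULLETIN-D"]},
}
# BULLETIN-E is deliberately outside the scope of the selected node.
IN_SCOPE = {"BULLETIN-A", "BULLETIN-B", "BULLETIN-C", "BULLETIN-D"}


def superseded_by(bulletin_id, bulletins):
    """All bulletins replaced by bulletin_id, directly or through a chain."""
    seen, queue = set(), deque(bulletins[bulletin_id]["supersedes"])
    while queue:
        current = queue.popleft()
        if current in seen or current == bulletin_id:
            continue  # diamond-shaped chains and cycles are visited only once
        seen.add(current)
        queue.extend(bulletins[current]["supersedes"])
    return seen


def total_contribution(bulletin_id, bulletins):
    """Direct contribution plus the direct contribution of each superseded bulletin."""
    replaced = superseded_by(bulletin_id, bulletins)
    return bulletins[bulletin_id]["direct"] + sum(bulletins[b]["direct"] for b in replaced)


def superseding(bulletin_id, bulletins, in_scope):
    """Newer bulletins that replace bulletin_id, marked when outside the selected scope."""
    newer = [b for b in bulletins if bulletin_id in superseded_by(b, bulletins)]
    return {b: ("in scope" if b in in_scope else "out of scope (gray)") for b in sorted(newer)}


if __name__ == "__main__":
    for bid in BULLETINS:
        print(bid, total_contribution(bid, BULLETINS), superseding(bid, BULLETINS, IN_SCOPE))
```

BULLETIN-A is reachable from BULLETIN-D through two chains but is counted once, which is why the visited set matters when ranking bulletins by total contribution.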

Using the top-down approach

To understand what caused the score of a specific unit to be high, look at the Top Subunits by Contribution to <Security Metrics type> table. This table lists the contribution (in percentages) of each child unit to the score of the selected unit, the security metrics score, and the number of vulnerable assets. It is useful to examine these metrics in combination. For example, if a child unit contributes a large percentage to the security metrics score of its parent unit, look at the number of vulnerable assets. A high security metrics score caused by a small number of assets is probably more critical than a high score caused by a large number of assets.

You can view additional information about a subunit:

• From the table: Click a subunit in the table to move the focus (in both the tree and the workspace) to that subunit.

• From the High Level Subunits tab: This tab lists the immediate children (Business Units or Business Asset Groups) of the parent unit. When you select a subunit, you can view additional information about it in the Details pane.
