Lab 16: Vulnerability Management Program

Time: 50 minutes | Level: Architect | Docker: docker run -it --rm zchencow/innozverse-cybersec:latest bash

Objectives

Design an enterprise vulnerability management programme
Calculate CVSS v3.1 scores (base/temporal/environmental)
Apply EPSS for risk-based prioritisation
Build SLA tiers and exception management workflow

Step 1: VM Programme Architecture

┌─────────────────────────────────────────────────────────┐
│              VULNERABILITY MANAGEMENT CYCLE              │
│                                                         │
│  DISCOVER      ASSESS       PRIORITISE     REMEDIATE    │
│  ┌────────┐  ┌─────────┐  ┌──────────┐  ┌──────────┐  │
│  │Asset   │  │Scan with│  │CVSS +    │  │Patch     │  │
│  │Inventory│→│Tenable/ │→│EPSS +    │→│deploy    │  │
│  │(CMDB)  │  │Qualys/  │  │Asset     │  │Config    │  │
│  │        │  │Rapid7   │  │criticality│  │change    │  │
│  └────────┘  └─────────┘  └──────────┘  └────┬─────┘  │
│                                               │         │
│  VERIFY                                REPORT │         │
│  ┌────────────────────────────┐  ┌────────────▼──────┐ │
│  │Rescan after patch/fix      │  │KPIs, SLA tracking,│ │
│  │Validate remediation        │  │board metrics      │ │
│  └────────────────────────────┘  └───────────────────┘ │
└─────────────────────────────────────────────────────────┘

Step 2: CVSS v3.1 Score Calculator + EPSS Prioritisation

import math

def cvss31_base(AV, AC, PR, UI, S, C, I, A):
    av  = {'N':0.85,'A':0.62,'L':0.55,'P':0.2}[AV]
    ac  = {'L':0.77,'H':0.44}[AC]
    pr  = {'N':0.85,'L':0.62,'H':0.27}[PR] if S=='U' else {'N':0.85,'L':0.68,'H':0.50}[PR]
    ui  = {'N':0.85,'R':0.62}[UI]
    isc_c = {'N':0,'L':0.22,'H':0.56}[C]
    isc_i = {'N':0,'L':0.22,'H':0.56}[I]
    isc_a = {'N':0,'L':0.22,'H':0.56}[A]
    ISC = min(1 - (1-isc_c)*(1-isc_i)*(1-isc_a), 1)
    ISCscope = 7.52*(ISC-0.029) - 3.25*((ISC-0.02)**15)
    if ISC <= 0: return 0
    exploitability = 8.22 * av * ac * pr * ui
    if S == 'U':
        base = min(ISCscope + exploitability, 10)
    else:
        base = min(1.08*(ISCscope + exploitability), 10)
    return round(math.ceil(base * 10) / 10, 1)

vulns = [
    {'id':'CVE-2021-44228','name':'Log4Shell','AV':'N','AC':'L','PR':'N','UI':'N','S':'C','C':'H','I':'H','A':'H','epss':0.975},
    {'id':'CVE-2023-23397','name':'Outlook-NTLM','AV':'N','AC':'L','PR':'N','UI':'N','S':'U','C':'H','I':'N','A':'N','epss':0.432},
    {'id':'CVE-2022-30190','name':'Follina','AV':'L','AC':'L','PR':'N','UI':'R','S':'U','C':'H','I':'H','A':'H','epss':0.087},
]

print('=== CVSS v3.1 Calculator + EPSS Prioritisation ===')
print(f'  {"CVE":<18} {"Name":<16} {"CVSS":<6} {"EPSS":<8} {"SLA":<10} {"Priority"}')
for v in vulns:
    score = cvss31_base(v['AV'],v['AC'],v['PR'],v['UI'],v['S'],v['C'],v['I'],v['A'])
    sla = '24h' if score>=9 else '7d' if score>=7 else '30d' if score>=4 else '90d'
    priority = 'P1-CRITICAL' if v['epss']>0.5 and score>=9 else 'P2-HIGH' if score>=7 else 'P3-MEDIUM'
    print(f'  {v["id"]:<18} {v["name"]:<16} {score:<6} {v["epss"]:<8} {sla:<10} {priority}')

📸 Verified Output:

=== CVSS v3.1 Calculator + EPSS Prioritisation ===
  CVE                Name             CVSS   EPSS     SLA        Priority
  CVE-2021-44228     Log4Shell        10.0   0.975    24h        P1-CRITICAL
  CVE-2023-23397     Outlook-NTLM     7.9    0.432    7d         P2-HIGH
  CVE-2022-30190     Follina          7.9    0.087    7d         P2-HIGH

Step 3: CVSS v3.1 Metrics Explained

Base Metrics:

Exploitability:

Metric

Values

Description

Attack Vector (AV)

N/A/L/P

Network → Adjacent → Local → Physical

Attack Complexity (AC)

L/H

Low/High conditions to exploit

Privileges Required (PR)

N/L/H

None/Low/High privileges needed

User Interaction (UI)

N/R

None/Required

Impact (C/I/A):

Value

Score

Description

None (N)

No impact

Low (L)

0.22

Limited

High (H)

0.56

Total loss

Severity ratings:

Score

Rating

0.0

None

0.1–3.9

Low

4.0–6.9

Medium

7.0–8.9

High

9.0–10.0

Critical

💡 CVSS alone is insufficient for prioritisation — EPSS (Exploit Prediction Scoring System) adds exploitation probability. A CVSS 7.5 with EPSS 0.85 is higher priority than CVSS 9.0 with EPSS 0.02 (theoretical exploit, never seen in wild).

Step 4: EPSS — Exploit Prediction Scoring System

EPSS v3 (current):

Scores 0.0–1.0: probability of exploitation in the wild within 30 days
Updated daily based on threat intel feeds
High EPSS = active exploitation observed

Prioritisation matrix:

CVSS Score

EPSS Score

Priority

SLA

≥ 9.0

≥ 0.5

P1-CRITICAL

24 hours

≥ 7.0

≥ 0.5

P1-HIGH

7 days

≥ 9.0

< 0.5

P2-HIGH

7 days

≥ 7.0

< 0.5

P3-MEDIUM

30 days

4.0–6.9

Any

P4-MEDIUM

30–90 days

< 4.0

Any

P5-LOW

90 days

CISA KEV (Known Exploited Vulnerabilities):

CISA maintains KEV catalogue of actively exploited CVEs
Federal agencies: must patch KEV within 2-3 weeks
Best practice: treat all KEV as P1 regardless of CVSS

Step 5: Asset Inventory and CMDB Integration

CMDB attributes for VM:

{
  "asset_id": "SRV-001",
  "hostname": "prod-db-01",
  "ip": "10.1.1.100",
  "os": "RHEL 8.9",
  "criticality": "Tier1",
  "owner": "[email protected]",
  "environment": "production",
  "internet_facing": false,
  "data_classification": "confidential",
  "patch_group": "weekend-maintenance",
  "last_scan": "2024-01-14T03:00:00Z"
}

Environmental CVSS adjustment:

Environmental score accounts for:
  - Confidentiality Requirement (CR): Medium/High/Not-Defined
  - Integrity Requirement (IR): Medium/High/Not-Defined
  - Availability Requirement (AR): Medium/High/Not-Defined

Example: 
  Base CVSS 7.5 + High Availability Requirement (production DB) 
  → Environmental score: 8.5 → Upgrade to P1

Step 6: SLA Tiers and Exception Management

SLA tiers:

Priority

CVSS Range

Typical EPSS

SLA

Owner

P1 Critical

≥ 9.0

High

24 hours

Security + IT

P2 High

7.0–8.9

Any

7 days

IT Operations

P3 Medium

4.0–6.9

Any

30 days

System owners

P4 Low

0.1–3.9

Any

90 days

System owners

Exception management process:

Exception request triggers:
  - Critical system cannot be patched without major outage
  - Vendor patch not yet available
  - Compensating controls in place

Exception workflow:
  1. System owner submits exception request
     - CVE ID, CVSS, business justification
     - Compensating controls proposed
     - Acceptance duration (max 90 days)
  2. Security team review
     - Validate compensating controls are effective
     - Assess residual risk
  3. Risk acceptance sign-off
     - < 90 days: security manager
     - > 90 days: CISO
  4. Exception tracked in GRC tool
  5. Re-review at 30/60/90 days

Step 7: VM Programme Metrics

Key KPIs:

KPI

Definition

Target

Mean Time to Patch (MTTP)

Avg days from CVE disclosure to patch

Critical: < 1d, High: < 7d

Patch compliance rate

% assets patched within SLA

> 95%

Vulnerability density

Critical CVEs per 100 assets

< 5

Scan coverage

% assets scanned in last 7 days

> 98%

Exception backlog

Open exceptions past deadline

Repeat findings

Findings from last audit still open

< 10%

Reporting cadence:

Daily: Critical CVEs discovered; patches applied
Weekly: SLA compliance by team; overdue items
Monthly: Executive dashboard; trend analysis
Quarterly: Board risk report; programme maturity

Step 8: Capstone — Enterprise VM Programme Design

Scenario: 15,000-asset estate across 3 regions; PCI DSS + ISO 27001

VM Programme Architecture:

Scanning:
  - Tenable.io (cloud-managed)
  - 3 scan zones: Americas, EMEA, APAC
  - Authenticated scans: weekly (servers), daily (internet-facing)
  - Agent-based: laptops + VMs (continuous)

Prioritisation engine:
  - CVSS v3.1 base score
  - EPSS daily feed (FIRST.org API)
  - CISA KEV integration (mandatory P1 regardless of CVSS)
  - Asset criticality from CMDB (Tier1-4 multiplier)
  - Internet-facing: automatic +1 priority level

SLA enforcement:
  - P1 Critical: 24h | automated alerts to on-call
  - P2 High: 7d | JIRA ticket auto-created
  - P3 Medium: 30d | monthly sweep
  - P4 Low: 90d | quarterly cleanup
  - SLA breach: auto-escalate to manager + security

Tooling:
  - Tenable.io: scanner + dashboard
  - Jira: ticket tracking + SLA monitoring
  - Drata/Vanta: compliance evidence
  - Splunk: VM data ingestion, KPI dashboards

PCI DSS alignment:
  - Req. 6.3.3: All software protected from known vulns
  - Req. 11.3: Internal/external penetration tests (annual)
  - Req. 11.3.2: Vulnerability scanning (quarterly external, internal after changes)
  - ASV scans: quarterly for internet-facing CDE systems

Metrics targets:
  - Patch compliance P1: 100% within 24h
  - Patch compliance P2: 98% within 7 days
  - Scan coverage: 99.5% within 7 days
  - Exception ratio: < 2% of open vulns

Summary

Concept

Key Points

CVSS v3.1

Base score from exploitability + impact metrics

EPSS

Exploitation probability in 30 days; 0.0-1.0 scale

CISA KEV

Actively exploited; treat as P1 regardless of CVSS

SLA tiers

Critical 24h, High 7d, Medium 30d, Low 90d

Environmental CVSS

Adjust score based on asset criticality/exposure

Exception process

Approve + compensating controls + expiry + track

CMDB integration

Asset criticality feeds into prioritisation engine

PreviousLab 15: Compliance Frameworks NextLab 17: DLP Architecture

Last updated 26 days ago

Good morning

hashtagObjectives

hashtagStep 1: VM Programme Architecture

hashtagStep 2: CVSS v3.1 Score Calculator + EPSS Prioritisation

hashtagStep 3: CVSS v3.1 Metrics Explained

hashtagStep 4: EPSS — Exploit Prediction Scoring System

hashtagStep 5: Asset Inventory and CMDB Integration

hashtagStep 6: SLA Tiers and Exception Management

hashtagStep 7: VM Programme Metrics

hashtagStep 8: Capstone — Enterprise VM Programme Design

hashtagSummary

Objectives

Step 1: VM Programme Architecture

Step 2: CVSS v3.1 Score Calculator + EPSS Prioritisation

Step 3: CVSS v3.1 Metrics Explained

Step 4: EPSS — Exploit Prediction Scoring System

Step 5: Asset Inventory and CMDB Integration

Step 6: SLA Tiers and Exception Management

Step 7: VM Programme Metrics

Step 8: Capstone — Enterprise VM Programme Design

Summary