Automated Triage

CSIRT Plan provides the following three automated triage functions, which set the status of detected tasks automatically:

  • Decision Tree-based
  • Rule-based

It is recommended to use these three functions in combination to complement each other.

Advanced Automated Triage Using SSVC

Automated triage using SSVC has the following advantages:

  • The response can be determined automatically, even without advanced security knowledge.
  • “Smart automatic judgment considering actual risk” can be achieved using the following four variables:
    • The system’s Internet exposure
    • The business impact of the system
    • Whether the detected vulnerability is being used in actual attacks
    • The exploitation value of the vulnerability from an attacker’s perspective
  • The four-level priority derived by SSVC’s decision tree can trigger automatic setting of task status, priority, and deadline, further automating and streamlining vulnerability management operations.
  • Because it is decision tree-based, the basis for each response priority decision is transparent.
  • It is easy to configure, requiring only two settings per system: its network (NW) environment and its business impact.

For more details about SSVC, see [Manual > SSVC](/en/manual/csirt_option/ssvc/).

In automated triage using SSVC, you can configure the actions to take when the SSVC priority derived during a scan differs from the previous one. For example, if the SSVC priority is determined to be “immediate” or “out of cycle” (the two high priorities), you can automatically set the task status to “new.” New tasks appear under the “unresolved” status on the vulnerability list and task list submenus, indicating that triage is required again.

For tasks determined to have a lower priority such as “scheduled” or “deferred,” the task status can be automatically set to “defer” or “risk_accepted.”

In addition, task priority and response deadline can also be set automatically.

For more information on settings, see [SSVC Configuration](/en/manual/csirt_option/ssvc/config/).

Automatic Danger Assignment

This function allows you to define and configure rules to “consider high risk” and automatically assign the “danger” status to vulnerabilities that match these rules.

Currently, this rule can be used to complement the SSVC decision tree: vulnerabilities with a CVSS score of “10” are automatically assigned the “danger” status, even if they do not meet the “immediate” criteria in the SSVC decision tree.
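The following added example (not CSIRT Plan’s own code) shows how the two functions above fit together: a four-variable SSVC-style decision tree produces one of the four priorities, the “priority changed since the last scan” check decides whether an action fires, and the rule-based CVSS 10 “danger” rule is applied independently of the tree. The tree branches, the task priority labels and the deadline day counts are assumptions for illustration; the four inputs, the four priorities and the resulting task statuses are the ones described on this page.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    exposed: bool          # the system's Internet exposure
    business_impact: str   # "low" | "medium" | "high"
    exploited: bool        # vulnerability observed in actual attacks
    exploit_value: str     # "low" | "high", from an attacker's perspective
    cvss: float            # CVSS base score of the detected vulnerability


def ssvc_priority(f: Finding) -> str:
    """Simplified four-variable tree. The branches are assumed for illustration
    and are not the product's real decision tree."""
    if f.exploited and f.exposed and f.business_impact == "high":
        return "immediate"
    if f.exploited or (f.exposed and f.exploit_value == "high"):
        return "out_of_cycle"
    if f.exposed or f.business_impact != "low":
        return "scheduled"
    return "deferred"


# SSVC priority -> (task status, task priority, deadline in days).
# The statuses follow the page; priority labels and day counts are assumed.
ACTIONS = {
    "immediate":    ("new", "critical", 7),
    "out_of_cycle": ("new", "high", 30),
    "scheduled":    ("defer", "medium", 90),
    "deferred":     ("risk_accepted", "low", None),
}


def triage(f: Finding, previous: Optional[str] = None) -> dict:
    """Return the automatic action for one scan result.

    The SSVC action only fires when the derived priority differs from the
    previous scan's priority; the CVSS 10 "danger" rule is evaluated on its
    own and overrides whatever the tree produced.
    """
    prio = ssvc_priority(f)
    result = {"ssvc": prio, "status": None, "priority": None, "deadline_days": None}
    if prio != previous:
        result["status"], result["priority"], result["deadline_days"] = ACTIONS[prio]
    if f.cvss >= 10.0:
        result["status"] = "danger"  # rule-based complement to the decision tree
    return result
```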
