Research: Use NVD's Common Platform Enumeration (CPE) dictionary for asset classification
Problem to solve
Security professionals often have limited or no information about affected systems and assets inside their vulnerability management platform. They need this information to make appropriate triage and prioritization decisions, because not all systems carry the same level of risk. When that context is missing from the vulnerability management system, obtaining it for the affected asset becomes an extra, manual step.
Intended users
User experience goal
Provide a standardized, clear system for defining systems and assets that can be leveraged in our vulnerability management workflows to provide the right context to security analysts as they triage and evaluate vulnerabilities.
At a minimum, users will need to know:
- Individual asset details:
  - network details (network name, IP address, MAC address, etc.)
  - machine details (operating system and version, basic hardware info, etc.)
  - asset cost/replacement cost
  - membership in a company-defined asset group (e.g. "this is an end-user workstation in the Finance department")
  - custom risk classification score/criticality for the individual asset
- Asset groups:
  - all assets in a given group (assets can potentially belong to more than one group)
  - group properties such as "internal only" or "in DMZ" or "public GCP"
  - custom risk classification score/criticality for the group
Proposal
Evaluate if NVD CPE is a reasonable standard we can leverage for this purpose. The evaluation should include:
- an assessment of how feasible it would be to simplify the process of asset classification with CPE (such as by creating forms or using .yml templates)
- a high level list of pros and cons with a focus on: usability, extensibility, and fitness to desired use cases
- any gaps the CPE format does not cover, such as asset cost (this is only an example; CPE may well cover it)
- proposed alternative formats or solutions including creating our own custom solution
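To make the coverage question concrete, the following added example (not part of this issue or any GitLab code) parses NVD CPE 2.3 formatted strings into their eleven attributes and maps them onto the asset attributes listed above. The field order and the `*`/`-` conventions follow the CPE 2.3 formatted-string specification (NISTIR 7695); the `AssetRecord` class, the sample asset `fin-ws-042`, its CPE names and its IP address are constructed for illustration and are not real inventory data. The point it demonstrates is that CPE names describe the platform (operating system, hardware, applications) but carry no field for network details, cost, group membership or criticality, so those must be sourced elsewhere.

```python
"""Parse NVD CPE 2.3 formatted strings and map them onto the asset
attributes this issue asks for, to show which ones CPE can and cannot carry."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Attribute order of a CPE 2.3 formatted string (NISTIR 7695):
# cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other
CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")

# The "part" attribute is one of a (application), o (operating system), h (hardware).
PART_NAMES = {"a": "application", "o": "operating system", "h": "hardware"}


def split_cpe23(cpe: str) -> List[str]:
    """Split on unescaped colons. In CPE 2.3 a backslash escapes the next
    character, so 'foo\\:bar' is one value that contains a colon."""
    fields, current, i = [], [], 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):
            current.append(cpe[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ":":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def parse_cpe23(cpe: str) -> Dict[str, Optional[str]]:
    """Return the 11 CPE attributes as a dict. The logical values '*' (ANY)
    and '-' (not applicable) are returned as None, so callers see 'no
    information' uniformly."""
    parts = split_cpe23(cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    values = parts[2:]
    if values[0] not in PART_NAMES:
        raise ValueError(f"unknown part {values[0]!r} (expected a, o or h)")
    return {name: (None if v in ("*", "-") else v)
            for name, v in zip(CPE23_FIELDS, values)}


@dataclass
class AssetRecord:
    """The asset attributes listed in the issue. CPE names fill only the
    platform fields; everything else has to come from another source
    (an inventory or CMDB lookup, assumed here, not modelled)."""
    hostname: str
    cpes: List[str]
    ip_address: Optional[str] = None
    mac_address: Optional[str] = None
    replacement_cost: Optional[float] = None
    groups: List[str] = field(default_factory=list)
    criticality: Optional[int] = None

    def platform_summary(self) -> Dict[str, List[str]]:
        """What the CPE names tell us, grouped by part and rendered as
        'vendor product version' (omitting attributes that are ANY/NA)."""
        summary: Dict[str, List[str]] = {v: [] for v in PART_NAMES.values()}
        for cpe in self.cpes:
            attrs = parse_cpe23(cpe)
            desc = " ".join(x for x in (attrs["vendor"], attrs["product"],
                                        attrs["version"]) if x)
            summary[PART_NAMES[attrs["part"]]].append(desc)
        return summary

    def cpe_gaps(self) -> List[str]:
        """Attributes the issue requires that no CPE name can carry and
        that are still unset on this record."""
        checks = {
            "ip_address": self.ip_address,
            "mac_address": self.mac_address,
            "replacement_cost": self.replacement_cost,
            "groups": self.groups or None,
            "criticality": self.criticality,
        }
        return [name for name, value in checks.items() if value is None]


# Constructed sample asset: a Finance workstation. The CPE names are written
# in NVD dictionary style but the asset itself is made up for this example.
SAMPLE_ASSET = AssetRecord(
    hostname="fin-ws-042",
    cpes=[
        "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*",
        "cpe:2.3:h:dell:optiplex_7070:-:*:*:*:*:*:*:*",
        "cpe:2.3:a:adobe:acrobat_reader_dc:20.006.20034:*:*:*:classic:*:*:*",
    ],
    ip_address="10.20.30.42",
    groups=["finance-workstations"],
)

if __name__ == "__main__":
    print(SAMPLE_ASSET.platform_summary())
    print("not expressible in CPE and still missing:", SAMPLE_ASSET.cpe_gaps())
```

Running the block prints the OS, hardware and application entries recovered from the three CPE names, then lists `mac_address`, `replacement_cost` and `criticality` as attributes that CPE cannot express and that the sample record has not been given from any other source; this is the shape of the gap analysis the proposal asks for.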