Systems without non-patchable exploitable application vulnerabilities¶
Description¶
The percentage of systems that were active in the last 30 days that have addressed non-patchable, exploitable application vulnerabilities, providing critical insight into the organisation's "Isolation Protocol" capability to contain or remove vulnerable applications.
How we measure it¶
Find all active hosts per your vulnerability management system. Join the hosts with the vulnerability database, and filter the vulnerabilities on the criteria as defined in the metric definition (non-patchable + exploitable + Applications).
Meta Data¶
| Attribute | Value |
|---|---|
| Metric id | vm_posture_non_patchable_exploitable_apps |
| Category | Vulnerability Management |
| SLO | 85.00% - 95.00% |
| Weight | 0.8 |
| Type |  |
References¶
| Framework | Ref | Domain | Control |
|---|---|---|---|
| ISO 27001:2022 | A.8.8 | 8 Technological controls | Management of technical vulnerabilities |
| CIS 8.1 | 7.5 | Continuous Vulnerability Management | Perform Automated Vulnerability Scans of Internal Enterprise Assets |
| CIS 8.1 | 7.6 | Continuous Vulnerability Management | Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets |
| NIST CSF v2.0 | ID.RA-01 | Risk Assessment (ID.RA) | ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded |
Code¶
SELECT
host.hostname AS resource,
'host' as resource_type,
CASE
WHEN count(cve.aid) = 0 THEN 1
ELSE 0
END AS compliance,
CAST(count(cve.*) as text) AS detail
FROM
{{ ref('crowdstrike_hosts') }} AS host
LEFT JOIN
{{ ref('crowdstrike_vulnerabilities') }} AS cve
ON
host.device_id = cve.aid
AND cve.status IN ('open', 'reopen')
AND coalesce(cve.cve.remediation_level != 'O', true)
AND coalesce(cve.cve.exploit_status > 0, false)
AND cve.severity IN ('HIGH', 'CRITICAL')
WHERE
CURRENT_DATE - CAST(STRPTIME(host.last_seen, '%Y-%m-%dT%H:%M:%SZ') AS DATE) < 30
GROUP BY
host.hostname
SELECT
asset.hostname AS resource,
'host' AS resource_type,
CASE
WHEN count(cve.plugin.id) = 0 THEN 1
ELSE 0
END AS compliance,
CAST(count(cve.plugin) AS text) AS detail
FROM
{{ ref('tenable_assets') }} AS asset
LEFT JOIN
{{ ref('tenable_vulnerabilities') }} AS cve
ON
asset.uuid = cve.asset.uuid
AND cve.state IN ('OPEN', 'REOPENED')
AND cve.plugin.exploit_available IS TRUE
AND cve.plugin.has_patch IS FALSE
AND cve.severity IN ('high', 'critical')
WHERE
CURRENT_DATE - CAST(asset.last_seen AS DATE) < 30
GROUP BY
asset.hostname