Add CSPM Severity Framework to Docs Site #20954
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Preview links (active after the
|
|
|
||
| ### Misconfigurations and Identity Risks | ||
|
|
||
| Starting in early 2024, all CSM Misconfigurations and Identity Risk rules will migrate to our severity score framework. This framework is designed to compare the likelihood that an adversary will take advantage of a misconfiguration to the risk posed to your environment. By weighting both of these aspects, findings can be prioritized more accurately by their real-world risks. The matrices below show how to compute a misconfiguration's severity score depending on certain criteria. |
There was a problem hiding this comment.
feels like we should publish the docs page once this is done only
There was a problem hiding this comment.
Ah, that was actually a request from product. They want the docs to be available before we start migrating rules.
There was a problem hiding this comment.
Who? I think we might want to challenge that. I feel like this gives a bad look, "we're showing that we have no clue how to assign a severity, and doing nothing about it"
| #### Likelihood | ||
|
|
||
| The likelihood component is made up of two subcomponents; The attack vector, the means through which a misconfiguration can be exploited, and the accessibility, if the resource is publicly accessible or not. | ||
|
|
There was a problem hiding this comment.
This table makes sense but the formatting made it challenging to understand
Co-authored-by: Christophe Tafani-Dereeper <[email protected]>
…om:DataDog/documentation into nick.frichette/add_cspm_severity_framework
Frichetten
removed
WORK IN PROGRESS
drichards-87
approved these changes
Dec 18, 2023
|
|
||
| ## Misconfigurations, Identity Risks, and Security Inbox Misconfigurations | ||
|
|
||
| This framework is designed to compare the likelihood that an adversary would take advantage of a misconfiguration to the risk posed to your environment. By weighting both of these aspects, findings can be prioritized more accurately by their real-world risks. The matrices below show how to compute a misconfiguration's severity score depending on certain criteria. |
There was a problem hiding this comment.
Suggested change
| This framework is designed to compare the likelihood that an adversary would take advantage of a misconfiguration to the risk posed to your environment. By weighting both of these aspects, findings can be prioritized more accurately by their real-world risks. The matrices below show how to compute a misconfiguration's severity score depending on certain criteria. | |
| The framework compares the likelihood that an adversary would take advantage of a misconfiguration to the risk posed to your environment. By weighting both of these aspects, findings can be prioritized more accurately based on their real-world risks. The matrices below show how to compute a misconfiguration's severity score depending on certain criteria. |
Comment on lines
24
to
25
| * Attack vector: The means through which a misconfiguration can be exploited. | ||
| * Accessibility: If the resource is publicly accessible or not. |
There was a problem hiding this comment.
Suggested change
| * Attack vector: The means through which a misconfiguration can be exploited. | |
| * Accessibility: If the resource is publicly accessible or not. | |
| * **Attack vector**: The means through which a misconfiguration can be exploited. | |
| * **Accessibility**: If the resource is publicly accessible or not. |
| * Attack vector: The means through which a misconfiguration can be exploited. | ||
| * Accessibility: If the resource is publicly accessible or not. | ||
|
|
||
| The attack vector is determined by the following criteria: |
There was a problem hiding this comment.
Suggested change
| The attack vector is determined by the following criteria: | |
| #### Attack vector | |
| The attack vector is determined by the following criteria: |
| | Vulnerability | Requires a vulnerable component to abuse, such as a software vulnerability on a compute instance or a leaked password/access key. | | ||
| | No Authorization | Requires no authorization/authentication to abuse. | | ||
|
|
||
| The accessibility is determined by the following criteria: |
There was a problem hiding this comment.
Suggested change
| The accessibility is determined by the following criteria: | |
| #### Accessibility | |
| Accessibility is determined by the following criteria: |
| | Attack Vector | Definition | | ||
| |:-------------------:|:---------------------------------------------------------------------------------------------------------:| | ||
| | Required Privileges | Requires specific privileges or access to abuse. | | ||
| | Vulnerability | Requires a vulnerable component to abuse, such as a software vulnerability on a compute instance or a leaked password/access key. | |
There was a problem hiding this comment.
Suggested change
| | Vulnerability | Requires a vulnerable component to abuse, such as a software vulnerability on a compute instance or a leaked password/access key. | | |
| | Vulnerability | Requires a vulnerable component to abuse, such as a software vulnerability on a compute instance or a leaked password or access key. | |
| |:-------------------:|:---------------------------------------------------------------------------------------------------------:| | ||
| | Required Privileges | Requires specific privileges or access to abuse. | | ||
| | Vulnerability | Requires a vulnerable component to abuse, such as a software vulnerability on a compute instance or a leaked password/access key. | | ||
| | No Authorization | Requires no authorization/authentication to abuse. | |
There was a problem hiding this comment.
Suggested change
| | No Authorization | Requires no authorization/authentication to abuse. | | |
| | No Authorization | Requires no authorization or authentication to abuse. | |
|
|
||
| | Accessibility | Definition | | ||
| |:-------------:|:------------------------------------------------------------------:| | ||
| | Private | The vulnerable component/resource is in a private network. | |
There was a problem hiding this comment.
Suggested change
| | Private | The vulnerable component/resource is in a private network. | | |
| | Private | The vulnerable component or resource is in a private network. | |
| | Accessibility | Definition | | ||
| |:-------------:|:------------------------------------------------------------------:| | ||
| | Private | The vulnerable component/resource is in a private network. | | ||
| | Public | The vulnerable component/resource is accessible from the internet. | |
There was a problem hiding this comment.
Suggested change
| | Public | The vulnerable component/resource is accessible from the internet. | | |
| | Public | The vulnerable component or resource is accessible from the Internet. | |
| | Private | The vulnerable component/resource is in a private network. | | ||
| | Public | The vulnerable component/resource is accessible from the internet. | | ||
|
|
||
| These subcomponents determine the Likelihood score: |
There was a problem hiding this comment.
Suggested change
| These subcomponents determine the Likelihood score: | |
| Together, these subcomponents determine the Likelihood score: |
MaelNamNam
pushed a commit
that referenced
this pull request
Jan 17, 2024
* Added initial likelihood matrix to test table look * Added additional matrices * Made table headers bold * Added severity scoring exammples * Moved severity matrix up a level * Fixed the link numbers in severity_scoring.md * Removed unused links from misconfigurations index * Reformatted severity scoring page * Added aliases * Added additional docs for other producs to severity scoring * Added severity scoring page to menu * Removed threats from the severity scoring page * Update content/en/security/severity_scoring.md Co-authored-by: Christophe Tafani-Dereeper <[email protected]> * Added more links to further_reading for severity_scoring * Fixed some minor issues with severity_scoring * Moved the Severity Scoring page to be under CSM * Changed the headers of severity_scoring * Fixed some minor issues with severity_scoring * Added CSM Vulnerabilities section for severity_scoring * Removed temporal language from severity_scoring * Minor edits * Changed the format of the matrices in severity_scoring * Minor edits * Added introduction to severity_scoring * Update menu --------- Co-authored-by: Christophe Tafani-Dereeper <[email protected]> Co-authored-by: DeForest Richards <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do? What is the motivation?
This PR adds the new CSPM severity framework to the public documentation site, along with some examples of how to use it.
Merge instructions
Please do not merge this immediately. It needs to be reviewed by some other parties first.
Additional notes
This work is tied to this ticket.