Set compensating controls - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM 3.x Documentation

Product
Cortex XSIAM
Creation date
2025-07-15
Last date published
2026-06-16
Category
Administrator Guide

Manually attest the effectiveness of a security control so that the platform can account for it when prioritizing the vulnerabilities it mitigates.

Use the workflow below to manually set compensating control effectiveness:

  1. Navigate to Vulnerability & Exposure Management > Vulnerability Issues and sort the listed vulnerabilities by their CVRS score or by Compensating Control Effectiveness. Select a high-priority issue (for example, a critical and exploitable vulnerability on a production, internet-facing web server) to inspect further.

  2. Click an issue to open the detailed issue side panel. The Security Controls section lists the active security controls that are currently mitigating the issue. Alternatively, sort the issue list by Control Effectiveness (for instance, to select every issue currently marked Effective) and right-click any issue in the list to update its effectiveness level.

  3. Examine the Compensating Control Effectiveness column. If the security control was detected automatically and the platform has access to its configuration, the effectiveness is also set automatically.

    If the effectiveness is listed as Unknown, you must define the security control's effectiveness manually. The platform does not assume that a control is effective; it relies on your knowledge of the control's actual configuration to make that determination.

  4. Based on your knowledge of the Security Control configuration, manually change the Unknown value to one of the following effectiveness states:

    • Effective: The control fully mitigates the risk (for example, you know the security control is in 'Block' mode for this vulnerability).

    • Partially Effective: The control mitigates the risk only under certain conditions (for example, the security control is in 'Log Only' mode, or it blocks some of the available exploits but not all variants).

    • Not Effective: The control does not address the issue (for example, the vulnerability is an SSH 'root' login weakness and the security control in place does not mitigate it).

After you complete the workflow above, the Compensating Control state is marked as manually defined. The platform re-prioritizes the finding, potentially moving it out of the Critical remediation bucket, because an expert has reviewed the issue and that assessment is treated as the source of truth. Because a manual attestation lowers the finding's priority, base it on the control's verified configuration rather than its intended one, and revisit the attestation if that configuration changes.