Prioritizing Remediation Efforts via Risk-based Scoring

May 11, 2022

Introduction

Because we’re always short of resources and/or time, we must put these two elements to their best use. When it comes to managing vulnerabilities in an enterprise infrastructure, we can make a significant impact in a short time by quickly fixing those vulnerabilities that pose the highest risk to the enterprise. Meanwhile, we don’t want our resources to get overwhelmed by the sheer number of vulnerabilities they encounter on a day-to-day basis or when there’s a critical vulnerability breakout, such as the most recent example: the Apache Log4j vulnerability. We need resources to focus attention on the highest-risk vulnerabilities affecting the enterprise’s critical resources. Scoring and the mechanism used for scoring vulnerabilities and assets plays a vital role within the vulnerability management program.

 

 

Challenges With CVSS and Commercial Vulnerability Management Platform Scoring

The most common scoring mechanism used is the Common Vulnerability Scoring System (CVSS). CVSS is a free and open industry standard for assessing the severity of vulnerabilities. One challenge with the CVSS score is that it doesn’t capture the contextual or business risk for an organization that arises from a particular vulnerability. The CVSS base score captures the technical severity of vulnerabilities but doesn’t convey their true risk.

 

Nearly all top industry vulnerability scanners – such as Tenable, Rapid7 and Qualys – use CVSS as a baseline scoring mechanism. Most often than not, users of such tools use CVSS scoring to prioritize their vulnerabilities, which is not the best approach. Prioritizing vulnerabilities solely based upon the CVSS scoring will not help security teams focus remediation efforts to address vulnerabilities with the highest risk for critical assets.

 

Consider the following scenarios:

 

  1. SSLv2 enabled within the private development environment, not accessible over internet
  2. SSLv2 enabled within the private production database environment, not accessible over internet
  3. SSLv2 enabled within the public-facing production web application environment

 

If the CVSS base score is used to prioritize the vulnerabilities in these scenarios, all will be critical and incorrectly given the same priority based upon their score. This highlights the need for a scoring mechanism that can consider the contextual and business risk of the vulnerabilities.

 

There are temporal and environmental score metrics (which to some extent capture the contextual and associated risk of vulnerabilities) available to complement the CVSS base score. However, using these metrics in enterprise environments where security teams deal with hundreds and thousands of vulnerabilities is overwhelming and complex. Security teams would need to find a mechanism to identify and leverage three base metrics to calculate the temporal score, and 11 base metrics to calculate the environmental score. This makes vulnerability prioritization cumbersome and simply not practical.

 

Platforms like Rapid7, Tenable and Qualys also have mechanisms to address enterprise risk by integrating threat information as an additional factor in their risk scoring. However, to benefit from these features, organizations must purchase or subscribe to additional or add-on applications that run on top of their VM platforms. Additionally, business context factors are still largely missing, and criticality of the assets must be predefined (by the organization) within the platform, all of which require well-trained resources. Only then can an improved risk-based prioritization of vulnerabilities and assets be achieved.

 

Based upon our experience working with clients using various vulnerability management platforms, we found that in most cases when an additional application is required to provide the contextual and business risk, it isn’t installed or utilized as an integral part of their vulnerability management platform. Furthermore, the platform often contains minimal asset details and lacks the contextual information necessary for calculating asset criticality.

 

 

Solution for Risk-based Scoring of Vulnerabilities and Assets

To address these challenges, we’ve devised a vulnerability and asset scoring mechanism that leverages business context information to more accurately identify the contextual and business risk associated with vulnerabilities and assets, thus enabling the team to correctly prioritize remediation efforts.

 

It’s critical for the remediation function of a vulnerability management program to identify the real-time risk of vulnerabilities and associated assets. Using this scoring mechanism will help teams determine which assets are the riskiest and which vulnerabilities should be remediated first; this reduces the overall risk to the enterprise significantly and more efficiently.

 

We start the scoring process by first evaluating the risk scores for vulnerabilities. Factors used in that calculation include the following:

 

  1. CVSS score
  2. Vulnerability intelligence score (if available)
  3. Asset criticality (range 0-4)
  4. Asset exposure (internal vs. external)

 

CVSS score is by default included as a component of any vulnerability scanner. Vulnerability intelligence score is collected from any (client-preferred) vulnerability intelligence add-on sources, such as Mandiant Advantage Rating, RiskSense VRR, Tenable VPR, Rapid7 Real Risk Score, etc., normalized to a number between 1-10. Asset criticality and exposure are provided by clients, identified through discussions with key stakeholders or derived from information collected during discovery workshops.

 

Once we have the above data points, we use the below formula to calculate the vulnerability risk score for each vulnerability on each asset:

 

Image
CDAS_TVMR_BLOG-interior.jpg

 

The first part of the formula is a sanity check – if the vulnerability intel and CVSS scores are zero, vulnerability risk score will be zero.

 

The second part of the formula is used to calculate the vulnerability risk score. CVSS, vulnerability intelligence, asset criticality and asset exposure (internal/external) attributes are all used to derive the vulnerability risk score. In the formula, the score attributes are assigned different weights to account for varying levels of importance. For example, the vulnerability intel score will carry more weight than CVSS. Asset criticality and asset exposure are both weighted to help normalize the highest value up to a value of 10. As asset criticality increases, this weight causes it to increase two-and-a-half times, and as the asset exposure goes from 1 (internally exposed) to 2 (externally exposed), this weight causes it to double.

 

Risk-based vulnerability scoring helps prioritize remediation efforts by determining which assets have the highest risk. To do this, we also calculate the asset risk scores, which complement the vulnerability risk scoring and assists with focusing remediation efforts.

 

Since an asset can have multiple vulnerabilities, we calculate the asset risk score from the risk scores of each of the vulnerabilities on the asset.

 

Asset-Vulnerability(i) Risk = (-Vulnerability(i) Risk Score)2 * 5 / (sequence# of -Vulnerability(i) on the host)1.5

 

The goal of the asset-vulnerability(i) risk scoring formula is to prevent the mechanism from being overwhelmed by the sheer number of low- or medium-severity findings. We accomplish this by:

 

  1. Squaring the vulnerability(i) risk score and multiplying it times five to give more weight to the critical/high severity findings and exponentially increase the difference between the risk scores.
  2. Sequencing based upon the count of the vulnerabilities on an asset, since the asset-vulnerability(i) risk is decreasing as we increase the sequence number.
  3. Calculating the overall risk score of the asset based upon all identified vulnerabilities, which results in the new calculated risk score assigned.

 

This avoids scenarios where an asset with 15 low-severity findings will have a higher asset risk score than the asset with four critical severity findings.

 

Once the asset-vulnerability(i) risk from each of the vulnerabilities on the asset is identified, we calculate the overall risk score of the asset by adding the asset-vulnerability(i) risk values of all identified vulnerabilities for that asset.

 

Total Asset Risk Score = SUM (All the asset-vulnerability(i) risk values identified for that asset)

 

 

Conclusion

Our methodology for calculating vulnerability risk score and asset risk score helps prioritize the remediation efforts, whether clients are or are not using expensive commercial addons for their VM platforms. Implementing our risk-based approach and focusing upon key attributes essential for scoring the vulnerabilities and assets will help your organization accelerate and concentrate remediation activities in areas that reduce the most risk.

mayank_singh_headshot.jpg
Practice Manager | Optiv
Mayank has over 12 years of experience in consulting and enterprise environments. His experience ranges from small businesses to large corporations in a multitude of industries. He’s a Subject matter expert in the design and implementation of security program development, vulnerability assessment and management, conducting security assessment for web applications, and managing regulatory compliance. His areas of expertise include vulnerability assessment and management, penetration testing, threat modeling, regulatory compliance, and attack surface management.

Prior to joining Optiv, Singh was the Head of Data Security for a Dallas-based North American leading prepays solution provider for utilities. He was responsible for running and managing their security program, regulatory compliance, and conducting security assessments for their products and environments.

Singh earned a bachelor’s degree in computer science from the University of Rajiv Gandhi Proudyogiki Vishwavidyalaya and post-graduation in software technology from the Center for Development of Advanced Computing (CDAC).
dav_wilson_headshot.jpg
Senior Consultant | Optiv
Dav has nearly three decades of combined experience in naval electronics, information technology, telecommunication, network engineering and physical security, with the past 15+ years focused upon information security. His extensive experience with various tools and technologies, along with his sincere enthusiasm for continuing education, provide him with multiple examples of lessons learned which he often shares with clients seeking to improve their security program.

He has assisted clients with a vast variety of tasks, including threat hunting; post-breach remediation; process and program development; security architecture; onboarding security operation services and personnel; installation and integration of security products and appliances.

Prior to working with Optiv, Dav was instrumental in developing and refining custom onboarding services delivering security operations for multiple large enterprise clients across a variety of industry verticals. His understanding of the threat landscape, people, and business processes led him to develop new strategies for onboarding and handling of security incidents for teams supporting clients through remote and onsite work.
luis_castillo_headshot.jpg
Principal Consultant / Technical Manager | Optiv
Luis Castillo brings over 25 years of experience in IT and information security with a proven record of delivering enterprise solutions that transform business operations and secure the organization.

Prior to joining Optiv, Castillo spent his career in corporate industry and security consulting. He held several technical and leadership positions of increasing responsibility in areas, including IT systems management, IT service delivery, NOC/SOC operations, program management, and cybersecurity.

Castillo’s cybersecurity experience includes integration and implementation projects identity and access management, email security, network security, endpoint security, application security, incident response, advanced persistent threat, extended detection, and response, cyber GRC and vulnerability Management.

Castillo holds a Bachelor of Science degree from the University of Notre Dame and a Master of Science in Computer Science from Rensselaer Polytechnic Institute.

Optiv Security: Secure greatness.™

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to more than 7,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.