High-level overview of the Q3 2020 RS³ v2 update. Updated 6/24/2020.
In Q3 2020, RiskSense will release an enhancement to the RiskSense Security Score (RS³) scoring model that allows RiskSense to provide you with a greater level of accuracy and actionability in your organization’s security posture than ever before. Remediation becomes more responsive, assets are contextualized more effectively, and the Vulnerability Risk Rating (VRR) will continue to be the driving force behind prioritization with even greater insight into threat intelligence and trending exploits.
The enhancements solve numerous customer-reported use cases for maximizing RS³ utility, as described below.
Vulnerability Risk Rating
Your organization needs to know which vulnerabilities are key indicators of potential compromise. RiskSense prioritizes these vulnerabilities by capturing threat context in our VRR. In order to further augment this knowledge, vulnerabilities identified as trending will see an increase in their VRR to ensure a greater degree of visibility.
As the cornerstone of prioritization in the RiskSense platform, VRR extends industry-standard Common Vulnerability Scoring System (CVSS) data from the National Vulnerability Database (NVD) with threat intelligence, subject matter expertise, trending information, and more. In other words, VRR is a one-stop-shop for the foundation of your organization’s key risk indicators, using threat context to make scores accurate and actionable.
An asset’s criticality indicates how mission-critical it is to your organization. To make this feature more useful, criticality (alongside the accessibility of an asset, either internal or external) now has a greater impact on the RS³ of that asset. Between an asset with a criticality of 1 and one with a criticality of 5, the asset graded 5 has its RS³ impact increased so that RS³ remains the top indicator of where to focus. In addition, the RS³ of a collection of assets (such as a group score or the overall organizational score) now takes those criticalities into consideration; a higher-criticality asset contributes more to the average than a lower-criticality one, reflecting its importance to your business.
Asset RS³ Scoring
An asset’s RS³ depends on the VRRs of its constituent vulnerabilities. To ensure the greatest accuracy of an asset’s score, we upgraded the aggregation methodology behind this process to weight the most important vulnerabilities on any given asset. The score also accounts for the concentration of vulnerabilities across your organization: assets with fewer vulnerabilities will see a better score relative to those with many.
Your organization’s actions should be accurately reflected in the scores of your assets. To that end, the asset-level scoring mechanism has been enhanced so that closing vulnerabilities more frequently results in a point gain for the associated asset’s RS³. Resolving low-risk vulnerabilities may produce only a marginal increase, while resolving critical-risk vulnerabilities results in substantial point increases. This reinforces the importance of VRR as a key indicator of security posture.
Insight into your web applications is now more robust, with each one receiving its own RS³ to provide you with the same level of security information as your network host assets. Application RS³s are driven by the VRR scores of associated application findings, powered by application-specific data, including the Open Web Application Security Project (OWASP) Top 10, the Common Weakness Enumeration (CWE) Top 25 Software Vulnerabilities, and our threat intelligence sources. Findings from dynamic application security testing (DAST), static application security testing (SAST), and open-source software (OSS) analysis can all be analyzed for threats.
We understand that changes like this are significant for our customers. We want to ensure you are empowered with as much knowledge as possible to make this a smooth transition and understand the benefits of our scoring methodology improvements, such as:
Accuracy: Prioritizing remediation by VRR will provide the greatest measure of accuracy with respect to your organization’s RS³.
Safety: Your organization needs to know what kinds of unique attacks you’re susceptible to, as well as the likelihood and impact involved in such attacks.
Actionability: Intelligent scoring allows RiskSense to help you prioritize across multiple indicators to drive your remediation efforts most effectively.
Scalability: Full-spectrum risk-based vulnerability management is powered by scalable metrics that adapt over time to keep pace with the latest threats to your organization.
In the coming weeks, we will provide regular updates to this article with more specific information on what you can expect from this enhanced scoring system, as well as details on how it will impact you specifically.