What’s in a risk score? Implementing a Risk based remediation strategy using machine learning

Risk based remediation score = Likelihood to exploit

A risk score in Farsight is described as the likelihood of a vulnerability being exploited against the average. Given most vulnerabilities (the number varies from organization to organization, but is generally between 90% and 95%) are never exploited, likelihood is an useful measure of risk when it comes to prioritization. When the likelihood increases above 1.0, the algorithm is saying that the vulnerability fall into that remaining 5% - 10% of the vulnerabilities that are likely to be exploited over time. Another key difference to CVSS score is the dynamic nature of the risk score – by understanding the risk level of a vulnerability in real time, organizations will be able to adapt their remediation strategy on the fly.

Likelihood to exploit = predictive risk

When considering the likelihood, you are essentially looking at a prediction driven by a tested and proven machine learning model, on the likelihood that the vulnerability will be exploited. Whilst ‘Has an exploit’ and ‘has been exploited in the wild’ are both parts of the machine learning model, the evidence-based predictive risk score allows you to drive a more aggressive risk strategy by prioritizing on a likelihood spectrum that fits with your business context. Naturally, focusing on a likelihood > 25 will result in fewer vulnerabilities needing remediating than likelihood of > 10. Basing your risk based remediation strategy on a score of 10 could be considered a cautious approach to accepting risk vs a score of 25 or higher. Whilst this may be obvious it’s important to understand that neither approach is wrong. The key determining factors for your organization’s risk appetite are risk tolerance (how much risk are you willing to tolerate) and resource available for remediation (how much are you willing to spend to mitigate the risk). Setting the appetite is paramount to effective risk management, and it must tie together operational risk, security risk and technical risk in a cross functional perspective.

Higher risk appetite ≠ greater chance of attack

Just because you have a higher risk tolerance doesn’t mean you will be exposed to more risks. For vulnerabilities that are actively exploited in the wild the risk score will be at the highest at 38.5. So regardless of your risk appetite or the minimum predictive risk score you are willing to tolerate, you will always include these exploited vulnerabilities in your risk based remediation plan. The predictive risk score is there to guide your team on timely remediation for imminent threats, focusing on high risk vulnerabilities at this moment in time so it becomes manageable, rather than overwhelming.

The flexibility of Outscan combined with Farsight means you can add ‘Exploit Available’ as an additional filter field. This will drastically reduce the vulnerability count from a remediation perspective but takes you from reliance on the predictive likelihood – where essentially you are ahead of the threat actors - to a more urgent ‘these vulnerabilities have known exploits AND MAY be exploited in the wild’ scenario to prompt you for immediate remediation.

Ultimately, the flexibility – and indeed the right approach to using Farsight in your organization should be based on the individual needs of the business. Want to focus on anything trending over 1. Absolutely. Only on 38 or higher – absolutely. Either is a valid strategy but the remediation activity will differ significantly between the two.

An example to finish

In our own testing we saw some interesting results focusing just on two filters

1. Likelihood > 25
2. Likelihood > 25 where an exploit is available

When reviewing the total number of findings before applying any filters we saw approximately 3,000 affecting just over 180 assets By applying a filter (1) to narrow down on vulnerabilities of any type with a likelihood of exploitation greater than 25, that number dropped to 165 vulnerabilities affecting 22 assets. Already a reduction in focus to the top 5% of the riskiest vulnerabilities in the network. Adding where exploit available (2) to that filter dropped the number of affected targets to 16 and a total of 30 findings. And I’m not missing ANY that are currently being exploited. Or a total of 1% of the overall vulnerabilities in my estate.

Using Farsight intelligence its clear for a user to see the predicted likelihood score within Outscan to help aid risk prioritization.

This is a good number to work on each day or week for most security and IT teams.

And of course with Outscan an ability to build dynamic target groups, as the likelihood changes and you remediate, different vulnerabilities and assets will appear in those filtered groups. Allowing you to focus your attention on remediating based on a risk not a CVSS score.

Conclusion

There is no right or wrong way to approach using Farsight for risk based vulnerability management. Each organization must determine what their risk appetite is and the rest will follow. And with the flexibility of dynamic target groups and filters you can model a number of different risk strategies, compare them and gradually decide on those that make the most sense for your organization.