Contextual Risk Scoring: A Smarter Approach to Prioritizing Security Issues

We all know we need to prioritize but for security analysts this is not always easy

William Leichter

June 13, 2024

Contextual Risk Scoring: A Smarter Approach to Prioritizing Security Issues

Subscribe to AppSoc

Get the best, coolest, and latest in design and code delivered to your inbox each week.

In this blog we’ll discuss the challenges of effective risk scoring of security threats, and AppSOC’s next generation prioritization tools, driven by our unique Contextual Risk Engine (CoRE). You can also view of demo video to see this in real-time.

We all know we need to prioritize, but for security analysts this is not always easy. There are often far too many vulnerabilities and threats for humans to follow-up on, and you simply can’t patch everything. So how can you intelligently prioritize vulnerabilities with this tsunami of data?

There are many products that can detect vulnerabilities, threats, misconfigurations, and other problems, and they usually add some level of prioritization. But when you put together the dozens of tools that many organizations use, there is far too much noise, and far too many “red alert” issues to manage.

The AppSOC platform uses advanced technology to solve these nagging problems: aggregating risk scoring from multiple sources, incorporating business context, reducing noise, and effectively prioritizing the most critical vulnerabilities that need immediate attention.

Going beyond CVSS for prioritization

The conventional way to prioritize vulnerabilities is using the NIST CVE scores found in the National Vulnerability Database (NVD). These scores highlight the relative Severity of known vulnerabilities, but taken alone, there is an overwhelming number to manage, with thousands of potentially severe threats.

AppSOC goes far beyond these traditional CVSS scores that many security tools rely upon. While this is a good starting point, we also incorporate other factors to greatly sharpen our focus: Exploitability and Business Context

Let’s dig deeper into how we make these prioritization decisions and calculate your real risk.

A foundational formula is Risk = Impact x Likelihood

And as we mentioned before CVSS scores only consider Severity. That is only one aspect of overall Impact – you also need to consider:

  • Asset Criticality: how important is this application to your organization? Is this critical for business operations, or something less sensitive?
  • Data Classification: does the app process personal information or IP?
  • Network Exposure: is this internet facing production code, or something used internally or for testing?

Now that we have a more complete view of Impact, we need to consider Likelihood. Again, CVSS scores don’t tell us this, so we need to incorporate multiple other sources:

  • EPSS: this is the Exploit Prediction Scoring System, developed by First.org. This incorporates both Threat Intelligence data from the wild, as well as exploitability ratings.
  • CISA KEV: or Known Exploited Vulnerabilities. These don’t just pose a theoretical risk – they have been actively exploited in the field.
  • Other Red Flag sources of threat intelligence and risk quantification, such as OWASP, SANS, and others.

By considering all these factors, we can pare down an unmanageable list of thousands of potential vulnerabilities and show you the handful of highly critical ones, that trigger all these factors, and make sure you zero in on these first.

Doing the math on vulnerability response

It’s frankly impossible to keep up if you chase everything. Estimates show that, for a security analyst to investigate a vulnerability – to deduplicate, research, and assess the impact – takes least 30 minutes. So, if you receive 300 vulnerability alerts per day across all your tools, you will need a team of almost 20 full-time analysts just to do the basic work. 

But if you can prioritize this properly and turn that list into fewer than 20 critical vulnerabilities, two people could keep up with them, while others – if available, could go further down the list, or focus on other priorities.

Let’s look at a specific example - a Fintech application. This is a business critical, internet facing app, that includes sensitive contains customer data. The raw data gives us almost 700 vulnerabilities. The scanners have prioritized that down to about 300, but a team of 4 analysts can’t look at all of those.

AppSOC’s scoring brings that down to fewer than 50.

But if we look at our Heat Map, there are only 21 key vulnerabilities that combine Impact – including my business context, as well as being exploitable. 

With this sharper focus, a small team can stay on top of these, dig deeper into other edge cases, and then use AppSOC’s automated remediation workflows to file tickets, eliminate recurring false positives and much more – all part of other demos. 

Understanding application hierarchy 

Another area where AppSOC takes a more advanced approach is our flexible data model, which understands how applications are built, and enables us to better quantify and prioritize vulnerabilities.

We use a hierarchical model that helps you put all findings in the right context and map them to other findings. We start with 

  • Individual findings: typically delivered by vulnerability scanners. Then we build the stack up to:
  • Shared Libraries, which may be used in many places
  • Microservices – the building block of modern apps
  • Applications
  • Hosts, and even 
  • Business units

Our knowledge of the application hierarchy has a direct impact on how we aggregate and score risk. For example, a vulnerability in a commonly used library, like Log4J might show up in hundreds of places across your application stack. But this can also drown out other, less frequent vulnerabilities. 

Our CoRE engine tracks these common and unique vulnerabilities across the stack and aggregates them with a logarithmic scale to compress the data spikes, while still clearly illuminating the bigger picture. The result is clarity and flexibility. Here you see have an aggregated risk score of 650, but we can quickly drill down to the microservices or libraries that are most at risk or roll up data to the top and see which business units are affected.

For more details on the AppSOC platform, please watch more of these demo videos, or schedule a live demo where our experts can discuss your specific needs and show how the AppSOC platform can save you time and money, while improving your organization’s overall security posture.