(Editor’s Note: Monica White, a guest author on the Carbon Black blog, is the Director of Product Marketing at Kenna Security)
When we at Kenna Security originally looked at adding a risk score to enumerate vulnerability risk in VMware Carbon Black Cloud Workload, we knew that Common Vulnerability Scoring System (CVSS) scores didn’t serve users well in determining what their own risk profile truly looked like. Instead, we wanted a risk score methodology that was pragmatic, highly accurate, actionable, and tailored, and that ultimately helps our customers make better, more efficient remediation decisions.
So, what makes a vulnerability scoring system good? What does the risk scoring system we use in VMware Carbon Black Cloud Workload look like? How does it work? And does our scoring system meet the criteria of a sound scoring system?
What makes for a good risk score or risk model?
An effective and actionable risk model needs to accomplish three things: measure risk, drive action and provide context (explanation builds trust). In looking for a risk score solution for VMware Carbon Black Cloud Workload, this is exactly what we set out to accomplish.
The Vulnerability Risk Score in fewer than 50 words
Within VMware Carbon Black Cloud Workload, a risk score is a number calculated for a vulnerability that ranges from 0.0 to 10.0. This granular value is an estimate of the likelihood of exploitation of that vulnerability. The probability of exploitation is based on vulnerability attacks and environmental vectors.
How do we measure vulnerability risk?
As mentioned previously, the vulnerability risk score measures risk by providing a number from 0.0 to 10.0 for every vulnerability. The risk score is calculated by combining threat and vulnerability context variables that indicate the likelihood of exploitation of that vulnerability. How predictive each variable is gets measured using a variety of advanced data science and machine learning techniques, and the variables are then incorporated into a scoring model that weights each of them according to how predictive it is. The end result is a quantifiable, granular, and accurate risk score for every vulnerability, backed up by relevant threat context.
In the 10 years that we have been defining risk-based vulnerability management, we’ve discovered key threat and vulnerability context variables that give us the insight needed to predict vulnerability exploitation:
- Has the vulnerability been exploited?
- Has an exploit been published for the vulnerability in question?
- Has the vulnerability been seen in the wild? If yes, how pervasive is it?
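As an added illustration (not Kenna's model, whose data and weights are proprietary), the Python below shows one way the three threat-context questions above can be turned into a 0.0 to 10.0 likelihood-of-exploitation score: each variable's predictiveness is estimated from a labelled history of past vulnerabilities (naive Bayes log-likelihood ratios with Laplace smoothing), the evidence is combined into a probability, and that probability is scaled to the page's range. The history records, the "pervasive" threshold and the VULN-* identifiers are constructed assumptions.

```python
from dataclasses import dataclass
from math import exp, log

@dataclass
class VulnContext:
    name: str
    exploit_published: bool   # "Has an exploit been published?"
    exploited_in_wild: bool   # "Has the vulnerability been exploited?"
    prevalence: float         # fraction of monitored assets carrying it
    def features(self, pervasive_at=0.25):
        # Third question, thresholded: is it pervasive in the wild? (assumed cut-off)
        return (self.exploit_published, self.exploited_in_wild,
                self.prevalence >= pervasive_at)

# Constructed training history: (exploit_published, exploited_in_wild,
# pervasive, was_exploited_within_observation_window). Not real data.
HISTORY = [
    (True, True, True, True), (True, True, False, True), (True, False, True, True),
    (True, False, False, False), (False, True, True, True), (False, False, True, False),
    (False, False, False, False), (False, False, False, False), (True, True, True, True),
    (False, False, True, False), (True, False, False, False), (False, False, False, False),
]

def fit(history):
    """Estimate how predictive each variable is from the labelled history."""
    pos = [r for r in history if r[3]]
    neg = [r for r in history if not r[3]]
    prior = log(len(pos) / len(neg))          # base-rate log-odds of exploitation
    llr = []                                   # per variable: (LLR if true, LLR if false)
    for i in range(3):
        p1 = (sum(r[i] for r in pos) + 1) / (len(pos) + 2)   # P(var | exploited), smoothed
        n1 = (sum(r[i] for r in neg) + 1) / (len(neg) + 2)   # P(var | not exploited)
        llr.append((log(p1 / n1), log((1 - p1) / (1 - n1))))
    return prior, llr

def risk_score(model, vuln):
    """Probability of exploitation scaled to 0.0-10.0, one decimal."""
    prior, llr = model
    logodds = prior + sum(llr[i][0] if f else llr[i][1]
                          for i, f in enumerate(vuln.features()))
    return round(10 / (1 + exp(-logodds)), 1)

def rank(model, vulns):
    """Highest risk first; this is what drives the remediation order."""
    return sorted(vulns, key=lambda v: risk_score(model, v), reverse=True)

MODEL = fit(HISTORY)
SAMPLE = [VulnContext("VULN-A", True, False, 0.05),   # exploit exists, not seen attacked
          VulnContext("VULN-B", True, True, 0.60),    # attacked in the wild and pervasive
          VulnContext("VULN-C", False, False, 0.02)]  # nothing but a CVE entry
```

Running `rank(MODEL, SAMPLE)` puts VULN-B first, mirroring the page's point that in-the-wild exploitation and prevalence, not severity alone, should drive the order.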
What makes it actionable?
A risk score drives action if it is granular, accurate at predicting risk, and trustworthy. Granularity is extremely important because you really can’t make a choice if you’re presented with a number from 1 to 5 or High/Medium/Low. The range of numbers has to be able to tell you, for example, that a vulnerability ranked 9.8 carries significantly more risk than a vulnerability ranked 7.4. The Kenna risk score built into Carbon Black Cloud Workload is 94% accurate at predicting risk due to advanced data-science and robust threat context information.
How does a risk score provide context?
Again, context and explanation build trust, which in turn drives action. Semi-abstract scoring models like CVSS lack the context needed to understand the real impact on an organization’s risk profile. Kenna risk scores are based on predictive modeling that uses real-world threat data measured against historical results. Users can see the threat data, the exploits that exist, whether the vulnerability is pervasive in the wild, and so on. When a vulnerability scores a 9.4, we want you to trust that a 9.4 really is a 9.4, and that a 3.3 is truly a 3.3. Confidence in your scoring system spurs confidence in your actions.
To underline this idea, here are three vulnerabilities that the risk score used in Carbon Black Cloud Workload rates as 10, 9.5, and 6.2. Which would you prioritize first? We’ll give you a hint: use our risk score and the underlying threat data to back you.
The right answer, according to a predictive risk model, is CVE-2020-1472, which has a risk score of 10. The fact that this vulnerability has been exploited in the wild and is very prevalent makes it much riskier than the other two. As you can surmise, seeing the context behind the score really helps you understand the risk behind each vulnerability.
Download the whitepaper, Understanding the Kenna Security Vulnerability Risk Score, today to find out more about the Kenna Risk Score.