This article details how risk scoring works in the Brinqa Platform, how Brinqa calculates risk scores out-of-the-box, and how changes can be made to customize these calculations.
What is risk scoring?
Risk scoring in the Brinqa Platform is designed to provide you and your organization with a clear and actionable understanding of your security risk landscape. Before diving into the details, let's define some key terms:
Base risk score: The initial score assigned to a vulnerability, typically derived from standardized scoring systems such as Common Vulnerability Scoring System (CVSS) v3 or CVSS v2. This score reflects the inherent risk of a vulnerability without considering any additional risk factors or context.
Risk score: A calculated score that takes the base risk score and adjusts it by considering additional risk factors specific to your organization or environment, such as asset criticality, business impact, and threat intelligence. This score provides a more accurate assessment of the actual risk posed by a vulnerability in your specific context.
Risk rating: A qualitative representation of the risk score, usually expressed as a category like Low, Medium, High, or Critical. Risk ratings provide a more accessible and easily understandable view of the risk associated with a vulnerability, making it easier to prioritize remediation efforts.
The risk score model is a configuration that determines the calculation of base risk scores, risk scores, and risk ratings for vulnerabilities that fulfill the specified conditions of the risk scoring model. By using multiple scoring models and offering customization options, Brinqa enables you to prioritize vulnerabilities and assets based on your organization's unique risk profiles. The risk scoring model configuration encompasses the attribute that will be used as the basis for the risk score, whether the base risk score will be adjusted by risk factors, and the name of each numerical range.
Risk scoring model for vulnerabilities
It's important to note that in the Brinqa Platform, vulnerabilities refer to specific instances of security weaknesses in your assets, whereas vulnerability definitions describe the general characteristics of a vulnerability, including details like CVSS v3 or CVSS v2 scores.
Brinqa calculates risk scores for vulnerability definitions by first identifying the most appropriate risk scoring model for each item, based on the available data. Brinqa prioritizes these models in the following order: CVSS v3, CVSS v2, Severity number, and then Default value. Brinqa then aggregates and normalizes the risk scores across all findings by applying a consistent numbering format, from 0-10, providing a comprehensive view of your organization's risk landscape. This process enables you and your security teams to prioritize remediation efforts and make informed decisions about risk mitigation strategies.
Brinqa also calculates risk scores for vulnerabilities by first determining if there is a vulnerability definition associated with them. If an associated vulnerability definition is available, Brinqa uses that risk score; if not, it uses the default value instead. In both cases, Brinqa then takes into account any related risk factors, which may increase or decrease the base risk score. This approach ensures that risk scores for vulnerabilities are accurately assessed, depending on the presence of vulnerability definitions and applicable risk factors.
Vulnerability definition risk scoring models
By default, there are four risk scoring models that Brinqa applies to calculate risk scores for vulnerability definitions:
CVSS v3 is an industry-standard method for assessing the severity of vulnerabilities. It takes into account various factors such as exploitability, impact, and scope. Brinqa uses CVSS v3 scores provided by vulnerability databases or security scanners to assess the risk of specific findings; these scores range from 0-10, with 10 indicating the highest risk.
CVSS v2 is the previous version of the CVSS framework. While it has been largely superseded by CVSS v3, Brinqa continues to support it for backward compatibility. Like CVSS v3, CVSS v2 scores range from 0-10 and are used to assess the risk of specific findings. If CVSS v3 scores are not available for a vulnerability, Brinqa can use CVSS v2 scores as a fallback.
The severity score is a simplified risk scoring model that categorizes vulnerabilities into different levels based on their severity. Brinqa calculates the severity score by normalizing a tool's severities or ratings to a scale of 0 to 10, particularly when a tool doesn't support CVSS v3 or CVSS v2 scores but provides its own severity ratings. By mapping the tools' severity levels to the 0-10 rating scale, Brinqa allows for a consistent assessment of risk across different tools and vulnerability findings.
The default value is a fallback risk scoring model that Brinqa uses when no other scoring information is available for a finding. This model assigns a predefined default risk score to ensure that all findings have a risk score, even if they lack CVSS or severity data. You can customize default values to fit your organization's risk management requirements.
Figure 1 illustrates this risk scoring process:
Figure 1: Vulnerability definition risk scoring process
Users with the Configurator or System Administrator role can access the pre-defined risk scoring model categories for vulnerability definitions by navigating to Administration > Data > Models > Vulnerability definition > Risk scoring. The default risk scoring models are detailed in the table below:
Table 1: Brinqa built-in vulnerability definition risk scoring models
| # | Risk scoring model | Description |
| --- | --- | --- |
| 1 | CVSS v3 | The default risk scoring model for CVE records that have a CVSS v3 base score. The risk score is derived from the |
| 2 | CVSS v2 | The default risk scoring model for CVE records that have a CVSS v2 base score. The risk score is derived from the |
| 3 | Severity score | The default risk scoring model for CVE records that have a severity number. The risk score is derived from the |
| 4 | Default value | The default risk scoring model for CVE records that do not have a CVSS base score or severity number. |
Vulnerability risk scoring models
By default, there are two risk models that Brinqa applies to calculate risk scores for vulnerabilities:
Findings with associated definitions and risk factors
This risk scoring model calculates vulnerability risk scores based on the corresponding vulnerability definition's risk score, which includes CVSS v3 or v2 scores. It takes into account both the characteristics of the vulnerability and any related risk factors. If a vulnerability has an associated definition, this model assigns the risk score from the definition to the vulnerability, ensuring a comprehensive and accurate risk assessment for each individual vulnerability.
Default value with risk factors
This risk scoring model is designed for findings that have no CVSS or severity information. In the absence of an industry-standard scoring system like CVSS or a defined severity, this model incorporates any relevant risk factors to assess the risk of specific findings. This ensures that even findings without CVSS or severity scores are evaluated and prioritized appropriately, based on available risk factor data.
Figure 2 illustrates this risk scoring process:
Figure 2: Vulnerability risk scoring process
Users with the Configurator or System Administrator role can access the pre-defined risk scoring model categories for vulnerabilities by navigating to Administration > Data > Models > Vulnerability > Risk scoring. The default risk scoring models are detailed in the table below:
Table 2: Brinqa built-in vulnerability risk scoring models
| # | Risk scoring model | Description |
| --- | --- | --- |
| 1 | Findings with associated definitions and risk factors | The default risk scoring model for findings based on the associated finding definition's risk score and related risk factors. |
| 2 | Default value with risk factors | The default risk scoring model for findings that do not have a CVSS score or severity. |
Risk scoring model for assets
In the Brinqa Platform, assets are also assigned risk scores; however, the process differs from vulnerability risk scoring.
By default, the risk score assigned to assets is based on the risk score of their open vulnerabilities. If an asset has one or more open vulnerabilities, the highest risk score is assigned to the asset. This approach ensures that the asset's risk score accurately represents the most significant risk currently associated with it.
Assigning risk scores to assets based on their open vulnerabilities enables organizations to better understand the overall risk landscape of their infrastructure. This information helps security teams prioritize remediation efforts, allocate resources effectively, and implement risk mitigation strategies to reduce the potential impact of vulnerabilities on their assets.
Users with the Configurator or System Administrator role can access the pre-defined risk scoring model categories for assets by navigating to Administration > Data > Models > Host > Risk scoring. The default risk scoring model for assets is detailed in the table below:
Table 3: Brinqa built-in asset risk scoring model
| Risk scoring model | Description |
| --- | --- |
| Highest active finding risk score | The default asset risk scoring model is based on the highest risk score for associated active findings. |
The conditions for the asset risk scoring model apply to data models that extend the asset data model. The conditions for these data models are as follows:
Target data model: Host (or any data model that extends Asset)
Aggregation data model: Finding
Aggregation attribute: Risk score
statusCategory = "open"
ID exists (Note: this condition will always be true)
These conditions are used to compute the risk score for assets based on the open vulnerabilities associated with them. The risk scoring model first checks if the ID exists for each Host in the target data model, ensuring that the host exists. Then, for each existing host, it filters for findings with an "open" status category and identifies the highest risk score among them. This approach ensures that only relevant and active vulnerabilities are considered when calculating the asset's risk score.
Adjust risk score with risk factors
The risk scoring model defines which attributes act as the base risk score for the risk score computation. If the chosen risk scoring model has risk factors enabled, then the base risk score can be adjusted by the risk factors applied to that finding. Risk factors may either increase or decrease the base risk score.
Typically, if you rely solely on base scores, you may end up with many findings rated as high or critical. Risk factors are designed to lower the priority of findings in secure networks with little to no traffic, while elevating those that involve sensitive data or support critical business functions. CVSS scores provide information about the vulnerability itself, but they don't offer insights into the importance of the location where the vulnerability is found.
Users with the Configurator or System Administrator role can access the risk factor adjustments by navigating to Administration > Configuration > Risk factors. Brinqa provides default risk factor adjustments out-of-the-box, which can be enabled or disabled as needed. The default risk factor adjustments are as shown in the following table:
Table 4: Default Brinqa risk factors
| # | Risk factor | Rationale | Applies to |
| --- | --- | --- | --- |
| 1 | PII | Assets with PII (Personally Identifiable Information) can have a greater impact on the business if exploited. | Host: |
| 2 | PCI | Assets needing to meet PCI (Payment Card Industry) standards have a greater impact on the business if exploited. | Host: |
| 3 | NERC | Assets needing to meet NERC (North American Electric Reliability Corporation) standards have a greater impact on the business if exploited. | Host: |
| 4 | HIPAA | Assets needing to meet HIPAA (Health Insurance Portability and Accountability Act) standards have a greater impact on the business if exploited. | Host: |
| 5 | CVSS v2 vector indicates local or adjacent access required | Vulnerabilities that require local or adjacent access are less common. | Vulnerability: |
| 6 | CVSS v2 vector indicates no integrity or confidentiality impact | Vulnerabilities that do not impact the integrity or confidentiality of the system can be deprioritized. | Vulnerability: |
| 7 | CVSS v3 vector indicates local or adjacent access required | Vulnerabilities that require local or adjacent access are less common. | Vulnerability: |
| 8 | CVSS v3 vector indicates no integrity or confidentiality impact | Vulnerabilities that do not impact the integrity or confidentiality of the system can be deprioritized. | Vulnerability: |
| 9 | CVSS v3 vector indicates low integrity and low confidentiality impact | Vulnerabilities with low impact on integrity or confidentiality can be deprioritized. | Vulnerability: |
| 10 | Percentage impacted is low | Vulnerabilities that impact a very limited number of systems can be deprioritized. | Vulnerability: |
| 11 | EPSS Likelihood < 1% | Vulnerabilities where EPSS indicates a likelihood of less than 1%. | Vulnerability: |
| 12 | EPSS Likelihood > 15% | Vulnerabilities where EPSS indicates a likelihood of greater than 15%. | Vulnerability: |
See risk factors for additional information about risk factors and how to create and apply risk factors to your security data.
The risk score of a finding equals the base risk score plus the sum of all risk factor scores, on a scale of 0-10. For example, a risk factor score of -1 on the vulnerability data model decreases the risk score of the associated findings by 1.
To examine how risk factors impact the base risk score of a finding, navigate to Findings, click the Risk factors filter, and then select one or more risk factors from the drop-down. For example:
In the screenshot above, the "CVSS v2 vector indicates local or adjacent access required" risk factor has been applied, and only the findings with that risk factor are displayed in the list view. Click one of the entries in the list view and locate the Risk section in the slide-out view to see how the sum of the risk factors (Risk factor offset) affects the final risk score (Risk): it increases the base risk score (6.8) of the finding by 0.5, resulting in a final risk score of 7.3.
Create a new risk scoring model
To calculate risk, you must first determine the most suitable risk score model for the finding you are computing. If the default Brinqa risk scoring models do not quite fit your risk scoring and risk prioritization needs, users with the Configurator or System Administrator role can create a new risk scoring model. To do so, follow these steps:
Navigate to Administration > Configuration > Risk scoring models.
Click Create and fill in the fields as shown below:
Name: The name of the risk scoring model.
Active: Whether the risk scoring model is active or not.
Description: The description of the risk scoring model.
Preset: The different ways that the risk scoring model calculates the base risk score. Select one of the following:
Aggregate related attribute: Takes an aggregation (Maximum, Minimum, Sum, etc.) of a dataset.
Value from attribute: Uses the value of an attribute on any dataset or related data.
Default value: Returns a number.
Condition: Specify the condition to score your data. The supported syntax is Brinqa Condition Language. For example:
cvssV2BaseScore IS NOT NULL, or
patchAvailable = "False".
Test condition: Click Test condition to see the results retrieved by the condition.
Click + to add additional conditions to the risk scoring model.
Your new risk scoring model applies when the data orchestration runs. However, if you want the new risk scoring model to go into effect immediately, follow these steps:
Navigate to the data model to which the risk scoring model applies.
Click the compute flow for your data model. For example, if you have added a new risk scoring model for the Vulnerability data model, click Vulnerability compute flow.