Heather Lawrence and David Wisdom from ThreatKey's Data Science Team explain how ThreatKey calculates an organization's cloud security health score, considering factors like vulnerability age and regional complexity to help teams prioritize risks and improve their security measures.
How ThreatKey calculates your cloud security health score
Heather Lawrence and David Wisdom
Yet Another Metric
Crystal balls, unfortunately, are not available for your organization or your infrastructure. So how can organizations manage and reduce risk? While security scores are not perfect indicators of an environment, ThreatKey’s security health score measures both the volume and severity of the most common kinds of threats to internal security. In our latest release we continued using the familiar FICO credit scoring system where 300 reflects the worst possible score and 850 reflects the best.
Still, metrics like this are only useful if they are based in reality and consider quantitative aspects of a mature vulnerability management program:
Proactive: Vulnerabilities are remediated before they can be exploited.
Prioritization: Vulnerabilities are prioritized based on factors such as the ease and likelihood of exploitation and the potential impact of a successful attack.
Flexibility: It must be possible to adapt to new threats and vulnerabilities as they arise or to adjust the severity of existing vulnerabilities.
Measurable: Measurable metrics to track the progress and effectiveness of the program.
Continuous: Ongoing review and update of vulnerabilities and their management.
Compliance: Compliant with applicable industry standards and regulations, such as PCI-DSS and SOC2.
Accountability, communication, and collaboration are also important aspects of running a successful vulnerability management program, but are not currently considered as quantifiable metrics.
Remediation teams have their work cut out for them and need assistance where they can get it. The stages to remediate a vulnerability typically include:
Budgets are strained between staffing, tooling, and securing endpoints. Our risk score is built to make it easier to compare and prioritize potential vulnerabilities thus enabling your teams to make informed decisions about where to allocate resources for security measures over time. We at ThreatKey strive to clearly communicate how metrics are calculated so your teams can interpret their performance. We are constantly optimizing how these metrics are calculated to improve their usefulness and the factors we consider now may change in future releases.
ThreatKey’s Security Health Score
The Old Formula
Our previous (read: first) version of a risk score only considered the number of high and critical findings. This was, perhaps, a crude approach, but a starting point on which to build something better.
Critical & High Findings
Critical and high findings are akin to a diver’s caution flag — they indicate a high likelihood of being exploited and a higher potential impact if that exploitation were to occur. As these findings indicate the greatest threat, a mature and effective remediation team must prioritize and take quick action to address them.
New, Open, & Stale Findings
ThreatKey’s risk score now takes the age of findings into account when determining risk. We treat a spike in the number of new findings as a weak signal that new resources are misconfigured or that a large number of existing resources have been changed. A large number of open findings indicates there are not enough resources available to effectively remediate identified vulnerabilities.
Stale (>30 days old) findings are like the socks at the bottom of a drawer — you know they're there, but you haven't seen them in a while. We believe a high number of stale findings indicates that your vulnerability management program is not identifying and remedying vulnerabilities in a timely manner. As a vulnerability ages, the chance that a usable exploit is developed increases drastically, thus increasing the risk to your organization. This is captured in the Security Health Score by giving more weight to older findings.
Cross Region Findings
Tracking and remediating vulnerabilities is complex. Tracking and remediating vulnerabilities across regions is even more so. It is more difficult to monitor a network that spans regions, and the chance of misconfigurations increases in regions that are enabled but unused. For this reason, the ThreatKey Security Health Score considers the complexity added across regions.
Security engineers at ThreatKey evaluate every finding type against industry best practices, but sometimes the severity does not reflect the priorities of your organization. We provide a means of easily customizing your severity, but this feature also allows subversion by reducing the severities of all high and critical findings. Any overridden severity that is lower than the ThreatKey default is factored into the score.
Finding & Interpreting Your Security Health Score
Risk Score Color Codes
You can find your ThreatKey risk score at any time under the Reporting tab in the Security Health Score panel.
The Security Health Score meter is colored according to these ranges:
300 to 579 (dark red): High risk
580 to 669 (red): Elevated risk
670 to 739 (orange): Notable risk
740 to 799 (yellow): Requires improvement
800 to 850 (green): Good
Teams should strive to have a good score in the 800-850 range. A "perfect" score of 850 is extremely challenging to achieve and not expected.
How Do I Improve My Score?
We weigh critical and high findings older than 30 days (i.e. stale) the heaviest as they indicate the highest impact and likelihood. Teams should prioritize remediating critical and high findings to have the greatest impact on your ThreatKey Security Health Score. Next, consider working on vulnerabilities that exist across cloud regions and reducing the number of findings where the severity is overridden. Finally, work on reducing the number of overall findings.
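To make the remediation order above and the meter bands listed earlier concrete, here is an added example (not ThreatKey's code or scoring formula): a small ranker that sorts findings by the post's stated priorities, plus the band lookup. The Finding fields, the sample findings and the fixed "today" date are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

STALE_DAYS = 30  # the post calls findings older than 30 days "stale"
SEV_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Score meter bands exactly as listed in the post: (low, high, label)
BANDS = [(300, 579, "High risk"), (580, 669, "Elevated risk"),
         (670, 739, "Notable risk"), (740, 799, "Requires improvement"),
         (800, 850, "Good")]

def band_label(score: int) -> str:
    """Return the meter label for a score; anything outside 300-850 is rejected."""
    for lo, hi, label in BANDS:
        if lo <= score <= hi:
            return label
    raise ValueError(f"score {score} is outside the 300-850 FICO-style range")

@dataclass
class Finding:                  # hypothetical record shape, not ThreatKey's schema
    id: str
    severity: str               # ThreatKey default severity
    override: Optional[str]     # customer-overridden severity, or None
    first_seen: date
    regions: int                # number of cloud regions the finding spans

def is_stale(f: Finding, today: date) -> bool:
    return (today - f.first_seen).days > STALE_DAYS

def remediation_rank(f: Finding, today: date) -> tuple:
    """Sort key following the post's advice (our assumed ordering): stale
    critical/high first, then any critical/high, then cross-region findings,
    then downgraded severities, then oldest first. False sorts before True,
    so each flag is negated. Severity is judged on the default, not the
    override, since the post counts downgrades against the score."""
    crit_high = f.severity in ("critical", "high")
    downgraded = f.override is not None and SEV_ORDER[f.override] < SEV_ORDER[f.severity]
    return (not (crit_high and is_stale(f, today)), not crit_high,
            not (f.regions > 1), not downgraded, -(today - f.first_seen).days)

def prioritize(findings: List[Finding], today: date) -> List[str]:
    """Finding ids in the order a remediation team should work them."""
    return [f.id for f in sorted(findings, key=lambda f: remediation_rank(f, today))]

# Constructed sample data; "today" is fixed so the result is reproducible.
TODAY = date(2024, 6, 30)
SAMPLE = [
    Finding("f1", "high", None, date(2024, 6, 25), 1),       # fresh high, one region
    Finding("f2", "critical", "low", date(2024, 5, 1), 2),   # stale critical, downgraded
    Finding("f3", "medium", None, date(2024, 4, 1), 3),      # stale medium, cross-region
    Finding("f4", "high", None, date(2024, 5, 20), 1),       # stale high
    Finding("f5", "low", None, date(2024, 6, 29), 1),        # new low
]

if __name__ == "__main__":
    print(prioritize(SAMPLE, TODAY))   # ['f2', 'f4', 'f1', 'f3', 'f5']
```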
Determining the level of organizational risk is a tricky process. The ThreatKey Security Health Score now considers numerous factors, like the number of stale findings, to provide an improved quantifiable metric. No security program is perfect, but with these additional considerations, we provide more useful information to determine and mitigate risk in any given solution.