
Dynamic threat intelligence: two case studies

Dynamic risk scoring in action

Let's look at how the dynamic threat intelligence enhancements for Elements Vulnerability Management work in real-world scenarios.

Customer walks into a bar...

A customer reports that Elements showed an asset with a moderate risk score, but a day later, with no other activity in the interim, that score had changed to severe, escalating the threat level.

Why did this happen?

WithSecure's Threat Intelligence identified a proof-of-concept exploit for a vulnerability, and Elements Vulnerability Management raised the risk score to increase the threat level. If a real exploit is found, the score increases further, prioritising the device for attention. Similarly, the score can decrease if the risk is reassessed. Additionally, using Elements Endpoint Protection, a special rule blocks incoming Internet connections when the risk score surpasses a threshold, safeguarding the vulnerable device. Once the service is patched, connections are automatically restored.

So what does this mean to the average person?

Every organisational device or asset carries potential risks, and Elements Vulnerability Management (EVM) is crafted to assist in their effective management. The Asset Risk value serves as a tool to pinpoint assets with the highest risk within your company's environment. This metric aids in prioritising the remediation of identified vulnerabilities based on their potential impact.

Let's consider the following scenarios...

Scenario 1

Illustration: Elements Vulnerability Management

In the illustration above, the CEO's laptop and surgical equipment may be deemed more critical to business operations than an ad screen or a device used by a junior employee. Elements Vulnerability Management (EVM) gives the organisation the ability to assess and assign levels of criticality to devices. This means that vulnerabilities in these business-critical assets result in higher risks.

However, the likelihood of exploitable vulnerabilities affecting an asset can change over time. For example, a vulnerable asset may face an increased risk if active exploits against its vulnerabilities emerge. Leveraging Threat Intelligence data from WithSecure allows us to present the current threat level with the latest information available.

Changes in Threat Intelligence data related to detected vulnerabilities are communicated to the EVM administrator through a modified Risk Score. When the Threat Intelligence data indicates a reduction in exploit prevalence, the score automatically decreases in response. Armed with this heightened risk level information from EVM, administrators can promptly prioritise patching or take other remedial actions if a software vendor has not released a patch.

Furthermore, WithSecure Elements seamlessly integrates Vulnerability Management and Endpoint Protection (EPP) into a cohesive ecosystem, enhancing the security of assets. The Outbreak Control functionality reacts to an increased risk score, selecting a more stringent security profile than the standard one.
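The scoring loop described in the customer case and in Scenario 1, as an added toy model that is not WithSecure's code: threat-intelligence updates raise or lower a vulnerability's score, asset criticality weights it, and a threshold picks the EPP profile. The point values, exploit bonuses, risk bands and the 85 threshold are assumptions for the demo.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Exploit(IntEnum):        # threat-intelligence status of a vulnerability
    NONE = 0
    POC = 1                    # proof-of-concept exploit published
    ACTIVE = 2                 # working exploit seen in the wild

class Criticality(IntEnum):    # business weight in percent, assigned by the admin
    LOW = 80                   # e.g. an ad screen
    NORMAL = 100
    CRITICAL = 120             # e.g. the CEO's laptop or surgical equipment

# Assumed demo parameters, not the product's real values.
EXPLOIT_BONUS = {Exploit.NONE: 0, Exploit.POC: 25, Exploit.ACTIVE: 40}
OUTBREAK_THRESHOLD = 85        # score at which Outbreak Control tightens the profile

@dataclass
class Vulnerability:
    cvss: float                # base severity, 0-10
    exploit: Exploit = Exploit.NONE

@dataclass
class Asset:
    criticality: Criticality
    vulns: list[Vulnerability] = field(default_factory=list)

def vuln_score(v: Vulnerability) -> int:   # 0-100, raised as exploits are reported
    return min(100, round(v.cvss * 10) + EXPLOIT_BONUS[v.exploit])

def asset_risk(asset: Asset) -> int:       # worst vulnerability weighted by criticality
    worst = max((vuln_score(v) for v in asset.vulns), default=0)
    return min(100, worst * asset.criticality // 100)

def risk_band(score: int) -> str:
    return ("low" if score < 40 else "moderate" if score < 70
            else "high" if score < 85 else "severe")

def epp_profile(score: int) -> str:        # Outbreak Control: block inbound Internet
    return "restricted" if score >= OUTBREAK_THRESHOLD else "standard"

def case_study() -> list[tuple[int, str, str]]:   # replays the customer case
    laptop = Asset(Criticality.CRITICAL)
    timeline = []
    # feed updates: no exploit, PoC published, exploit in the wild, then patched (None)
    for status in (Exploit.NONE, Exploit.POC, Exploit.ACTIVE, None):
        laptop.vulns = [] if status is None else [Vulnerability(5.0, status)]
        score = asset_risk(laptop)
        timeline.append((score, risk_band(score), epp_profile(score)))
    return timeline
```

The same constructed CVSS 5.0 finding sits at "moderate" until a PoC appears, crosses the threshold and switches the profile, and drops back to "standard" once the rescan finds it patched.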

Scenario 2

Illustration: Elements Vulnerability Management

Consider a Content Management System (CMS) accessed by the Sales team in the field through Single Sign-On (SSO) to retrieve non-public website data.

If the CMS software has a remotely exploitable vulnerability, Outbreak Control could enforce a security profile that restricts access to internal hosts only, activated over the weekend when the Sales team is not working. On the next working day, the IT team can take further steps to address the risk. Once the vulnerability is resolved and EVM re-evaluates the web server, the risk score decreases. EPP then automatically reverts to the original security profile, allowing access from the Internet.