Risk Management Approach
Similar to the first four ISCM widgets, the risk management widget (RMW) is designed to provide situational awareness from the command level down to the asset level. The ARL team’s initial approach to risk management gives stakeholders a mechanism to prioritize the systems at highest risk of compromise, based on Common Vulnerabilities and Exposures (CVE) entries from the NVD and other factors. Fig. 4 illustrates how ISCM visually represents the count of hosts (line graph) and the count of risks (bar graph) associated with a particular enclave. Each risk factor is a vulnerability identified by matching the installed software against CVE entries, as depicted in Fig. 5.
The two primary functions of the RMW are risk identification and risk scoring. Risk identification determines the cause of each risk and identifies the issues that must be mitigated to eliminate that risk at the asset or site level; issues are prioritized by their influence on the risk score. Relative risk scoring uses vulnerability discovery results to estimate risk, with the score driven by the exposure of vulnerable services to external networks. Risk scores are presented by site, asset, or vulnerability.
The ARL team began with the generic cyber risk formulation in which risk is a function of threat, vulnerability and impact, R = ƒ(T × V × I), and supplemented it with additional characteristics that are critical to the defensive operations mission:
Confidence Level: The belief that an asset is exposed to a particular vulnerability, taking into account all relevant observations (i.e. the output of all tools: HBSS, ACAS, etc.). This value is a derived percentage, currently implemented using a term frequency–inverse document frequency (tf-idf) algorithm [19], and represents the certainty that the host in question actually has the attributes deemed vulnerable (software version, patch level, operating system, etc.).
Threat Multiplier: A factor associated with the exposure of a vulnerability to an external network for remote exploitation. Vulnerabilities that are both exposed to a wide area network and remotely exploitable receive the highest threat multiplier.
Temporal Certainty Multiplier: A factor associated with the age of the vulnerability scan reports. As scan information ages, the potential risk from vulnerabilities that cannot be confirmed as mitigated increases; the temporal certainty multiplier expresses that increase as a factor applied to the vulnerability instance risk score. The time period is the interval between the most recent “last seen” timestamp across all risk factors and the current time.
Exposure Duration Multiplier: A factor indicating how long an unresolved risk has remained open since it was first detected. The time period is the interval between the earliest “first seen” timestamp across all risk factors and the current time.
Exploit Threat Multiplier: A dynamic factor that allows a security analyst to raise or lower the weighting of a CVE’s risk score throughout the system. The value is set in the user interface through a RESTful service, which updates the entity model. The factor takes one of five levels (very low, low, moderate, high, very high) depending on the level of observed exploitation and other threat intelligence. If no multiplier is stored in the entity model, the default is moderate, as depicted in Fig. 5.
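The following is an added worked example, not ISCM code, showing how the five characteristics above combine into a relative risk score and roll up by asset, site and vulnerability. The paper names the levels and the direction of each multiplier but not the numbers, so the weight tables, the linear growth curves for the temporal and exposure-duration multipliers, the use of a severity score as a stand-in for V × I, the `set_exploit_threat` function in place of the RESTful update, and the sample observations are all assumptions. The confidence level is taken as an input; the tf-idf derivation of it is not reproduced.

```python
"""Relative risk scoring in the shape the RMW description gives: a threat x
vulnerability x impact base, scaled by confidence, threat, temporal-certainty,
exposure-duration and exploit-threat multipliers, then rolled up by host,
site and CVE.  Added example; the weights and curve shapes are assumptions,
not the ARL implementation's values.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, Tuple

# Assumed weights for the five analyst-selectable exploit threat levels.
EXPLOIT_THREAT_LEVELS: Dict[str, float] = {
    "very low": 0.5, "low": 0.75, "moderate": 1.0, "high": 1.5, "very high": 2.0,
}
DEFAULT_EXPLOIT_LEVEL = "moderate"  # used when the entity model holds no value for a CVE

# Assumed threat multiplier keyed by (network exposure, remotely exploitable).
# WAN-exposed and remotely exploitable is the worst case, as the text states.
THREAT_MULTIPLIER: Dict[Tuple[str, bool], float] = {
    ("wan", True): 2.0, ("wan", False): 1.25,
    ("lan", True): 1.5, ("lan", False): 1.0,
    ("local", True): 1.0, ("local", False): 0.75,
}


@dataclass(frozen=True)
class RiskFactor:
    """One vulnerability instance: a CVE matched to software observed on a host."""
    site: str
    host: str
    cve: str
    severity: float      # assumed stand-in for V x I, e.g. a CVSS base score
    exposure: str        # "wan", "lan" or "local"
    remote: bool         # remotely exploitable per the CVE's attack vector
    confidence: float    # 0..1 certainty the host really has the vulnerable configuration
    first_seen: datetime
    last_seen: datetime


def set_exploit_threat(model: Dict[str, str], cve: str, level: str) -> None:
    """Stand-in for the RESTful update that stores an analyst's level in the entity model."""
    if level not in EXPLOIT_THREAT_LEVELS:
        raise ValueError(f"unknown exploit threat level: {level!r}")
    model[cve] = level


def temporal_certainty(last_seen: datetime, now: datetime) -> float:
    """Assumed curve: +1.0 per 30 days since the most recent scan, capped at 90 days (1.0..4.0)."""
    age_days = max(0, (now - last_seen).days)
    return 1.0 + min(age_days, 90) / 30.0


def exposure_duration(first_seen: datetime, now: datetime) -> float:
    """Assumed curve: +1.0 per 180 days the risk has stayed open, capped at 180 days (1.0..2.0)."""
    open_days = max(0, (now - first_seen).days)
    return 1.0 + min(open_days, 180) / 180.0


def score_factors(factors: Iterable[RiskFactor], model: Dict[str, str], now: datetime) -> dict:
    """Score every instance and roll up by host, site and CVE.

    The temporal and exposure multipliers are computed per host from the greatest
    last_seen and the earliest first_seen of that host's factors, as the text describes.
    """
    factors = list(factors)
    per_host = defaultdict(list)
    for f in factors:
        per_host[f.host].append(f)
    host_mult = {}
    for host, fs in per_host.items():
        newest = max(f.last_seen for f in fs)
        oldest = min(f.first_seen for f in fs)
        host_mult[host] = temporal_certainty(newest, now) * exposure_duration(oldest, now)

    instances, by_host, by_site, by_cve = {}, defaultdict(float), defaultdict(float), defaultdict(float)
    for f in factors:
        level = model.get(f.cve, DEFAULT_EXPLOIT_LEVEL)
        score = (f.severity * f.confidence
                 * THREAT_MULTIPLIER[(f.exposure, f.remote)]
                 * host_mult[f.host]
                 * EXPLOIT_THREAT_LEVELS[level])
        instances[(f.host, f.cve)] = score
        by_host[f.host] += score
        by_site[f.site] += score
        by_cve[f.cve] += score
    return {"instances": instances, "by_host": dict(by_host),
            "by_site": dict(by_site), "by_cve": dict(by_cve)}


# Constructed sample observations, not real scan output; the CVE labels are placeholders.
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)
SAMPLE = [
    RiskFactor("site-1", "hostA", "CVE-SAMPLE-1", 9.8, "wan", True, 1.0,
               datetime(2023, 11, 2, tzinfo=timezone.utc), NOW),
    RiskFactor("site-1", "hostA", "CVE-SAMPLE-2", 5.0, "local", False, 0.5,
               datetime(2024, 1, 1, tzinfo=timezone.utc), NOW),
    RiskFactor("site-1", "hostB", "CVE-SAMPLE-1", 9.8, "lan", True, 0.8,
               datetime(2023, 11, 2, tzinfo=timezone.utc), datetime(2024, 1, 1, tzinfo=timezone.utc)),
    RiskFactor("site-2", "hostC", "CVE-SAMPLE-2", 5.0, "wan", False, 0.9, NOW, NOW),
]


def demo() -> dict:
    model: Dict[str, str] = {}
    set_exploit_threat(model, "CVE-SAMPLE-1", "high")  # analyst raises the level after seeing exploitation
    return score_factors(SAMPLE, model, NOW)


if __name__ == "__main__":
    for host, score in sorted(demo()["by_host"].items(), key=lambda kv: -kv[1]):
        print(f"{host}: {score:.2f}")
```

With these assumed weights, hostB outscores hostA even though its only finding is LAN-exposed and observed at lower confidence: its last scan is 30 days old, so the temporal certainty multiplier doubles its score. That is the intended effect of the multiplier, and it is also why the text cautions that a relative score ranks assets against each other rather than stating an absolute probability of compromise.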
ISCM’s current approach to risk management satisfies its initial goal of helping stakeholders compare and prioritize higher-risk versus lower-risk assets. However, when an asset is considered in isolation, the relative risk score does not provide the context needed to assess the actual likelihood that the asset will be compromised. The ARL team is actively implementing a probabilistic risk scoring widget based primarily on research performed at Massachusetts Institute of Technology – Lincoln Laboratory [20] and Johns Hopkins University Applied Physics Laboratory [21].
Fig. 4 ISCM user interface – host count and risk score visualization
Fig. 5 ISCM user interface – example host risk posture and score