Facing the Reality of Risk Prioritization

Accelerate progress in your security program through better risk scoring

Dan DeCloss recently joined Paul Asadoorian, principal security evangelist at Eclypsium, and Mandy Logan, brainstem hacker and infosec enthusiast, on the Paul’s Security Weekly podcast. In Episode #819, they dove into the topic of risk prioritization: how do security programs decide what to work on first to reduce risk as quickly as possible? Every program, regardless of maturity, deals with resource limitations (personnel, time, budget, etc.) and can’t possibly address every potential risk in its environment simultaneously. But every program must still answer the questions, “Are we working on the right things?” and “Are we getting better?”

Check out the full episode to hear Dan’s take on the value of flexible risk scoring, the importance of applying organizational context, and the potential of AI to help, or read on for the highlights.

Contextual risk scoring

Scoring the criticality of vulnerabilities is an important step in an organization’s ability to prioritize its risk. Unfortunately, the standardized scoring systems in use across the cybersecurity industry have a number of limitations. On the subject of those systems falling short, Paul said, “I don’t want to pick on people or things or companies because I don’t think that’s productive, right, so I don’t want to pick on MITRE and CVE, and I don’t want to pick on NVD, but I want to address things that I think are problems that I don’t agree with, and I’m more than happy to be part of the solution.”

Those problems and limitations typically come down to a lack of flexibility and organizational context. Something may be very dangerous in general terms but not a major concern in a particular environment, for example.
Dan said, “I have all this data — I may have pentest data, vuln scan data, anything proactive in terms of assessments — it’s coming in fast and it’s almost too much to know really how to prioritize. What is needed is a way to contextualize the data and score it based on the specific environment and controls in place so teams know what to focus on first.”

The inverse is also true. It’s just as important to understand what isn’t a priority in the specific environment right now, even when it carries a critical score. Paul pointed this out, saying, “We tend as practitioners to harp on things that we need to go fix, and we sometimes don’t like to think … that because no new information has come out that really should make me want to go react to that [that I don’t need to fix it now], so I want to save cycles for doing other things.” In other words, deprioritizing can be just as important as prioritizing when it comes to efficiency.

The solution to prioritizing through risk scoring is the ability to adjust the calculation to account for organizational context. Dan continued, “So being able to provide the context for your business is super important, and actually a problem that a lot of people have tried to solve and it is a challenge for the industry. We’re [PlexTrac] excited to be able to bring that capability to the market. So now you can assign your own criteria and it can take into context the other scoring mechanisms from other sources. CVSS still can be a factor in that but it doesn’t have to be the only factor. I think that’s critical.”

Transparent risk scoring

Another area that can interfere with effective risk quantification is subjective opinion about priorities within the organization. Subjective or unclear scoring, again, leads to the potential of wasting time on the wrong things.
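To make the two ideas above concrete, here is a small scoring engine written for this article as an added illustration. It is not PlexTrac’s code and does not describe how Priorities computes its scores. It combines a CVSS base score with organization-defined factors (asset criticality, exposure, exploitation evidence, compensating controls) using weights the organization sets, rejects labels the policy does not define instead of silently scoring them as zero, and returns every term it used so the calculation is fully visible. All labels, weights, thresholds, and sample findings are hypothetical.

```python
"""Transparent, organization-configurable risk scoring (added illustration).

Every weight and factor is an explicit policy value the organization agrees
on, and score() returns the arithmetic it performed, so anyone can see how a
number was produced. All values below are hypothetical, not PlexTrac's.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ScoringPolicy:
    """Organization-defined criteria. Values here are invented for the example."""
    # Relative weight of each factor; must sum to 1.0.
    weights: dict = field(default_factory=lambda: {
        "cvss": 0.30, "asset": 0.25, "exposure": 0.25, "evidence": 0.20})
    asset_criticality: dict = field(default_factory=lambda: {
        "crown_jewel": 1.0, "internal": 0.5, "lab": 0.2})
    exposure: dict = field(default_factory=lambda: {
        "internet": 1.0, "partner": 0.7, "internal": 0.4, "isolated": 0.1})
    # Evidence that the weakness is actually reachable/exploited in this environment
    # (e.g. confirmed in a pentest) outranks a generic public exploit.
    evidence: dict = field(default_factory=lambda: {
        "exploited_in_env": 1.0, "public_exploit": 0.7, "poc": 0.4, "none": 0.1})
    # Fractional reduction granted per compensating control, capped below.
    control_reduction: dict = field(default_factory=lambda: {
        "waf": 0.15, "mfa": 0.25, "segmentation": 0.20, "edr": 0.10})
    max_control_reduction: float = 0.60
    # (lower threshold, label), highest first.
    bands: tuple = ((9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.0, "low"))

    def __post_init__(self):
        if abs(sum(self.weights.values()) - 1.0) > 1e-9:
            raise ValueError("policy weights must sum to 1.0")


def _lookup(table: dict, key: str, what: str) -> float:
    # Fail loudly on an unknown label rather than silently scoring it as zero.
    if key not in table:
        raise ValueError(f"unknown {what} {key!r}; allowed: {sorted(table)}")
    return table[key]


def score(finding: dict, policy: ScoringPolicy = ScoringPolicy()) -> dict:
    """Return the contextual score (0-10) plus every term that produced it."""
    w = policy.weights
    terms = {
        "cvss": w["cvss"] * finding["cvss"] / 10.0,  # CVSS is one input, not the answer
        "asset": w["asset"] * _lookup(policy.asset_criticality, finding["asset"], "asset class"),
        "exposure": w["exposure"] * _lookup(policy.exposure, finding["exposure"], "exposure"),
        "evidence": w["evidence"] * _lookup(policy.evidence, finding["evidence"], "evidence level"),
    }
    raw = sum(terms.values())  # in [0, 1] because weights sum to 1 and factors are <= 1
    reduction = min(
        sum(_lookup(policy.control_reduction, c, "control") for c in finding.get("controls", [])),
        policy.max_control_reduction,
    )
    final = round(raw * (1.0 - reduction) * 10.0, 1)
    band = next(label for threshold, label in policy.bands if final >= threshold)
    return {"id": finding["id"], "score": final, "band": band,
            "terms": terms, "control_reduction": reduction}


def prioritize(findings, policy: ScoringPolicy = ScoringPolicy()) -> list:
    """Rank findings by contextual score, highest first."""
    return sorted((score(f, policy) for f in findings), key=lambda r: r["score"], reverse=True)


def explain(result: dict) -> str:
    """Human-readable trace so the scoring 'box' is transparent, not a black box."""
    parts = " + ".join(f"{k}={v:.3f}" for k, v in result["terms"].items())
    return (f"{result['id']}: ({parts}) x (1 - {result['control_reduction']:.2f} controls)"
            f" x 10 = {result['score']} [{result['band']}]")


# Constructed sample findings for the illustration (not real assessment data).
SAMPLE_FINDINGS = [
    {"id": "F-1", "cvss": 9.8, "asset": "lab", "exposure": "isolated",
     "evidence": "none", "controls": ["segmentation"]},
    {"id": "F-2", "cvss": 6.5, "asset": "crown_jewel", "exposure": "internet",
     "evidence": "exploited_in_env", "controls": ["waf"]},
    {"id": "F-3", "cvss": 5.3, "asset": "internal", "exposure": "internal",
     "evidence": "public_exploit", "controls": ["mfa", "edr"]},
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_FINDINGS):
        print(explain(r))
```

Note what falls out of the constructed sample: F-1 carries a 9.8 CVSS score but lands in the low band (3.1) because it sits on an isolated lab host with no exploitation evidence, while F-2 at CVSS 6.5 ranks first (7.6, high) because it is internet-facing, on a crown-jewel system, and has been exploited in the environment. That is the deprioritization Paul describes, made explicit and reviewable in the `explain()` output rather than argued about, and the policy object is the single place where the organization’s agreed criteria live.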
Dan stated, “It’s easy for us to have bias, so what we need is to be able to apply an objective score that’s been agreed upon by the organization — not some third party vendor or outside risk assessor — but truly the organization saying this is how we’re ranking this, this is the criteria. So findings and vulnerabilities and risks that meet this criteria are going to be scored accordingly.”

Mandy, who has experienced a lack of alignment in identifying risk in previous roles, said, “I think that the ability to use our expertise in ways that are not squandered because of squabbling or because of trying to fight a particular person’s ability to be louder on something, that’s a beautiful thing that goes far beyond just taking care of the data because you’re actually then relieving stress on the practitioners and the team and that bodes well for everybody involved. I see a lot of big implications on being able to quantify risk and have an additional resource for prioritizing what takes precedence.”

With a way to make risk scoring more objective by standardizing it within the context of the organization, security teams can work more collaboratively and efficiently. Once the scoring criteria are set and agreed on, everyone can take action confidently, knowing what they should be working on and why. Dan explained, “I often talk about the algorithm black box, so to speak, when not everybody is understanding how the algorithm is actually working. But what if you could set the criteria how you want it to be and everybody can see how that score is getting created so the box is now transparent?”

Threat intel and AI for prioritization

Finally, they discussed how automation, threat intelligence, and artificial intelligence could be leveraged in risk prioritization.
Paul said, “When it comes to AI and threat intelligence feeds, what’s your vision, Dan, for how we can take external data and use it to help augment our remediation prioritization?”

“Where I see the value is marrying the ability of AI to take large amounts of data and be able to identify and correlate the findings that might be related with the threat intelligence feeds. For example, you may get threat intelligence that comes in that doesn’t have anything associated with attack techniques or exploit steps yet. But maybe in your data set within your list of vulnerabilities, and particularly results from pentests and purple team engagements, you know that those types of techniques have been executed in your environment. You can use AI and large language processing and all of the above to say this is valid, this is being exploited in your environment, we just don’t have any way to correlate it outside of just the text and the procedures yet.”

Using AI to quickly process and validate threat intelligence data can help teams identify and prioritize risks more proactively. Dan explained that he sees AI as essential for scaling offensive security testing and validation. AI can then also support faster processing and correlation of large data sets from multiple sources to enhance prioritization and remediation efforts.

“Everybody recognizes the value of pentesting, the real issue is how do we make it more scalable because human effort can only scale so much. So can we automate some of those other things with AI? I see AI and the automation techniques that we have today as raising the low-hanging fruit for everyone, which is great because before you always had to try to get rid of that low-hanging fruit first so that you could actually focus, as a pentester, on the most critical, more complex vulnerabilities and exploits.
So as technology evolves and AI is on the scene, it just raises the bar for what that low-hanging fruit is, which is great because then the pentester can spend more time on those deep complex exploits.”

The panel agreed that the cybersecurity industry is seeking ways to manage risk through prioritization in order to reach the ultimate goal of continuous assessment and validation. The keys to achieving this will include transparent, context-based risk scoring to drive clearly defined priorities, along with automation and AI to scale efforts and track progress.

PlexTrac Priorities is solving for the reality of risk prioritization with the industry’s first fully configurable, contextual scoring engine housed in the market-leading offensive security management and reporting platform. Find out more about Priorities.