Adopting a Risk-Based, Continuous Validation Strategy With PlexTrac Priorities

If we go over to the left-hand nav menu, I’ve created an initial priority just to kind of show you what it looks like, and then we’ll walk through how you do this and the capabilities that it has. First and foremost, I want to highlight that Priorities is configurable from a tenant- or a client-level perspective. So you can set priorities to be at the tenant level, or you can have priorities be assigned at the specific client level. And the same thing goes for our contextual scoring piece, which we’re really excited about as well. And I’ll show that off, but you can see here that I’ve created an initial priority, and then we’ll walk through creating a new one.

But if you dive in, I’ve just said that we’ve got some issues related to SNMP. As you can see, I’ve created a description, a recommendation, and a treatment plan for this. I’ve identified who’s responsible for owning this risk and this priority, who’s responsible for the treatment aspects of it, and when our target remediation date is as well. You can also see that I’ve linked 14 findings and five assets and it has been given a contextual priority score — which is our exciting new capability — around contextual risk scoring using the corporate risk equation that I’ve created, and I’ll show you how we got there. But then also when you highlight this is the criteria or the weighting categories that actually generated this score. So what you see is this takes you beyond that kind of black box risk scoring that everybody starts to get annoyed with and leaves the power in your hands for how you’re going to calculate your risk, and with this risk-scoring capability, you can actually go and apply it to different organizations in different ways. So you may have customers or departments within your organization that need to have their risk weighted differently. And you can assign a different category of risk equations to those folks as well. So it leaves the power in your hands, which we always like to do. But as you can see, I’ve also marked the progress. I could come in here and I could update the progress as we move along. We can also view what findings are associated with this priority, and we can do our standard capabilities of adding updates and tracking those as well. But you can also get a picture of who’s responsible for fixing these issues and then what assets are also associated with them.

So let’s kind of dive in on how we go about creating a priority. First, let’s just say we know we have some SSL issues that we need to go deal with. So SSL certificate issues, let’s say, and I’m going to leave this in the status of “open.” I’m going to say that it’s a “medium.” I’m just going to leave myself as the author. And you can have all of these capabilities. We can say that SSL issues represent significant risk. You can have recommendations. You can create a treatment plan. You have all this capability for the metadata around the priority itself. And then as we save this, we can now go and start to assign findings to the risk itself. So we have this handy picker for different findings. I’m just going to search on SSL and I’m going to go ahead and just grab several just as an example. And you can see that this has the different assets associated with it.
And so I can also choose to select those assets, and I could also add additional assets if I wanted to. So we’ll go ahead and continue with these three assets. So you’ll see now, this priority has now been linked with all the different findings and assets related to the SSL issues that I’ve incorporated. So this really speeds up the process of grouping those findings. Now, based on the priority score calculation that we’ve given, it is representing this as a low, and we can actually see how that’s being calculated. So if we wanted to go back into those findings, if we felt like this score might need to be adjusted, we would want to look at the different criteria that it’s being set up as and adjust the findings and assets accordingly to make sure that it aligns with what we’re looking at. But it also gives you an objective view.

When you come back to starting to compare these priorities, which ones actually are being calculated as a higher risk and ones that we should address first and foremost, you can see with this priorities list. Now we start to have a risk-based view of what priorities we should be working on first. And that’s the value of this contextual scoring algorithm, that we may think that something feels more severe or presents a higher risk than something else, but when we apply a somewhat objective algorithm to it, we now have a picture of, like, we should be focusing on these elements first, or if we do feel like they should have a higher risk, we can actually investigate why and how it’s getting calculated. So this not only supports a continuous assessment and a continuous risk-based mindset but also a risk-based prioritization of the findings that are most critical in our organization.

So let’s talk through how you actually create that contextual scoring algorithm that we applied to these findings. If you come over to the Account Administration page, we have a section called Contextual Scoring, and it comes with a default equation, and then you can create your own. So when you come in to edit the equation, you can name it, you can give it a description, and then we have all these variables that play a factor into the overall risk score. This is what’s built out of the box. You can see the asset count itself will account for 25% of the weighted scoring. And these are the different rules. And you can add additional rules as you see fit. So you can see here we’ve got an asset count of less than 25. You’re going to get half of the points available for this category. And if you have an asset count of greater than 25, you’re going to get 100% of the points for this category. So remember, this counts for 25% of this algorithm. So if you have more assets, it’s going to weigh the priority a little bit higher. But the nice thing is that we can add as many criteria as we want and we can also adjust it.

So let’s say that we have an issue with PCI, right? And we want to make sure that we want to weigh assets that have a PCI that are part of the PCI CDE in a much more significant fashion. So we’re going to bump that up to 20%. And you’ll notice I’ve got to bump some other things down. So let’s go ahead and put this at 10%. We will put this at 5%, and we’ll put this at 15%. So now we have our weighting correct. And then we come into tags and we want to say, hey, if this is part of the PCI or this has PCI or PCI CDE implications, we want to get it the full 100 points. And you can see here that I forgot to fill out this rule. So we’ll go ahead and delete that and then we will save it. And so now that algorithm is going to be updated when we go back over to the priorities list. And you can see that now this has even increased this one to even higher and the SSL one to even lower. So this is what’s nice about being able to apply some objective criteria, is it really does start to give a picture for what you should be focused on.

So that’s a general overview of priorities and creating a priority, linking findings and assets to it, and then utilizing the contextual scoring algorithm to provide a risk-based prioritization view of the priorities and the findings that are composed within them.

So now let’s talk about the notion of being able to apply priorities as you’re going through an assessment. So let’s say we’ve come into an assessment that we’re doing and we want to actually apply this to a priority. We can select it, and we can actually link to priority, and it’ll bring up the list of priorities that we have. We’ll go ahead and just associate this with an SSL Certificate priority. And there are no assets associated with this finding, so it’ll immediately link it. And now that metadata is also applied to the finding itself, and so if we were to go back over to the priorities section, we’ll see that that finding has been assigned to this issue as well.
So it’s this one right here, the Run Command, that’s the one that we just assigned to it. And now we can actually have the context around if this issue is being worked on with respect to the other issues in the priority findings list of findings as well. So it’s important to keep in mind that you can do this on a continuous basis. So as you’re going through various assessments, you can link those immediately to priorities and start to have that be updated in real time, giving you a real-time view of your risk as findings are coming in. So this really supports the continuous assessment portion of applying priorities to your continuous assessment model.

Let’s also talk about the continuous validation aspects and how PlexTrac really supports the notion of being able to help you close the loop on that last mile of continuous validation. If we come into our priorities, we can see that we have SNMP weaknesses and there are 14 linked findings associated with this priority. So this provides a good workflow and a place to actually start assigning issues to the people that might be responsible for fixing them. So let’s just say we’re drafting this and we want to assign it to — I’ll go ahead and assign it to myself — and we need to say, “fix this.” We now have a perspective that this finding is in process related to this priority. And from the PlexTrac perspective, this starts to help validate that.

This helps customers validate that they are closing the loop on all the elements that are getting reported in their environment. And so we can quickly come in and see that as this gets closed out, you can make comments, “fixed and validated.” And there we have the ability to actually now see in real time that these issues are starting to get closed out, that our risk is actually being continuously addressed, and that we can actually now start to show progress over time. And if we come back to the priority, as we close findings out, we’ll start to see the contextual score be reduced. This is a really important aspect of that continuous validation lifecycle, not only being able to see the progress but actually see it updated in real time. So this is another important aspect of the priorities module.

Now I’d like to highlight one final element of priorities that I think is really important. It’s the notion that you can pull in exploitable vulnerabilities from a variety of sources and be able to start addressing them right away. So we recently launched in our Content Library, the CISA KEVs, which are the known exploitable vulnerabilities. So maybe we actually just want to create a priority that addresses just the CiSA KEVs that exist in our environment. I’m going to go ahead and not enter in all the text, but you know that we can do that. And then I’m going to go ahead and start linking the findings that come from the CISA that we might have that are related to the KEVs. Search the tags and you can see here these are some findings that actually might be related to the two CISA KEVs, right? And so we will go ahead and select several just as an example. But these would be items that are tagged and have known exploitable vulnerabilities associated with them. And so we’ll go ahead and link these findings. And so you can see this is from across all different types of reports that have come in. And then we can also link the assets associated with them as well.

Now I’m going to show you how you can bring in findings from various sources as well as create priorities on the fly as you identify them as part of your continuous assessment lifecycle. So you know that we recently launched the writeups database enhancements that contain all of the CISA KEVs, the known exploitable vulnerabilities. So let’s say we’ve done an assessment where we’ve identified a lot of KEVs related to the known exploitable vulnerabilities and we want to create a priority just to address those specifically. So I’m going to go ahead and just link these immediately to an existing priority or I can actually create my own. So when we go to the link page, we can actually create one. And I’m going to create one just for the known exploitable vulnerabilities. So I’m going to say that this is the CISA KEVs. We’re going to go ahead and call this in process. I’m going to say that this is critical. I’ll leave these alone for now just to kind of highlight how you can do it.

Keep in mind that we do have the basic scoring capabilities of likelihood and impact that you manually can set, but a contextual score will also be assigned to these as we create it. So I’ve now linked those and there are no assets at this point related to those findings because we just brought them in as an example. But if there were assets connected to that priority, I would have the ability to link them here. And so now we link them to that priority. And if we go back over to the Priorities page, we see that we have these CISA KEVs now. Right now it’s showing that it’s not as high of a risk as maybe we might expect. So we can go and investigate why and we can see what kind of criteria is accounting for that. So right now, because there are no assets associated with this priority, it is getting ranked a little lower. So maybe we want to actually say, like, hey, I know that there are no assets related to those findings, but I do know that we have some assets that we want to incorporate into this. Let’s just say we want to identify some of the high critical assets that might be associated with this. So we’ll just go ahead and select all of these assets that are labeled “critical.” So I have 15 assets. And as I add those assets to this priority as well, the priority score, we’ll see, has now gone up substantially. So you’ll see that the different weighting and the risk-based prioritization in the contextual risk scoring algorithm actually really support our theories around how we should be rating these findings. So it’s really important that you get your algorithm correct so that it validates your concerns. But this is really the power that we provide you with the contextual scoring piece that supports that continuous validation and risk-based prioritization of the findings that are coming in.

Okay, so we’ve shown you how to create priorities, link findings and assets to them, apply a contextual risk score, be able to investigate how the progress of these findings specific to a priority is being addressed. And this really closes the loop on the continuous validation life cycle.

Let’s talk a little bit about how you can continue to show progress over time. What Priorities allows you to do is see progress in real time. You can also update the progress as you feel like you’ve made it, and let’s just say you feel like you’ve closed out all of the issues, you can update that progress in real time. And so now it starts to highlight that the progress with this priority is done. And so it actually starts to highlight, “Hey, we are making an impact on our risk and our progress over time.” And this is a key element to being able to report in a continuous fashion to your stakeholders — whether that’s your board, your executive staff, your auditors, regulatory bodies — you can actually highlight these are the actions that we’ve taken to reduce our risk and close the loop. In that continuous validation framework, we can identify who’s got ownership of these elements and who’s got ownership of the individual findings, and that all bubbles up into our overall risk. Now, what’s also important is that with PlexTrac, all of this is linked together from the different sources, and you can also apply SLAs to the findings not only within the reports but also SLAs within the priorities themselves. So the notification system that exists around SLAs also exists on the findings within priorities.

I hope you’ve enjoyed this brief demo of priorities and how it can start to help you add additional use cases to your service offering. If you’re a service provider, we really believe this can help you expand into the continuous assessment model or enhance your continuous assessment model today. We also believe this can help you with a risk-based approach to your customers and maybe even offer a vCISO type of service offering. If you’re an enterprise, this can definitely help you get a better grasp on your risk posture and how it’s being improved over time. It will enable you to highlight the key vulnerabilities that compose the risk and who has ownership over them. It will enable you to ask, “Are we making progress?”, and, ultimately, be able to say, “We are getting better.” Because the most important aspect that we want to be supporting is a continuous improvement around your security posture and helping you be able to identify the key elements of your risk within the context of your environment — using our contextual scoring algorithm and the unique ability to bring in findings from various sources to give yourself a holistic view of your risk.