VIDEO

Contextualized Risk Scoring

This demonstration showcases PlexTrac’s risk prioritization module, which addresses a critical challenge in cybersecurity: determining which vulnerabilities to fix first among numerous identified exposures. The presenter explains how PlexTrac’s custom risk scoring system goes beyond traditional severity ratings by incorporating business context such as asset criticality and instance severity. Through a live walkthrough of the platform, they demonstrate how risk scores are calculated using weighted variables and can be adjusted in real-time based on changing criteria. The system allows organizations to create customized scoring models similar to a college syllabus, with different weighted categories contributing to a final risk score. The demo shows how findings can be sorted by risk score rather than just severity, enabling more informed prioritization decisions. The presenter concludes by encouraging viewers to visit plextrac.com to learn more about bringing business-context risk prioritization to their cybersecurity operations.


Series: PlexTrac Demos


Transcript

Within the world of exposure management, we all know that the challenges related to tracking and remediation and prioritization of the issues are more of the issue rather than actually getting the sources of data to identify those exposures.


Within the world of cybersecurity, we have a lot of ways to identify risks, identify exposures, and collect information from a variety of sources like vulnerability scanners, application code scanners, penetration testing. The challenge is actually knowing which items to prioritize first for remediation. That is why PlexTrac has generated its own form of custom risk scoring within your environment to provide the context that you need to actually be able to prioritize your risks, and this is what we call our risk prioritization module and our ability to score.

So as you can see here in our exposure management module, we have lots of different findings of different severities. I’ve sorted out a specific client or department within the organization, and you can see here that based on the risk score column, we have actually one high that is actually rated above some of the more critical ones. So let’s dive in and understand why this is. As you can see here, this is a finding and we’ve got this risk score of sixty-two.

And it’s calculated using the Wayne Enterprises risk scoring calculation. Here, this is what actually composes that risk score, and I’ll jump to there in a second. But as you can see, it’s based on the instance severity and asset criticality really composes seventy percent of that weight of that score weighted calculation.

So if I was to actually come in and edit this, I could either change, you know, it’s based on the asset criticality itself. So this asset is actually known as a critical asset. If I change that asset criticality, it would actually reduce or increase, depending on what I changed it to, the severity of the instance itself.

Also, if I were actually to come in here and say, like, hey, instead of this being a high, let’s go ahead and set it to a medium.

We’ll save this and then we’ll re-sort based on that.

Nope. And we’ll also filter back on Wayne Enterprises here.

And so now you can see that this privilege escalation with Mimikatz on that critical asset dropped down to a forty-two. If we come back in and edit it again and let’s actually bump it up to a critical this time, remember as a high was in the seventies, and we will sort that again. Now it’s back up to seventy-two. So you can see that just by changing some of the criteria within the finding itself, the risk score does change calculation.

Now let’s dive into how we actually calculated this. If we come into our admin dashboard under exposure risk management, exposure management risk scoring, we can see this score. We can come in and we can actually edit it, and you can do this on a per client or enterprise basis, and you can specify which, you know, what weighting the specific variables, what you want them to have, and you can also have rule sets within it of how it calculates, how it accumulates the points within each weighting. Think of this similar to like a college syllabus where you have exams and assignments and homework, and all of those add up to different weighted categories within your final score for the class.

Very similar notion here with PlexTrac in our risk scoring calculations. You can add multiple variables. You can be based on the assets and the instances themselves as well as any custom fields that live on those instances that you set up within your environment. So very flexible to add the context that you actually want to have to be able to prioritize the issues appropriately. As you can see, within this risk calculation, we’ve really emphasized, you know, hey, is it on critical assets and what is the actual source of that, what does the source say the risk is?

And that is helping determine a majority of the score. If it was used, if it is being used in a known ransomware campaign or it has a different type of asset, those will also accumulate points towards that risk score as well.

So now that we have a way to provide the business context that we need for the risk scoring, we can actually sort and identify what are the most important findings that we should be fixing first and flow straight into our remediation management. We also have the ability to group these into priorities. So let’s say we have a majority of the same types of findings, those can then be grouped into specific priorities, and the priority itself will have a risk score that is averaged based on the instances that live within it as well. So this is how we approach risk prioritization within PlexTrac. I hope you’ll check us out.

Go to plextrac.com and learn more, request a demo, but you finally have the power in your fingertips to bring risk prioritization into the context of your business and start being able to tackle the myriad numbers of findings that you have in your environment and truly get an idea for, like, what should we be prioritizing first and what is most important to our business.
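
The weighted scoring the demo describes, as an added example that is not part of the transcript and not PlexTrac's code. The category names, weights and point tables are assumptions, chosen so that instance severity and asset criticality carry seventy percent of the weight and the sample finding reproduces the scores quoted in the demo (sixty-two, forty-two, seventy-two).

```python
# Hypothetical weighted risk-scoring model; weights and point tables are
# assumptions chosen to reproduce the scores quoted in the demo (62, 42, 72).
from statistics import mean

# Each category is worth `weight` points of a 100-point score (the "syllabus");
# `points` is its rule set: field value -> points earned in that category.
MODEL = {
    "instance_severity": {"weight": 40, "points": {
        "critical": 40, "high": 30, "medium": 10, "low": 4, "informational": 0}},
    "asset_criticality": {"weight": 30, "points": {
        "critical": 30, "high": 20, "medium": 10, "low": 5}},
    "known_ransomware": {"weight": 20, "points": {True: 20, False: 0}},
    "asset_type": {"weight": 10, "points": {
        "internet_facing": 10, "server": 6, "workstation": 2}},
}


def validate(model):
    """Reject models whose weights do not total 100 or whose rules overshoot."""
    total = sum(cat["weight"] for cat in model.values())
    if total != 100:
        raise ValueError(f"category weights sum to {total}, expected 100")
    for name, cat in model.items():
        if any(not 0 <= p <= cat["weight"] for p in cat["points"].values()):
            raise ValueError(f"rule in {name!r} awards points outside 0..weight")


def risk_score(finding, model=MODEL):
    """Sum the points each category awards; missing/unknown values earn 0."""
    validate(model)
    return sum(cat["points"].get(finding.get(name), 0)
               for name, cat in model.items())


def priority_score(findings, model=MODEL):
    """A priority's score is the average of the instances grouped in it."""
    return mean(risk_score(f, model) for f in findings)


# Constructed sample findings (not PlexTrac data).
mimikatz = {"instance_severity": "high", "asset_criticality": "critical",
            "known_ransomware": False, "asset_type": "workstation"}
lab_box = {"instance_severity": "critical", "asset_criticality": "low",
           "known_ransomware": False, "asset_type": "workstation"}

if __name__ == "__main__":
    for sev in ("high", "medium", "critical"):
        print(sev, risk_score({**mimikatz, "instance_severity": sev}))
    print("critical on low-value asset:", risk_score(lab_box))
```

Under these assumed weights, the high-severity finding on the critical asset outranks the critical-severity finding on the low-criticality asset, which is the ordering the demo shows when sorting by risk score instead of severity.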