Priorities

This demo provides a brief look at PlexTrac Priorities to show how it allows both enterprise security teams and security service providers to achieve a continuous validation strategy and implement risk-based prioritization of their offensive security data.

Series: PlexTrac MiniDemo Series

Category: Product Features


Transcript

Hey everyone! I am excited today to show off our Priorities Module, which is the next evolution in the PlexTrac platform that allows you to go beyond penetration test reporting and vulnerability tracking and into a more programmatic area of risk for supporting activities like continuous validation, risk-based prioritization of findings, and being able to help close the loop on the continuous validation lifecycle and truly be able to start showing progress on your security posture over time.

We’re really excited about this capability because it starts to help everyone get a handle on what are the most important things that they should be working on within their environment. We’ve all been in that situation where you have lots of vulnerabilities coming from lots of different sources, whether those are vulnerability scans, red team assessments, penetration tests, risk assessments, you name it. You get a lot of identification of vulnerabilities and findings, but everybody’s trying to understand, like, well, what should I work on first, and how do I know if I’m working on the right things, and then how do I know that I’m actually going to be making an impact on our risk versus working on other elements within our security program? So Priorities really starts to empower you to be able to do that. We’re excited about the module, so let’s dive in and kind of show it off as we go.

First off, we’ve integrated priorities throughout the platform. So wherever you see findings or are working with findings and assets, you can link those to priorities. You can create new priorities from them as well. So this really starts to support the continuous assessment capabilities as well. When you’re doing continuous assessment and adding those findings to reports, you can also add those to priorities and group them accordingly. But you’ll also see if you’ve been assigned to priorities; you will have those as assignments in your actionable dashboard.

If we go over to the left-hand nav menu, I’ve created an initial priority just to kind of show you what it looks like, and then we’ll walk through how you do this and the capabilities that it has. First and foremost, I want to highlight that Priorities is configurable from a tenant- or a client-level perspective. So you can set priorities to be at the tenant level, or you can have priorities be assigned at the specific client level. And the same thing goes for our contextual scoring piece, which we’re really excited about as well. And I’ll show that off, but you can see here that I’ve created an initial priority, and then we’ll walk through creating a new one.

But if you dive in, I’ve just said that we’ve got some issues related to SNMP. As you can see, I’ve created a description, a recommendation, and a treatment plan for this. I’ve identified who’s responsible for owning this risk and this priority, who’s responsible for the treatment aspects of it, and when our target remediation date is as well. You can also see that I’ve linked 14 findings and five assets, and it has been given a contextual priority score — which is our exciting new capability — around contextual risk scoring using the corporate risk equation that I’ve created, and I’ll show you how we got there. And when you highlight this, these are the criteria, or the weighting categories, that actually generated this score. So what you see is this takes you beyond that kind of black-box risk scoring that everybody starts to get annoyed with and leaves the power in your hands for how you’re going to calculate your risk, and with this risk-scoring capability, you can actually go and apply it to different organizations in different ways. So you may have customers or departments within your organization that need to have their risk weighted differently. And you can assign a different category of risk equations to those folks as well. So it leaves the power in your hands, which we always like to do. But as you can see, I’ve also marked the progress. I could come in here and I could update the progress as we move along. We can also view what findings are associated with this priority, and we can do our standard capabilities of adding updates and tracking those as well. But you can also get a picture of who’s responsible for fixing these issues and then what assets are also associated with them.

So let’s kind of dive in on how we go about creating a priority. First, let’s just say we know we have some SSL issues that we need to go deal with. So SSL certificate issues, let’s say, and I’m going to leave this in the status of “open.” I’m going to say that it’s a “medium.” I’m just going to leave myself as the author. And you can have all of these capabilities. We can say that SSL issues represent significant risk. You can have recommendations. You can create a treatment plan. You have all this capability for the metadata around the priority itself. And then as we save this, we can now go and start to assign findings to the risk itself. So we have this handy picker for different findings. I’m just going to search on SSL and I’m going to go ahead and just grab several just as an example. And you can see that this has the different assets associated with it.
And so I can also choose to select those assets, and I could also add additional assets if I wanted to. So we’ll go ahead and continue with these three assets. So you’ll see now, this priority has now been linked with all the different findings and assets related to the SSL issues that I’ve incorporated. So this really speeds up the process of grouping those findings. Now, based on the priority score calculation that we’ve given, it is representing this as a low, and we can actually see how that’s being calculated. So if we wanted to go back into those findings, if we felt like this score might need to be adjusted, we would want to look at the different criteria that it’s being set up as and adjust the findings and assets accordingly to make sure that it aligns with what we’re looking at. But it also gives you an objective view.

When you come back and start to compare these priorities, you can see in this priorities list which ones are actually being calculated as a higher risk and which ones we should address first and foremost. Now we start to have a risk-based view of what priorities we should be working on first. And that’s the value of this contextual scoring algorithm: we may think that something feels more severe or presents a higher risk than something else, but when we apply a somewhat objective algorithm to it, we now have a picture of, like, we should be focusing on these elements first, or if we do feel like they should have a higher risk, we can actually investigate why and how it’s getting calculated. So this not only supports a continuous assessment and a continuous risk-based mindset but also a risk-based prioritization of the findings that are most critical in our organization.

So let’s talk through how you actually create that contextual scoring algorithm that we applied to these findings. If you come over to the Account Administration page, we have a section called Contextual Scoring, and it comes with a default equation, and then you can create your own. So when you come in to edit the equation, you can name it, you can give it a description, and then we have all these variables that play a factor into the overall risk score. This is what’s built out of the box. You can see the asset count itself will account for 25% of the weighted scoring. And these are the different rules. And you can add additional rules as you see fit. So you can see here, if we’ve got an asset count of less than 25, you’re going to get half of the points available for this category. And if you have an asset count of greater than 25, you’re going to get 100% of the points for this category. So remember, this counts for 25% of this algorithm. So if you have more assets, it’s going to weigh the priority a little bit higher. But the nice thing is that we can add as many criteria as we want and we can also adjust it.

So let’s say that we have an issue with PCI, right? And we want to make sure that we weigh assets that are part of the PCI CDE in a much more significant fashion. So we’re going to bump that up to 20%. And you’ll notice I’ve got to bump some other things down. So let’s go ahead and put this at 10%. We will put this at 5%, and we’ll put this at 15%. So now we have our weighting correct. And then we come into tags and we want to say, hey, if this is part of the PCI or this has PCI or PCI CDE implications, we want to give it the full 100 points. And you can see here that I forgot to fill out this rule. So we’ll go ahead and delete that and then we will save it. And so now that algorithm is going to be updated when we go back over to the priorities list. And you can see that now this has pushed this one even higher and the SSL one even lower. So this is what’s nice about being able to apply some objective criteria: it really does start to give a picture for what you should be focused on.

So that’s a general overview of priorities and creating a priority, linking findings and assets to it, and then utilizing the contextual scoring algorithm to provide a risk-based prioritization view of the priorities and the findings that are composed within them.

I hope you’ve enjoyed this brief demo of priorities and how it can start to help you add additional use cases to your service offering. If you’re a service provider, we really believe this can help you expand into the continuous assessment model or enhance your continuous assessment model today. We also believe this can help you with a risk-based approach to your customers and maybe even offer a vCISO type of service offering. If you’re an enterprise, this can definitely help you get a better grasp on your risk posture and how it’s being improved over time. It will enable you to highlight the key vulnerabilities that compose the risk and who has ownership over them. It will enable you to ask, “Are we making progress?”, and, ultimately, be able to say, “We are getting better.” Because the most important aspect that we want to be supporting is a continuous improvement around your security posture and helping you be able to identify the key elements of your risk within the context of your environment — using our contextual scoring algorithm and the unique ability to bring in findings from various sources to give yourself a holistic view of your risk.
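As an added worked example (this is not PlexTrac's code, and it is not a description of the platform's actual equation), here is a small rule-based weighted scoring engine modelled on the description in the transcript: each category carries a percentage weight, the weights must sum to 100, each category holds ordered rules that award a fraction of its points, and changing the weights changes the ranking. The category names, thresholds, the 40/20/20/20 rebalance, the severity bands and the two sample priorities are all assumptions constructed for the example; only the "asset count at 25%, fewer than 25 assets gets half the points" rule and the PCI CDE tag rule come from the demo.

```python
"""Rule-based weighted contextual risk scoring, illustrating the approach
described in the demo. Not PlexTrac's implementation: category names,
thresholds, weights, bands and sample priorities are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Rule:
    label: str
    matches: Callable[[dict], bool]  # predicate over a priority's facts
    fraction: float  # share of the category's points awarded, 0.0 to 1.0


@dataclass(frozen=True)
class Category:
    name: str
    weight: float  # percent of the total score; all categories must sum to 100
    rules: tuple[Rule, ...]  # evaluated in order; first match wins, no match = 0


@dataclass(frozen=True)
class Equation:
    name: str
    categories: tuple[Category, ...]

    def validate(self) -> None:
        """Reject unbalanced weights and empty categories before scoring."""
        total = sum(c.weight for c in self.categories)
        if abs(total - 100.0) > 1e-9:
            raise ValueError(f"{self.name}: weights sum to {total}, not 100")
        for c in self.categories:
            if not c.rules:
                raise ValueError(f"{self.name}: category {c.name!r} has no rules")


def score_priority(eq: Equation, facts: dict) -> tuple[float, dict[str, tuple[str, float]]]:
    """Return (score, breakdown); the breakdown names the rule that fired per category."""
    eq.validate()
    breakdown, total = {}, 0.0
    for cat in eq.categories:
        label, awarded = "no rule matched", 0.0
        for rule in cat.rules:
            if rule.matches(facts):
                label, awarded = rule.label, cat.weight * rule.fraction
                break
        breakdown[cat.name] = (label, awarded)
        total += awarded
    return total, breakdown


def band(score: float) -> str:  # assumed severity bands for a 0-100 score
    return "low" if score < 40 else "medium" if score < 60 else "high" if score < 80 else "critical"


def reweight(eq: Equation, name: str, weights: dict[str, float]) -> Equation:
    # copy with new category weights; unlisted categories keep theirs
    return Equation(name, tuple(
        Category(c.name, weights.get(c.name, c.weight), c.rules) for c in eq.categories))


def rank(eq: Equation, priorities: dict[str, dict]) -> list[tuple[str, float, str]]:
    # priorities ordered highest score first: the risk-based work list
    scored = [(n, score_priority(eq, f)[0]) for n, f in priorities.items()]
    return [(n, s, band(s)) for n, s in sorted(scored, key=lambda t: -t[1])]


# Assumed out-of-the-box equation: four categories at 25% each.
DEFAULT_EQUATION = Equation("default", (
    Category("asset_count", 25.0, (
        Rule("fewer than 25 assets", lambda f: f["asset_count"] < 25, 0.5),
        Rule("25 or more assets", lambda f: f["asset_count"] >= 25, 1.0),
    )),
    Category("finding_count", 25.0, (
        Rule("fewer than 10 findings", lambda f: f["finding_count"] < 10, 0.5),
        Rule("10 or more findings", lambda f: f["finding_count"] >= 10, 1.0),
    )),
    Category("max_cvss", 25.0, (
        Rule("max CVSS below 4.0", lambda f: f["max_cvss"] < 4.0, 0.25),
        Rule("max CVSS below 7.0", lambda f: f["max_cvss"] < 7.0, 0.5),
        Rule("max CVSS 7.0 or above", lambda f: True, 1.0),
    )),
    Category("tags", 25.0, (
        Rule("PCI / PCI CDE tagged", lambda f: bool(f["tags"] & {"pci", "pci-cde"}), 1.0),
    )),
))

# Rebalanced equation: tags bumped up, the others bumped down so it still sums to 100.
PCI_WEIGHTED = reweight(DEFAULT_EQUATION, "pci-first",
                        {"tags": 40.0, "asset_count": 20.0, "finding_count": 20.0, "max_cvss": 20.0})

# Constructed sample priorities (counts echo the demo; CVSS values and tags are invented).
PRIORITIES: dict[str, dict] = {
    "SNMP issues": {"asset_count": 5, "finding_count": 14, "max_cvss": 6.5, "tags": {"pci-cde"}},
    "SSL certificate issues": {"asset_count": 3, "finding_count": 3, "max_cvss": 5.3, "tags": set()},
}

if __name__ == "__main__":
    for eq in (DEFAULT_EQUATION, PCI_WEIGHTED):
        print(f"== {eq.name} ==")
        for name, score, sev in rank(eq, PRIORITIES):
            print(f"{score:5.1f} {sev:8s} {name}  {score_priority(eq, PRIORITIES[name])[1]}")
```

Running it prints the ranked list under both equations with the per-category breakdown, which is the "why is it scored this way" view the demo calls out: under the default weights the SNMP priority scores 75 and the SSL one 37.5; after moving 15 points of weight onto the tag category the SNMP priority rises to 80 while the SSL one falls to 30, and an equation whose weights no longer add up to 100 is rejected by `validate()` rather than silently producing a skewed score.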