Know Your Asset Vulnerability Risk
William Grove, Jul 11, 2019
What is asset vulnerability risk? It may be a new phrase to some security teams, but the concept has been around since the first cyberattack. It’s a way to understand the likelihood of a critical asset being compromised in an attack. And new capabilities from Skybox make it easier than ever to assess and mitigate asset vulnerability risk.
Scoring Asset Vulnerability Risk with Skybox 10
Skybox recently launched our new product version, Skybox 10, to tackle the problems of complexity head-on. Our latest features help CISOs and their teams to navigate ever-evolving cybersecurity needs with ease. New risk scoring is one of those features, providing straightforward, objective scores to gauge and track risk on vulnerabilities, assets and asset groups.
A dashboard in Vulnerability Control highlighting assets that have a critical risk score and are directly exposed
In our vulnerability management module, Skybox® Vulnerability Control, users can customize a variety of factors, so risk scores are relevant to their unique organization and prioritize the protection of mission-critical assets.
We approached the development of our new risk scoring with the knowledge that each organization has unique needs, assets and priorities. This understanding is enshrined in its design. With Skybox 10, each organization can determine which factors (including asset importance, exposure, exploitability, etc.) will be included and weighted in the flexible risk formula.
Learn more about risk scoring in our tech brief.
The Motivation Behind Skybox 10’s New Risk Scoring
Most risk scoring systems assign severity ratings which are designed to help organizations decide which vulnerabilities should be fixed first. In theory, this system sounds great: if a vulnerability is listed as ‘severe’, it makes sense, at least at a surface level, to remediate it quickly. In practice, this one-size-fits-all approach simply doesn’t work as well as it should.
Generally, severity scoring systems like CVSS only consider a limited number of factors; they don’t take the unique attributes of an organization’s security environment into account. They understand neither the importance of each vulnerable asset nor its exposure within the infrastructure, meaning that a lot of critical data is overlooked. This isn’t good enough.
This long-held approach means that vulnerable exposed assets may be exploited long before they’re patched, particularly if they are listed as having ‘medium’ or lower levels of severity. Organizations are wading through an ocean of vulnerabilities every day — the latest Vulnerability and Threat Trends report shows that 16,412 new vulnerabilities were reported in 2018 alone, and security teams can have backlogs in the thousands or even millions of vulnerability occurrences. To focus action in the right place, they need to have context-rich insight that helps them to effectively prioritize remediation based on asset vulnerability risk.
Know Your Asset Vulnerability Risk
The insight provided by Skybox 10’s risk scoring enables organizations to quickly determine asset vulnerability risk for a single asset or a group of assets, be they business units, networks, geographic locations or any other grouping that makes sense in your organization. Our insight into the network infrastructure also allows you to see whether an existing security control can be used to protect against an attack, even if a patch has yet to be published. Skybox 10 quantifies and qualifies exposure and exploitability, making it possible for security teams to accurately prioritize mitigation strategies based on the actual risk that each vulnerability poses to their environment.
With Skybox 10, you stop working within vague and ineffective parameters. The solution encourages users to focus, instead, on the typically less than one percent of vulnerabilities which are exposed or exploitable within an organization. It not only increases efficiency by automating asset vulnerability analysis, but also improves the impact security teams have on risk reduction.