As security leaders align their goals with business outcomes, risk-based vulnerability management becomes more focused on having enough relevant context. Leaders drive efficiency by making sure whoever is responsible for fixing a security issue has the information and authority to make good decisions and act accordingly.
Alert fatigue plagues security teams large and small. In fact, research from Cyentia Institute shows that a typical organization will have capacity to patch only 10% of their vulnerabilities within a given month. Not all vulnerabilities have the same likelihood of being exploited. Not all cloud assets are equally important. Not all data hold the same risk tolerance. While the Common Vulnerability Scoring System (CVSS) and the Exploit Prediction Scoring System (EPSS) give us a starting point to score numerically and prioritize risks, there are more contextual clues that can impact the urgency of a fix.
Some cloud security tools take an asset-focused approach, allowing security teams to create rules that describe a particular view of assets with a specific problem. For example, you may have a security issue called “Public Facing VMs with Critical Vulnerability with Sensitive Data” that pulls a list of 100 assets to investigate. While the limited view may be a helpful shortlist, this approach has two key challenges:
- Inefficient prioritization: Security teams are still tasked to investigate further to really prioritize which assets need to be addressed and how to fix the root problem.
- Hard to operationalize: There’s no clear way to know who owns the remediation steps, and therefore no easy way to automate and streamline remediation.
Big idea: A risk-based approach for the cloud must have risk scoring that is precise and adapts to the changes in your cloud estate.
Risk scores are meant to rate the urgency of fixing security issues at their root. An alert is simply the associated notification for the specific asset and risk to address.
Static risk scores and their associated alerts reflect a single point-in-time urgency level, usually due to rigid business logic when creating the rules for alerts.
Dynamic risk scores retain the history of how a security issue has fluctuated in urgency due to changes in the environment.
Two reasons why cloud security needs to evolve from static risk scoring to dynamic risk prioritization
1 – Static risk scores don’t accurately represent business impact for the cloud
Static risk scores may work for certain assets that don’t experience much change. But here are two cloud scenarios that highlight the absurdity of static risk scores for the cloud.
Scenario 1: Change in asset state – Today, you have a critical alert for a cloud asset that’s public facing. Tonight, the configuration of the cloud asset changed to limit internet access. Tomorrow, does this alert truly have the same level of urgency as other live, public-facing assets with the same issue?
Scenario 2: Attack paths and data sensitivity – Today, you have two critical alerts for two different data stores. When you investigate, you discover that data store #1 has a handful of ways an attacker could gain access to it, while data store #2 has only one direct attack path. Additionally, data store #1 contains high-value PII while data store #2 only holds some non-critical test data. Clearly, upon investigation, a compromise of data store #1 would have a bigger impact on the business than a compromise of data store #2. So why should the two assets and their alerts be marked at the same criticality level?
2 – Static risk scores cause confusion for security teams and erode trust in alert lifecycle management processes
Because the cloud environment is dynamic and changing frequently, the state of your environment at the time of an alert may change by the time someone can tackle the ticket in your vulnerability management process. Outdated, incomplete information is often the source of wasted time and erosion of trust between cloud security teams and your stakeholders. How does your alert lifecycle account for changes in the environment that affect the urgency of an alert? Without updating your tickets with the latest relevant details about your environment, your team has to manually manage the lifecycle of an alert and do a mix of the following:
- Verify the validity of a ticket created by an alert – Is this a duplicate, a new issue, or an existing issue that escalated?
- Hunt down the details and communicate them with the appropriate stakeholders
- Clarify next steps
- Verify the fix
- Close out the ticket
The key to efficiency is making sure the person responsible for fixing a security issue has all of the information they need in order to do the work and close out the ticket. Alerts with static risk scores that share outdated contextual information create more confusion than clarity to resolve issues efficiently.
The elements of dynamic risk scoring for the cloud
Dynamic risk scoring for the cloud needs to be extremely clear, yet also rich with granular data in a consumable way to support investigation and remediation. Let’s take a look at a few alerts using the Orca Platform to show how the following factors impact dynamic risk prioritization for the cloud:
- Asset context
- Attack paths
- Data sensitivity
When we search for CVE-2021-44228, we’ll notice that this vulnerability shows up on multiple assets, each with their own risk score.

Asset context
When we compare the alerts with scores 9.6 and 7.0, a few of the asset-based factors are different, directly impacting the risk level associated with the vulnerability. Clearly fixing an asset that is running and publicly exposed is more urgent than addressing an asset that is turned off. Other cloud security tools may have this information, but teams have to hunt for it to determine exactly how urgent an issue is.

Attack paths
When we compare the alerts with scores 9.6 and 9.1, the number of attack paths Orca discovered differs, which also affects the risk level associated with the vulnerability. Team members can use the Orca Platform to dig into the attack paths to understand target assets, sample sensitive data found on assets, related policies, and more.

Data security
Lastly, Orca SideScanning discovered sensitive data in the assets associated with the alerts with scores 9.6 and 9.1. When we dig into the asset, we can see a redacted sample of what sensitive data was discovered.
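To make the three factors above (asset context, attack paths, data sensitivity) and the two scenarios from earlier concrete, here is a small dynamic scoring model written as an added example for this post. It is not Orca's scoring algorithm and not code from the Orca Platform: the weights are illustrative assumptions, the asset names and timestamps are constructed, and the EPSS value is a made-up placeholder. The CVSS base score of 10.0 for CVE-2021-44228 (Log4Shell) is the published NVD v3.1 score. The point it demonstrates is the one the post makes: the same CVE on different assets gets different scores, and a score is re-evaluated and its history kept whenever the asset's state changes, so a ticket carries the current urgency rather than the urgency at the moment the alert fired.

```python
"""Illustrative dynamic risk scoring for cloud findings.

Added example for this post; not Orca's algorithm. All weights below are
assumptions chosen to show ordering, not a published formula.
"""
from dataclasses import dataclass, field, replace
from typing import List, Tuple


@dataclass
class AssetContext:
    """Point-in-time state of one cloud asset, as a scanner would report it."""
    name: str
    running: bool          # is the workload powered on?
    public_facing: bool    # is it reachable from the internet?
    attack_paths: int      # distinct paths an attacker could take to reach it
    sensitive_data: bool   # did data classification find PII or similar?


@dataclass
class Finding:
    """One vulnerability on one asset, plus the history of its dynamic score."""
    cve: str
    cvss: float
    epss: float
    asset: AssetContext
    # (timestamp, score, reason) entries, oldest first
    history: List[Tuple[str, float, str]] = field(default_factory=list)

    @property
    def current_score(self) -> float:
        return self.history[-1][1] if self.history else 0.0


def dynamic_score(cvss: float, epss: float, asset: AssetContext) -> float:
    """Adjust a base CVSS score with exploit likelihood, asset context,
    attack paths and data sensitivity. Weights are illustrative assumptions."""
    score = cvss * (0.7 + 0.3 * epss)          # EPSS scales the severity floor
    if not asset.running:
        score *= 0.4                           # a powered-off workload is not reachable today
    if not asset.public_facing:
        score *= 0.7                           # internal-only exposure needs a foothold first
    if asset.attack_paths > 1:
        score += min(asset.attack_paths - 1, 5) * 0.2   # more routes in, more urgent (capped)
    if asset.sensitive_data:
        score += 0.5                           # blast radius includes high-value data
    return round(min(score, 10.0), 1)


def rescore(finding: Finding, asset: AssetContext, when: str, reason: str) -> float:
    """Re-evaluate a finding against the asset's latest state and record why."""
    finding.asset = asset
    score = dynamic_score(finding.cvss, finding.epss, asset)
    finding.history.append((when, score, reason))
    return score


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Order findings by their current (not original) score, highest first."""
    return sorted(findings, key=lambda f: f.current_score, reverse=True)


def demo():
    """Run the post's two scenarios; timestamps, names and EPSS are constructed."""
    # Scenario 1: a public-facing VM whose security group is tightened overnight.
    vm = AssetContext("web-vm-01", running=True, public_facing=True,
                      attack_paths=2, sensitive_data=False)
    vm_finding = Finding("CVE-2021-44228", cvss=10.0, epss=0.9, asset=vm)
    rescore(vm_finding, vm, "day1 09:00", "initial scan")
    rescore(vm_finding, replace(vm, public_facing=False), "day1 22:00",
            "security group no longer allows internet ingress")

    # Scenario 2: two data stores with the same CVE but different paths and data.
    ds1 = AssetContext("customer-db", running=True, public_facing=False,
                       attack_paths=4, sensitive_data=True)
    ds2 = AssetContext("test-db", running=True, public_facing=False,
                       attack_paths=1, sensitive_data=False)
    ds_findings = [Finding("CVE-2021-44228", 10.0, 0.9, a) for a in (ds1, ds2)]
    for f in ds_findings:
        rescore(f, f.asset, "day1 09:00", "initial scan")

    ranked = [(f.asset.name, f.current_score)
              for f in prioritize([vm_finding, *ds_findings])]
    return vm_finding.history, ranked


if __name__ == "__main__":
    history, ranked = demo()
    for when, score, reason in history:
        print(f"web-vm-01 {when}: {score} ({reason})")
    print("priority order:", ranked)
```

Running the module shows the VM dropping from 9.9 to 7.0 once it is no longer internet-facing, and the two data stores ranking differently (7.9 vs 6.8) even though they carry the same CVE. In a real pipeline the `rescore` call would be triggered by asset-inventory change events, and the history list is what lets a ticket show how and why its urgency moved rather than the single point-in-time score the post warns about.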

About the Orca Cloud Security Platform
Orca offers a unified and comprehensive cloud security platform that identifies, prioritizes, and remediates security risks and compliance issues across AWS, Azure, Google Cloud, Oracle Cloud, Alibaba Cloud, and Kubernetes. The Orca Cloud Security Platform leverages Orca’s patented SideScanning™ Technology to provide complete coverage and comprehensive risk detection.
Learn More
Want to explore how dynamic risk prioritization can unlock efficiency for your organization? Schedule a personalized 1:1 demo, and we’ll demonstrate how the Orca Cloud Security Platform drives cross-functional efficiency for every team that touches cloud security.