Focus on Vulnerability prioritization with Nopsec’s Risk Score

NopSec’s founders, Michelangelo Sidagni and Lisa Xu built the company with one main goal in mind: better prioritization. After years of struggling to prioritize using CVSS alone, they created Unified VRM – powered by automation and machine learning.

Why isn’t CVSS alone effective at prioritizing vulnerabilities?

NopSec’s Risk Score is more accurate at predicting malware or targeted attacks because it takes into account the probability that this vulnerability will be used in the real world and the potential impact on your specific environment.

CVSS does not measure true likelihood of targeted attack. CVSS was designed to measure the technical severity of a vulnerability and does not account for temporal evolution of a vulnerability (existence of exploits, malware, trojans, ransomware, etc.) in real world usage.

It is neither efficient nor safe to prioritize vulnerabilities based on CVSS, as it marks too many vulnerabilities as high or critical while scoring many of the truly dangerous ones as medium or low severity. Read our 2018 State of Vulnerability Report for a more in depth study on the topic.

• CVEs with critical NopSec risk score are  4 ⨉ more likely to have threats associated with them than CVEs with critical CVSS.  
• Critical NopSec risk score is 2 ⨉  better at predicting actual threats than critical CVSS score.

CVSS usage does not take your real environmental impact into account. The CVSS base score does not include any user context and cannot determine if your specific asset is susceptible to that vulnerability. Thus does not reflect the real risk posed by a vulnerability.

For example:

• A high severity SQL injection vulnerability would be very dangerous on a business critical production server but not so dangerous on an internal testing server that is behind a firewall.
• A critical severity java update may be necessary for the CEO’s laptop, but not so necessary for the intern’s old laptop that will be re-imaged soon anyway.

The NopSec Risk Score

The NopSec Risk Score rates vulnerabilities by using machine learning (ML) to combine the context of your unique environment with the likelihood of a targeted attack.    

Likelihood of Targeted Attack: Our technology gathers historical data about vulnerabilities and leverages up-to-date threat intelligence in our ML algorithms to find vulnerabilities most likely to be used in malware or targeted attacks in the wild. This is derived based on hundreds of features including:

• basic vulnerability information,
• vendor and product information,
• vulnerability descriptions,
• exploit information,
• and social media feeds.  

On top of these we incorporate the existence of exploits kits, malware, trojans, ransomware etc. to predict the temporal evolution of a vulnerability.

Impact on your Environment: Knowing the likelihood of a targeted attack is only useful if you know your environment will be susceptible to it. We use the criticality of each asset to predict if it is potentially susceptible to that vulnerability.

NopSec Risk Score: By combining likelihood of attack with environmental impact, NopSec can more accurately predict your true risk posture in an easy to understand A, B, C, D ranking.

Better prioritization

Better prioritization with the NopSec’s risk score dramatically reduces the turnaround time between identification of critical vulnerabilities and remediation. Using it is helping organizations avoid attacks and costly data breaches.

To see a live demo of the NopSec risk score in the Unified VRM interface, join Niki Nichols, our Principal Product Designer for a webinar on May 23rd, 2019.