New and Improved Threat Scores in SVM and SVR

bkelly
Moderator

Exciting new improvements arrive soon to provide even more valuable Threat Scores so you can more accurately focus on those vulnerabilities more likely to be exploited. Specifically, we are planning to publish this update on Thursday, March 11th.

Threat Scores in SVM help you focus on the patches that will have the biggest impact on lowering your organization's risk, in a more impactful way than by criticality alone. When you consider that less than 8% of disclosed vulnerabilities actually see an exploit in the wild, the value of an accurate Threat Score is clear. Further, if you were to focus on CVSS criticality values alone and prioritize those with a score higher than 7, you would miss as much as half the vulnerabilities that are exploited!

SVM provides incredible insights by positioning this valuable data alongside our vulnerability intelligence, as well as how frequently (and where) such vulnerabilities exist in your environment. All this helps you do the very important job of prioritizing which patches you will address. SVM now provides the largest patch catalog on the market, so patching everything for which you have a patch would be a massive undertaking, considering new patches are released regularly. If you are like most enterprises, you can only deploy about 1 in 10 patches, so choosing the right 10% is key to ensuring you focus on those most impactful.

This is why we are very excited to be making some significant improvements to this already valuable capability so many of our customers depend upon.

New rules

There are several new rules that may be triggered to increase the value of a Threat Score. The weighting of each depends on whether the rule was triggered recently or historically. The new additions are:

  • Evidence an exploit is known to exist in the wild
  • If a proof of concept is confirmed to exist on how to remotely exploit the vulnerability
  • If a proof of concept is believed to exist on how to remotely exploit the vulnerability
  • If tools to exploit the vulnerability are known to have been developed
  • The existence of verified intelligence

Changes to weighting

As we added more rules that may be triggered, the severity (and value) of many of the existing rules has been carefully adjusted to ensure a valuable score.

To review the rules, their impact on the Threat Score, and how they are calculated, please see our updated product documentation on Threat Scores. When updated, the details on the rules, their effect and examples of how scores are calculated may be found here in our product documentation.

The result

The updates described will naturally result in changes to existing Threat Scores; some will increase, and others will decrease (and others may remain unchanged). If you have notifications based on Threat Scores, take special note that you may see a fluctuation upon the initial change scheduled for March 11th, 2021.

Threat Score vs CVSS Score

I wanted to toss in a reminder that Threat Score is quite independent of criticality. Something can have a very low or a very high criticality; that is a measure of how bad it could be if it were exploited. The Threat Score is distinct from this, with a focus on likelihood of exploitability. This means there can be a zero-day vulnerability (a vulnerability disclosed prior to the release of a patch) that has a very low Threat Score when we find no evidence anyone is working to exploit it.

 

Note: this score is dynamic, and changes based upon findings. We are also updating the frequency with which we update the Threat Score from once to twice per day as part of this enhancement.

7 Comments
tim_casey
Flexera beginner

Hi Bob @bkelly , this looks really good. It would be fantastic if you could adjust the CVSS Temporal scores with this information (Exploit Code Maturity) and the patch availability (Remediation Level) information you have. There is information in there at the moment but it has the potential to go stale quickly.

bkelly
Moderator

Excellent feedback @tim_casey , I will investigate our ability to do so!

Shoggi
Active participant

Do we have any time when this will be activated on tenant/cloud level? UK time, US time etc?

bkelly
Moderator

Yes @Shoggi, I should have pointed out our status area highlights planned events like this update: https://status.flexera.com/

In this case: PST at 5am (UTC 1pm, AEST 12pm)

Shoggi
Active participant

@bkelly , I see SVR was updated. https://community.flexera.com/t5/Software-Vulnerability/SVR-March-2021-Update/ba-p/183720

SVM coming as well 5pm 🙂 so we wait

Shoggi
Active participant

@bkelly , do I miss anything? Status page has nothing about SVM scheduled. https://status.flexera.com/ and the SVR was only published yesterday. SVM is nothing yet in relation to this enhancement.

bkelly
Moderator

Sorry for any confusion. As a back-end data update, this change took place for the Threat Intelligence module for both SVR and SVM simultaneously. We happened to time it with the release of an SVR update but, as I tried to highlight in the title of this announcement, it affects both SVM and SVR.

Director, Product Management Charlotte, NC