SecludIT has introduced Key Risk Indicators (KRIs) in version 6 of its innovative solution Elastic Detector for continuous monitoring and operational risk evaluation. These KRIs are based on the security assessment performed by the embedded vulnerability scanner, combined with well-known security guidance such as the French ANSSI recommendations, OWASP or PCI-DSS.
Lots of people are wondering how SecludIT does this in an automated way. Our R&D department answers this critical question.
Combining Vulnerabilities to Security Guidance
In order to build KRIs from a security assessment, the first step is to link the vulnerabilities found to the rules defined in the security guidance. SecludIT has built a proprietary association table that achieves this. The association is based on the following facts:
A vulnerability carries several pieces of information, such as a CVSS score, a description, and one specific security point to check
A rule from a guidance carries a lot of information, such as a description, and one or several security points to check
The association table therefore contains the relations between a vulnerability and a rule from a guidance, based on this shared security point to check.
Here is a visualization for a better understanding.
With such an association table, any guidance rule can be linked to one or several vulnerabilities and their CVSS scores, meaning that any guidance rule can be scored.
If you want more details and a technical explanation, do not hesitate to read the KRI white paper on the subject or to contact us.
Here is one example with the French ANSSI security guidance.
SSL/TLS vulnerabilities (protocol, ciphers, certificate) are linked to “Data Integrity”, and private IP leaks in HTTP headers are also linked to “Data Integrity”. As a result, the KRI for “Data Integrity” is calculated taking those types of vulnerabilities into account, resulting in a score of 3.9, whereas the max CVSS of the linked vulnerabilities is 4.3 and the min is 2.6.
Now that we have explained how to build KRIs for a specific security guidance, one question remains when we take a closer look at some KRIs: how can the overall KRI be higher than the maximum score of each subsection of the guidance?
Calculating overall KRIs for a security guidance
In order to build the overall KRI of a security guidance, we at SecludIT chose to take into account the number of impacts of each vulnerability, and not only the subsections or rules of the security guidance.
In a few words, it means that a vulnerability carries a greater risk impact when it concerns several rules of a security guidance.
Let’s try to visualize this.
This is the basic principle on which KRIs are built in Elastic Detector. Of course, a more complex mathematical function is used to properly calculate the risk, taking the CVSS scores of the vulnerabilities as input and keeping the result within the 0-10 range.
In the previous example, the SSL/TLS vulnerabilities also impact the “Outdated Software” rule of the security guidance. This is why the overall risk for the ANSSI guidance is greater than the risk of each individual rule of the ANSSI security guidance.
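To make the two mechanisms above concrete (the association table that links vulnerabilities to guidance rules through a shared security point to check, and the overall KRI that weighs a vulnerability by the number of rules it impacts), here is an added example in Python. It is not SecludIT's code and does not reproduce Elastic Detector's proprietary function or the 3.9 score quoted earlier: the `combine` aggregation, the `IMPACT_WEIGHT` factor, the rule names and the CVSS values are all assumptions constructed for illustration. What it does show is the shape of the computation and why the overall score can exceed every per-rule score.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Vulnerability:
    """One scanner finding: a CVSS base score and the single security point it checks."""
    vuln_id: str
    cvss: float
    check_point: str


@dataclass(frozen=True)
class Rule:
    """One rule of a security guidance; it may cover one or several security points."""
    rule_id: str
    check_points: FrozenSet[str]


def build_association(rules: List[Rule], vulns: List[Vulnerability]) -> Dict[str, List[Vulnerability]]:
    """Association table: each rule is linked to every vulnerability whose check point it covers."""
    return {
        rule.rule_id: [v for v in vulns if v.check_point in rule.check_points]
        for rule in rules
    }


def combine(scores: List[float]) -> float:
    """Hypothetical aggregation (not SecludIT's): treat each score as an independent
    chance of harm on a 0-10 scale. The result stays within 0-10 and grows with every
    additional finding, so two findings score higher than the worse of the two alone."""
    residual = 1.0
    for s in scores:
        residual *= 1.0 - min(max(s, 0.0), 10.0) / 10.0
    return 10.0 * (1.0 - residual)


def rule_scores(assoc: Dict[str, List[Vulnerability]]) -> Dict[str, float]:
    """Score every guidance rule from the CVSS of the vulnerabilities linked to it."""
    return {rule_id: combine([v.cvss for v in linked]) for rule_id, linked in assoc.items()}


def impact_counts(assoc: Dict[str, List[Vulnerability]], vulns: List[Vulnerability]) -> Dict[str, int]:
    """Number of guidance rules each vulnerability impacts."""
    return {v.vuln_id: sum(1 for linked in assoc.values() if v in linked) for v in vulns}


IMPACT_WEIGHT = 0.5  # assumed: each extra rule impacted adds 50% of the CVSS, capped at 10


def overall_kri(assoc: Dict[str, List[Vulnerability]], vulns: List[Vulnerability]) -> float:
    """Overall KRI: each vulnerability is counted once, but weighted by how many rules it hits."""
    counts = impact_counts(assoc, vulns)
    effective = [
        min(10.0, v.cvss * (1.0 + IMPACT_WEIGHT * (counts[v.vuln_id] - 1)))
        for v in vulns
        if counts[v.vuln_id] > 0  # unlinked findings do not enter the guidance score
    ]
    return combine(effective)


# Constructed sample data (assumed rule names, check points and CVSS values).
RULES = [
    Rule("Data Integrity", frozenset({"tls_protocol_version", "http_header_leak"})),
    Rule("Outdated Software", frozenset({"tls_protocol_version", "software_version"})),
]
VULNS = [
    Vulnerability("tls-legacy-protocol", 4.3, "tls_protocol_version"),  # hits both rules
    Vulnerability("private-ip-in-header", 2.6, "http_header_leak"),
    Vulnerability("web-server-end-of-life", 6.1, "software_version"),
]
ASSOC = build_association(RULES, VULNS)


if __name__ == "__main__":
    for rule_id, score in rule_scores(ASSOC).items():
        print(f"{rule_id:<18} {score:4.1f}  (linked: {[v.vuln_id for v in ASSOC[rule_id]]})")
    print(f"impacts per vulnerability: {impact_counts(ASSOC, VULNS)}")
    print(f"overall KRI: {overall_kri(ASSOC, VULNS):.1f}")
```

Running the script shows “Data Integrity” and “Outdated Software” each scoring below the overall KRI, because `tls-legacy-protocol` is linked to both rules and is therefore weighted up before the final aggregation. Swapping `combine` for a plain max would make the overall score collapse to the worst per-rule score, which is exactly the behaviour the article says Elastic Detector avoids.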
This short article should give you the keys to understanding how SecludIT has built the KRIs of its innovative solution Elastic Detector for continuous monitoring and operational risk evaluation.
If you want to learn more by yourself, you can have a look at the excellent white paper written by SecludIT about KRIs, which you can find here.
If things are still unclear or if you want to know more, please contact us.
In any case, you can give a try to Elastic Detector and let us know your thoughts. 😉