What is the Risk Score?
Resolution Intelligence Cloud’s scoring mechanism includes multiple signals detected from source systems and correlates them into a Situation in which each signal arrives with a specific score depending on the threshold set by an SOC analyst.
The scoring system is derived from well-known machine learning algorithms include - trained supervised models, active-learning models, and unsupervised models.
How is it calculated in Resolution Intelligence Cloud?
Risk Score is quantified based on the three components mainly – Likelihood, Confidence, and Impact. Let us look at each of these components how they determine risk value of an asset within your organization.
A. Risk Quantification – What is the Confidence of an observed behaviour?
In general, confidence refers to certainty of a situation in real-time analysis. For example, predicting rain on the given conditions - strong winds, thick clouds, and heavy thunders, my confidence will be 95% that it rains today. Range of Confidence measure varies from 0% to 100% based on the given conditions in real-time situation.
The main intent of confidence measure is to reduce the false positives and detect the incoming signal does really possess a potential risk to your organization. Resolution Intelligence Cloud achieves this by combining active learning, statistical modelling, and unsupervised learning.
There are three prominent factors that contribute to a confidence measure in Resolution Intelligence Cloud.
- Signal Confidence aggregates indicators from external tools and detection rules to gauge the “confidence measure” by external systems and rules.
- Past feedback to similar situations is an active learning (a branch of machine learning) model that feedbacks expert response to anomalies in the past and factors it in evaluating the current signal’s confidence i.e., was a similar signal marked as relevant by an expert?
- Prevalent analysis looks for prevalence of the incoming signals against the organization’s past instances. This helps identify a signal frequency—an outlier or not—adapt the scoring, and keep away any biases, to the organization’s context. Resolution Intelligence carries out time-series (trend analysis) and statistical analysis (shape analysis) to determine prevalence.
The combined factors allow Resolution Intelligence Cloud to extract real-time expert behaviors and be a closed-loop system in measuring the true positivity of a signal.
B. Risk Quantification – What is the likelihood of an event?
In general, likelihood of an event refers to a chance of it occurring in real-time in a given timeframe. Understanding the likelihood of an event is crucial for decision making, risk assessment, and proactive measures.
Once the confidence level of Situation is determined, Resolution Intelligence Cloud performs the likelihood analysis of an incoming signal to determine its nature (i.e carries with a potential risk or not). Likelihood analysis involves the examining the historical data, patterns, and other contextual details of an event to determine the future attack.
Resolution Intelligence Cloud performs the following key steps to determine the likelihood of an attack:
Data Correlation: Examine the incoming signals and map them with tactics and techniques of a MITRE matrix to determine the nature of the attack. Resolution Intelligence Cloud scrapes not only the internal data but also the events from external environment to identify the likelihood of a potential attack.
Extraction of Contextual information: Consider the broader context includes threat land scape, industry trends, and other motives behind the attack to better understand likelihood.
Qualitative Assessment: Uses qualitative techniques include, statistical regression, and risk modelling to calculate the likelihood score of a situation.
C. Risk Quantification – What is the impact?
Impact refers to the harm or damage caused to your IT infrastructure due to the external cyber-attack. After determining the true nature and confidence level of a threat, it is essential to identify the level of damage caused by the external threat.
Impact of the threat is categorized into two sections in the Resolution Intelligence Cloud.
- Functional impact of the threat: Impact from the business functionality that these systems provide and the negative impact to the users of those systems— what is the direct or likely impact on your mission? (e.g., business operations, employees, customers, users)
- Informational impact of the threat: Incidents may affect the confidentiality, integrity, and availability of the organization’s information. What is the direct or likely impact on your information/data, particularly anything sensitive? example, a malicious agent may exfiltrate sensitive information.
The evidence contributing to each of confidence, likelihood, and impact is exposed to SOC teams allowing them to customize criticality for each piece of the evidence. Evidence are dimensional attributes of the scoring function on which teams can simply customize its importance/criticality. E.g., imagine setting criticality—low, medium, or high—for a CXO laptop or a jump server or a specific behavior, etc...
The custom criticalities are then factored into the final scoring by Resolution Intelligence’s adaptive learning curve-fitting model.
How is it associated with an ActOn?
As evidence roll up to confidence, likelihood, and impact scores, SOC teams can define policies on top of each of these dimensions to denote “what combinations of these three should constitute a threat.”
To illustrate, here below are instances of three different SOC teams defining what they must ActOn:
|In this instance, the team considers any alert with a confidence and impact score greater than 90 as a threat; irrespective of its likelihood.
e.g. A CFO getting a phishing email. Though, in this case, the likelihood of the phishing threat is minimal, the confidence and impact are high and so is raised as a threat.
|The SOC team wants to be alerted for any anomaly with a high likelihood and impact even though the possibility of a false positive is high from low confidence score.
|In this instance, a medium-high posture on all three dimensions is considered a threat by the SOC team.
How do we determine the default priority of an ActOn?
Initially, the default priority of an ActOn is defined by the internal algorithm based on the ontology of multiple signal(s). If new signals are added to an ActOn with multiple priorities, then the internal algorithm recomputes the priority levels and an updated priority will be assigned to an ActOn.
However, you can change the default priority of an ActOn to your desired one manually by configuring the Processing Rules at signal level or ActOn Policies at Situation level.
What is the mapping that determine whether an ActOn will be tagged to P0, P1, P2 or other priorities when marked as an ActOn?
ActOn will be assigned with the same priority as the Situation when it is converted to an ActOn.
How do we determine likelihood and impact of a Situation?
Refer to the Risk score using likelihood, impact, and confidence.
How do you check the priority of a Situation?
The Situations relevant to Security will not have any priority levels untill it is converted to an ActOn. However, the Situations relevant to DigitalOps have multiple priority levels assigned to them based on the score evidence. For more information, refer to score evidence in Situations.