
The Risk Scoring Problem in Cybersecurity

Many security solutions assign numerical scores to indicate the risk that a threat poses so that customers can prioritize which issues to fix first. Teams work through endless tickets, trusting blindly that the assigned score accurately represents the (business) risk that a threat poses. 

If all risk scores were created equal (and accurate), then this might be a good approach. But in reality, teams struggle to fix critical risks. Why?

    a. Too many critical alerts. Which is more urgent: a few instances of a CVE rated 9.7, or 3,279 instances of one rated 9.5? Which do you fix first?
    b. Lack of exploitability context. Many tools ignore basic environmental context (is the affected service internet-facing? is it in production?) when judging whether a threat is actually exploitable. The result is a flood of alerts and tickets that are mostly noise.
    c. Lack of business context. Many tools don't know which business services or data are at risk from a threat or alert, so tickets are marked critical regardless of their business impact.
    d. Engineers don't understand the tickets. Security teams use a different vocabulary from software engineers. When a ticket reaches an engineer written in unfamiliar terms and lacking contextual information, it creates friction.
    e. All of the above.

If you answered “e,” you’re correct. All of the above deter and distract teams from focusing on the threats that generate the most risk to the business.  

[Figure: CVSS score comparison]

A Different Approach to Risk Scoring

Business risk is bigger than cybersecurity. It extends across every organization and ultimately drives decision-making at the highest levels. Business risk is so important that we at Bionic decided to do something about it. We think teams need a way to rapidly detect and fix the top business-critical risks that exist in their production applications that could be exploited right now.

Introducing Bionic Business Risk Scoring 

Bionic’s new business risk scoring capability aims to dramatically improve an organization’s application security posture while reducing security alert volume, false positives, and operator burnout.

To create a business risk score, Bionic calculates two things:

  1. Potential business impact of a threat (service impact)
  2. Likelihood that a threat could be exploited (service exploitability)

Service impact is the potential damage to the business service itself. It combines two inputs, the service rating and the service classifiers.

The service rating reflects the worst threat currently present in the service. Bionic assigns each threat one of the following severity levels, and the service rating is driven by the highest level present (the dashboard reports this as the maximum violation severity):

  • Critical – an extreme threat to your company’s data that should be remediated immediately
  • High – a confirmed, current threat to your company’s data
  • Medium – a possible threat whose potential damage is less severe
  • Low – not an active threat, but a deviation from best practice that should still be corrected

Classifiers describe a threat’s attack surface in terms of which services are affected and what sensitive data (PII, PCI and so on) those services consume or expose.

Service exploitability is the likelihood that the service impact will actually occur, based on the service’s architecture and environmental context. For example, is the service internet-facing, or is it connected to third-party services?
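To make the two-factor model concrete, here is an added, illustrative implementation of the same idea. It is not Bionic's scoring code: the severity weights, the data-class table, the exploitability baseline and the 0-100 scaling are all assumptions chosen to show how the ordering falls out, not to reproduce the scores shown in the walk-through that follows. The three services are constructed inputs: two mirror the order_admin-ui-1.0 and order_analytics services described later on this page (placeholder names stand in for findings the page does not name), and the third is a hypothetical internal batch service with thousands of instances of one high-scoring CVE, included to show why counting critical alerts (point a above) ranks services differently from impact times exploitability.

```python
from dataclasses import dataclass

# Assumed weights: illustrative only, not Bionic's published model.
SEVERITY_WEIGHT = {"critical": 1.0, "high": 0.7, "medium": 0.4, "low": 0.1}
DATA_CLASS_WEIGHT = {"PCI": 0.3, "PII": 0.2}  # sensitive-data classifiers


@dataclass(frozen=True)
class Violation:
    name: str
    severity: str  # one of SEVERITY_WEIGHT's keys


@dataclass(frozen=True)
class Service:
    name: str
    violations: tuple            # tuple of Violation
    data_classes: frozenset      # classifiers such as "PII", "PCI"
    internet_facing: bool
    third_party_connections: int


def service_rating(svc: Service) -> float:
    """Service rating: driven by the most severe violation present (0.0 if none)."""
    return max((SEVERITY_WEIGHT[v.severity] for v in svc.violations), default=0.0)


def service_impact(svc: Service) -> float:
    """Potential business impact: severity rating, scaled up by sensitive-data classifiers."""
    data = min(1.0, sum(DATA_CLASS_WEIGHT.get(c, 0.0) for c in svc.data_classes))
    return service_rating(svc) * (0.6 + 0.4 * data)


def service_exploitability(svc: Service) -> float:
    """Likelihood the impact can be realised, from architectural and environmental context."""
    likelihood = 0.3  # assumed baseline for an internal-only service
    if svc.internet_facing:
        likelihood += 0.5  # reachable by anyone on the internet
    if svc.third_party_connections > 0:
        likelihood += 0.2  # trust boundary crossed to code or services you do not control
    return min(1.0, likelihood)


def business_risk_score(svc: Service) -> int:
    """0-100 business risk score = impact x exploitability (assumed scaling)."""
    return round(100 * service_impact(svc) * service_exploitability(svc))


def rank_by_business_risk(services):
    return sorted(services, key=business_risk_score, reverse=True)


def rank_by_critical_count(services):
    """The naive approach: whoever has the most critical-severity findings goes first."""
    return sorted(
        services,
        key=lambda s: sum(v.severity == "critical" for v in s.violations),
        reverse=True,
    )


# Constructed inputs (placeholder finding names where the page does not name them).
ADMIN_UI = Service(
    "order_admin-ui-1.0",
    (Violation("log4j dependency", "critical"),
     Violation("critical finding #2 (placeholder)", "critical"),
     Violation("critical finding #3 (placeholder)", "critical"),
     Violation("medium finding (placeholder)", "medium")),
    frozenset({"PII", "PCI"}), internet_facing=True, third_party_connections=0,
)
ANALYTICS = Service(
    "order_analytics",
    (Violation("hardcoded token with third-party access", "critical"),
     Violation("medium finding (placeholder)", "medium")),
    frozenset({"PII"}), internet_facing=False, third_party_connections=1,
)
# Hypothetical: an internal batch job carrying 3,279 copies of one CVE rated 9.5,
# no sensitive data, not internet-facing.
BATCH = Service(
    "inventory-batch",
    tuple(Violation(f"9.5 CVE instance {i}", "critical") for i in range(3279)),
    frozenset(), internet_facing=False, third_party_connections=0,
)
SERVICES = [ADMIN_UI, ANALYTICS, BATCH]

if __name__ == "__main__":
    print("by critical count:", [s.name for s in rank_by_critical_count(SERVICES)])
    print("by business risk: ", [(s.name, business_risk_score(s))
                                 for s in rank_by_business_risk(SERVICES)])
```

Ranking by raw critical count puts the batch service first because it has thousands of findings; ranking by business risk puts the internet-facing admin UI holding PCI and PII first and pushes the batch job to the bottom, even though every one of its findings is critical. The exact numbers depend entirely on the assumed weights; the point is that impact and exploitability, not alert volume, decide the order.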

Bionic Business Risk Scoring in Action

Let’s look at the top two business critical risks that a customer might see. In the Top Services by Risk area of the Bionic dashboard, we can see that the order_admin-ui-1.0 service is the top priority risk with a score of 100. The second highest priority is the order_analytics service with a score of 95. Both of these services are part of the customer’s Order Management application. 

[Figure: Top Services by Risk]

Digging deeper into the top priority risk, the dashboard shows the service impact and exploitability factors that contribute to its score. Here we see that sensitive data (PII and PCI) is present in or connected to the service, the maximum violation severity is critical, and the service is internet-facing.

[Figure: Data flow map]

Within the service itself, there are multiple violations, three of which are critical. 

[Figure: List of application violations]

Bionic lists what the violations are and shows where they sit on a map view of your application architecture. Both the dashboard above and the map view below show a critical log4j violation within the order_admin-ui-1.0 service, which handles PII and is internet-facing.

[Figure: Violation on map]

Moving on to the order_analytics service, the dashboard offers the same information that we saw in the previous example. Here the service has a risk score of 95. We can see that this service is connected to or contains sensitive (PII) data, the maximum violation severity is critical, and it is not internet-facing.

[Figure: Application data flow]

As we look at the violations within this service, there is one critical violation that involves hardcoded tokens and third-party access. 

[Figure: Top violations list]

[Figure: order_analytics violation on map]

With all this context built into the risk score, Bionic can surface and prioritize your top critical business risks, and help your teams fix them, without excessive noise.

What does this mean?

Security and engineering teams can focus on fixing 4-5 things each week that will impact the business vs. hundreds or thousands of things that may or may not impact the business.

An organization’s application security posture improves dramatically because teams focus on the 5% of findings that make up 95% of their risk.

Teams reduce engineering toil and burnout from trying to decipher hundreds or thousands of security alerts or tickets.

Security scales as engineering continuously delivers new applications and services.

Who Cares? 

Aside from the security teams weathering frequent alert storms and manual triage, there are some other people who will benefit. 

  • CISOs, who need visibility into their organization’s application security posture and the ability to detect and measure business risk over time.
  • AppSec teams, who need to identify, govern, and reduce the risk in the applications and/or services that pose the greatest business risk.
  • DevSecOps teams, who need to automate the process of prioritizing risk and feedback loops to engineering teams so that the top business risks can be resolved in hours instead of days or weeks.
  • Cloud and network architects, who need to understand how application code changes introduce architecture drift and business risk within the cloud.
  • SRE teams, who need to understand microservice dependencies within applications and single points of failure within the application architecture.

If you’re interested in learning more about how Bionic can help you understand your top business-critical risks, get in touch today.
