Importance of Assets
Evaluating Asset Criticality
In this case, there are two: how important are those assets? Are they critical? Are they medium? Is Dan a guy in the mail room, or is Dan the CEO of the company? So, he’s neither of those things in that scenario. There we go.
Summing Up Risk Scores on Assets
Event Risk Scores and Asset Association
So, that’s the risk score for events. We have now summed that all up and put it on the assets. What happens is we’re taking all of those event risk scores on the asset; you can see all the associated events here, mind the formatting.
Different Machines, Different Risk Scores
But what happens is, let’s say the same event hits two machines, right? One of those machines was patched recently, and one of those machines was not. Okay, so the vulnerability count is going to be wildly different on those, which means the risk score is going to be different on those, right? The machine that is not patched is going to have a higher risk score, even though the event is basically exactly the same.
Amplifying Risk Scores with Vulnerability Information
Vulnerability Data’s Impact on Risk Scores
So, that’s what this risk score is trying to do. We amplify the existing event risk scores with the vulnerability information that we have, and that gives us our asset risk score.
Risk Scoring for Users
User Risk Scores Without Vulnerability Data
We’re doing something similar for users. We do have a risk score on the user assets, but we don’t take the vulnerability data into play. This is more just: what is your risk score on your highest events, your highest-criticality events? That would be the risk score.
Prioritization and Risk Severity
Triage of Events Based on Risk Severity
But the idea here is you’ll be able to, again, prioritize rather than having to triage every single event that comes in. We can look at the higher-severity risk scores.
Severity Levels and Color Coding
And just as a screenshot to show you: they’ll actually be highlighted in different colors depending on the severity level. So we bucket it: low, medium, high, critical, right? 25, 50, 75, 100.
Smoothing Out Risk Scores
0 to 100 Scale for Risk Scores
And that’s another thing Dan worked very hard on: smoothing out these risk scores. So we are now all on a 0 to 100 scale.
Leveling Off the Risk Score Growth
What happens is, as the risk scores grow, they actually level off toward the 100 score. So we smooth off the top end, so that we’re not seeing exponential numbers on the risk score there: a 0 to 100 score. So everyone can recognize the criticality, and then we badge it with the color here.
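As an added illustration (not the product’s own code or formula, and not part of the talk), here is a small Python model of the pipeline described above: event scores are summed onto an asset, amplified by its vulnerability count, smoothed onto a 0 to 100 scale that levels off at the top, and bucketed with the 25/50/75/100 thresholds the speaker quotes; users get the same smoothing and bucketing but no vulnerability amplification. The 10%-per-vulnerability factor, the exponential saturating curve with its knee at 150, and the sample hosts and event scores are all assumptions made for this example; the talk gives only the qualitative behaviour.

```python
import math
from dataclasses import dataclass, field
from typing import List

# Thresholds quoted in the talk: low / medium / high / critical at 25 / 50 / 75 / 100.
BUCKETS = ((25, "low"), (50, "medium"), (75, "high"), (100, "critical"))


@dataclass
class Asset:
    name: str
    vuln_count: int                                            # open findings from the vuln feed
    event_scores: List[float] = field(default_factory=list)    # risk scores of associated events


def amplify(raw_sum: float, vuln_count: int) -> float:
    """ASSUMED amplification: each open vulnerability adds 10% to the summed event score.
    The talk says vulnerability data amplifies the event scores but gives no formula,
    so this factor is an illustration, not the product's rule."""
    return raw_sum * (1.0 + 0.1 * vuln_count)


def smooth(raw: float, k: float = 150.0) -> float:
    """ASSUMED saturating curve mapping an unbounded raw score onto 0..100.
    Near-linear for small inputs, levelling off toward 100 (never exceeding it);
    k=150 is an arbitrary knee chosen for the example."""
    return 100.0 * (1.0 - math.exp(-max(raw, 0.0) / k))


def bucket(score: float) -> str:
    """Map a 0..100 score to the severity label used for colour badging."""
    for ceiling, label in BUCKETS:
        if score <= ceiling:
            return label
    return "critical"


def asset_risk(asset: Asset) -> float:
    """Asset score: sum of associated event scores, amplified by vulnerabilities, smoothed."""
    raw = sum(asset.event_scores)
    return round(smooth(amplify(raw, asset.vuln_count)), 1)


def user_risk(event_scores: List[float]) -> float:
    """User score: no vulnerability data, so it is driven by the highest-scoring event only."""
    if not event_scores:
        return 0.0
    return round(smooth(max(event_scores)), 1)


# Constructed sample: the same three events land on a patched and an unpatched host.
SAME_EVENTS = [40.0, 25.0, 15.0]
PATCHED = Asset("web-01 (patched)", vuln_count=2, event_scores=list(SAME_EVENTS))
UNPATCHED = Asset("web-02 (unpatched)", vuln_count=30, event_scores=list(SAME_EVENTS))

if __name__ == "__main__":
    for a in (PATCHED, UNPATCHED):
        s = asset_risk(a)
        raw = amplify(sum(a.event_scores), a.vuln_count)
        print(f"{a.name:20} raw={raw:6.1f}  score={s:5.1f}  {bucket(s)}")
    u = user_risk(SAME_EVENTS)
    print(f"{'user (no vuln data)':20} raw={max(SAME_EVENTS):6.1f}  score={u:5.1f}  {bucket(u)}")
    # The unsmoothed raw value can run well past 100; the smoothed score cannot.
    print(f"raw 10000 -> smoothed {smooth(10000):.2f}")
```

Running it shows the point the speaker makes: identical events give the unpatched host a raw score four times that of the patched one, and the smoothed scores land in different buckets (medium versus critical), while a raw score of 10000 still smooths to 100 rather than running away.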
User Interface and Workflow
Functionality of the UI in Risk Scoring
The other thing I just want to mention is that, although the UI is still in flux, we can still do a lot of our work from this page. We don’t have to jump back to security events or back to investigations.
Workflow Integration Within the UI
So, if I go to a security event and click it, another drawer opens. I can actually replay my search in here; that pops up here. We can do stuff from the search window in here. We can add to an investigation from here.
Avoiding Tab Switching
Streamlining Workflow with Minimal Tab Switching
So, we’re trying to avoid a lot of that switching off of this tab and going to other tabs. You can do all your work to triage, apply, and add here.
Future Improvements
Enhancements in Workflow
We’re going to be improving this some more, not to go too much into 62, but we’re going to start looking at more bulk actions and more things we can do that aren’t so many clicks.
Final Thoughts on the UI
Efficiency and Versatility of the Current UI
But I think this UI is looking pretty good so far. We’re able to do a lot from a lot of different places, right? So, from security events I can add to investigations, and from assets too; depending on whatever angle you want to look at your security data from, we’ll be able to do our work from that page.
Conclusion
That’s it for me.