Graylog Risk Based Scoring

Importance of Assets

Evaluating Asset Criticality

In this case, there are two: how important are those assets? Are they critical? Are they medium? Is Dan a guy in the mail room, or is Dan the CEO of the company? So, he’s neither of those things in that scenario. There we go.

Summing Up Risk Scores on Assets

Event Risk Scores and Asset Association

So, that’s the risk score for events. We have now summed that all up and put that on the assets. What happens is we’re taking all of those event risk scores on the asset; you can see all the associated events here, mind the formatting.

Different Machines, Different Risk Scores

But what happens is let’s say the same event hits two machines, right? One of those machines was patched recently, and one of those machines was not patched recently. Okay, so the vulnerability count is going to be wildly different on those, which means the risk score is going to be different on those, right? The machine that is not patched is going to have a higher risk score, even though the event is basically exactly the same.

Amplifying Risk Scores with Vulnerability Information

Vulnerability Data’s Impact on Risk Scores

So, that’s what this risk score is trying to do. We amplify the existing event risk scores with the vulnerability information that we have, and that gives us our Asset Risk score.

Risk Scoring for Users

User Risk Scores Without Vulnerability Data

We’re doing a similar thing for users. We do have a risk score on the user assets, but we don’t take the vulnerability data into play. This is more just: what is your risk score on your highest events, your highest criticality events? That would be the risk score.

Prioritization and Risk Severity

Triage of Events Based on Risk Severity

But the idea here is you’ll be able to again prioritize rather than having to triage every single event that comes in. We can look at the higher severity risk scores.

Severity Levels and Color Coding

And just for a screenshot to show you, they’ll actually be highlighted in different colors depending on the severity level. So, we bucket it: low, medium, high, critical, right? 25, 50, 75, 100.

Smoothing Out Risk Scores

0 to 100 Scale for Risk Scores

And this is another thing Dan worked very hard on: smoothing out these risk scores. So we are now all on a 0 to 100 scale.

Leveling Off the Risk Score Growth

What happens is, as the risk scores grow, it actually levels off to the 100 score. So, we smooth off the top end, so that we’re not seeing kind of exponential numbers on the risk score there: 0 to 100 score. So everyone can recognize the criticality, and then we badge it with the color here.
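
The scoring behaviour the speaker walks through (event scores summed per asset, amplified by the asset's vulnerability count, levelled off onto a 0 to 100 scale and badged at 25/50/75/100, with users scored from their highest event and no vulnerability data) as an added Python illustration; this is not Graylog's code, and the amplification weight, the saturation constant, the host names and the event scores are all assumptions constructed for the example.

```python
"""Illustrative model of the risk scoring described in the talk.

Added example, not Graylog's implementation: the amplification weight, the
saturation constant and the 25/50/75/100 buckets are assumptions chosen to
reproduce the behaviour the speaker describes."""
from __future__ import annotations

import math
from dataclasses import dataclass, field

VULN_WEIGHT = 0.10   # assumed: each open vulnerability adds 10% to the raw score
SATURATION = 150.0   # assumed: raw score at which the smoothed score is about 63

@dataclass
class Asset:
    name: str
    event_scores: list[int] = field(default_factory=list)  # risk per associated event
    vuln_count: int = 0                                    # open vulnerabilities

def smooth(raw: float) -> float:
    """Level an unbounded raw score off onto 0-100 instead of letting it grow without bound."""
    return round(100.0 * (1.0 - math.exp(-raw / SATURATION)), 1)

def bucket(score: float) -> str:
    """Badge a 0-100 score as low/medium/high/critical (upper bounds 25/50/75/100)."""
    for limit, label in ((25, "low"), (50, "medium"), (75, "high")):
        if score <= limit:
            return label
    return "critical"

def asset_risk(asset: Asset) -> float:
    """Sum the event risk scores, amplify by vulnerability count, then smooth."""
    raw = sum(asset.event_scores) * (1.0 + VULN_WEIGHT * asset.vuln_count)
    return smooth(raw)

def user_risk(event_scores: list[int]) -> float:
    """User risk: driven by the highest-criticality event, no vulnerability data."""
    return smooth(max(event_scores, default=0))

if __name__ == "__main__":
    # Constructed sample: the same three events hit a patched and an unpatched host.
    events = [40, 30, 20]
    patched = Asset("web-01", events, vuln_count=2)
    unpatched = Asset("web-02", events, vuln_count=25)
    for a in (patched, unpatched):
        s = asset_risk(a)
        print(f"{a.name}: {s} ({bucket(s)})")   # web-01: 51.3 (high), web-02: 87.8 (critical)
    print("dan:", user_risk(events), bucket(user_risk(events)))  # dan: 23.4 low
```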

User Interface and Workflow

Functionality of the UI in Risk Scoring

The other thing I just want to mention is that, although the UI is still in flux, we can still do a lot of our work from this page. We don’t have to jump back to security events or back to investigations.

Workflow Integration Within the UI

So, if I go to a security event, I click it, another drawer opens. I can actually replay my search in here. That pops up here. We can do stuff from the search window in here. We can add to an investigation from here.

Avoiding Tab Switching

Streamlining Workflow with Minimal Tab Switching

So, we’re trying to avoid a lot of that switching off of this tab, going to other tabs. You can do all your work to triage and apply and add here.

Future Improvements

Enhancements in Workflow

We’re going to be improving this some more with some—not to go too much into 62—but we’re going to start looking at more bulk actions and more things that we can do that aren’t so many clicks.

Final Thoughts on the UI

Efficiency and Versatility of the Current UI

But I think this UI is looking pretty good so far. We’re able to do a lot from a lot of different places, right? So, like from security events, I can add to investigations, from assets, depending on whatever angle you want to look at your security data, we’ll be able to do our work from that page.

Conclusion

That’s it for me.