Enhancing Server and Container Risk Score Analysis in Power BI
by info.odysseyx@gmail.com, October 22, 2024

Microsoft Defender for Cloud provides vulnerability assessments for both virtual machines (servers) and container images, identifying vulnerabilities as Common Vulnerabilities and Exposures (CVEs). The risk posed by each CVE is assessed using the Common Vulnerability Scoring System (CVSS), which provides a standardized numeric score from 0.0 to 10.0 that is translated into a severity rating of low, medium, high, or critical.

Microsoft Defender for Cloud provides a robust risk level assessment for each resource, but there are opportunities to improve it by incorporating additional factors, such as the exploitability of each CVE, how long ago it was disclosed, and whether the CVE is a zero-day vulnerability. The resources themselves also have contextual factors, such as the number of attack vectors, which can have a significant impact on overall risk. The Power BI solution integrates many of these elements to build on the capabilities of Defender for Cloud, providing a more comprehensive risk score for each resource and improving the prioritization of vulnerabilities that require urgent remediation. This combined approach allows users to generate a more accurate top-down list of resources that require attention.

This model is based on a deterministic approach: the conditions and assumptions used to calculate the final risk score use finite values that are defined and fixed by the report consumer. It is not a perfect science, but it gives more depth to understanding how resources are ranked. End users are free to change the fixed values (weights) as needed, giving them the flexibility to tailor the model to their specific requirements.
Download the report file here – aka.ms/pbiSrvCntRisk

Key factors in risk correlation between servers and containers

In the Power BI solution, a scoring model was developed that generates a risk score by correlating the CVE severity, exploit information, and contextual risk level for each resource. This helps you build a priority list of which servers or container images should be remediated first. Here is how the model achieves this:

CVE severity (CVSS score weight). Each CVE is assigned a score based on its severity.
- critical: 40 points
- high: 30 points
- medium: 20 points
- low: 10 points

Exploit information (exploitability weight). Additional points are added if the CVE has characteristics that make it highly exploitable.
- remote attack: +10 points
- exploit kit exists: +15 points
- exploit kit confirmed: +20 points
- publicly exploitable: +25 points

Contextual resource risk level. The risk level for each resource is calculated from several factors in Defender for Cloud, including exposure to the Internet and the presence of sensitive data.
- critical resources: +40 points
- high risk: +30 points
- medium risk: +20 points
- low risk: +10 points

Attack vector weight (server exposure). For servers, the number of attack vectors is also included.
- 6 or more vectors: +30 points
- 3 to 5 vectors: +20 points
- 1 or 2 vectors: +10 points

Vulnerability age (CVE age). The age of a CVE (the time since it was disclosed) plays an important role in prioritization. Older CVEs are considered more dangerous if left unpatched because attackers have had more time to develop exploits. TotalVulnerabilityScore is adjusted by a multiplier based on the age of the CVE.
- less than 30 days: 1.1 multiplier
- 30 to 180 days: 1.3 multiplier
- 180 days or more: 1.5 multiplier

Handling multiple CVEs and prioritizing risks

Servers and container images often have multiple CVEs, sometimes hundreds, which has a significant impact on risk score calculation and prioritization.
Here is how the scoring model adapts to this situation:

- CVE score aggregation: all CVE scores for each resource are aggregated to derive a comprehensive risk score. This highlights resources with a greater number of vulnerabilities.
- Log scaling for excessive CVEs: a logarithmic scaling factor is applied to prevent the scores of resources with a high number of CVEs from being disproportionately high. A logarithmic function (e.g. log10) keeps score increases manageable while still reflecting the increased risk.

Dynamic classification using percentiles

To make CombinedRiskScore more understandable, scores are dynamically categorized into risk levels using percentile-based thresholds.
- critical risk: top 25% of scores
- high risk: between the 50th and 75th percentiles
- medium risk: between the 25th and 50th percentiles
- low risk: bottom 25%

Extensions for usability

To make CombinedRiskScore user-friendly and easy to interpret, a percentile-based approach was used for classification. Scores are also scaled down (e.g. divided by 1000) so that end users do not see overly large numbers, making the information easier to understand.

Visualization in Power BI

Power BI dashboards allow users to easily view and prioritize remediation efforts across servers and container images. Here is how the scoring model is visualized:

- Risk level by category: each server and container image is classified into a risk level (e.g. critical, high, medium, low) based on its aggregated risk score. This classification is done dynamically using percentile thresholds that adjust to the data set, ensuring adaptability as new vulnerabilities are discovered.
- Conditional formatting and interactive filtering: conditional formatting is applied to highlight important resources, and slicers allow users to filter by Entra ID, subscription, cloud environment (for servers), and registry repository (for containers).
- Risk score ranking: a numerical ranking of each resource's risk score is displayed, giving top-down context on how it compares to other resources so you can understand the relative risk level of each server or container.

Example of a combined risk score calculation

For a specific server:
- CVE severity: high (30 points)
- Exploit information: remote exploit (10 points) + exploit kit present (15 points) + public exploit (25 points)
- Resource risk level: high risk (30 points)
- Attack vector weight: 4 attack vectors (20 points)
- CVE age: 180 days or more (1.5 multiplier)

Total score: (30 (CVE severity) + 10 (remote exploit) + 15 (exploit kit) + 25 (public exploit) + 30 (resource risk) + 20 (attack vectors)) * 1.5 (CVE age multiplier) = 195 points

Conclusion

This Power BI solution is built for server and container risk score analysis, leveraging both standardized vulnerability scores and contextual risk factors to provide a holistic view of risk across your cloud resources. By integrating CVE severity, exploitability, resource risk context, and CVE age, security teams can effectively prioritize remediation efforts and focus on the most critical vulnerabilities first. The combination of detailed numerical risk scores, percentile rankings, and user-friendly classifications ensures that the information presented is actionable and understandable, allowing security teams to efficiently strengthen their cloud security posture.
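The scoring model described above (per-CVE points, CVE age multiplier, log-scaled aggregation across many CVEs, and percentile classification), as an added Python example that is not the post's own Power BI code. The per-CVE weights are the post's; the exact log10 aggregation formula, the behaviour at the 30-day and 180-day boundaries, the exploit flag names and the sample inventory are assumptions. The first sample server reproduces the post's worked example of 195 points.

```python
import math

# Weights exactly as listed in the post; the report consumer can retune them.
SEVERITY_PTS = {"critical": 40, "high": 30, "medium": 20, "low": 10}
EXPLOIT_PTS = {"remote": 10, "kit_exists": 15, "kit_confirmed": 20, "public": 25}
RESOURCE_PTS = {"critical": 40, "high": 30, "medium": 20, "low": 10}

def vector_points(n_vectors):
    # Attack vector weight applies to servers only; pass 0 for container images.
    return 30 if n_vectors >= 6 else 20 if n_vectors >= 3 else 10 if n_vectors >= 1 else 0

def age_multiplier(age_days):
    # CVE age multiplier; exactly 30 days -> 1.3 and exactly 180 days -> 1.5 is assumed.
    return 1.1 if age_days < 30 else 1.3 if age_days < 180 else 1.5

def cve_score(severity, exploit_flags, resource_risk, n_vectors, age_days):
    # TotalVulnerabilityScore for one CVE on one resource, as the post defines it.
    base = (SEVERITY_PTS[severity] + sum(EXPLOIT_PTS[f] for f in exploit_flags)
            + RESOURCE_PTS[resource_risk] + vector_points(n_vectors))
    return base * age_multiplier(age_days)

def combined_risk_score(cve_scores):
    # The post names log10 damping but not the formula; mean * (1 + log10(n)) is assumed,
    # so a resource with 100 CVEs scores 3x its mean CVE, not 100x.
    n = len(cve_scores)
    return sum(cve_scores) / n * (1 + math.log10(n)) if n else 0.0

def classify(scores):
    # Percentile buckets from the post: top 25% critical, 50-75 high, 25-50 medium, rest low.
    values = sorted(scores.values())
    levels = {}
    for name, v in scores.items():
        pct = sum(1 for s in values if s <= v) / len(values)  # ties share a percentile
        levels[name] = ("critical" if pct > 0.75 else "high" if pct > 0.5
                        else "medium" if pct > 0.25 else "low")
    return levels

def score_inventory(inventory):
    # inventory: {resource: [(severity, exploit flags, resource risk, vectors, age days), ...]}
    return {name: combined_risk_score([cve_score(*c) for c in cves])
            for name, cves in inventory.items()}

# Constructed sample inventory (two servers, two container images), not real scan data.
INVENTORY = {
    "srv-web-01": [("high", ["remote", "kit_exists", "public"], "high", 4, 200)],
    "srv-db-02": [("critical", ["public"], "critical", 6, 400), ("low", [], "low", 1, 10)],
    "img-api:1.2": [("medium", [], "medium", 0, 50)] * 3,
    "img-batch:0.9": [("low", [], "low", 0, 10)],
}
```

Running `classify(score_inventory(INVENTORY))` ranks srv-web-01 as critical and img-batch:0.9 as low; divide the scores by 1000 if you want the post's down-scaled presentation values.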
Reviewer: Yuri Diogenes, Senior PM Manager, CxE Defender for Cloud