
Enhancing Server and Container Risk Score Analysis in Power BI

by info.odysseyx@gmail.com


Microsoft Defender for Cloud provides vulnerability assessments for both virtual machines (servers) and container images, identifying vulnerabilities by their Common Vulnerabilities and Exposures (CVE) identifiers. The risk posed by each CVE is assessed using the Common Vulnerability Scoring System (CVSS), a standardized numeric score from 0.0 to 10.0 that is translated into a severity rating of low, medium, high, or critical. Defender for Cloud provides a robust risk level assessment for each resource, but this can be improved by incorporating additional factors, such as the exploitability of each CVE, how long ago it was disclosed, and whether it is a zero-day vulnerability. The resources themselves also have contextual factors, such as the number of attack vectors, that can significantly affect overall risk. The Power BI solution described here integrates these elements to build on the capabilities of Defender for Cloud, producing a more comprehensive risk score for each resource and improving the prioritization of vulnerabilities that need urgent remediation. This combined approach lets users generate a more accurate top-down list of resources that require attention.

This model is based on a deterministic approach: the conditions and assumptions used to calculate the final risk score use finite values (weights) defined and fixed by the report consumer. It is not a perfect science, but it gives more depth to understanding how resources are ranked. End users are free to change the fixed weights as needed, giving them the flexibility to tailor the model to their specific requirements.


Download the report file here – aka.ms/pbiSrvCntRisk

Key factors in risk correlation between servers and containers

In the Power BI solution, a scoring model generates a risk score by correlating the CVE severity, exploit information, and contextual risk level of each resource. This helps you build a priority list of which servers or container images should be remediated first. Here is how the model achieves this:

  1. CVE severity (CVSS score weight)
     Each CVE is assigned a base score according to its CVSS severity rating.
     • Critical: 40 points
     • High: 30 points
     • Medium: 20 points
     • Low: 10 points
  2. Exploit information (exploitability weight)
     Additional points are added for each characteristic that makes the CVE more readily exploitable.
     • Remotely exploitable: +10 points
     • Exploit kit exists: +15 points
     • Exploit kit confirmed: +20 points
     • Publicly exploitable: +25 points
  3. Contextual resource risk level
     Defender for Cloud calculates a risk level for each resource from several factors, including Internet exposure and the presence of sensitive data.
     • Critical risk: +40 points
     • High risk: +30 points
     • Medium risk: +20 points
     • Low risk: +10 points
  4. Attack vector weight (server exposure)
     For servers, the number of attack vectors is also counted.
     • 6 or more vectors: +30 points
     • 3 to 5 vectors: +20 points
     • 1 or 2 vectors: +10 points
  5. Vulnerability age (CVE age)
     The age of a CVE (the time since it was disclosed) plays an important role in prioritization: an older CVE left unpatched is considered more dangerous because attackers have had more time to develop exploits. The TotalVulnerabilityScore is adjusted by a multiplier based on the age of the CVE.
     • Less than 30 days: 1.1 multiplier
     • 30 to 180 days: 1.3 multiplier
     • 180 days or more: 1.5 multiplier
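The per-CVE weighting above, implemented as an added Python example (this is not code from the original post or from the Power BI report, which uses its own DAX). The point values and age bands are the ones listed on the page; the function, class and flag names and the input representation are assumptions. The weights sit in plain dictionaries so a report consumer can change them, as the post says end users may.

```python
"""Per-CVE risk score following the weighting listed above.

Added example. Point values and age bands are those on the page; all names
(Cve, Resource, cve_score, the exploit flag names) are assumptions.
"""
from dataclasses import dataclass

# Points per CVE for its CVSS severity rating (from the page).
SEVERITY_POINTS = {"critical": 40, "high": 30, "medium": 20, "low": 10}

# Points added per exploitability characteristic (from the page). The flag
# names are assumed; a CVE may carry several flags at once.
EXPLOIT_POINTS = {
    "remote": 10,          # remotely exploitable
    "exploit_kit": 15,     # an exploit kit exists
    "kit_confirmed": 20,   # exploit kit confirmed
    "public_exploit": 25,  # exploit is publicly available
}

# Points for the resource's contextual risk level from Defender for Cloud.
RESOURCE_RISK_POINTS = {"critical": 40, "high": 30, "medium": 20, "low": 10}


def attack_vector_points(vector_count):
    """Server exposure weight by number of attack vectors (use 0 for containers)."""
    if vector_count >= 6:
        return 30
    if vector_count >= 3:
        return 20
    if vector_count >= 1:
        return 10
    return 0


def age_multiplier(age_days):
    """Multiplier by time since disclosure: <30 days 1.1, 30-179 days 1.3, 180+ days 1.5."""
    if age_days < 30:
        return 1.1
    if age_days < 180:
        return 1.3
    return 1.5


@dataclass(frozen=True)
class Cve:
    cve_id: str                 # identifier; a placeholder is used below
    severity: str               # critical | high | medium | low
    age_days: int               # days since public disclosure
    exploit_flags: frozenset = frozenset()  # subset of EXPLOIT_POINTS keys


@dataclass(frozen=True)
class Resource:
    name: str
    risk_level: str             # Defender for Cloud contextual risk level
    attack_vectors: int = 0     # servers only; leave 0 for container images


def cve_score(cve, resource):
    """Score one CVE on one resource: (severity + exploit + context + vectors) * age."""
    unknown = set(cve.exploit_flags) - set(EXPLOIT_POINTS)
    if unknown:
        raise ValueError(f"unknown exploit flags: {sorted(unknown)}")
    points = (
        SEVERITY_POINTS[cve.severity]
        + sum(EXPLOIT_POINTS[flag] for flag in cve.exploit_flags)
        + RESOURCE_RISK_POINTS[resource.risk_level]
        + attack_vector_points(resource.attack_vectors)
    )
    return points * age_multiplier(cve.age_days)


def worked_example():
    """The page's own example: high CVE, remote + kit + public exploit, high-risk
    server with 4 attack vectors, 180+ days old -> (30+10+15+25+30+20) * 1.5 = 195."""
    cve = Cve(
        "CVE-XXXX-YYYY",  # placeholder identifier, not a real CVE
        "high",
        200,
        frozenset({"remote", "exploit_kit", "public_exploit"}),
    )
    server = Resource("example-server", "high", attack_vectors=4)
    return cve_score(cve, server)


if __name__ == "__main__":
    print(worked_example())
```

Note that the boundaries follow the page's bands literally: day 30 already gets the 1.3 multiplier and day 180 the 1.5 multiplier, and an unrecognised exploit flag raises rather than silently scoring zero, so a typo in the input data cannot quietly lower a resource's rank.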

Handling multiple CVEs and prioritizing risks

Servers and container images often have multiple CVEs, sometimes hundreds, which has a significant effect on risk score calculation and prioritization. Here is how the scoring model adapts to this:

• CVE score aggregation: All CVE scores for a resource are aggregated into a single combined risk score, so resources with a greater number of vulnerabilities stand out.
• Log scaling for large CVE counts: A logarithmic scaling factor (for example, log10) is applied so that resources with very many CVEs are not scored disproportionately high; the score still rises with the number of CVEs, but at a manageable rate.

Dynamic classification using percentiles

To make the CombinedRiskScore easier to understand, scores are dynamically categorized into risk levels using percentile-based thresholds.

• Critical risk: top 25% of scores.
• High risk: between the 50th and 75th percentiles.
• Medium risk: between the 25th and 50th percentiles.
• Low risk: bottom 25%.

Extensions for usability

To make the CombinedRiskScore user-friendly and easy to interpret, the percentile-based approach is used for classification. Scores are also scaled down (for example, divided by 1000) so that end users are not shown overly large numbers, which makes the information easier to understand.
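The aggregation, log scaling, scale-down and percentile classification described in the three sections above, as an added Python example (not the report's own DAX). The page states that a log10-based factor is used, that scores are divided by 1000, and the four percentile bands; the exact damping formula (mean per-CVE score multiplied by 1 + log10 of the CVE count), the quantile method and the function names are assumptions. The per-CVE scores are taken as already computed input.

```python
"""Aggregate per-CVE scores into a CombinedRiskScore per resource and classify
resources into percentile-based risk levels.

Added example. The bands (top 25% critical, 50th-75th high, 25th-50th medium,
bottom 25% low), the log10 damping and the divide-by-1000 are from the page;
the damping formula, the quantile method and all names are assumptions.
"""
import math
from statistics import quantiles


def combined_risk_score(cve_scores, scale=1000.0):
    """Combine the per-CVE scores of one resource into a CombinedRiskScore.

    Assumed damping: mean per-CVE score times (1 + log10(n)). A resource with
    100 CVEs therefore scores three times its mean rather than a hundred times,
    so the score still rises with the CVE count but at a manageable rate. The
    result is divided by `scale` (1000 on the page) to keep displayed numbers small.
    """
    n = len(cve_scores)
    if n == 0:
        return 0.0
    mean = sum(cve_scores) / n
    return mean * (1.0 + math.log10(n)) / scale


def classify_by_percentile(scores):
    """Map {resource: CombinedRiskScore} to {resource: risk level}.

    Thresholds are the 25th/50th/75th percentiles of the scores passed in, so
    the bands move as the data set changes (the page's dynamic classification).
    """
    if len(scores) < 2:
        # Percentiles are undefined for a single resource; label it critical
        # rather than letting it drop silently to the bottom band.
        return {name: "critical" for name in scores}
    q1, q2, q3 = quantiles(scores.values(), n=4, method="inclusive")
    levels = {}
    for name, s in scores.items():
        if s > q3:
            levels[name] = "critical"
        elif s > q2:
            levels[name] = "high"
        elif s > q1:
            levels[name] = "medium"
        else:
            levels[name] = "low"
    return levels


def rank_resources(cve_scores_by_resource):
    """Return [(resource, CombinedRiskScore, level)] sorted from highest risk down."""
    combined = {name: combined_risk_score(s) for name, s in cve_scores_by_resource.items()}
    levels = classify_by_percentile(combined)
    return sorted(
        ((name, round(score, 3), levels[name]) for name, score in combined.items()),
        key=lambda row: row[1],
        reverse=True,
    )


# Constructed sample input: per-CVE scores already computed for each resource
# (resource names are made up; they are not from the page).
SAMPLE_CVE_SCORES = {
    "web-vm-01": [195.0, 150.0, 120.0],   # few but severe findings
    "db-vm-02": [90.0] * 40,              # many medium findings
    "api-image:1.2": [60.0, 55.0],
    "batch-vm-03": [40.0],
    "cache-image:3.0": [33.0, 22.0, 22.0],
    "legacy-vm-04": [130.0] * 12,
}

if __name__ == "__main__":
    for name, score, level in rank_resources(SAMPLE_CVE_SCORES):
        print(f"{name:16} {score:8.3f} {level}")
```

Two things the sample shows that the prose does not: with this damping, forty medium findings can outrank three severe ones, so the weights and formula are worth tuning to the team's tolerance; and the percentile bands are relative to the data set, so "low risk" means "lowest quarter of this set", not "safe". Keep the numeric CombinedRiskScore next to the band in the dashboard so a reader can see both.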

Visualization in Power BI

Power BI dashboards let users view and prioritize remediation efforts across servers and container images. Here is how the scoring model is visualized:

1. Risk level by category: Each server and container image is classified into a risk level (critical, high, medium, low) based on its aggregated risk score. The classification is done dynamically using percentile thresholds that adjust to the data set, so it adapts as new vulnerabilities are discovered.
2. Conditional formatting and interactive filtering: Conditional formatting highlights critical resources, and slicers let users filter by Entra ID tenant, subscription, cloud environment (for servers), and registry repository (for containers).
3. Risk score ranking: A numerical ranking of each resource's risk score gives top-down context on how it compares to other resources, so the relative risk level of each server or container is easy to see.

Example of combined risk score calculation

For a specific server:

• CVE severity: High (30 points)
• Exploit information: Remotely exploitable (10 points) + exploit kit exists (15 points) + publicly exploitable (25 points)
• Resource risk level: High risk (30 points)
• Attack vector weight: 4 attack vectors (20 points)
• CVE age: 180 days or more (1.5 multiplier)

Total score: (30 (CVE severity) + 10 (remote) + 15 (exploit kit) + 25 (public exploit) + 30 (resource risk) + 20 (attack vectors)) * 1.5 (CVE age multiplier) = 195 points

Conclusion

This Power BI solution is built for server and container risk score analysis, leveraging both standardized vulnerability scores and contextual risk factors to provide a holistic view of risk across your cloud resources. By integrating CVE severity, exploitability, resource risk context, and CVE age, security teams can effectively prioritize remediation efforts and focus on the most critical vulnerabilities first.

The combination of detailed numerical risk scores, percentile rankings, and user-friendly classifications ensures that the information presented is actionable and understandable, allowing security teams to efficiently strengthen their cloud security posture.

Additional Microsoft Defender for Cloud resources

Reviewer

Yuri Diogenes, Senior PM Manager, CxE Defender for Cloud
