Better Prioritization: New “Urgent” Severity Level
NopSec’s ongoing mission is to help organizations improve their overall risk posture and to reduce the risk that is introduced by critical vulnerabilities actively being exploited today. One way that this is achieved is through vulnerability prioritization with Unified VRM. In an effort to increase focus on vulnerabilities with active exploits, and reduce the time it takes to remediate them, NopSec is updating the severity ratings in Unified VRM. Starting 09-09-2020, Unified VRM will feature a new severity level called “Urgent”, which prioritizes vulnerabilities that pose the highest immediate risk.
Background Information: Severity Levels and The NopSec Risk Score
With its proprietary machine learning and daily ingestion of threat intelligence feeds, Unified VRM removes the manual analysis that goes into deciding which vulnerabilities to remediate. The NopSec Risk Score is calculated by looking at the likelihood of targeted attacks, the impact on the IT environment, and the risk reduction provided by compensating controls. After this calculation, each detected vulnerability ingested by Unified VRM ends up with a NopSec Risk Score between 0 and 100. The numerical Risk Score corresponds to a severity rating (Critical, High, Medium, Low) and Risk Grade (A, B, C, D).
One feature of NopSec’s machine learning algorithm is to determine if a detected vulnerability has any active threats (Malware, Ransomware, Trojan, Exploit Kit, or Targeted Attack) associated with it. Active threats are vulnerabilities that attackers are using in the wild today. Visibility into this information is provided in Unified VRM through the Vulnerability Instance Description and with InstantSearch (threat:true).
The Urgent Severity Level
The new Urgent severity level will consist of vulnerabilities that have the following attributes:
- NopSec Risk Score = 100
- Active Threat = True
- Risk Grade = D
Severity Levels: Before & After
Below is a table view of the vulnerability severity levels before and after the prioritization improvement.
Searching for Urgent Vulnerabilities with InstantSearch:
Searching for Urgent vulnerabilities with InstantSearch will be the same as searching for vulnerabilities with any severity level. This can be done in the Infrastructure Vulns module with the following InstantSearch search term: vulnerability-grade:urgent.
Reporting on Urgent Vulnerabilities with Custom Metrics Dashboard:
Reporting on Urgent vulnerabilities with the Custom Metrics Dashboard will be the same as filtering for vulnerabilities with any severity level. This can be done in the Metrics module by selecting ‘Urgent’ under the Vuln Risk Grade filter section.
Updated Severity Levels and NopSec Risk Grade
The NopSec Risk Grades (A, B, C, D) will not be affected by the new Urgent severity level. All vulnerabilities with a NopSec Risk Score greater than 75 (Urgent & Critical vulnerabilities) will have a Risk Grade of D.
Vulnerability Counts: Before and After
When comparing the vulnerability counts before and after the addition of the Urgent category, there is a 1:1 relationship between vulnerability counts for High, Medium, Low and None vulnerabilities. The vulnerability counts for these severity levels will not be impacted. The number of vulnerabilities in the original Critical group will be equal to the sum of the vulnerabilities in the new Urgent and Critical groups. For example, if there were 1,000 vulnerabilities in the Critical group before the addition of the Urgent group, then there are 1,000 vulnerabilities in the new Urgent and Critical groups combined (e.g. 150 Urgent + 850 Critical vulnerabilities).
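The Urgent rule and the count relationship above can be checked against your own exported findings before reports change. The following is an added example, not NopSec code: the record fields (id, severity, risk_score, active_threat) and the sample findings are constructed assumptions, not a Unified VRM export format.

```python
from collections import Counter

# Constructed sample findings. Field names are assumptions for illustration,
# not a Unified VRM export schema; "severity" is the pre-change label.
FINDINGS = [
    {"id": "F-1", "severity": "Critical", "risk_score": 100, "active_threat": True},
    {"id": "F-2", "severity": "Critical", "risk_score": 100, "active_threat": False},
    {"id": "F-3", "severity": "Critical", "risk_score": 88, "active_threat": True},
    {"id": "F-4", "severity": "High", "risk_score": 70, "active_threat": True},
    {"id": "F-5", "severity": "Medium", "risk_score": 45, "active_threat": False},
    {"id": "F-6", "severity": "Low", "risk_score": 12, "active_threat": False},
]


def is_urgent(finding):
    """All three attributes from the page: score 100, active threat, grade D."""
    grade_d = finding["risk_score"] > 75  # page: score greater than 75 -> grade D
    return finding["risk_score"] == 100 and finding["active_threat"] is True and grade_d


def new_severity(finding):
    """Only findings meeting the Urgent rule are relabelled; the rest keep their level."""
    return "Urgent" if is_urgent(finding) else finding["severity"]


def reconcile(findings):
    """Return (before, after) severity counts and check the counts described above."""
    before = Counter(f["severity"] for f in findings)
    after = Counter(new_severity(f) for f in findings)
    # Old Critical must equal new Urgent + new Critical.
    if before["Critical"] != after["Urgent"] + after["Critical"]:
        raise ValueError("Critical split does not add up; check the input labels")
    # Every other level must be unchanged (1:1).
    for level in set(before) - {"Critical"}:
        if before[level] != after[level]:
            raise ValueError(f"count for {level} changed: {before[level]} -> {after[level]}")
    return before, after


if __name__ == "__main__":
    before, after = reconcile(FINDINGS)
    print("before:", dict(before))
    print("after: ", dict(after))
```

A ValueError here points to input whose pre-change label disagrees with its score, for example a finding labelled High that carries a score of 100 and an active threat.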
If you have any questions about the new Urgent severity level or how it may impact your reporting or remediation workflow, please contact firstname.lastname@example.org.