This document describes how to use Farsight in Appsec.
The Likelihood feature in Outpost24 Farsight provides an easier way to address vulnerabilities which are relevant and may impact an organization irrespective of the CVSS score or the presence of an exploit for a vulnerability.
By focusing on the likelihood, you mitigate vulnerabilities that the machine learning model predicts carry an increased risk, even though they may not currently be exploited.
Risk classification of assets and services serves a purpose and should be conducted to further distinguish where to focus most efforts. This task can be time-consuming and may not produce viable results in the first couple of iterations. Farsight enables you to filter out some unlikely vulnerabilities with little to no prior knowledge about the vulnerabilities or assets, getting you on track with your vulnerability program faster.
Risk Score - Likelihood
Likelihood is a risk indicator that shows how many times more likely a vulnerability is to be exploited compared to average, where approximately 95% of all vulnerabilities are never exploited. This is displayed in the Likelihood column in the Findings view. The value can go from 1 to 100, where 100 is equivalent to saying the vulnerability will be exploited in the wild in the next 12 months or has been exploited already. The benefit to the customer is the ability to drive more aggressive risk-based remediation, focusing on even fewer vulnerabilities that reach a particular likelihood. Any vulnerability already exploited in the wild has the risk value of 100.
Because the risk score is driven by machine learning and based on several factors, the risk rating can decrease as well as increase depending on activity in the wild.
How to Use Farsight
To use Farsight you first need to enable the function in your subscription. Contact support for more information on how you can enable the Farsight function.
Once enabled, go to Findings > Vulnerabilities and open the filters and settings panel. Enable the Likelihood, Likelihood delta and Threat Activity columns by selecting the respective checkbox.
|Likelihood||Ranges from 1 to 38.46. The higher the value, the greater the risk.|
|Likelihood delta||The difference between the current and the former likelihood values.|
|Threat Activity||Date when threat activity was last detected by the watcher community.|
Farsight risk, Farsight risk delta, and Farsight risk update date present the likelihood values in a 0-1 (0-100%) format.
|Farsight risk||A normalized representation of Likelihood where the range 1-38.5 is mapped to the range 0-1 (0 to 100%).|
|Farsight risk delta||The change in Farsight risk, similar to Likelihood delta but with the new range.|
|Farsight risk update date||Date when the Farsight Risk value was updated.|
How to Use
The first option is to filter on the Likelihood column using the filter function, which surfaces findings with a high likelihood of exploitation.
For example, Likelihood >5 highlights all vulnerabilities where the likelihood of exploitation is more than 5 times the average.
Farsight's goal is to replace the reliance on CVSS scoring through the use of threat intelligence, exposure and business impact. It also offers the ability to predict the likelihood of a vulnerability being exploited. If you filter only on the presence of an exploit (Exploit available), it is highly probable that you will miss a number of high-risk vulnerabilities that meet your likelihood score but do not have current exploits available.
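The comparison described above can be reproduced offline on exported findings. The following is an added example, not Outpost24 code: the findings, the field names and the linear form of the 1-38.5 to 0-1 mapping are assumptions made for illustration.

```python
# Added example: field names and data are constructed, not Farsight's export format.
LIKELIHOOD_MIN, LIKELIHOOD_MAX = 1.0, 38.5  # range stated on this page

FINDINGS = [  # constructed sample findings
    {"id": "F-1", "cvss": 9.8, "exploit_available": True,  "likelihood": 38.5, "previous": 38.5},
    {"id": "F-2", "cvss": 5.3, "exploit_available": False, "likelihood": 12.0, "previous": 4.0},
    {"id": "F-3", "cvss": 9.1, "exploit_available": False, "likelihood": 1.2,  "previous": 1.5},
    {"id": "F-4", "cvss": 7.5, "exploit_available": True,  "likelihood": 3.0,  "previous": 6.5},
    {"id": "F-5", "cvss": 6.1, "exploit_available": False, "likelihood": 7.25, "previous": 7.25},
]

def farsight_risk(likelihood):
    """Map Likelihood 1-38.5 onto 0-1 (a linear mapping is assumed)."""
    clamped = min(max(likelihood, LIKELIHOOD_MIN), LIKELIHOOD_MAX)
    return (clamped - LIKELIHOOD_MIN) / (LIKELIHOOD_MAX - LIKELIHOOD_MIN)

def triage(findings, threshold=5.0):
    """Findings with Likelihood > threshold, highest first, with delta and normalized risk."""
    rows = [
        {
            "id": f["id"],
            "likelihood": f["likelihood"],
            # Likelihood delta: current value minus the former value
            "delta": round(f["likelihood"] - f["previous"], 2),
            "risk": round(farsight_risk(f["likelihood"]), 3),
            "exploit_available": f["exploit_available"],
        }
        for f in findings
        if f["likelihood"] > threshold
    ]
    return sorted(rows, key=lambda r: r["likelihood"], reverse=True)

def missed_by_exploit_filter(findings, threshold=5.0):
    """IDs that pass the Likelihood filter but an 'Exploit available' filter would hide."""
    return [r["id"] for r in triage(findings, threshold) if not r["exploit_available"]]

def high_cvss_low_likelihood(findings, cvss_min=9.0, threshold=5.0):
    """IDs a CVSS-only policy would prioritize although Likelihood is at or below the threshold."""
    return [f["id"] for f in findings
            if f["cvss"] >= cvss_min and f["likelihood"] <= threshold]

if __name__ == "__main__":
    for row in triage(FINDINGS):
        print(row)
    print("hidden by exploit-only filter:", missed_by_exploit_filter(FINDINGS))
    print("high CVSS, low likelihood:", high_cvss_low_likelihood(FINDINGS))
```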
© 2022 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.