Using Farsight in Netsec
Purpose
This document describes how to use Farsight in Netsec.
Introduction
The Likelihood feature in Outpost24 Farsight provides an easier way to address vulnerabilities which are relevant and may impact an organization irrespective of the CVSS score or the presence of an exploit for a vulnerability.
By focusing on likelihood, you mitigate vulnerabilities that the machine learning model predicts to carry an increased risk, even though they may not currently be exploited.
Risk classification of assets and services serves a purpose and should be conducted to further distinguish where to focus most efforts. This task can be time-consuming and may not produce viable results in the first couple of iterations. Farsight enables you to filter out some unlikely vulnerabilities with little to no prior knowledge about the vulnerabilities or assets, getting you on track with your vulnerability program faster.
Risk Score - Likelihood
Likelihood is a risk indicator that shows how many times more likely a vulnerability is to be exploited compared to average, where approximately 95% of all vulnerabilities are never exploited. This is displayed in the Likelihood column in the Findings view. The value can go from 1 to 100 where 100 is the equivalent of saying it will be (or has been already) exploited in the wild in the next 12 months. The benefit to the customer is the ability to drive more aggressive risk-based remediation, focusing on even fewer vulnerabilities that reach a particular likelihood. It is also worth noting that any vulnerability already exploited in the wild will have the risk value of 100 as it has been exploited already.
Since the risk score is machine learning driven and based on several factors, the risk rating can decrease as well as increase based on activity in the wild.
How to Use Farsight
Prerequisites
To use Farsight you first need to enable the function in your subscription. Contact support for more information on how you can enable the Farsight function.
Once enabled, go to Main Menu > Netsec > Reporting Tools and enable the Likelihood, Likelihood delta, and Threat Activity columns by clicking the down arrow in any column and selecting Columns.
Farsight risk, Farsight risk delta, and Farsight risk update date present the likelihood values in a 0-1 (0-100%) format.
Option | Description |
---|---|
Likelihood | Ranges from 1 to 38.46. The higher the value, the greater the risk. |
Likelihood delta | The difference between the current and the former likelihood values. |
Threat Activity | Date when threat activity was last detected by the watcher community. |
Farsight risk | This is a normalized representation of Likelihood where the range 1-38.5 is mapped to the range 0-1 (0 to 100%). |
Farsight risk delta | The change in Farsight risk, similar to Likelihood delta but with the new range. |
Farsight risk update date | Date when the Farsight Risk value was updated. |
How to Use
The first option is to filter on the Likelihood column using the filter function, which provides relevant ratings on findings with a high likelihood of exploitation.
For example, Likelihood > 25 highlights all vulnerabilities that exist where the likelihood is greater than 25 times.
For more information see the Netsec Filters document.
Farsight's goal is to replace the reliance on CVSS scoring through the use of threat intelligence, exposure and business impact. It also offers the ability to predict the likelihood of a vulnerability being exploited. When filtering on the presence of an exploit (Exploit available), it is highly probable that you will miss a number of high-risk vulnerabilities that meet your likelihood score but do not have current exploits available.
The second option is to build one or more dynamic groups. These groups can highlight assets that have vulnerabilities with likelihood based on the filtered values you set. By their nature these groups change over time as the likelihood values change.
For more information see Dynamic Target Groups.
In both filtering and dynamic grouping, your organization's risk appetite determines the acceptable thresholds.
Examples
When considering likelihood, bear in mind ANY value over 1.0 could be assumed to have an increased risk to the organization. Likelihood allows a more aggressive risk strategy when setting filters and dynamic groups.
Likelihood > X (e.g. 25)
At the simplest level this provides a view of vulnerabilities that match the likelihood threshold. This does not consider the presence (or not) of an exploit.
Likelihood > X and CVSS > Y (e.g. Likelihood > 25 and CVSS > 8)
Adding CVSS to the Likelihood allows you to consider only those vulnerabilities that are trending as likely to be exploited where the CVSS score is above a particular value, in other words, 9 or 10. We are still not considering the presence of an exploit as a separate risk indicator.
Likelihood > X and Exploits available
With this option you filter down the likelihood to only those vulnerabilities that have exploits available. This will significantly reduce the number of vulnerabilities to be remediated, as you are focusing less on the predictive risk score by adding a known attribute (exploit present).
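The three filter combinations above, applied to a small constructed set of findings to show what each view keeps and what it drops. This is an added example, not Outpost24 code; the field names and sample records are assumptions and do not reflect the Netsec export format.

```python
# Constructed sample findings; field names are hypothetical, not the Netsec schema.
FINDINGS = [
    {"id": "F-1", "asset": "web-01",  "likelihood": 38.46, "cvss": 9.8,  "exploit_available": True},
    {"id": "F-2", "asset": "web-01",  "likelihood": 27.10, "cvss": 6.5,  "exploit_available": False},
    {"id": "F-3", "asset": "db-02",   "likelihood": 31.00, "cvss": 8.8,  "exploit_available": False},
    {"id": "F-4", "asset": "db-02",   "likelihood": 1.00,  "cvss": 10.0, "exploit_available": True},
    {"id": "F-5", "asset": "mail-03", "likelihood": 12.40, "cvss": 7.5,  "exploit_available": False},
    {"id": "F-6", "asset": "mail-03", "likelihood": 25.00, "cvss": 9.1,  "exploit_available": True},
]

def select(findings, min_likelihood, min_cvss=None, require_exploit=False):
    """Ids with Likelihood > min_likelihood, optionally narrowed by CVSS and exploit."""
    out = []
    for f in findings:
        if not f["likelihood"] > min_likelihood:   # strict '>', so 25.00 fails '> 25'
            continue
        if min_cvss is not None and not f["cvss"] > min_cvss:
            continue
        if require_exploit and not f["exploit_available"]:
            continue
        out.append(f["id"])
    return out

def compare_views(findings, x=25, y=8):
    """Run the three example filters and report what the narrower ones drop."""
    likelihood_only = select(findings, x)
    with_cvss = select(findings, x, min_cvss=y)
    with_exploit = select(findings, x, require_exploit=True)
    return {
        "likelihood_only": likelihood_only,
        "likelihood_and_cvss": with_cvss,
        "likelihood_and_exploit": with_exploit,
        # Findings predicted as likely but hidden by the narrower filter.
        "dropped_by_cvss_filter": [i for i in likelihood_only if i not in with_cvss],
        "dropped_by_exploit_filter": [i for i in likelihood_only if i not in with_exploit],
    }

def assets_in_group(findings, x=25):
    """Assets that a dynamic group built on Likelihood > x would contain."""
    ids = set(select(findings, x))
    return sorted({f["asset"] for f in findings if f["id"] in ids})

if __name__ == "__main__":
    for view, ids in compare_views(FINDINGS).items():
        print(f"{view}: {ids}")
    print("dynamic group assets:", assets_in_group(FINDINGS))
```

F-4 (CVSS 10.0, exploit available, Likelihood 1.00) appears in none of the views, and F-2 and F-3 disappear once the exploit filter is added, which is the trade-off the text describes.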
Copyright
© 2024 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.
Trademark
Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.