Copyright

© 2021 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® in Sweden and other countries.


Introduction

The Likelihood feature, powered by Cyr3con™, in Outpost24 Farsight provides an easier way to address vulnerabilities which are relevant and may impact an organization irrespective of the CVSS score or the presence of an exploit for a vulnerability.

By focusing on likelihood, you mitigate vulnerabilities for which the machine learning model predicts an increased risk, even though they may not currently be exploited.

Note

Risk classification of assets and services serves a purpose and should be conducted to further distinguish where to focus most efforts. This task can be time-consuming and may not produce viable results in the first couple of iterations. Farsight enables you to filter out some unlikely vulnerabilities with little to no prior knowledge about the vulnerabilities or assets, getting you on track with your vulnerability program faster. 

Risk Score - Likelihood 

Likelihood is a risk indicator that shows how many times more likely a vulnerability is to be exploited compared to the average, where approximately 95% of all vulnerabilities are never exploited. It is displayed in the Likelihood column in Reporting Tools and the Vulnerability Database. A vulnerability with a score of 15 is 15 times more likely to be exploited than a normal vulnerability. The value can go up to 38.46, which is equivalent to saying that the vulnerability will be exploited in the wild in the next 12 months (or has been already).

The benefit to the customer is the ability to drive more aggressive risk-based remediation, focusing on even fewer vulnerabilities that reach a particular likelihood, whether that is 15 times or 30 times.  It is also worth noting that any vulnerability already exploited in the wild will have the risk value of 38.46 as it has been exploited already. 

Note

Since the risk score is driven by machine learning and based on several factors, the risk rating can decrease as well as increase depending on activity in the wild.

How to Use Farsight

Prerequisites

To use Farsight you first need to enable the function in your subscription. Contact support for more information on how you can enable the Farsight function.

Once enabled, go to Main Menu > Netsec > Reporting Tools and enable the Likelihood, Likelihood delta, and Threat Activity columns by clicking the down arrow in any column and selecting Columns.

Farsight risk, Farsight risk delta, and Farsight risk update date present the likelihood values in a 0-1 (0-100%) format.



| Option | Description |
| --- | --- |
| Likelihood | Ranges from 1 to 38.46. The higher the value, the greater the risk. |
| Likelihood delta | The difference between the current and the former likelihood values. |
| Threat Activity | Date when threat activity was last detected by the watcher community. |
| Farsight risk | A normalized representation of Likelihood where the range 1-38.5 is mapped to the range 0-1 (0 to 100%). The meaning is the same for the two. |
| Farsight risk delta | The change in Farsight risk, similar to Likelihood delta but with the new range. |
| Farsight risk update date | Date when the Farsight risk value was updated. |


How to Use

The first option is to filter on the Likelihood column using the filter function, which provides relevant ratings on findings with a high likelihood of exploitation.
For example, Likelihood > 25 highlights all vulnerabilities that exist where the likelihood is greater than 25 times.

For more information see the Filters document.

Farsight's goal is to replace the reliance on CVSS scoring through the use of threat intelligence, exposure and business impact. It also offers the ability to predict the likelihood of a vulnerability being exploited. When considering the presence of an exploit (Exploit available) it is highly probable that you will miss a number of high risk vulnerabilities that meet your likelihood score but do not have current exploits available.

The second option is to build one or more dynamic groups. These groups can highlight assets that have vulnerabilities with likelihood based on the filtered values you set. By their nature these groups change over time as the likelihood values change. 
For more information see Dynamic Target Groups.
In both filtering and dynamic grouping, your organization's risk appetite determines the acceptable thresholds.

Examples

When considering likelihood, bear in mind ANY value over 1.0 could be assumed to have an increased risk to the organization. Likelihood allows a more aggressive risk strategy when setting filters and dynamic groups.

  • Likelihood > X (e.g. 25)
    At the simplest level this provides a view of vulnerabilities that match the likelihood threshold. This does not consider the presence (or not) of an exploit.

  • Likelihood > X and CVSS > Y (e.g. Likelihood > 25 and CVSS > 8)
    Adding CVSS to the Likelihood allows you to consider only those vulnerabilities that are trending as likely to be exploited where the CVSS score is above a particular value, in other words, 9 or 10. We are still not considering the presence of an exploit as a separate risk indicator.

  • Likelihood > X and Exploits available
    With this option you filter down the likelihood to only those vulnerabilities that have exploits available. This will significantly reduce the number of vulnerabilities to be remediated, as you are focusing less on the predictive risk score by adding a known attribute (exploit present).
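
The three filter combinations above, applied to a small constructed list of findings to show which ones each filter keeps and which ones an exploit-available requirement hides. This is an added example, not Outpost24 code; the Finding field names and the sample rows are assumptions for illustration and do not represent an Outpost24 export format.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    # Hypothetical field names; not an Outpost24 export schema.
    ident: str
    asset: str
    likelihood: float        # 1 to 38.46, as described on this page
    cvss: float
    exploit_available: bool

# Constructed sample rows, not real scan output.
FINDINGS = [
    Finding("F-001", "web-01", 38.46, 9.8, True),
    Finding("F-002", "web-01", 31.20, 6.5, False),
    Finding("F-003", "db-01", 27.00, 9.1, False),
    Finding("F-004", "db-01", 3.10, 9.9, True),   # high CVSS, low likelihood
    Finding("F-005", "app-02", 1.00, 7.5, False),
    Finding("F-006", "app-02", 26.40, 8.8, True),
]

def by_likelihood(findings, x):
    """Likelihood > X, ignoring whether an exploit exists."""
    return [f for f in findings if f.likelihood > x]

def by_likelihood_and_cvss(findings, x, y):
    """Likelihood > X and CVSS > Y."""
    return [f for f in by_likelihood(findings, x) if f.cvss > y]

def by_likelihood_and_exploit(findings, x):
    """Likelihood > X and an exploit is available."""
    return [f for f in by_likelihood(findings, x) if f.exploit_available]

def hidden_by_exploit_filter(findings, x):
    """Findings above the threshold that the exploit-available filter drops."""
    return [f for f in by_likelihood(findings, x) if not f.exploit_available]

def dynamic_group(findings, x):
    """Assets with at least one finding above the threshold."""
    return sorted({f.asset for f in by_likelihood(findings, x)})

def ids(findings):
    return [f.ident for f in findings]

if __name__ == "__main__":
    x = 25
    print("Likelihood > 25:            ", ids(by_likelihood(FINDINGS, x)))
    print("  ... and CVSS > 8:         ", ids(by_likelihood_and_cvss(FINDINGS, x, 8)))
    print("  ... and exploit available:", ids(by_likelihood_and_exploit(FINDINGS, x)))
    print("Hidden by exploit filter:   ", ids(hidden_by_exploit_filter(FINDINGS, x)))
    print("Dynamic group assets:       ", dynamic_group(FINDINGS, x))
```

Re-running the same functions after likelihood values change shows how dynamic group membership shifts over time.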