S2Score Changes in Vulnerability Scanning

Summary of recent changes to the internal vulnerability scan calculations

Written by Caitlin Fox
Updated over a week ago

Vulnerability Remediation and the S2Score

A common misunderstanding in risk management is that the remediation of vulnerabilities will automatically result in less risk. This is generally true; however, there are times when significant threats emerge:

  • That apply to vulnerabilities other than the ones that were remediated, and/or,

  • That affect vulnerabilities in different ways. For instance, a vulnerability considered on its own may mean much less than the same vulnerability taken in context with all the other systems in the environment.

There are times when the remediation of vulnerabilities does not necessarily result in a better S2Score. This document is written to explain this rare occurrence.

Explanation

There are two parts to the information security risk equation: threats and vulnerabilities. An organization’s S2Score, our measurement of information security risk, can and will change based upon how these two variables interact. Our clients run vulnerability scans and often address the vulnerabilities that were discovered. Clients can effect change on the existence of vulnerabilities; however, we have little, if any, control over threats.

Not being able to control threats can be frustrating for those of us who invest time and money in the reduction (or remediation) of our vulnerabilities, especially when the work doesn’t get reflected in a better S2Score. The reason for a lower score in these instances is most likely related to changes in real-world threats.

There are two options for dealing with paradigm shifts related to threats:

  1. Ignore threat changes, stick to the existing threat model, and produce consistent but less accurate risk representations (or S2Scores).

  2. Account for threat changes in new threat models, giving our customers the most accurate reflection of risk we can.

At SecurityStudio, we have opted for the latter, and we’ve done so because our customers deserve to know the truth and have confidence that an S2Score is a true reflection of information security risk.

Effects on S2Scores

As customers make improvements to their information security by reducing the number of vulnerabilities, it can become frustrating for them to find that their S2Score may have dropped. This happens, but it’s rare (occurring once every few years, or when a threat model changes).

There are two types of changes that occur based upon real world threats:

1) Threat Model Changes

A threat model change is one where we’ve made a significant, wholesale change to the way threats are applied to vulnerabilities. Threat model changes are very rare, but they’re made when we determine that there’s a shift in the way threats (often attackers) are footprinting or attacking vulnerabilities. Threat model changes have significant effects on S2Scores.

2) Threat Weight Changes

A weight is changed for a threat’s applicability to a vulnerability when real world events reflect that a particular vulnerability is being targeted. Threat weight changes are less significant and often go unnoticed by customers. Weight changes are likely to affect S2Scores, but the changes are minor.

Recent Change

The most recent change made to internal vulnerability scanning was a threat modelling change, so S2Scores are more likely to be impacted significantly. Although the current S2Scores are a much better reflection of true risk, we have encountered incidents where clients have improved their vulnerability management practices yet obtained lower scores. While significant improvements may have been made in vulnerability reduction in terms of the aggregate number of vulnerabilities, the remaining vulnerabilities are more susceptible to current real-world threats.

Current S2Scores, using the new threat modelling, represent risk better by applying threats more accurately to critical and high-severity vulnerabilities, especially those with known exploits. More emphasis has been placed on vulnerability distribution because current threats operate by finding the low-hanging fruit first, then pivoting within the environment to more lucrative targets.

Example

For 50 hosts (same applies for any number of hosts):

  • 10 of them have one critical-severity vulnerability

  • 40 of them are patched perfectly

Older Threat Model:

  • The resulting cumulative CVSS score would be 100, or an average of 2 per host.

  • These results would indicate almost zero risk.

New Threat Model:

  • 20% of the hosts have a critical severity vulnerability

  • This is a significant risk considering how current threats are targeting technical vulnerabilities in active environments. Attackers are more likely to discover a single exploitable vulnerability if 20% of the hosts are vulnerable versus five or ten percent.
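The two aggregation approaches contrasted above, as an added illustration (not SecurityStudio's scoring code; the actual S2Score formula is not published here). It assumes a CVSS base score of 10.0 for each "critical" finding, so that ten such findings total 100 as in the example, and treats any finding at or above 9.0 as critical for the distribution count. It also goes one step beyond the page's single case by comparing a constructed before/after fleet in which the number of findings falls while the share of exposed hosts rises.

```python
from dataclasses import dataclass, field

CRITICAL_CVSS = 10.0      # assumed base score for one "critical" finding (not stated by the page)
EXPOSED_THRESHOLD = 9.0   # assumed CVSS floor for "critical-severity" in this illustration


@dataclass
class Host:
    name: str
    cvss: list = field(default_factory=list)  # open findings on this host, one CVSS score each


def cumulative_model(hosts):
    """Older approach described on the page: sum every CVSS score, spread over all hosts."""
    total = sum(sum(h.cvss) for h in hosts)
    return {"cumulative": total, "avg_per_host": total / len(hosts)}


def distribution_model(hosts, threshold=EXPOSED_THRESHOLD):
    """Newer approach described on the page: share of hosts exposing at least one critical."""
    exposed = [h.name for h in hosts if any(s >= threshold for s in h.cvss)]
    return {"exposed_hosts": len(exposed), "exposed_fraction": len(exposed) / len(hosts)}


def make_fleet(n_hosts, n_exposed, findings_per_exposed):
    """Constructed inventory: the first n_exposed hosts each carry findings, the rest are clean."""
    return [
        Host(f"host-{i:02d}", [CRITICAL_CVSS] * findings_per_exposed if i < n_exposed else [])
        for i in range(n_hosts)
    ]


def compare(before, after):
    """Report how each model moves when a fleet goes from `before` to `after`."""
    return {
        "findings": (sum(len(h.cvss) for h in before), sum(len(h.cvss) for h in after)),
        "avg_per_host": (cumulative_model(before)["avg_per_host"],
                         cumulative_model(after)["avg_per_host"]),
        "exposed_fraction": (distribution_model(before)["exposed_fraction"],
                             distribution_model(after)["exposed_fraction"]),
    }


if __name__ == "__main__":
    # The page's own case: 50 hosts, 10 with one critical, 40 fully patched.
    page_case = make_fleet(50, 10, 1)
    print(cumulative_model(page_case), distribution_model(page_case))
    # Constructed before/after: 15 findings concentrated on 5 hosts, then 10 findings spread over 10 hosts.
    print(compare(make_fleet(50, 5, 3), make_fleet(50, 10, 1)))
```

In the before/after comparison the cumulative model improves (average per host falls from 3.0 to 2.0) while the distribution model worsens (exposed hosts rise from 10% to 20%), which is the kind of divergence the page describes.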

We understand that this change may cause confusion or concern with some clients. If you need help with an explanation or would like further information, please contact SecurityStudio at support@securitystudio.com.

We do not anticipate any additional threat model changes in the foreseeable future. In the future, if we are planning to make any significant changes, we will ask for guidance from our partners and follow the appropriate communication channels that have since been developed.
