Introduction

Background

To quantify the risk status of every asset in a customer's cloud environment, Plerion evaluates each asset against the findings raised for it and assigns a Risk Score, a number that expresses the severity of the risks identified on that asset.

The Plerion Risk Score (PRS) is the primary indicator used to highlight and prioritise the risks Plerion identifies. It is produced by Plerion's risk calculation engine, a component of the Plerion Protection Platform.

Terminologies

To better understand PRS, let's clarify some key terms:

  • Risk: Any potential adverse event that might happen, as measured by a risk score or risk rating which is typically derived from the likelihood that it might occur and the adverse impact it would have if it did happen.

  • Risk description: A detailed explanation of any potential risk. Example: "A system compromise due to exploitation of Amazon EC2 instance with remote code execution vulnerability"

  • Finding: A technical description of the condition of assets found after their evaluation, which may or may not result in a risk. Example: "Publicly accessible Amazon S3 bucket"

  • Check: A condition that an asset is being tested for. Checks help identify assets at potential risks. Example: "Identify publicly accessible Amazon S3 buckets"

  • Control: A condition that an asset should conform to, in order to mitigate any risks. Example: "Ensure Amazon S3 buckets are not publicly accessible"

  • Likelihood: A quantified measure of the possibility of a risk being actualized, influenced by various factors. The value of likelihood ranges from 1 to 5, 1 being 'rare' and 5 being 'almost certain'. Example: "Likelihood of a publicly accessible Amazon S3 bucket = 4, Likelihood of an Amazon S3 bucket that is not encrypted at rest = 2"

  • Impact: A quantified measure of the adverse consequence of the risk being actualized, taking into account potential severity. The value of impact ranges from 1 to 5, 1 being 'insignificant' and 5 being 'severe'. Example: "Impact of a publicly accessible Amazon RDS DB server = 4, Impact of an Amazon RDS DB server that does not have auto-upgrade of engine versions = 2"

  • Risk Score: The final numerical representation of the overall risk associated with an asset, as defined by Plerion. It is derived from the likelihood and impact of the risks involved after any modifier values have been applied; for workloads it also takes vulnerabilities into account. The value is a decimal with up to two decimal places ranging from 0 to 10, where 0 is the least and 10 the most critical risk score.

    Note: The Plerion Risk Score (PRS) takes the context of the asset into account by applying modifiers to the baseline impact and likelihood values, so it differs from a CVE's severity or its CVSS score. A CVSS base score is context-free and reflects the worst case; the Plerion severity aims for a higher-fidelity result by using the asset context that is available.

  • Risk Rating: A category of the severity level of any risk as a combination of likelihood and impact. It can be any of the following: None, Low, Medium, High, Critical. The categories are defined as follows as per the Plerion Risk Calculator:

(Figure: Risk Rating by Impact and Likelihood; the rating matrix is not reproduced on this page)

  • Modifier Attributes: Pieces of context about an asset that incrementally adjust its impact, its likelihood, or both, and thereby change its calculated severity score. Example: "hasOverlyPermissivePrivileges", "isPubliclyExposed"

  • Modifier Value: The amount by which impact or likelihood moves away from the baseline value. Modifier values are set by Plerion at the detection-configuration level, so an asset's severity score depends on which modifier attributes are present on it and on the values configured for those attributes. Example: if the detection associated with "Overly Permissive Privileges" has an incrementalLikelihood value of 2, then for an asset that has that attribute the baseline likelihood is increased by 2 during the severity calculation, giving the asset a higher severity.
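The following is an added example, not Plerion's own code, of how the modifier mechanism described above behaves: a detection carries baseline likelihood and impact plus a set of modifier attributes with incremental values, and an asset's adjusted levels depend on which attributes it has, clamped to the 1..5 range the page defines. The page does not give the formula that maps likelihood and impact onto the 0..10 score, so the linear scaling used here (likelihood × impact divided by 2.5) is an assumption chosen only to illustrate the ordering; the baseline impact of 3 for the S3 detection, the `containsSensitiveData` attribute and the `score_asset` helper are likewise constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Iterable

# Likelihood and impact are both on the page's 1..5 scale.
LEVEL_MIN, LEVEL_MAX = 1, 5


@dataclass(frozen=True)
class Modifier:
    """A modifier attribute and the increments it applies (set per detection)."""
    attribute: str
    incremental_likelihood: int = 0
    incremental_impact: int = 0


@dataclass(frozen=True)
class Detection:
    """Detection configuration: baseline levels plus the modifiers it honours."""
    name: str
    baseline_likelihood: int
    baseline_impact: int
    modifiers: tuple = ()


def clamp_level(value: int) -> int:
    """Keep an adjusted level inside the 1..5 range."""
    return max(LEVEL_MIN, min(LEVEL_MAX, value))


def adjusted_levels(detection: Detection, asset_attributes: Iterable[str]):
    """Apply every modifier whose attribute is present on the asset.

    Returns (likelihood, impact, applied_attributes).
    """
    present = set(asset_attributes)
    likelihood = detection.baseline_likelihood
    impact = detection.baseline_impact
    applied = []
    for mod in detection.modifiers:
        if mod.attribute in present:
            likelihood += mod.incremental_likelihood
            impact += mod.incremental_impact
            applied.append(mod.attribute)
    return clamp_level(likelihood), clamp_level(impact), applied


def risk_score(likelihood: int, impact: int) -> float:
    """ASSUMED formula: scale likelihood*impact (1..25) linearly onto 0..10,
    rounded to two decimal places as the page describes. Not Plerion's formula."""
    return round(likelihood * impact / 2.5, 2)


def score_asset(detection: Detection, asset_attributes: Iterable[str]) -> dict:
    """Convenience wrapper returning the adjusted levels and resulting score."""
    likelihood, impact, applied = adjusted_levels(detection, asset_attributes)
    return {
        "likelihood": likelihood,
        "impact": impact,
        "applied": applied,
        "score": risk_score(likelihood, impact),
    }


# Constructed detection: baseline likelihood 4 is the page's example for a
# public S3 bucket; baseline impact 3 and the second modifier are assumptions.
PUBLIC_S3_BUCKET = Detection(
    name="Identify publicly accessible Amazon S3 buckets",
    baseline_likelihood=4,
    baseline_impact=3,
    modifiers=(
        Modifier("hasOverlyPermissivePrivileges", incremental_likelihood=2),
        Modifier("containsSensitiveData", incremental_impact=2),
    ),
)

if __name__ == "__main__":
    # Three constructed assets with different modifier attributes present.
    for label, attrs in [
        ("plain bucket", []),
        ("overly permissive", ["hasOverlyPermissivePrivileges"]),
        ("permissive + sensitive", ["hasOverlyPermissivePrivileges", "containsSensitiveData"]),
    ]:
        result = score_asset(PUBLIC_S3_BUCKET, attrs)
        print(f"{label:24} L={result['likelihood']} I={result['impact']} "
              f"score={result['score']} applied={result['applied']}")
```

Note that the "overly permissive" asset shows the clamping edge: baseline likelihood 4 plus the +2 increment would give 6, which is capped at 5, so two modifiers that each push likelihood past the ceiling do not keep raising the score. Whatever formula is used in practice, that ceiling is why a highly exposed asset's score is bounded by its impact once likelihood saturates.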