Enable Proactive Incident Response With Adaptive Risk Scoring

Proactive, not reactive, incident response powered by new Incident Risk Scoring in Expander

One of the major challenges facing security teams today is the overwhelming volume of alerts that make it difficult to determine where and how to focus remediation efforts. Analysts lack sufficient context around potential threats and waste valuable time trying to figure out what to prioritize. This often puts analysts in a reactive state and slow to respond as attackers have become faster.

According to the 2021 Attack Surface Threat Report, attackers started to scan for exposures within 15 minutes of new remote code execution vulnerabilities being announced. The window to act for defenders is shrinking.

To address this challenge, security teams must prioritize and proactively secure their attack surface. A key to that is the new Incident Risk Scoring capability in Cortex Xpanse’s Active ASM solution. Security teams can now use adaptive risk scores based on threat and exploit intelligence to shift from reactive to proactive attack surface management.

Xpanse’s risk scoring model takes into account several inputs. It starts by fingerprinting the device and pulling any associated Common Vulnerabilities and Exposures (CVE) data for the identified product and version. The Common Vulnerability Scoring System (CVSS) score is then used as part of the overall score assigned to the vulnerability. Along with the CVSS score, Xpanse also uses a dynamically updated Exploit Prediction Scoring System (EPSS) score. EPSS scores represent the probability that a vulnerability will be exploited in the wild and are recognized as the industry standard and best-in-class approach for assessing risk.

Xpanse further enriches that data by adding modifiers developed by our expert team of security researchers called Risk Factors, including whether there’s a significant risk of misconfiguration, if the service allows remote access into a network, or if the unintentional exposure of a login portal or authentication system is likely. Xpanse pulls vulnerability data three times a day, so as a new CVE is announced and a new proof-of-concept code is published, Xpanse adjusts the priority level and alerts customers.

Figure 1: Shows an example of a Risk Score and the Risk Details view for an Insecure OpenSSH server.
Figure 1: Shows an example of a Risk Score and the Risk Details view for an Insecure OpenSSH server.


In addition, Xpanse gives teams the flexibility to modify a risk score to fit their organizational priorities and control how particular devices or applications are prioritized. Users often struggle with the inflexibility of most risk scorers on the market that mandate what they need to fix, even if the asset is unimportant or irrelevant to their specific business context. With Xpanse, customers can also manually override scores to change their priority and make sure that an incident gets the attention it needs.

Organizations should be able to find and manage risks before attackers exploit them. Through scientifically backed inputs and robust modifiers, Xpanse’s risk model narrows down the thousands of incident alerts faced by a security team to a data-driven and targeted list of priorities to remediate. This gives security teams an edge over attackers to prioritize remediation to remediate exposures and mitigate the risk of security incidents.

To learn more about Active Attack Surface Management, read our datasheet.