CALCULATING QUANTITATIVE ASSET RISK

US 20130191919A1
Filed: 01/19/2012
Published: 07/25/2013
Est. Priority Date: 01/19/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, performed by data processing apparatus, comprising:

identifying a standardized vulnerability score for a particular vulnerability in a plurality of known vulnerabilities, wherein the standardized vulnerability score indicates a relative level of risk associated with the particular vulnerability relative other vulnerabilities in the plurality of known vulnerabilities;

determining a vulnerability detection score indicating an estimated probability that a particular asset possess the particular vulnerability;

determining a vulnerability composite score for the particular asset to the particular vulnerability, wherein the vulnerability composite score is derived from the standardized vulnerability score and the vulnerability detection score;

identifying a countermeasure component score, wherein the countermeasure component score indicates an estimated probability that a countermeasure will mitigate risk associated with the particular vulnerability on the particular asset; and

determining a risk metric for the particular asset and the particular vulnerability from the vulnerability composite score and the countermeasure component score.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A standardized vulnerability score is identified for a particular vulnerability in a plurality of known vulnerabilities, the standardized vulnerability score indicating a relative level of risk associated with the particular vulnerability relative other vulnerabilities. A vulnerability detection score is determined that indicates an estimated probability that a particular asset possess the particular vulnerability and a vulnerability composite score is determined for the particular asset to the particular vulnerability, the vulnerability composite score derived from the standardized vulnerability score and the vulnerability detection score. A countermeasure component score is identified that indicates an estimated probability that a countermeasure will mitigate risk associated with the particular vulnerability on the particular asset. A risk metric for the particular asset and the particular vulnerability is determined from the vulnerability composite score and the countermeasure component score. In some instances, aggregate risk scores can be calculated from a plurality of calculated risk metrics.

141 Citations

28 Claims

1. A computer-implemented method, performed by data processing apparatus, comprising:
- identifying a standardized vulnerability score for a particular vulnerability in a plurality of known vulnerabilities, wherein the standardized vulnerability score indicates a relative level of risk associated with the particular vulnerability relative other vulnerabilities in the plurality of known vulnerabilities;
  
  determining a vulnerability detection score indicating an estimated probability that a particular asset possess the particular vulnerability;
  
  determining a vulnerability composite score for the particular asset to the particular vulnerability, wherein the vulnerability composite score is derived from the standardized vulnerability score and the vulnerability detection score;
  
  identifying a countermeasure component score, wherein the countermeasure component score indicates an estimated probability that a countermeasure will mitigate risk associated with the particular vulnerability on the particular asset; and
  
  determining a risk metric for the particular asset and the particular vulnerability from the vulnerability composite score and the countermeasure component score.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, wherein the standardized vulnerability score includes a standardized component and an environmental component adjusting the standardized component to features of a particular system including the particular asset.
  - 3. The method of claim 2, wherein the environmental component represents, at least in part, criticality of the particular asset within the particular system.
  - 4. The method of claim 3, wherein the environmental component is derived based on criticality information for the particular asset, wherein the criticality information defining an impact of losing the particular asset.
  - 5. The method of claim 2, wherein each of the standardized component and environmental component include data describing a confidentiality impact to assets based on the particular vulnerability, an integrity impact to assets based on the particular vulnerability, and an availability impact to assets based on the particular vulnerability.
  - 6. The method of claim 2, wherein the standardized component includes a temporal component reflecting changes to risk posed by the particular vulnerability over time.
  - 7. The method of claim 2, wherein the standardized vulnerability score is based, at least in part, on the standard score of the Common Vulnerability Scoring System (CVSS).
  - 8. The method of claim 1, further comprising:
    - receiving vulnerability definition data for the particular vulnerability, the vulnerability definition data including an identification of the particular vulnerability, an identification of one or more countermeasures that reduce a risk that the vulnerability will affect an asset, countermeasure protection data indicating a level of protection potentially afforded by each countermeasure for the vulnerability, and applicability data describing one or more configurations of assets to which the vulnerability applies; and
      
      receiving vulnerability detection data, countermeasure detection data, and configuration data for the particular asset, wherein the vulnerability detection data for the particular asset includes information suggesting whether the vulnerability is possessed by the particular asset, the countermeasure detection data for the asset identifies one or more countermeasures protecting the particular asset, and the configuration data for the particular asset describes a configuration of the particular asset.
  - 9. The method of claim 7, wherein the countermeasure component score is derived from at least the countermeasure protection data and the countermeasure detection data.
  - 10. The method of claim 9, wherein the countermeasure component score is further derived from the configuration data for the particular asset.
  - 11. The method of claim 9, wherein identifying the countermeasure component score includes calculating the countermeasure component score.
  - 12. The method of claim 7, wherein the vulnerability detection score is derived from at least the vulnerability detection data.
  - 13. The method of claim 11, wherein the vulnerability detection score is further derived from the configuration data for the particular asset.
  - 14. The method of claim 1, wherein the determined risk metric for the particular asset is a vulnerability-centric risk metric, the method further comprising determining a threat-centric risk metric for the particular asset, wherein determining a threat-centric risk metric for the particular asset includes:
    - determining a threat factor for the particular asset and particular threat, wherein the threat factor is derived from a threat severity score estimating a severity of the particular threat and an applicability score estimating the applicability of the particular threat to the particular asset;
      
      determining a threat exposure factor for the particular asset and the particular threat, wherein the threat exposure factor is derived from the threat factor, a vulnerability component score, and a threat countermeasure component score, wherein the vulnerability component score indicates whether the particular asset is vulnerable to the particular threat, and the countermeasure component score is derived from an estimate of a likelihood that a second countermeasure will mitigate the effect of an attack on the particular asset relating to the particular threat; and
      
      wherein the threat-centric risk metric for the particular asset and the particular threat is determined from the threat exposure factor and a criticality score for the particular asset, wherein the criticality score represents an impact of losing the asset.
  - 15. The method of claim 14, wherein the particular threat takes advantage of the particular vulnerability, the vulnerability component score is equal to the vulnerability detection score, and the particular countermeasure is the second countermeasure.
  - 16. The method of claim 15, wherein respective calculated values of the determined vulnerability-centric metric and threat-centric metric are different.
  - 17. The method of claim 1, wherein the standardized vulnerability score has a value within a predefined range.
  - 18. The method of claim 1, wherein the standardized countermeasure component score has a value within a predefined range.
  - 19. The method of claim 1, wherein at least some vulnerabilities in the plurality of known vulnerabilities are associated with at least one in a plurality of known threats, and the particular vulnerability is not associated with any of the plurality of known threats.

20. Logic encoded in non-transitory media that includes code for execution and when executed by a processor is operable to perform operations comprising:
- identifying a standardized vulnerability score for a particular vulnerability in a plurality of known vulnerabilities, wherein the standardized vulnerability score indicates a relative level of risk associated with the particular vulnerability relative other vulnerabilities in the plurality of known vulnerabilities;
  
  determining a vulnerability detection score indicating an estimated probability that a particular asset possess the particular vulnerability;
  
  determining a vulnerability composite score for the particular asset to the particular vulnerability, wherein the vulnerability composite score is derived from the standardized vulnerability score and the vulnerability detection score;
  
  identifying a countermeasure component score, wherein the countermeasure component score indicates an estimated probability that a countermeasure will mitigate risk associated with the particular vulnerability on the particular asset; and
  
  determining a risk metric for the particular asset and the particular vulnerability from the vulnerability composite score and the countermeasure component score.

21. A system comprising:
- at least one processor device;
  
  at least one memory element; and
  
  a network monitor, adapted when executed by the at least one processor device to;
  
  identify a standardized vulnerability score for a particular vulnerability in a plurality of known vulnerabilities, wherein the standardized vulnerability score indicates a relative level of risk associated with the particular vulnerability relative other vulnerabilities in the plurality of known vulnerabilities;
  
  determine a vulnerability detection score indicating an estimated probability that a particular asset possess the particular vulnerability;
  
  determine a vulnerability composite score for the particular asset to the particular vulnerability, wherein the vulnerability composite score is derived from the standardized vulnerability score and the vulnerability detection score;
  
  identify a countermeasure component score, wherein the countermeasure component score indicates an estimated probability that a countermeasure will mitigate risk associated with the particular vulnerability on the particular asset; and
  
  determine a risk metric for the particular asset and the particular vulnerability from the vulnerability composite score and the countermeasure component score.

22. A method comprising:
- receiving vulnerability definition data including, for each of a plurality of vulnerabilities, an indication of the vulnerability, an identification of one or more countermeasures that reduce a risk associated with possession of the vulnerability by an asset, an indication of a level of protection potentially afforded by each countermeasure for the vulnerability, and applicability information describing one or more configurations of assets to which the vulnerability applies;
  
  receiving vulnerability detection data, countermeasure detection data, and configuration data for each of one or more assets, wherein the vulnerability detection data for each asset identifies vulnerabilities applicable to the asset, the countermeasure detection data for each asset identifying one or more countermeasures protecting the asset, and the configuration data for each asset describes a configuration of the asset; and
  
  determining a respective risk metric for each of the one or more assets for each of the one or more vulnerabilities, wherein determining the risk metric includes, for each asset and each vulnerability;
  
  identifying a standardized vulnerability score for the vulnerability, wherein the standardized vulnerability score indicates a relative level of risk associated with the vulnerability relative other vulnerabilities in the plurality of vulnerabilities;
  
  determining a vulnerability detection score for the asset from the vulnerability detection data for the asset;
  
  determining a vulnerability composite score for the particular asset to the particular vulnerability, wherein the vulnerability composite score is derived from the standardized vulnerability score and the vulnerability detection score;
  
  determining a countermeasure component score from the vulnerability definition data and the countermeasure detection data, wherein determining the countermeasure component score includes analyzing the level of protection afforded by each countermeasure identified in both the vulnerability definition data for the vulnerability and in the countermeasure data as protecting the asset; and
  
  determining the risk metric for the asset and the vulnerability from the vulnerability composite score and the countermeasure component score.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The method of claim 22, further comprising:
    - determining a respective risk metric for the asset and each of the plurality of vulnerabilities; and
      
      determining an aggregate risk metric for the asset from the respective risk metrics for the asset and each of the plurality of vulnerabilities.
  - 24. The method of claim 23, wherein the aggregate risk metric is one of:
    - a sum of the respective risk metrics, a mean of the respective risk metrics, a maximum of the respective risk metrics, a minimum of the respective risk metrics, or a mode of the respective risk metrics.
  - 25. The method of claim 23, further comprising:
    - selecting a group of assets including the asset;
      
      determining an aggregate risk metric for each asset in the group of assets; and
      
      determining an aggregate risk metric for the group of assets from the aggregate risk metric for each asset in the group of assets.
  - 26. The method of claim 22, further comprising:
    - determining a respective risk metric for each of a plurality of assets and the vulnerability; and
      
      determining an aggregate risk metric for the vulnerability from the respective risk metrics for each of the plurality of assets and the vulnerability.
  - 27. The method of claim 22, wherein the risk metric is a vulnerability-centric risk metric and the method further comprises:
    - receiving threat definition data, the threat definition data including, for each of a plurality of threats, an identification of the threat, an identification of one or more countermeasures that reduce a risk that the threat will affect an asset, protection data describing a protection score for each countermeasure for the threat, and applicability data describing one or more configurations of assets to which the threat applies; and
      
      determining a respective threat-centric risk metric, the determining including, for each asset and each threat;
      
      determining an applicability score for the asset and the threat from the applicability data and the configuration data, wherein the applicability score has a first applicability value when the threat is applicable to the configuration of the asset and a different second applicability value when the threat is not applicable to the configuration of the asset;
      
      determining a vulnerability score for the asset and the threat from the vulnerability detection data for the asset;
      
      determining a countermeasure score from the threat definition data and the countermeasure detection data, wherein the generating comprises analyzing the protection score for each countermeasure that is both identified in the threat definition data for the threat and identified in the countermeasure data as protecting the asset, wherein the countermeasure score has a value within a predefined range; and
      
      determining the threat-centric risk metric for the particular asset for the particular threat from the applicability score, the vulnerability score, and the countermeasure score.
  - 28. The method of claim 27, further comprising:
    - determining a respective vulnerability-centric risk metric for the asset and each of the plurality of vulnerabilities;
      
      determining an aggregate vulnerability-centric risk metric for the asset from the respective risk metrics for the asset and each of the plurality of vulnerabilities;
      
      determining a respective threat-centric risk metric for the asset and each of the plurality of threats; and
      
      determining an aggregate threat-centric risk metric for the asset from the respective risk metrics for the asset and each of the plurality of threats.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Basavapatna, Prasanna Ganapathi, Kolingivadi, Deepakeshwaran, Schrecker, Sven

Granted Patent

US 8,595,845 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

CALCULATING QUANTITATIVE ASSET RISK

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

141 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

CALCULATING QUANTITATIVE ASSET RISK

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

141 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links