RS³ Simulator Guide

Summary: How to access and use the RS³ Simulator in the RiskSense platform to preview your assets' RS³ v2 scores.

Using the RS³ Simulator

In Q3 2020, RiskSense will release an enhancement to the RiskSense Security Score (RS³) scoring model that allows RiskSense to provide you with a greater level of accuracy and actionability in your organization’s security posture than ever before. In order to help facilitate the transition to this new scoring model, users will be provided with an RS³ Simulator in the form of an interactive pop-up view that will allow users to compare an asset’s score under the current model with its projected score under the updated v2 model. This article explains how to access the simulator, defines the various inputs, and shows their impact in the new scoring methodology.

RS3 Simulator - RS3 Simulator View

Invoking the Simulator

Any individual asset may be analyzed using the simulator. To access it, navigate to the Hosts and Applications pages within the RiskSense platform. From the list view, select an asset that you would like to examine, and click its row to invoke the detail pane. At the top of the detail pane, a new Simulate RS³ button is available; click this button to bring up the simulator in a modal pop-up window.

RS3 Simulator - Simulate RS3 Button

The bottom of this pop-up window shows the five-color RS³ score band, from 300 to 850. The selected asset’s current score will be shown, as well as the projected (or “simulated”) score that it will have under the new RS³ v2 scoring model.

Currently, the projected score will be shown only for Hosts which have an RS³; projected scores will be added for Applications with the general availability launch of RS³ v2.

RS3 Simulator - Simulator Scoring

Using the Inputs

There are four input fields provided in the simulator tool.

Greatest VRR Values: The five categories of risk are Critical, High, Medium, Low, and Informational. (Note that Informational findings present zero risk, and thus do not contribute to a score.) Every finding within an organization is assigned a Vulnerability Risk Rating (VRR) as a numerical value that falls into one of these categories, as follows:

Critical: 9.0 ≤ VRR ≤ 10.0
High: 7.0 ≤ VRR < 9.0
Medium: 4.0 ≤ VRR < 7.0
Low: 0.0 < VRR < 4.0
Info: VRR = 0.0

In the updated RS³ v2 methodology, an asset’s score is driven by the largest VRR among findings within each category. For instance, consider an asset with five Critical findings on it. Suppose that four out of those five findings have a VRR of 9.2, while the remaining finding has a VRR of 9.8. In this case, the VRR of 9.8 is the contributing factor to the asset’s RS³. And so on, for the remaining VRR categories.

RS3 Simulator - Greatest VRR Values

Four sliders are presented, corresponding to Critical, High, Medium, and Low VRR values. For each slider, the contributing greatest VRR value within each corresponding category should be selected either by clicking on the value from the slider itself, or manually entering in the numerical value in the provided text field beside each slider.

Each of the four categories carries a certain amount of weight in the scoring methodology, which scales with the amount of risk posed. Critical vulnerabilities reduce an asset’s RS³ substantially, while Low vulnerabilities penalize the score to a much lesser degree.

If an asset contains zero findings within a particular VRR category, the No Findings box below the corresponding slider should be checked.

Total Open Findings on Asset: The number of open findings on an asset helps determine where the vulnerabilities within an organization are concentrated. An asset with a higher number of open findings presents a greater amount of risk and thus will have a lower RS³ compared to an asset with fewer open findings. This number must be at least as large as the number of active sliders in the Greatest VRR Values input section. Note that this number does not include Informational findings.

RS3 Simulator - Total Open Findings on Asset

Select Address Type: An asset’s address may be either Internal or External in its accessibility. Assets with an externally-accessible address pose a greater amount of risk, and thus will have a lower RS³ compared to an internal-facing asset.

RS3 Simulator - Select Address Type

Set Asset Criticality: The importance of a given asset to an organization is designated by its criticality, on a scale of 1 (less important) to 5 (most important). An asset of high criticality will have a lower RS³ when vulnerabilities are present, indicating the increased amount of risk posed to the organization should that asset be compromised through a vulnerability.

RS3 Simulator - Set Asset Criticality

Simulating a Score

When the RS³ simulator is invoked, it will be pre-populated with the input values corresponding to the asset from which it was opened.

This is only applicable for Hosts, as Application scoring data is not yet available. Support for Applications will be available with the general availability launch of RS³ v2.

Its current and new scores will both be shown on the bottom of the window. If a user wishes to see the effects of various input values on the asset’s score, they may adjust each one according to the above descriptions. Once the preferred values for each input have been set, the Simulate RS³ Score button will be highlighted. Clicking this button will run a simulation, and the updated score will now be shown at the bottom of the window. The simulation may be run on any chosen configuration of input values as many times as desired. The chosen asset’s current score will always remain on the score axis for comparison purposes.

RS3 Simulator - Simulate RS3 Score

If the user wishes to reset the input values to their original state corresponding to the chosen asset, they may click the Reset Values button.

Note that any asset that does not currently have an RS³ (such as Metric-Excluded Hosts, or Applications) will display an N/A value as its current RS³.