IoT Risk Assessment

IoT Security assesses risk and assigns a risk score for devices, device profiles, sites, and organizations.
Assessing risk is a continuous process of discovering vulnerabilities and detecting threats. During this ongoing process, IoT Security measures risk and assigns a score for the amount of risk it observes. In fact, IoT Security measures and scores risk at four levels, starting from individual IoT devices and expanding in scope to device profile, site, and finally organization. The different scores provide a simple means to check the risk posed at various points and areas of your network.
When assessing risk, IoT Security uses both static and dynamic factors. Static risks form a baseline and include the following:
  • All MDS2 risks (for medical equipment)
  • Intrinsic risk factors specific to a profile such as OS, applications, roles, environment
  • Trending threats that are hard to mitigate
  • The usage behavior specific to a profile or a device
Dynamic risks are added on top of the baseline risk:
  • Threats detected in real time (example: alerts)
  • Behavioral risks (anomalies, user practice issues) which also trigger alerts
  • Vulnerabilities (discovered through passive analysis and detections and through vulnerability scans using integrated third-party vulnerability scanning engines like Qualys and Rapid7)
By collecting and modeling data and analyzing vulnerabilities and threats, IoT Security calculates risk on a daily basis. The risk scores it generates consist of alerts, vulnerabilities, behavioral anomalies, and threat intelligence. When calculating the risk scores of device profiles, sites, and organizations, IoT Security considers not only the scores of individual devices within a particular group but also the percent of risky devices in relation to all devices in the group.
The following sections provide more information about the risk scores that IoT Security generates for these four levels: device, device profile, site, and organization.

Device Risk

IoT Security displays the risk score for each device in the Risk column on the Devices page (Assets > Devices). It generates risk scores for devices on a daily basis.
Also see the Device Details page (Assets > Devices > device-name > Device Details) where the device risk score is listed twice—at the top and in the Security summary section. The Risks section includes a graph that charts changes in the risk score over the specified period of time: day, week, month, year, or all to date. The graph lets you see how the risk score trends over time. Hover your cursor over a marker on the line to see a list of alerts for that point in time. Click a marker to see a list of alerts below the graph.

Device Profile Risk

IoT Security displays risk scores for device profiles in the Risk column on the Profiles page (Assets > Profiles).
IoT Security uses the scores of individual at-risk devices (that is, those with a risk score of 40 or higher) in the same profile to calculate the risk score for the entire device profile. However, it’s not as simple as averaging the risk scores of all the devices in the profile. The computation takes other factors into consideration such as the number of risky devices in the profile.
For example, if five devices in the same profile have individual risk scores of 42, IoT Security would calculate the risk score for the profile to be 89. In this case, because all of the devices in the profile are at risk, the profile score becomes higher than you might have expected at first.
Consider another example, again with five devices in the same profile. One device is at high risk with a score of 98. The other four devices are at normal risk each with a score of 30. In this case, IoT Security calculates the risk score for their profile to be 64. In such a small set, the one high-risk device has a much greater impact on the profile score than it would if the scores of more devices had been involved in the calculation.

Site Risk

See the Risk Score column in the Risk column on the Sites page (Networks > Networks and Sites > Sites).
The formula that IoT Security uses to calculate the risk score for a site uses a weighted average of device profile risk scores, the weight for each profile being determined by the number of devices in the profile and the profile risk level.

Organization Risk

See the Risk Score in the Risk panel on the Dashboards > Security Dashboard.
IoT Security uses the same method to calculate the risk score for an organization as it does for sites.

Risk Scores and Severity Levels

The following explains how the severity of a risk score is ranked:
Risk score | Risk severity | Notes
< 40 | Low | This is a normal risk level.
40-69 | Medium | There might be a few anomalous network behaviors, medium-level alerts, and vulnerabilities with CVSS (Common Vulnerability Scoring System) scores between 4.0 and 6.9.
70-89 | High | There might be multiple highly anomalous behaviors, high-level alerts, and vulnerabilities with CVSS scores between 7.0 and 8.9.
90-100 | Critical | There might be multiple extremely anomalous behaviors, critical alerts (such as a malware attack), and vulnerabilities with the highest CVSS score of 10.

Adjust Device Risk Scores

It’s possible to adjust how much individual risks contribute to the overall risk score of a device. On the Vulnerabilities > Vulnerability Overview > All Vulnerabilities page, click a number in either the Confirmed Instances or Potential Instances column to see details of a vulnerability including which devices it affects or potentially affects. Then click a device name in the Instance column to open the Device Details page for it.
IoT Security categorizes CVE-based risks differently based on their source. When IoT Security discovers them through its internal vulnerability-matching logic (Source = IoT Security Device Software Library) or as a result of a vulnerability scan, it categorizes them as vulnerabilities. When a firewall applies Threat Protection and reports them to IoT Security (Alert Source = Firewall), IoT Security categorizes them as alerts. The Adjust option appears only in the Action menu for vulnerabilities; in other words, for risks not categorized as alerts.
In the Vulnerabilities section, expand the Actions menu for a vulnerability and then click Adjust.
Take the severity of this risk and its impact on the organization into account and adjust how much you think it should contribute to the overall risk score of the device. Choose whether it makes a low, medium, or high contribution.
Note that the influence of the change you make on the overall score depends on the number and severity of other risk factors. If there are lots of risks, adjusting how much a single risk contributes to the score might not affect it much if at all. On the other hand, if there are only a few risks, adjusting the contribution of one can change the score significantly.

Alerts for Risk Score Changes

When the increase of a risk score causes it to cross a threshold separating one risk level from another, IoT Security generates a risk change alert. (Crossing a risk level threshold as the result of a risk decrease does not trigger an alert.) A risk increase triggers an alert with differing severity levels depending on the new severity of the risk:
  • Warning when the risk level increases from high to critical
  • Caution when the risk level increases from medium to high
    To reduce the overall number of alerts generated, no alert is triggered when the risk level increases from low to medium.
In addition to risk scores changing because of a manually adjusted risk factor, they can also change for the following reasons:
Increased risk
  • A daily risk refresh discovers new vulnerabilities or increased CVSS risk scores.
Decreased risk
  • A user resolves a risk factor.
  • A daily risk refresh discovers reduced vulnerabilities or decreased CVSS scores or mitigated risks.
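
The severity bands and risk change alert rules described above, as an added Python example (not IoT Security's own code): it replays a constructed series of daily device scores and reports which refreshes would raise a risk change alert. The function names are hypothetical, and alerting a jump across several bands according to the new level is an assumption, since the page lists only adjacent transitions.

```python
from bisect import bisect_right

# Band floors from the severity table: <40 Low, 40-69 Medium, 70-89 High, 90-100 Critical.
BAND_FLOORS = [40, 70, 90]
BANDS = ["Low", "Medium", "High", "Critical"]

# Alert severity keyed by the NEW risk level.
# Medium is absent on purpose: Low -> Medium raises no alert.
ALERT_FOR_NEW_LEVEL = {"High": "Caution", "Critical": "Warning"}


def severity(score):
    """Map a 0-100 risk score to its severity band."""
    if not 0 <= score <= 100:
        raise ValueError(f"risk score out of range: {score}")
    return BANDS[bisect_right(BAND_FLOORS, score)]


def risk_change_alerts(daily_scores):
    """Return (day, old_level, new_level, alert_severity) for every daily
    refresh where an increase crosses into a band that raises an alert.

    daily_scores: list of (day_label, score) in chronological order.
    Assumption: a jump over several bands (for example Low -> High) is
    alerted according to the new level.
    """
    alerts = []
    prev_level = None
    for day, score in daily_scores:
        level = severity(score)
        if prev_level is not None:
            rose = BANDS.index(level) > BANDS.index(prev_level)
            # Decreases never alert, even when they cross a threshold.
            if rose and level in ALERT_FOR_NEW_LEVEL:
                alerts.append((day, prev_level, level, ALERT_FOR_NEW_LEVEL[level]))
        prev_level = level
    return alerts


# Constructed sample: one device's daily risk scores (not real export data).
SAMPLE = [("d1", 35), ("d2", 42), ("d3", 69), ("d4", 70),
          ("d5", 88), ("d6", 91), ("d7", 65), ("d8", 72)]

if __name__ == "__main__":
    for alert in risk_change_alerts(SAMPLE):
        print(alert)
```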

Resolve Risks

You can resolve vulnerabilities and security alerts through a workflow built into the IoT Security portal. Essentially, you resolve them by either mitigating or ignoring the vulnerability or alert. As a result, the device risk score might be lowered depending on other contributing factors such as the severity of the risk and the number and severity of other risks. Resolving a vulnerability or alert on a device might similarly affect its profile, site, and organization risk scores depending on how big of an impact the change makes in relation to the number and risk levels of other devices in the same group. For information about resolving vulnerabilities and security alerts, see Vulnerability Details Page and Act on Security Alerts.