Lacework (LW) Risk Score

Overview

The Lacework (LW) Risk Score enables you to prioritize vulnerability remediation actions. The risk score generated by Lacework lets you isolate and sort vulnerabilities and assets based on risk factors specific to your environment. This helps you identify and fix high-risk as well as vulnerable assets.

The LW Risk Score feature provides the following:

  • Risk scores for vulnerable hosts, container images, and packages based on the number of vulnerabilities present.
  • Risk impact scores for discovered vulnerabilities (CVEs) based on risk factors (including number of hosts, container images, and packages affected by the vulnerability).
  • Capability to output a prioritized list of vulnerabilities to remediate/fix.

Lacework applies the proprietary LW Risk Score at the host, container image, package, and vulnerability (CVE) levels. Initial risk factors considered for the LW Risk Score are CVE/CVSS and the number of entities affected.

Prioritize Hosts, Container Images, and Packages

Manage vulnerabilities and prioritize hosts to patch and container images to upgrade based on actionable data such as number of vulnerabilities present, CVE severity, CVSS score, and more.

You can isolate and sort vulnerable hosts, images, and packages based on the LW Risk Score.

Lacework also provides the capability to output a prioritized list of vulnerable hosts, images, and packages to fix or update.

Prioritize Vulnerabilities (CVEs)

Manage vulnerabilities and prioritize CVEs to fix based on actionable data such as number of assets affected, vulnerability severity, level of exposure, and more.

Risk Factors

A high or low LW Risk Score is based on these factors:

  • Prevalence in the environment (number of assets affected)
  • Vulnerability and scoring information from sources, including CVE, CVSS, and others

Host Scoring

The risk score for a host is determined by:

  • Number of vulnerabilities found on the host.
  • Vulnerability and scoring information from sources, including CVE, CVSS, and others.
  • Internet exposure of the host.
  • Known existence of exploits.
  • Active exploits in the wild.
  • Package status.

The calculation follows this process:

  1. For each unique vulnerability on the host, Lacework determines a probability of successful exploit, taking into account whether the vulnerability is in an actively executing package.
  2. Lacework combines the per-vulnerability probabilities into the probability that at least one exploit attempt succeeds; this is the overall probability of compromise for the host.
  3. The probability of host compromise is potentially reduced depending on the host's internet exposure.
  4. Lacework multiplies the final probability by 10 to produce the host risk score.

Container Image Scoring

The risk score for a container image is determined by:

  • Number of vulnerabilities found in the image.
  • Vulnerability and scoring information from sources, including CVE, CVSS, and others.
  • Internet exposure of image containers.
  • Active exploits in the wild.
  • Number of active containers.
  • Active package status.

The calculation follows this process:

  1. For each unique vulnerability in the container image, Lacework determines a probability of successful exploit, taking into account whether the vulnerability is in an actively executing package (if this feature is enabled).
  2. Lacework combines the per-vulnerability probabilities into the probability that at least one exploit attempt succeeds; this is the overall probability of compromise for the image.
  3. The probability of image compromise is potentially reduced depending on the internet exposure and active status of the containers based on that image.
  4. Lacework multiplies the final probability by 10 to produce the image risk score.
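The four steps above are the same for hosts and for container images, apart from the extra "active containers" reduction in step 3 for images. The following Python model is an added illustration, not Lacework's code: the page does not publish the per-factor weightings, so the mapping from CVSS to an exploit probability, the discount for a package that is not executing, the uplift for a known exploit, and the reductions for internet exposure and for images with no running containers are all assumed values chosen to keep the arithmetic easy to follow. The asset names and CVE-EXAMPLE identifiers are constructed sample data.

```python
"""Worked model of the four-step host and container image risk calculation.

Added illustration, not Lacework's code. Lacework does not publish the
per-factor weightings, so every numeric factor below (CVSS to exploit
probability, the active-package discount, the exploit-known uplift, the
internet-exposure and active-container reductions) is an assumption.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Vuln:
    cve: str              # constructed identifier, not a real CVE
    cvss: float           # CVSS base score, 0.0 - 10.0
    active_package: bool  # vulnerable package is actively executing
    exploit_known: bool   # a known exploit exists for the vulnerability


@dataclass(frozen=True)
class Asset:
    name: str
    vulns: Tuple[Vuln, ...]
    internet_exposed: bool
    active_instances: int = 1  # running containers for an image; 1 for a host


def exploit_probability(v: Vuln) -> float:
    """Step 1: probability that an exploit attempt against one vulnerability succeeds.

    Assumed model: start from CVSS/10, quarter it when the package is not
    executing, raise it by 25% when a known exploit exists, cap at 1.0.
    """
    p = v.cvss / 10.0
    if not v.active_package:
        p *= 0.25
    if v.exploit_known:
        p *= 1.25
    return min(p, 1.0)


def probability_of_compromise(vulns: Iterable[Vuln]) -> float:
    """Step 2: probability that at least one exploit attempt succeeds.

    Treating attempts as independent, P(at least one) = 1 - prod(1 - p_i),
    so the combined probability grows with the number of vulnerabilities
    but never exceeds 1.0.
    """
    p_all_fail = 1.0
    for v in vulns:
        p_all_fail *= 1.0 - exploit_probability(v)
    return 1.0 - p_all_fail


def apply_exposure(p: float, internet_exposed: bool, active_instances: int = 1) -> float:
    """Step 3: reduce the probability for assets that are harder to reach.

    Assumed factors: halve it when the asset is not internet exposed, and
    scale it down again when an image has no running containers.
    """
    if not internet_exposed:
        p *= 0.5
    if active_instances == 0:
        p *= 0.1
    return p


def risk_score(asset: Asset) -> float:
    """Step 4: multiply the final probability by 10 to get a 0 - 10 score."""
    p = probability_of_compromise(asset.vulns)
    p = apply_exposure(p, asset.internet_exposed, asset.active_instances)
    return p * 10.0


def prioritize(assets: Iterable[Asset]) -> List[Tuple[str, float]]:
    """Return (name, score) pairs, highest risk first: the remediation order."""
    scored = [(a.name, risk_score(a)) for a in assets]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample data: the same three vulnerabilities on a public web
# host, an internal batch host, and an image with no running containers.
SAMPLE_VULNS = (
    Vuln("CVE-EXAMPLE-0001", cvss=8.0, active_package=True, exploit_known=False),
    Vuln("CVE-EXAMPLE-0002", cvss=6.0, active_package=False, exploit_known=False),
    Vuln("CVE-EXAMPLE-0003", cvss=4.0, active_package=True, exploit_known=True),
)
SAMPLE_ASSETS = (
    Asset("web-01", SAMPLE_VULNS, internet_exposed=True),
    Asset("batch-07", SAMPLE_VULNS, internet_exposed=False),
    Asset("img-legacy", SAMPLE_VULNS, internet_exposed=False, active_instances=0),
)

if __name__ == "__main__":
    for name, score in prioritize(SAMPLE_ASSETS):
        print(f"{name:12s} {score:5.2f}/10")
```

With identical vulnerabilities, the three assets score 9.15, 4.575 and 0.4575 under the assumed factors, which is the point of the model: step 2 rewards fixing any single vulnerability on a host (each removed term raises the product of failure probabilities), while step 3 is what separates an internet-facing host from an internal one or from an image nobody is running.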

Package Scoring

The risk score for a package is determined by:

  • Number of vulnerabilities found in the package.
    • CVE severity of each vulnerability.
    • CVSS score of each vulnerability.
  • Number of hosts or container images with the package installed.
  • Number of hosts actively using the package.

Vulnerability (CVE) Scoring

The vulnerability impact score for a vulnerability (CVE) is determined by:

  • Number of hosts or container images affected.
  • Number of packages affected.

When are Risk Scores Calculated?

Lacework runs daily calculations for risk scores at midnight (00:00) Pacific Time.

New integrations may show -/10 for LW Risk Scores until the next round of calculations is complete.

Time Ranges and Risk Scores

If you have selected a specific time range on the Container or Host Vulnerability pages, the LW Risk Scores displayed are the latest ones available in that time range.

For example:

  • Time range set from 4th June 9:00am PT to 11th June 9:00am PT.
  • For each assessment, the risk score calculated at 00:00 PT on 11th June is displayed.

Configure Risk Score Factors

PREVIEW FEATURE

This section describes functionality that is currently in preview.

Select which factors are taken into consideration when calculating the LW Risk Score by going to Settings > Configuration: Risk scores.

Use the toggles to enable or disable the risk score factors listed in the following sections:

Note: For details about how each risk factor is weighted, contact Lacework.

CVE Severity

Whether to include the CVSS v2 or CVSS v3 severity of a vulnerability in the risk score calculation.

Internet exposure of hosts/containers

Note: Only applicable to AWS and Google Cloud infrastructures and to customers with Attack Path Analysis enabled.

Whether to include the internet exposure probability of a host or container in the risk score calculation.

Active exploits in the wild

Whether to include the active exploit factor for a vulnerability in the risk score calculation. There are separate weightings for known exploit attempts and no known exploit attempts.

Known exploit availability

Whether to include the known exploit factor for a vulnerability in the risk score calculation. There are separate weightings for different classifications of exploits.

Package status

Note: Only applicable to hosts and containers with Active Package Detection enabled.

Whether to include active package detection in the risk score calculation.

See Package Status for a definition of each status type.

View LW Risk Scores

Group by Host

Select Group by Host when in the Host Vulnerabilities page (Vulnerabilities > Hosts) to view the host risk score.

Host Assessment Drawer

Click a host in the list to view the Host Assessment drawer, which displays the host risk analysis.

Group by Image ID

Select Group by Image ID when in the Container Vulnerabilities page (Vulnerabilities > Containers) to view the image risk score.

Click an image to display the list of vulnerabilities and CVEs to prioritize for remediation.

Image Assessment Drawer

Click an image in the list to view the Image Assessment drawer, which displays the image risk analysis.

Group by Package Name

In the Group by drop-down, select Package Name to filter by packages and obtain the package risk for each image.

This displays packages, each with its own package risk score.

Similarly, you can group by Package Namespace to view the list of CVEs in each package namespace.

Group by CVE

Select Group by CVE in either Host or Container Vulnerabilities to view the vulnerability impact for each CVE.

CVE Assessment Drawer

Click a CVE in the list to view the CVE Assessment drawer, which displays the vulnerability impact analysis.

Risk Score vs CVSS Score

Description
  LW Risk Score: A proprietary score that incorporates risk factors such as vulnerability prevalence in the environment, CVSS score, and CVE severity. It represents the asset risk or vulnerability impact from 1 - 10. You can use it to prioritize which vulnerabilities to remediate.
  CVSS Score: The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. It represents the severity of a vulnerability from 1 - 10. You can use it to compare and remediate vulnerabilities.

How is it calculated?
  LW Risk Score: Computed specifically for your environment, accounting for potential impact and vulnerability severity levels.
  CVSS Score: Independent of any specific environment.

How is it applied?
  LW Risk Score: Applied specifically to the following entities/assets: images, hosts, packages, and vulnerabilities.
  CVSS Score: Generic score that spans all vulnerabilities.

How is it updated?
  LW Risk Score: Dynamically updated.
  CVSS Score: Static.

What does it apply to?
  LW Risk Score: Risk scores are computed per individual host, image, package, and vulnerability.
  CVSS Score: Each vulnerability has its own score.

User Scenarios

Scenario: There is a high severity vulnerability that is not found in your environment.
Outcome: The CVSS score would be high, but your LW Risk Score will be low.
Reason: It does not directly impact your specific environment.

Scenario: There is a low severity vulnerability that has been detected on a large portion of your environment or on a public-facing system.
Outcome: The CVSS score would be low, but your LW Risk Score will be high.
Reason: A higher number of vulnerable assets may increase the probability of attack.