Microsoft Defender for Cloud provides vulnerability assessments for both virtual machines (servers) and container images, identifying vulnerabilities as Common Vulnerabilities and Exposures (CVEs). The risk posed by each CVE is assessed using the Common Vulnerability Scoring System (CVSS), which provides a standardized numerical score from 0.0 to 10.0, translated into severity ratings such as Low, Medium, High, or Critical. While Microsoft Defender for Cloud provides a robust risk level assessment for each resource, there is an opportunity to enhance this by integrating additional factors such as the exploitability of each CVE, the time since it was made public, and whether the CVE is a zero-day vulnerability. Additionally, resources themselves have contextual elements, such as the number of attack paths, which can significantly affect their overall risk. The Power BI solution builds on Defender for Cloud's capabilities by integrating these multiple factors, providing a more comprehensive risk score for each resource and improving the prioritization of vulnerabilities that require urgent remediation. This combined approach allows users to generate a more accurate top-down list of resources needing attention.
This model is based on a deterministic approach, meaning that the conditions and assumptions used to calculate the final Risk Score rely on finite values defined and fixed by the consumer of the report. While it is not an exact science, it provides more depth for understanding how to rank the resources. The end user is free to change the fixed values (weights) as needed, allowing the model to be adapted to specific needs.
Download the report file here – aka.ms/pbiSrvCntRisk
Key Factors in Risk Correlation for Servers and Containers
In the Power BI solution, a scoring model was developed to correlate the CVE severity, exploit information, and the contextual risk level of each resource to produce a risk score. This helps generate a prioritized list of which servers or container images should be remediated first. Here’s how the model achieves this:
- CVE Severity (CVSS Score Weight)
  Each CVE is assigned a score based on its severity:
  - Critical: 40 points
  - High: 30 points
  - Medium: 20 points
  - Low: 10 points
- Exploit Information (Exploitability Weight)
  If a CVE has characteristics that make it more likely to be exploited, additional points are added:
  - Remote Exploit: +10 points
  - Exploit Kit Exists: +15 points
  - Exploit Kit Verified: +20 points
  - Public Exploit Available: +25 points
- Contextual Resource Risk Level
  The risk level of each resource is calculated based on several factors from Defender for Cloud, such as exposure to the internet and the presence of sensitive data:
  - Critical Resource: +40 points
  - High Risk: +30 points
  - Medium Risk: +20 points
  - Low Risk: +10 points
- Attack Path Weight (Server Exposure)
  For servers, the number of attack vectors is also included:
  - 6 or more vectors: +30 points
  - 3 to 5 vectors: +20 points
  - 1 to 2 vectors: +10 points
- Age of Vulnerabilities (CVE Age)
  The age of a CVE (time since it was made public) plays a significant role in prioritization. Older CVEs are considered riskier if they remain unpatched, as attackers have had more time to develop exploits. The TotalVulnerabilityScore is adjusted by a multiplier based on the CVE's age:
  - Less than 30 days: 1.1 multiplier
  - 30 to 180 days: 1.3 multiplier
  - More than 180 days: 1.5 multiplier
Handling Multiple CVEs and Risk Prioritization
Servers and container images often have multiple CVEs, sometimes hundreds, which significantly impacts the risk score calculation and prioritization. Here’s how the scoring model adapts to this situation:
- Aggregate CVE Scores: The scores of all CVEs for each resource are aggregated to derive a comprehensive risk score. This helps emphasize resources with a larger number of vulnerabilities.
- Logarithmic Scaling for Excessive CVEs: A logarithmic scaling factor is introduced to avoid disproportionately high scores for resources with a large number of CVEs. For instance, the logarithmic function (e.g., log10) scales the score growth to keep it manageable while still reflecting the increased risk.
Dynamic Classification Using Percentiles
To make the CombinedRiskScore more comprehensible, the scores are dynamically classified into risk levels using percentile-based thresholds:
- Critical Risk: Top 25% of scores.
- High Risk: Between 50th and 75th percentiles.
- Medium Risk: Between 25th and 50th percentiles.
- Low Risk: Bottom 25%.
Scaling for Usability
To make the CombinedRiskScore user-friendly and easier to interpret, a percentile-based approach was used for categorization. The scores are also scaled down (e.g., divided by 1000) to avoid presenting overly large numbers to end users, making the information more digestible.
Visualization in Power BI
The Power BI dashboard allows users to easily view and prioritize remediation efforts across servers and container images. Here’s how the scoring model is visualized:
- Risk Levels by Category: Each server and container image is categorized into a risk level (Critical, High, Medium, or Low) based on its aggregated risk score. This classification is dynamic: the percentile thresholds adjust to the data set, so the categories remain meaningful as new vulnerabilities are discovered.
- Conditional Formatting and Interactive Filtering: Conditional formatting is applied to highlight critical resources, and slicers are added to allow users to filter by Entra ID, Subscriptions, and Cloud Environment (for Servers) and Registry Repositories (for Containers).
- Score Rank for Risk: The numeric rank of each resource's risk score is displayed to provide the top-down context on how it compares to others, allowing for a relative understanding of each server or container's risk level.
Example of Combined Risk Score Calculation
For a given server:
- CVE Severity: High (30 points)
- Exploit Information: Remote Exploit (10 points) + Exploit Kit Exists (15 points) + Public Exploit (25 points)
- Resource Risk Level: High Risk (30 points)
- Attack Path Weight: 4 attack vectors (20 points)
- CVE Age: More than 180 days (1.5 multiplier)
Total Score: (30 (CVE Severity) + 10 (Remote Exploit) + 15 (Exploit Kit) + 25 (Public Exploit) + 30 (Resource Risk) + 20 (Attack Path)) * 1.5 (CVE Age multiplier) = 195 points
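The scoring model above, carried through end to end as an added Python example (not the report's own DAX or Power BI logic): the per-CVE weights and age multipliers are the page's fixed values and reproduce the 195-point server example, while the aggregation rule (mean per-CVE score scaled by 1 + log10 of the CVE count), the inclusive percentile method and the sample fleet are my assumptions.

```python
import math
import statistics

# Fixed weights from the report; the consumer of the report may tune them.
SEVERITY = {"Critical": 40, "High": 30, "Medium": 20, "Low": 10}
EXPLOIT = {"remote": 10, "kit_exists": 15, "kit_verified": 20, "public": 25}
RESOURCE_RISK = {"Critical": 40, "High": 30, "Medium": 20, "Low": 10}


def attack_path_weight(vectors: int) -> int:
    """Server exposure weight by attack path count (0 for container images)."""
    if vectors >= 6:
        return 30
    if vectors >= 3:
        return 20
    return 10 if vectors >= 1 else 0


def age_multiplier(days: int) -> float:
    """Older unpatched CVEs weigh more: 1.1 (<30 d), 1.3 (30-180 d), 1.5 (>180 d)."""
    if days < 30:
        return 1.1
    return 1.3 if days <= 180 else 1.5


def cve_score(severity, exploit_flags, resource_risk, vectors, age_days):
    """TotalVulnerabilityScore for one CVE on one resource."""
    base = (SEVERITY[severity] + sum(EXPLOIT[f] for f in exploit_flags)
            + RESOURCE_RISK[resource_risk] + attack_path_weight(vectors))
    return base * age_multiplier(age_days)


def combined_score(cves, resource_risk, vectors):
    """CombinedRiskScore for a resource. Assumption (not stated on the page):
    mean per-CVE score * (1 + log10(n)), so 100 CVEs triple the score
    instead of multiplying it by 100."""
    scores = [cve_score(s, f, resource_risk, vectors, a) for s, f, a in cves]
    return statistics.fmean(scores) * (1 + math.log10(len(scores)))


def classify(scores):
    """Percentile buckets: top 25% Critical, 50-75 High, 25-50 Medium, rest Low."""
    q1, q2, q3 = statistics.quantiles(scores.values(), n=4, method="inclusive")
    levels = [(q3, "Critical"), (q2, "High"), (q1, "Medium")]
    return {name: next((lvl for cut, lvl in levels if s >= cut), "Low")
            for name, s in scores.items()}


# Constructed sample fleet: ([(severity, exploit flags, age days)], risk, vectors)
FLEET = {
    "srv-web-01": ([("High", ["remote", "kit_exists", "public"], 200)], "High", 4),
    "img-api:1.4": ([("Medium", [], 400)] * 120, "Medium", 0),
    "srv-db-02": ([("Critical", ["kit_verified"], 10)], "Critical", 7),
    "img-batch:2.0": ([("Low", [], 45)], "Low", 0),
}
```

Running `classify({n: combined_score(*r) for n, r in FLEET.items()})` shows the log damping at work: 120 medium, unexploited CVEs on img-api:1.4 score just below the single weaponized High CVE on srv-web-01.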
Conclusion
This Power BI solution, built for server and container risk score analysis, leverages both standardized vulnerability scoring and contextual risk factors to provide a holistic view of risk across cloud resources. By integrating CVE severity, exploitability, resource risk context, and CVE age, security teams can effectively prioritize their remediation efforts and focus on the most critical vulnerabilities first.
The combination of detailed numerical risk scores, percentile rankings, and user-friendly categorizations ensures that the information presented is both actionable and comprehensible, empowering security teams to enhance their cloud security posture efficiently.
Microsoft Defender for Cloud Additional Resources
- Download the new Microsoft CNAPP eBook at aka.ms/MSCNAPP
- Become a Defender for Cloud Ninja by taking the assessment at aka.ms/MDCNinja
Reviewers
Yuri Diogenes, Principal PM Manager, CxE Defender for Cloud