
Lacework (LW) Risk Score

Overview

The Lacework (LW) Risk Score enables you to prioritize vulnerability remediation actions. The risk score generated by Lacework lets you isolate and sort vulnerabilities and assets based on risk factors specific to your environment. This helps you identify and fix high-risk as well as vulnerable assets.

The LW Risk Score feature provides the following:

  • Risk scores for vulnerable hosts, container images, and packages based on the number of vulnerabilities present.
  • Risk impact scores for discovered vulnerabilities (CVEs) based on risk factors (including number of hosts, container images, and packages affected by the vulnerability).
  • Capability to output a prioritized list of vulnerabilities to remediate/fix.

Lacework applies the proprietary LW Risk Score at the host, container image, package, and vulnerability (CVE) levels. Initial risk factors considered for the LW Risk Score are CVE/CVSS and the number of entities affected.

Prioritize Hosts, Container Images, and Packages

Manage vulnerabilities and prioritize hosts to patch and container images to upgrade based on actionable data such as number of vulnerabilities present, CVE severity, CVSS score, and more.

You can isolate and sort vulnerable hosts, images, and packages based on the LW Risk Score.

Lacework also provides the capability to output a prioritized list of vulnerable hosts, images, and packages to fix or update.

Prioritize Vulnerabilities (CVEs)

Manage vulnerabilities and prioritize CVEs to fix based on actionable data such as number of assets affected, vulnerability severity, level of exposure, and more.

Risk Factors

A high or low LW Risk Score is based on these factors:

  • Prevalence in the environment (number of assets affected)
  • Vulnerability (CVE) severity level
  • CVSS scores

Host scoring

The Host risk for a host is impacted by:

  • Number of vulnerabilities found on the host
    • CVE severity of each vulnerability
    • CVSS score of each vulnerability
  • Internet exposure of the host
  • Active exploits in the wild
  • Known exploits
  • Package status

Container Image scoring

The Image risk for a container image is impacted by:

  • Number of vulnerabilities found in the image
    • CVE severity of each vulnerability
    • CVSS score of each vulnerability
  • Internet exposure
  • Active exploits in the wild
  • Known exploits
  • Number of active containers

Secret Scoring

Secret risk ranges from Low to Critical. It is based directly on the severity of the attack path, which incorporates multiple factors, including the classification of the target asset and the severity of the vulnerabilities present on the path.

Resource Scoring

Resource risk ranges from Low to Critical. It considers the risk of all attack paths leading to the resource. This implicitly includes direct exposure, host risk, and container image risk.

Package scoring

The Package risk for a package is impacted by:

  • Number of vulnerabilities found in the package
    • CVE severity of each vulnerability
    • CVSS score of each vulnerability
  • Number of hosts or container images with the package installed
  • Number of hosts actively using the package

Vulnerability (CVE) scoring

The Vulnerability impact for a vulnerability (CVE) is impacted by:

  • Number of hosts or container images affected
  • Number of packages affected

When are Risk Scores Calculated?

Lacework runs daily calculations for Risk Scores at midnight (00:00) Pacific Time.

New integrations may show -/10 for LW Risk Scores until the next round of calculations is complete.

Time Ranges and Risk Scores

If you have selected a specific time range on the Container or Host Vulnerability pages, the LW Risk Scores displayed are the latest ones available in that time range.

For example:

  • Time range set between 4 June 9:00 AM PT and 11 June 9:00 AM PT.
  • For each assessment, the Risk Score calculated at 00:00 PT on 11 June is displayed.

Configure Risk Score Factors

PREVIEW FEATURE

This section describes functionality that is currently in preview.

Select which factors are taken into consideration when calculating the LW Risk Score by going to Settings > Configuration: Risk scores.

See Risk Scores (in Settings) for help in deciding what to enable or disable.

View LW Risk Scores

Group by Host

Select Group by Host when on the Host Vulnerabilities page (Vulnerabilities > Hosts) to view the Host Risk Score.

vuln-hosts-risk-score.png

Host Assessment Drawer

Click on a host in the list to view the Host Assessment drawer, which displays the host risk analysis.

console-host-risk-analysis.png

Group by Image ID

Select Group by Image ID when on the Container Vulnerabilities page (Vulnerabilities > Containers) to view the Image Risk Score.

Click an image to display the list of vulnerabilities and CVEs to prioritize for remediation.

vuln-containers-risk-score.png

Image Assessment Drawer

Click on an image in the list to view the Image Assessment drawer, which displays the image risk analysis.

console-image-risk-analysis.png

Group by Package Name

In the Group by drop-down, select Package Name to filter by packages and obtain the Package risk for each image.


This displays packages, each with its own Package Risk score.

vuln-package-risk-score.png

Similarly, you can group by Package Namespace to view the list of CVEs in each package namespace.

Group by CVE

Select Group by CVE in either Host or Container Vulnerabilities to view the Vulnerability impact for each CVE.

vuln-cve-risk-score.png

CVE Assessment Drawer

Click on a CVE in the list to view the CVE Assessment drawer, which displays the vulnerability impact analysis.

console-vulnerability-impact-analysis.png

Risk Score vs CVSS Score

Description
  • LW Risk Score: The LW Risk Score is a proprietary score that incorporates risk factors such as vulnerability prevalence in the environment, CVSS score, and CVE severity. It represents the asset risk or vulnerability impact from 1 - 10. You can use it to prioritize which vulnerabilities to remediate.
  • CVSS Score: The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. It represents the severity of a vulnerability from 1 - 10. You can use it to compare and remediate vulnerabilities.

How is it calculated?
  • LW Risk Score: Computes a score specific to your environment, accounting for potential impact and vulnerability severity levels.
  • CVSS Score: Independent of any specific environment.

How is it applied?
  • LW Risk Score: Applied specifically to the following entities/assets: images, hosts, packages, and vulnerabilities.
  • CVSS Score: Generic score that spans all vulnerabilities.

How is it updated?
  • LW Risk Score: Dynamically updated.
  • CVSS Score: Static.

What does it apply to?
  • LW Risk Score: Risk scores are computed per individual host, image, package, and vulnerability.
  • CVSS Score: Each vulnerability has its own score.

User Scenarios

Scenario: There is a high severity vulnerability that is not found in your environment.
Outcome: The CVSS score would be high, but your LW Risk Score will be low.
Reason: It does not directly impact your specific environment.

Scenario: There is a low severity vulnerability that has been detected on a large portion of your environment or on a public-facing system.
Outcome: The CVSS score would be low, but your LW Risk Score will be high.
Reason: A higher number of vulnerable assets may increase the probability of attack.
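The two scenarios above and the Risk Factors listed earlier, worked through as an added example. This is a constructed, hypothetical scoring model written for this page, not Lacework's proprietary LW Risk Score formula or its weights: it only combines the factors the page names (prevalence, CVE severity, CVSS, internet exposure, exploits) so you can see why an environment-specific score and an environment-independent CVSS score diverge. The CVE identifiers and the 10-host environment are constructed sample data.

```python
from dataclasses import dataclass

# Constructed, illustrative weights. This is NOT Lacework's proprietary LW Risk
# Score formula; it only combines the factors the page lists, to show why an
# environment-specific score diverges from the environment-independent CVSS score.
SEVERITY_WEIGHT = {"Critical": 1.0, "High": 0.8, "Medium": 0.5, "Low": 0.2}
W_PREVALENCE, W_EXPOSURE, W_SEVERITY, W_CVSS, W_EXPLOIT = 0.5, 0.25, 0.1, 0.05, 0.1

@dataclass
class Finding:
    cve: str
    severity: str                   # CVE severity label
    cvss: float                     # CVSS base score (0-10), same in every environment
    hosts: frozenset = frozenset()  # hosts in *this* environment where the CVE is present
    internet_exposed: bool = False  # at least one affected host is public-facing
    exploited: bool = False         # known exploit or active exploitation in the wild

def vulnerability_impact(f: Finding, total_hosts: int) -> float:
    """Hypothetical 1-10 impact score for one CVE, driven mostly by prevalence."""
    if total_hosts <= 0 or not f.hosts:
        return 1.0  # not present in this environment: floor score, nothing to fix
    raw = (W_PREVALENCE * len(f.hosts) / total_hosts
           + W_EXPOSURE * f.internet_exposed
           + W_SEVERITY * SEVERITY_WEIGHT.get(f.severity, 0.2)
           + W_CVSS * f.cvss / 10
           + W_EXPLOIT * f.exploited)
    return round(1 + 9 * min(raw, 1.0), 1)

def host_risk(host: str, findings: list, internet_exposed: bool = False) -> float:
    """Hypothetical 1-10 host score: number, severity and CVSS of CVEs on the host, plus exposure."""
    on_host = [f for f in findings if host in f.hosts]
    if not on_host:
        return 1.0
    burden = sum(SEVERITY_WEIGHT.get(f.severity, 0.2) * f.cvss / 10 for f in on_host)
    raw = 0.7 * min(burden / 3, 1.0) + 0.2 * internet_exposed + 0.1 * any(f.exploited for f in on_host)
    return round(1 + 9 * raw, 1)

def prioritize(findings: list, total_hosts: int) -> list:
    """Prioritized remediation list of (cve, impact, cvss), highest impact first."""
    scored = [(f.cve, vulnerability_impact(f, total_hosts), f.cvss) for f in findings]
    return sorted(scored, key=lambda t: t[1], reverse=True)

# Constructed sample environment of 10 hosts reproducing the page's two user scenarios.
TOTAL_HOSTS = 10
FINDINGS = [
    Finding("CVE-XXXX-0001", "Critical", 9.8),                                # severe, but absent here
    Finding("CVE-XXXX-0002", "Low", 3.1, frozenset(f"host{i}" for i in range(9)), internet_exposed=True),
    Finding("CVE-XXXX-0003", "High", 7.5, frozenset({"host0"})),
]
```

Running `prioritize(FINDINGS, TOTAL_HOSTS)` ranks the low-CVSS but widespread, public-facing CVE first and the critical-CVSS but absent CVE last, which is exactly the inversion the two scenarios describe.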