Risk Score
Page Layout
The RiskScore page uses the common facet-workspace layout used throughout Fluency. This page can display a list of RiskScore records or present a single record selected by a search. The default behavior of the page is to show a list and provide navigation. However, when a user navigates to the page by clicking on a notification, a search is performed to match that notification by the source network address and the network time of the event.
Fluency RiskScore is a scoring process that prioritizes events based on the supporting facts and statistics. It mimics the human process of looking for supporting information to determine which events are most likely to be correct in detecting unwanted activity.
RiskScore performs set theory on each event as it enters the system. It groups these sets in a hierarchy: a communication source, with subsets of destination couplings. Scoring in a coupling gives stronger weight to unique information and information related to the malicious activity. This means RiskScore gives priority to groups of events, not a single event. Groups with malicious activity that show supporting anomalies are then prioritized.
The result is that alerts that demonstrate supporting issues are prioritized to the top for further validation and automated response. The RiskScore system is a must, as the amount of information being collected is staggering. Due to how Internet communications work, even small customers generate millions of events.
Using RiskScore
Each RiskScore card contains a significant amount of data:
- RiskScore confidence number
- Major Vector Chart
- Scores by Flows
- Alerts
- URLs
- Vectors
From the RiskScore card the user can navigate to flows, summaries and events. The RiskScore card is an important part of the response process.
What Does the RiskScore Mean?
Fluency uses a patented approach to scoring risk. The RiskScore is based on the number of unique alerts and alert sources that a correlated event has. Every infrastructure is different, so the range of scores varies from customer to customer. In general, after a week of use, levels of confidence appear for each system.
To make an analogy, it is like shooting an arrow. While shooting each arrow requires the same basic motion, the path of the arrow changes based on the environment, distance and height of the target. After each shot, we review where the arrow lands and make adjustments until we have adapted to the situation. Just like this analogy, when the environment changes, such as the addition of new security controls, the number ranges need to be re-evaluated.
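The idea of scoring a group by its unique alerts and alert sources, within a source and its destination couplings, can be sketched as follows. This is an added illustration, not Fluency's patented algorithm or code: the event fields, the alert-source names, the sample data and the tags-times-sources weighting are all assumptions.

```python
from collections import defaultdict

# Constructed sample events: (source IP, destination, alert source, risk tag).
# Tags come from the Common Risks table; everything else is made up.
EVENTS = [
    ("10.0.0.5", "new-domain.example", "alexa", "Reputation Site Unknown"),
    ("10.0.0.5", "new-domain.example", "ml", "ML New Domain"),
    ("10.0.0.5", "new-domain.example", "metaflow", "Metaflow File Download"),
    ("10.0.0.5", "new-domain.example", "virustotal", "VT File Hit"),
    ("10.0.0.5", "cdn.example", "snort", "Alert Normal"),
] + [("10.0.0.9", "ads.example", "snort", "Alert Snort Policy")] * 200


def build_couplings(events):
    """Group events as source -> destination coupling -> unique tags and alert sources."""
    tree = defaultdict(
        lambda: defaultdict(lambda: {"tags": set(), "sources": set(), "events": 0})
    )
    for src, dst, alert_source, tag in events:
        coupling = tree[src][dst]
        coupling["tags"].add(tag)              # sets keep only unique values
        coupling["sources"].add(alert_source)
        coupling["events"] += 1
    return tree


def coupling_score(coupling):
    """Assumed weighting: unique tags times unique alert sources; repeats add nothing."""
    return len(coupling["tags"]) * len(coupling["sources"])


def rank_sources(events):
    """Return [(source, total score, per-destination scores)], highest score first."""
    ranked = []
    for src, couplings in build_couplings(events).items():
        per_dst = {dst: coupling_score(c) for dst, c in couplings.items()}
        ranked.append((src, sum(per_dst.values()), per_dst))
    return sorted(ranked, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for src, score, per_dst in rank_sources(EVENTS):
        print(src, score, per_dst)
```

The source with four different tags from four alert sources on one coupling ranks above the source that repeats a single policy alert 200 times.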
Examining the Event
The presented flows are sorted by confidence (risk score).
Common actions are to:
- Pin the page so that clicks will open up new pages and let us do further searches without losing our place.
- Examine the content of interesting flows by clicking the chevron to see all their details.
- Select the hostname or destination IP address to examine the flows.
Risk Vectors
Risk Vectors are a detection category. The scoring system focuses on issues that have multiple vectors. The vectors appear in two places:
- On the top of the card, they are the red colored boxes that highlight that this type of risk is present in the fused record.
- When you click a flow, vectors appear as red-bordered tags with red lettering.
In the example above, the top boxes show that there are domain risks, signature alerts and location alerts. In the first connection group, their reputation tags highlight which of the card alerts apply to this connection (site with no reputation, machine learned attribute: new domain, and the geographic alert).
Note that there is a "more" chevron above the alerts, URLs and risks. This occurs when there is more data to view. In the case of the risks, there is a file download, virus total domain, snort Trojan, and snort policy.
Common Risks
The vectors on the top of the card are general, while those in the connection list are detailed. The risk vectors that show are dependent on the sources of logs and 3rd party systems available.
Common risk tags are:
Risk Tag | Reason |
---|---|
Reputation Site Unknown | Amazon’s Alexa ranking tells how popular a site is. A site not listed in the top 10 million is considered not to have a reputation. This is an anomaly, and malicious sites often are not listed. |
ML New Domain | Risks that start with ML mean that they are machine learned. This is computed by looking at the last 30 days of data. Like Alexa, this highlights host anomalies |
Metaflow Suspicious GEO | This is an alert from the metaflow engine and highlights international connections that are not common for the domain. |
Metaflow File Download | This means that a file was downloaded. If this file is known to be malicious by Virus Total, another vector will highlight that. |
VT Domain Hit | The domain is listed as having been involved with malicious activity recently. |
VT File Hit | A file is listed as being malicious by Virus Total |
ML New Alert | Machine Learned activity: an alert has been triggered that has never triggered before. |
Alert High Confidence | This alert is considered very accurate, and requires a review regardless of other vectors. |
Alert Snort Trojan | An IDS alert was triggered that is related to Trojan or command & control activity. |
Alert Normal | This is an alert that was not given a category. |
Alert Snort Policy | There is an alert that is not about an attack, but is related to something that is normally not a good policy to allow. |
Block FW | Firewall rule triggered a block |
VT Positive | Virus Total triggered with at least one hit on a file that was seen. |
VT Malicious | A majority of virus vendors have a signature to alert on this file. |
Alert DNS | A DNS Filter triggered to prevent communication |