TruRisk Score Model

We now have two TruRisk score calculation models (TruRisk™ 1.0 and TruRisk™ 2.0) to cater to different applications: TruRisk™ 1.0 for existing VMDR-only users (no changes to the existing scoring) and TruRisk™ 2.0 for ETM users (new scoring methodology).

The existing TruRisk™ 1.0 calculation model is based on Qualys Detection (QID)—where a single QID could contain multiple CVEs.

The new TruRisk™ 2.0 calculation model is based on CVE, and the TruRisk score is calculated based on individual CVE.  This provides more granular risk assessments aligned with individual vulnerabilities.

Once you enable Enterprise TruRisk™ Management (ETM), you are upgraded to TruRisk™ 2.0, and it is applied automatically. No additional action is needed.

Refer to the following sections to get more insight into these TruRisk score calculation models.

Existing TruRisk™ 1.0 Score Model

Vulnerability risk assessment relies on QDS and Qualys IDs (QIDs). The TruRisk scoring model is QID-based, not CVE-based. The calculation of the TruRisk Score involves various parameters, such as Asset Criticality, Qualys Detection Score (QDS), and Qualys Vulnerability Score (QVS). This section explains how these parameters contribute to the TruRisk Score.

Asset Risk Score is renamed to TruRisk Score.

The TruRisk Score calculation also applies to the Qualys CSAM application.

Understanding Asset Criticality Score

The Asset Criticality Score (ACS) is calculated from the tags assigned to the asset, each of which carries a defined ACS. If multiple tags are assigned to the asset, the highest score is used as the asset's ACS.

For example, if you assign six tags to your asset, the tag with the highest value (between 1 and 5) is the contributing factor when calculating the TruRisk Score.

For more information about configuring tags, refer to Configure Tags.

Understanding the Qualys Vulnerability Score for CVEs

Qualys Vulnerability Score (QVS) is a Qualys-assigned score for a vulnerability based on multiple factors associated with the CVE, such as CVSS and external threat indicators like active exploitation, exploit code maturity, CISA known-exploited status, and many more. It is also computed for vulnerabilities that don't have Qualys vulnerability detection signatures (QIDs). For QIDs with no CVEs published by the NVD or Threat Intel providers (such as vulnerability misconfigurations), QVS is calculated from the Real-time Threat Indicators (RTIs) such as Zero-day, Active Attacks, Ransomware, and Wormable.

These QVS scores can be individually queried for insights from our dedicated API endpoint.

QVS is derived from the following factors:

  • Vulnerability technical details: This includes CVSS score, EPSS, CISA-KEVs.
  • Vulnerability temporal details: QVS also considers external threat intelligence details for a vulnerability and collects data like Exploit Code Maturity (ECM), malware, active threat actors, and whether a threat is trending. It accounts for any compensating/mitigation controls applied to an asset to reduce the risk score for a given vulnerability. For example, QDS will reduce the risk of a Remote Desktop Protocol (RDP) vulnerability if RDP is disabled.

Understanding the Qualys Detection Score

The Qualys Detection Score (QDS) is assigned to vulnerabilities that Qualys detected and assessed, at the level of each Qualys Vulnerability Detection Signature (QID). QDS takes the highest QVS (Qualys Vulnerability Score) of all the CVEs associated with that QID.

You can prioritize your vulnerabilities based on the QDS. QDS ranges from 1 to 100 and has four severity levels:

  • Critical: 90-100
  • High: 70-89
  • Medium: 40-69
  • Low: 1-39

We recommend prioritizing vulnerabilities with a TruRisk-QDS score of 70 or higher.

The following table lists the QDS range along with its description:

QDS Range | CVSS Category | Description
>=95      | Critical      | Exploited in the wild, has a weaponized exploit available, and is a trending risk on social media and the dark web.
90-95     | Critical      | Weaponized exploits are available, and there is evidence of exploitation by malware, threat actors, and ransomware groups.
80-89     | Critical      | Weaponized exploits are available, but there is no evidence of exploitation.
70-79     | High          | Weaponized exploits are available, but there is no evidence of exploitation.
60-69     | Critical      | No exploits are available.
50-60     | High          | A Proof of Concept (PoC) exploit is available.
40-50     | High          | No exploits are available.
30-39     | Medium        | A Proof of Concept (PoC) exploit is available.
1-30      | Low           | Low risk of exploitation.

If multiple CVEs contribute to a QID, the CVE with the highest score is considered for the QDS calculation.

Understanding TruRisk Score

TruRisk Score is the overall risk score assigned to the asset based on the following contributing factors:

  • Asset Criticality Score (ACS)
  • Qualys Detection Score (QDS) for each QID
  • Auto-assigned weighting factor (w) for each criticality level of QIDs

TruRisk Calculation Formula for Managed and Unmanaged Assets

Here are the TruRisk calculation formulas used to calculate the TruRisk score of managed and unmanaged assets. These formulas consider the average value of critical, high, medium, and low detections.

There is also another version of the TruRisk calculation formula for calculating the TruRisk score of managed and unmanaged assets. Instead of using average values of critical, high, medium, and low detections, this formula uses the maximum detection value and detection count across critical, high, medium, and low. This formula is not available by default; contact Qualys support if you want to enable it for your subscription.

Managed Asset

The TruRisk formula for managed assets includes the number of vulnerabilities; an asset with more vulnerabilities gets a higher score. The TruRisk formula for managed assets has the following features:

  • The weighing factor (w) is based on the severity of the vulnerability.
  • The maximum risk score is restricted to 1000.
  • The new formula lists the External Tags.
  • In the case of an external asset, the entire TruRisk Score value is multiplied by 1.2.

TruRisk Score = MIN( ACS * ( wc * Avg(QDSc) * np.power(Count(QDSc), 1/100)
                           + wh * Avg(QDSh) * np.power(Count(QDSh), 1/100)
                           + wm * Avg(QDSm) * np.power(Count(QDSm), 1/100)
                           + wl * Avg(QDSl) * np.power(Count(QDSl), 1/100) ), 1000 )

where:

  • ACS - Asset Criticality Score.
  • w - weighing factor for each severity level of QIDs [critical (c), high (h), medium (m), low (l)].
  • Avg(QDS) - average Qualys Detection Score for each severity level of QIDs.
  • Count(QDS) - number of QIDs at each severity level.
  • np.power - the exponent passed to np.power is the constant 1/100 (0.01), so each count contributes Count^0.01.

Externally Exposed Unmanaged Assets

TruRisk Score = MIN( (Asset exposure) * ACS * ( wc * Avg(QVSc) * np.power(Count(QVSc), 1/100)
                                              + wh * Avg(QVSh) * np.power(Count(QVSh), 1/100)
                                              + wm * Avg(QVSm) * np.power(Count(QVSm), 1/100)
                                              + wl * Avg(QVSl) * np.power(Count(QVSl), 1/100) ), 1000 )

where:

  • ACS - Asset Criticality Score.
  • w - weighing factor for each severity level of QIDs [critical (c), high (h), medium (m), low (l)].
  • Avg(QVS) - average Qualys Vulnerability Score for each severity level.
  • Count(QVS) - number of vulnerabilities at each severity level.
  • np.power - the exponent passed to np.power is the constant 1/100 (0.01), so each count contributes Count^0.01.
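As an added worked example (not Qualys code), the two TruRisk 1.0 formulas above in Python: pass QDS values for a managed asset or QVS values for an unmanaged one, and set external to apply the 1.2 exposure factor. The per-severity weights w are auto-assigned by Qualys and not published on this page, so the weights in the code are assumed placeholders.

```python
# Added example (not Qualys code): TruRisk 1.0 asset score as laid out above.
# Per-severity weights w are auto-assigned by Qualys and not published here,
# so the values below are ASSUMED placeholders; swap in your own.
# Scores are QDS values for a managed asset or QVS values for an unmanaged one.
ASSUMED_WEIGHTS = {"critical": 1.0, "high": 0.8, "medium": 0.5, "low": 0.2}
EXTERNAL_EXPOSURE = 1.2  # page: external assets are multiplied by 1.2


def severity(score: int) -> str:
    """Severity bins from the page: 90-100, 70-89, 40-69, 1-39."""
    if score >= 90:
        return "critical"
    if score >= 70:
        return "high"
    if score >= 40:
        return "medium"
    return "low"


def trurisk_v1(acs: int, scores, external: bool = False,
               weights=ASSUMED_WEIGHTS) -> float:
    """MIN(exposure * ACS * sum_s(w_s * Avg(S_s) * Count(S_s) ** (1/100)), 1000)."""
    if not 1 <= acs <= 5:
        raise ValueError("ACS must be between 1 and 5")
    bins = {sev: [] for sev in weights}
    for s in scores:
        if not 1 <= s <= 100:
            raise ValueError(f"score out of range: {s}")
        bins[severity(s)].append(s)
    total = 0.0
    for sev, vals in bins.items():
        if vals:  # an empty severity level has no average and contributes 0
            avg = sum(vals) / len(vals)
            total += weights[sev] * avg * len(vals) ** (1 / 100)
    exposure = EXTERNAL_EXPOSURE if external else 1.0
    return min(round(exposure * acs * total, 2), 1000.0)
```

Because the count enters only as Count^0.01, piling on more detections at one severity level barely moves the score; the average score and the ACS dominate.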

Click on the risk score for a particular asset to view the detailed calculation.

New TruRisk™ 2.0 Score Model

Enterprise TruRisk Management (ETM) integrates findings data from third-party sources. Third-party tools use Common Vulnerabilities and Exposures (CVEs), so CVEs serve as the common denominator for all findings, whether from Qualys or from third-party sources. In ETM, therefore, vulnerability risk assessment does not rely on Qualys IDs (QIDs), and the TruRisk scoring model transitions from a QID-based approach to a CVE-based one.

Understanding the Qualys Detection Score

The Qualys Detection Score (QDS) is assigned to vulnerabilities detected by Qualys or by third-party tools. You can prioritize your vulnerabilities based on the QDS. QDS ranges from 1 to 100 and has four severity levels:

  • Critical: 90-100
  • High: 70-89
  • Medium: 40-69
  • Low: 1-39

QDS is derived from the following factors:

  • Vulnerability technical details: This includes CVSS score, EPSS, and CISA KEVs.
  • Vulnerability temporal details: Along with the CVSS score, QDS is also derived from other factors such as external threat intelligence for a vulnerability, collecting data like Exploit Code Maturity (ECM), malware, active threat actors, and whether a threat is trending. It accounts for any compensating/mitigation controls applied to an asset to reduce the risk score for a given vulnerability. For example, QDS will reduce the risk of a Remote Desktop Protocol (RDP) vulnerability if RDP is disabled.

We recommend prioritizing vulnerabilities with a TruRisk-QDS score of 70 or higher.

The following table lists the QDS range along with its description:

QDS Range | CVSS Category | Description
>=95      | Critical      | Exploited in the wild, has a weaponized exploit available, and is a trending risk on social media and the dark web.
90-95     | Critical      | Weaponized exploits are available, and there is evidence of exploitation by malware, threat actors, and ransomware groups.
80-89     | Critical      | Weaponized exploits are available, but there is no evidence of exploitation.
70-79     | High          | Weaponized exploits are available, but there is no evidence of exploitation.
60-69     | Critical      | No exploits are available.
50-60     | High          | A Proof of Concept (PoC) exploit is available.
40-50     | High          | No exploits are available.
30-39     | Medium        | A Proof of Concept (PoC) exploit is available.
1-30      | Low           | Low risk of exploitation.

Understanding TruRisk Score

TruRisk Score is the overall risk score assigned to the asset based on the following contributing factors:

  • Asset Criticality Score (ACS)
  • Qualys Detection Score (QDS) for each CVE.

TruRisk Formula

Here is the TruRisk calculation formula used to calculate the TruRisk score of managed and unmanaged assets.

ARS = [ACS * External] * [MaxDetectionScore * g(MaxDetectionScore)]
      + numCriticalDetections * WtCrit
      + numHighDetections * WtHigh
      + min(numMediumDetections, 2000) * WtMed
      + min(numLowDetections, 2000) * WtLow

Final ARS = MIN(ARS, 1000)

where:

  • ACS - Asset Criticality Score.
  • External - exposure factor; if the asset is external (Internet facing), the score gets 20% higher weight.
  • MaxDetectionScore - highest Detection Score among all detections (range 1-100).
  • g(MaxDetectionScore) - to prioritize among detections, a g value is applied: 1.3 if there are Critical detections, 1.2 if there are High detections, and 1 if there are only Medium and Low detections.
  • numCriticalDetections - number of Critical detections (Detection Score greater than 89).
  • numHighDetections - number of High detections (Detection Score between 70 and 89).
  • numMediumDetections - number of Medium detections (Detection Score between 40 and 69).
  • numLowDetections - number of Low detections (Detection Score less than 40).
  • The Medium and Low counts are capped at 2000 to prevent the score from growing very high.
  • WtCrit, WtHigh, WtMed, WtLow - contributions from each criticality bin; the current weights are 0.80, 0.15, 0.03, and 0.02, respectively.
  • The final ARS score is capped at 1000.
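As an added worked example (not Qualys code), the TruRisk 2.0 formula above in Python. The weights, g values, the 20% external uplift, the 2000 count cap and the 1000 ceiling are taken from this page; the function names, the input shape (a list of per-CVE detection scores) and the choice to return 0 for an asset with no detections are assumptions of this example.

```python
# Added example (not Qualys code): TruRisk 2.0 (ETM) asset score as described above.
# Weights, g values, the 1.2 external factor and the 2000 cap come from the page;
# function names, inputs and the empty-asset behaviour are this example's assumptions.
WT_CRIT, WT_HIGH, WT_MED, WT_LOW = 0.80, 0.15, 0.03, 0.02
COUNT_CAP = 2000  # Medium/Low counts are capped so volume alone cannot run the score up


def g_value(detections) -> float:
    """Priority multiplier: 1.3 if any Critical (>89), 1.2 if any High (70-89), else 1."""
    if any(d > 89 for d in detections):
        return 1.3
    if any(70 <= d <= 89 for d in detections):
        return 1.2
    return 1.0


def trurisk_v2(acs: int, detections, internet_facing: bool = False) -> float:
    """Per-CVE detection scores (1-100) -> Final ARS = MIN(ARS, 1000)."""
    if not 1 <= acs <= 5:
        raise ValueError("ACS must be between 1 and 5")
    if not detections:
        return 0.0  # assumption: no findings means no risk contribution
    for d in detections:
        if not 1 <= d <= 100:
            raise ValueError(f"detection score out of range: {d}")
    external = 1.2 if internet_facing else 1.0  # 20% uplift for Internet-facing assets
    max_score = max(detections)
    n_crit = sum(1 for d in detections if d > 89)
    n_high = sum(1 for d in detections if 70 <= d <= 89)
    n_med = sum(1 for d in detections if 40 <= d <= 69)
    n_low = sum(1 for d in detections if d < 40)
    ars = (acs * external) * (max_score * g_value(detections))
    ars += n_crit * WT_CRIT + n_high * WT_HIGH
    ars += min(n_med, COUNT_CAP) * WT_MED + min(n_low, COUNT_CAP) * WT_LOW
    return min(round(ars, 2), 1000.0)
```

Note how the single worst detection drives almost the whole score (ACS * External * MaxDetectionScore * g), while the per-bin counts add only fractions of a point each; remediating the top-scoring CVE is what moves an asset's ARS.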

Related Topics