For a while now we have been getting feedback that it would be tremendously helpful for consumers to be able to filter on the severity of the actual events shared, especially where consumers have to deal with a lot of data across more than 100 report types. In some cases the severity is easy to determine; in others it is hard to decide how to rank anything from an infection to a particular exposed service or vulnerability.
To make it easier for organizations to consume and prioritize on our daily reports we are therefore introducing report and event severity levels. This will make it possible to filter all our daily reporting based on the severity of the actual event being reported.
For some reports, the severity level for each event will be the same. For other reports, it will vary based on the contents of that event.
The following severity levels will be introduced:
- Critical (Highly critical vulnerabilities that are being actively exploited, where failure to remediate poses a very high likelihood of compromise. For example, a pre-auth RCE, or modification or leakage of sensitive data)
- High (End-of-life systems, authenticated services that are meant to be internal but are exposed (SMB, RDP), and cases where some data can be leaked. Sinkhole events end up in this category)
- Medium (Risk that does not pose an immediate threat to the system but can over time escalate to a higher severity. For example, risk of participating in DDoS, unencrypted services requiring login, vulnerabilities requiring MITM to exploit, or issues where an attacker would need knowledge of internal systems/infrastructure in order to exploit them)
- Low (Deviation from best practice – little to no practical way to exploit, but setup is not ideal)
- Info (Informational only. Typically no concerns. However, this category includes the Device Identification report, which may include information on device types that should not be accessible on the public Internet, in which case the individual events in the report may be assigned higher severity levels. Review in accordance with your security policy.)
Each report type will have a severity level introduced by default. A “severity” column with one of the above levels will be added to each report type. Events will inherit this severity level by default, but in some cases the severity level of the individual events may be changed (either increased or decreased).
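As an added illustration (not part of the announcement or Shadowserver's own tooling) of how a consumer might apply the new column: a small filter that reads a report, lets a per-event severity override the report-level default, and keeps only events at or above a chosen threshold. The column names other than "severity", the report type names and the default mapping are all constructed for the example; the real mapping is the one published in GitHub.

```python
import csv
import io

# The five levels from the announcement, ordered least to most severe.
LEVELS = ["info", "low", "medium", "high", "critical"]
RANK = {level: i for i, level in enumerate(LEVELS)}

# Constructed per-report defaults (assumption; use the published mapping).
REPORT_DEFAULT = {"device_id": "info", "sinkhole": "high", "accessible_smb": "high"}

# Constructed sample report; an empty severity means "inherit the report default".
SAMPLE_REPORT = """timestamp,ip,report_type,tag,severity
2024-11-25T00:00:00Z,192.0.2.10,device_id,camera,high
2024-11-25T00:00:00Z,192.0.2.11,device_id,printer,
2024-11-25T00:00:00Z,192.0.2.12,sinkhole,bot,high
2024-11-25T00:00:00Z,192.0.2.13,accessible_smb,smb,
2024-11-25T00:00:00Z,192.0.2.14,weak_tls,tls,medium
2024-11-25T00:00:00Z,192.0.2.15,weak_tls,tls,bogus
"""

def effective_severity(row):
    """Event-level severity wins; an empty value inherits the report default.
    An unrecognised value is ranked as 'critical' so it is reviewed rather
    than silently filtered out (fail closed)."""
    level = (row.get("severity") or "").strip().lower()
    if not level:
        level = REPORT_DEFAULT.get(row.get("report_type", ""), "")
    return level if level in RANK else "critical"

def filter_events(text, minimum="medium"):
    """Return the events at or above `minimum`, most severe first."""
    rows = list(csv.DictReader(io.StringIO(text)))
    kept = [r for r in rows if RANK[effective_severity(r)] >= RANK[minimum]]
    # sorted() is stable, so equal severities keep their report order
    return sorted(kept, key=lambda r: RANK[effective_severity(r)], reverse=True)

if __name__ == "__main__":
    for row in filter_events(SAMPLE_REPORT, "high"):
        print(effective_severity(row), row["ip"], row["report_type"], row["tag"])
```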
You can find the current planned mapping of report severity levels in our GitHub.
Every consumer will be able to opt out of reports for lower severity levels should they so choose (at their own risk). We strongly recommend prompt remediation of events of severity High or Critical!
The changes will come into effect on Nov 25th and will be applied to all existing reports and report consumers as well as be added in future reports.
In addition we will be making a minor cleanup of some fields across our reports, which we plan to implement on Nov 18th. For an overview of the modifications please visit our GitHub page with the summary.
If you are interested in receiving our free daily threat data feeds and understanding your exposure to threats, please subscribe here.
Questions or comments? Please feel free to contact us.