Prioritizing vulnerabilities is one of the most important phases of the vulnerability management lifecycle. Because Nucleus is designed to support every stage of the vulnerability management pipeline, it prioritizes your vulnerabilities for you automatically.
Nucleus Risk Prioritization is intended to give you control over how your vulnerabilities are prioritized, based on what matters to your organization.
General Theory
The Nucleus Risk Score is on a scale of 0 - 1000; the higher the number, the higher the perceived risk.
The Risk Scoring module works automatically out of the box, but Nucleus gives you insight into, and control over, each step of the process, outlined below. The prioritization is fully customizable, so you can rank your risky vulnerabilities according to your organization's unique situation.
- Nucleus assigns each vulnerability a score based on the vulnerability attributes reported by the vulnerability scanning tool.
- You set priorities (weights) for the asset attributes.
- You assign asset attributes (context) to each asset.
- Nucleus overlays the asset context onto the vulnerability, using your asset priorities, to determine which asset-vulnerability combination poses the most risk.
Step 1 - Vulnerability Score
Nucleus scores each vulnerability independently, based on the severity and exploitability reported by the vulnerability scanning tools. These attributes are fully customizable in Nucleus, so you can change a vulnerability's severity or exploitability on the fly based on your own analysis.
Step 2 - Asset Priorities
Nucleus allows the user to customize the priorities of the risk ranking algorithm. You can do this by navigating to Global Administration > Asset Risk Settings or Project Administration > Asset Risk.
On that page, you weight how important each criterion Nucleus uses in the risk score is to you. These attributes include:
- Business criticality of the asset
- Data sensitivity of the data on the asset
- Public-Facing
- Compliance scope (is the asset in scope for a compliance audit?)
Users rate each of these attributes on a scale of 1-10, which gives the Nucleus risk prioritization algorithm the information it needs to tailor the ranking.
Note: Nucleus provides weights out of the box, so you can skip this step if you want.
Step 3 - Asset Risk Attributes
Nucleus then lets you set the attributes on each asset. This gives Nucleus the information it needs to rank correctly the risk a vulnerability poses on that asset. Each attribute affects the risk score according to the asset priorities set in Step 2.
Asset attributes can be set either manually, or via automated Asset Processing Rules on the Automation Page.
Note: Nucleus automatically determines whether the asset is public-facing or not.
Step 4 - Nucleus Automatically Prioritizes Your Vulnerabilities
Nucleus will now rank your vulnerabilities automatically based on what is important to you.
Maybe you have a compliance audit coming up and need to fix issues relevant to that. Or maybe the most important criteria to you is whether the asset is public-facing or not. Nucleus gives you the flexibility to determine this prioritization.
To see your top risk vulnerabilities, go to the Vulnerabilities > Top Risks Page. This is the page that lists which vulnerability on which asset poses the greatest risk to you based on all the criteria that Nucleus knows.
The Risk Score combines the vulnerability score and the asset score, normalized to a scale of 1-1000. Each vulnerability has a score on a scale of 1-100, and each asset has a score on a scale of 1-10 derived from the combination of its risk attributes and your asset priorities.
The vulnerability score and the asset score are multiplied together to get the risk score of each asset-vulnerability combination.
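The four steps above, as an added worked example in Python (not Nucleus code): it assumes a weighted-average model for turning asset attributes and priority weights into the 1-10 asset score, because the page does not state that formula, and it uses constructed assets, findings and placeholder vulnerability IDs (VULN-1 to VULN-3) rather than real data. It goes slightly beyond the page by ranking the same findings under two priority profiles, an equal-weights default and a compliance-audit profile, to show how the Top Risks ordering changes.

```python
"""Added example (not Nucleus code): the Step 1-4 ranking model in miniature.

The page states three things: a vulnerability score on 1-100, an asset score
on 1-10 derived from the asset's attributes and the user's priority weights
(each 1-10), and Risk Score = vulnerability score x asset score. It does not
state how attributes and weights combine into the 1-10 asset score; the
weighted average below is an assumption chosen so the result always stays
inside 1-10. All assets, findings and vulnerability IDs are constructed.
"""
from dataclasses import dataclass

ATTRIBUTES = ("business_criticality", "data_sensitivity", "public_facing", "compliance_scope")


@dataclass(frozen=True)
class Asset:
    name: str
    business_criticality: int  # 1-10, set manually or by an Asset Processing Rule
    data_sensitivity: int      # 1-10
    public_facing: bool        # determined automatically by Nucleus
    compliance_scope: bool     # in scope for a compliance audit?


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str     # constructed placeholder, not a real identifier
    vuln_score: int  # 1-100, from scanner severity/exploitability (Step 1)


# Assumed stand-in for the out-of-the-box weights: every criterion matters equally.
DEFAULT_PRIORITIES = {a: 5 for a in ATTRIBUTES}


def _check_range(name, value, low, high):
    if not low <= value <= high:
        raise ValueError(f"{name}={value} outside {low}-{high}")


def asset_score(asset: Asset, priorities: dict) -> float:
    """Fold asset attributes and priority weights into a 1-10 asset score (assumed model)."""
    values = {
        "business_criticality": asset.business_criticality,
        "data_sensitivity": asset.data_sensitivity,
        # booleans map to the ends of the same 1-10 range
        "public_facing": 10 if asset.public_facing else 1,
        "compliance_scope": 10 if asset.compliance_scope else 1,
    }
    for name in ATTRIBUTES:
        _check_range(name, values[name], 1, 10)
        _check_range("priority:" + name, priorities[name], 1, 10)
    total_weight = sum(priorities[a] for a in ATTRIBUTES)
    # a weighted mean of values in 1-10 with positive weights stays in 1-10
    return sum(priorities[a] * values[a] for a in ATTRIBUTES) / total_weight


def risk_score(finding: Finding, asset: Asset, priorities: dict) -> float:
    """Step 4: vulnerability score (1-100) x asset score (1-10), i.e. at most 1000."""
    _check_range("vuln_score", finding.vuln_score, 1, 100)
    return round(finding.vuln_score * asset_score(asset, priorities), 1)


def top_risks(findings, assets, priorities):
    """Return (asset, vuln_id, risk) tuples, highest risk first, like the Top Risks page."""
    scored = [(f.asset, f.vuln_id, risk_score(f, assets[f.asset], priorities)) for f in findings]
    return sorted(scored, key=lambda row: row[2], reverse=True)


# Constructed sample inventory.
ASSETS = {
    "web-prod": Asset("web-prod", 8, 6, True, False),
    "hr-db": Asset("hr-db", 7, 10, False, True),
    "dev-box": Asset("dev-box", 2, 2, False, False),
}
FINDINGS = [
    Finding("web-prod", "VULN-1", 72),
    Finding("hr-db", "VULN-2", 60),
    Finding("dev-box", "VULN-3", 96),  # highest raw severity, least important asset
]

# Priority profile for the "compliance audit coming up" scenario from the page.
AUDIT_PRIORITIES = {**{a: 2 for a in ATTRIBUTES}, "compliance_scope": 10}

if __name__ == "__main__":
    for label, prio in (("default", DEFAULT_PRIORITIES), ("audit", AUDIT_PRIORITIES)):
        print(label)
        for asset, vuln, risk in top_risks(FINDINGS, ASSETS, prio):
            print(f"  {risk:6.1f}  {asset:9} {vuln}")
```

Under equal weights the public-facing production web server tops the list; under the audit profile the in-scope HR database overtakes it, while the dev box with the highest raw scanner severity stays last in both cases. That is the point of Step 2: the ordering on the Top Risks page is a function of your priorities, not of scanner severity alone.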