FortiSIEM Device Risk Score Computation

Device Risk Score Computation

Risk computation algorithms are proprietary and this section presents only the knobs that user is able to tweak to change the score.

Risk score components

The following factors affect risk score of a device

  1. Device Importance (also called Asset Weight)
  2. Count and CVS Score for non-remediated vulnerabilities found for that device
  3. Severity and Frequency of Security incidents triggering with that device as source or destination
  4. Severity and Frequency of Other (performance, availability and change) incidents triggering on that device

Overall Score (0-100) is a weighted average of 3 components – Vulnerability Score, Security Incident Score and Other Incident Score, computed as follows.

User controllable constants
  1. Device Importance – this can be set in CMDB > Device > Summary. You can select multiple devices and set the Importance in one shot.

Values are

  1. Mission Critical – 10
  2. Critical – 7
  3. Important – 4
  4. Normal – 1
  1. Relative weights of Vulnerabilities, Security and Other incidents to the risk score. The default values of the constants are defined in phoenix_config.txt:
    1. vul_weight = 0.6
    2. security_inci_weight = 0.3
    3. security_inci_weight = 0.1
  2. Maximum number of high-severity events that a mission-critical host can tolerate for each of the 3 score components. These default thresholds are defined in ‘phoenix_config.txt:
    1. vul_threshold = 1
    2. security_inci_threshold = 3
    3. other_inci_threshold = 6
Time varying Risk score

Risk scores are computed for each day. Current risk score is a exponentially weighted average of today’s risk and yesterday’s risk.

The algorithm also reduces the score for earlier vulnerabilities that are now patched. Such vulnerabilities have a weight of 0.7 while new and old but existing vulnerabilities have weight 1

This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.