Prioritization
Prioritization overview
Prioritization is a core part of Nanitor. All assets and issues have a priority rating which indicates the relative importance of this asset or issue, on a scale of 1 to 10, and asset and issue priority ratings are combined to calculate the Nanitor Prioritization Score (NPS), a score from 1-100 which is used to prioritize issues by their current impact on your system.
Priority categories
The priority rating for a given asset or issue has three categories, Confidentiality (C), Integrity (I) and Availability (A), which are shown as separate numbers when viewing the issue or asset. Within the Nanitor system, the highest of these three values is generally treated as the issue or asset's overall priority rating. Confidentiality refers to the risk of confidential information being leaked, Integrity refers to the risk of data being corrupted or manipulated, and Availability refers to the risk of critical systems becoming unavailable. Thus, for example, an asset with a high Confidentiality rating would be an asset with important sensitive data that must be protected against leaks, while an issue with a high Confidentiality rating would be an issue that could result in data being leaked to unauthorized parties.
A Nanitor Prioritization Score is calculated for every issue on every asset that the issue is found on, by multiplying together the priority ratings in each category for the issue and the asset. The highest of these prioritization scores for any asset the issue exists on is considered the issue's overall prioritization score, and this is the value Nanitor uses to prioritize the issue list.
For example, imagine asset A has a Confidentiality rating of 9.6, an Integrity rating of 8.6, and an Availability rating of 5.4. This might for instance be a database that stores sensitive data. Meanwhile, issue X, an exploit that enables unauthorized read access to data and can disrupt other access, has a Confidentiality rating of 8.4, an Integrity rating of 3.8, and an Availability rating of 5.6. If issue X is found on asset A, then its prioritization scores on that asset will be
Confidentiality: 9.6 * 8.4 = 80.64
Integrity: 8.6 * 3.8 = 32.68
Availability: 5.4 * 5.6 = 30.24
This issue has a very high impact on this asset - this is a database of sensitive data, and this issue means the data could be leaked to attackers. This is reflected in how, since the Confidentiality rating is high both on the asset and the issue, the Confidentiality score is very high. Since the overall prioritization score on the asset is the highest of the three, the overall prioritization score for X on asset A will be 80.64, showing this is a critical, high-priority issue that should be fixed as soon as possible.
Meanwhile, another issue Y has a Confidentiality rating of 1 and an Integrity rating of 2.4, but a high Availability rating of 9.8 - perhaps a vulnerability that enables a critical denial-of-service attack vector, but leaks no data to the attacker. If this issue is found on asset A, then the resulting prioritization scores will be
Confidentiality: 9.6 * 1 = 9.6
Integrity: 8.6 * 2.4 = 20.64
Availability: 5.4 * 9.8 = 52.92
Since availability, what this issue targets, isn’t nearly as important on this asset, the overall prioritization score for issue Y on this asset is only 52.92, even though issue Y’s highest priority rating is higher than issue X’s.
If A is the only asset issue Y is found on, then 52.92 will be issue Y’s NPS, and it will be ranked as less important than issue X, because its potential impact is lower. If issue Y came up on another asset B with a higher Availability rating, on the other hand, asset B would wind up with a higher prioritization score for issue Y, and that would become issue Y’s NPS.
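The calculation described above, as an added example (not Nanitor's own code): per-category scores, the score of an issue on one asset, and the NPS as the highest score over all assets the issue is found on. Asset A and issues X and Y use the ratings from the text; asset B's ratings are constructed here to illustrate the cross-asset case and are not given on the page.

```python
# Added example, not Nanitor's code: prioritization scores and the NPS.
from dataclasses import dataclass

CATEGORIES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class Rating:
    """A C/I/A priority rating triple on the 1-10 scale."""
    confidentiality: float
    integrity: float
    availability: float

    def overall(self) -> float:
        # Within Nanitor the highest of the three is the overall rating.
        return max(self.confidentiality, self.integrity, self.availability)


def category_scores(issue: Rating, asset: Rating) -> dict:
    """Issue rating times asset rating, category by category."""
    return {c: round(getattr(issue, c) * getattr(asset, c), 2) for c in CATEGORIES}


def score_on_asset(issue: Rating, asset: Rating) -> float:
    """Prioritization score of an issue on one asset: the highest category score."""
    return max(category_scores(issue, asset).values())


def nps(issue: Rating, assets: dict) -> tuple:
    """NPS: the highest per-asset score over every asset the issue currently exists on.

    Returns (score, name of the asset that produced it)."""
    best = max(assets, key=lambda name: score_on_asset(issue, assets[name]))
    return score_on_asset(issue, assets[best]), best


# Ratings from the worked example in the text.
ASSET_A = Rating(9.6, 8.6, 5.4)   # e.g. a database holding sensitive data
ISSUE_X = Rating(8.4, 3.8, 5.6)   # unauthorized read access, some disruption
ISSUE_Y = Rating(1.0, 2.4, 9.8)   # denial-of-service vector, no data leak
# Constructed for this example only: an availability-critical asset B.
ASSET_B = Rating(2.0, 3.0, 9.0)

if __name__ == "__main__":
    print(category_scores(ISSUE_X, ASSET_A))
    print(nps(ISSUE_X, {"A": ASSET_A}))
    print(nps(ISSUE_Y, {"A": ASSET_A}))
    # Y's NPS moves to asset B once it is found there as well.
    print(nps(ISSUE_Y, {"A": ASSET_A, "B": ASSET_B}))
```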
The Issue Prioritization page
If you click Issues -> Diamond in the top menu of the Nanitor solution, you will navigate to the Issue prioritization page. This page shows summaries of your most important issues in two formats, both as a tilted table called the Nanitor Diamond and as a series of lists labeled P0, P1 and P2.
Users belonging to multiple organizations can also use the Diamond overview dashboard to get information about issues across all organizations.
The Nanitor Diamond
The Nanitor Diamond is a visualization of the priority ratings of your issues and the assets they exist on. You can think of it as a graph with two axes, rotated 45 degrees:
The two axes are the dynamic asset priority and the dynamic issue priority, with each square representing a particular combination of asset and issue priority and showing a count of open issues with those priorities. Issue and asset priority ratings each consist of three factors as explained above, and can be fractional, but for the purposes of the diamond, the priority is regarded as the highest of the individual priority categories, rounded to the nearest integer. For instance, if an issue's highest priority rating is 9.8, and the highest priority rating on any of the assets it exists on is 9.4, then that issue will be counted towards the total in the square corresponding to issue priority 10 and asset priority 9 - the square just below and to the right side of the top square in the screenshot below.
If we look at these reddest squares at the top of the diamond, we can get a quick overview of how many high-priority issues exist on our high-priority assets - for instance, here we can see that we have 56 issues with priority ~10 detected on assets with priority ~9. (Note that each issue is only counted towards one square, even if it exists on assets of many different priorities - the issue always counts in the square corresponding to the highest asset priority where that issue has been detected!)
Since these are critical issues (high issue priority) that exist on important assets (high asset priority), these issues are likely to be particularly urgent and should be prioritized ahead of other issues that are less critical or only occur on less important assets.
Meanwhile, for instance, on the right side of the diamond, we might see some issues with a high issue priority but low asset priority:
While these are significant issues, they only exist on assets with the lowest possible significance. This means they likely have low impact and are not as pressing as the issues near the top of the diamond, but are still more worth keeping an eye on than those that land near the bottom.
You can click on the number in a given square of the diamond to see a full list of the issues counted in that square.
Priority groups
The three lists on the right side of the issue prioritization view are a little different. They are lists of issues ordered by their Nanitor Prioritization Score, organized into three priority groups. The P0 priority group shows issues with an NPS of 81+, the P1 priority group shows issues with an NPS of 64-81, and the P2 priority group shows those with an NPS of 49-64.
The organization should strive to act immediately to resolve any issues in the P0 group when they come up, to act within 30 days for issues in the P1 group, or within 60 days for issues in the P2 group. Issues not in any of these three groups should not require immediate action, but it is nonetheless recommended to address them when higher-priority issues have been resolved.
A full filterable and searchable list of issues ordered by NPS can be found by navigating to Issues -> List. Note that the top of the list may not match exactly with the issues at the top of the diamond, as the diamond is arranged by the highest issue and asset priorities separately, while the NPS can take into account when e.g. an issue mainly affects availability but the assets it has been found on have low availability ratings. This means the NPS is a little more holistic and may prioritize an issue lower than its position in the diamond would indicate.
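To show how the diamond and the P0/P1/P2 lists can disagree, as described in the two sections above, here is an added example (not Nanitor's code) that places issues into diamond squares and priority groups. It assumes half-up rounding to the nearest integer for the diamond and reads the group boundaries as NPS >= 81 for P0, >= 64 for P1 and >= 49 for P2; issues X and Y reuse the ratings from the earlier worked example, and issue Z with its asset C is constructed here.

```python
# Added example, not Nanitor's code: diamond squares and P0/P1/P2 groups.
import math

# Lower NPS bound for each group, as this example reads the text's ranges.
PRIORITY_GROUPS = (("P0", 81.0), ("P1", 64.0), ("P2", 49.0))


def round_half_up(x: float) -> int:
    """Nearest integer, halves rounded up (assumption: Nanitor's rounding rule is not stated)."""
    return math.floor(x + 0.5)


def nps(per_asset: dict) -> float:
    """Highest product of issue and asset rating in the same category, over all assets.

    per_asset: asset name -> (issue C/I/A ratings on that asset, asset C/I/A ratings)."""
    return max(round(i * a, 2)
               for issue_r, asset_r in per_asset.values()
               for i, a in zip(issue_r, asset_r))


def diamond_square(per_asset: dict) -> tuple:
    """(issue priority, asset priority) square the issue is counted in.

    Each axis uses the highest category rating, rounded; the issue counts once,
    in the square of the highest-priority asset it has been detected on."""
    issue_p = max(max(issue_r) for issue_r, _ in per_asset.values())
    asset_p = max(max(asset_r) for _, asset_r in per_asset.values())
    return round_half_up(issue_p), round_half_up(asset_p)


def priority_group(score: float):
    for name, lower in PRIORITY_GROUPS:
        if score >= lower:
            return name
    return None  # below P2: no immediate action required


def build_diamond(issues: dict) -> dict:
    """Count open issues per (issue priority, asset priority) square."""
    counts = {}
    for per_asset in issues.values():
        square = diamond_square(per_asset)
        counts[square] = counts.get(square, 0) + 1
    return counts


def ranked(issues: dict) -> list:
    """Issues ordered by NPS, as on the Issues -> List page."""
    rows = [(name, nps(per_asset), priority_group(nps(per_asset))) for name, per_asset in issues.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


ASSET_A = (9.6, 8.6, 5.4)
ASSET_C = (1.0, 1.0, 1.0)  # constructed: an asset of the lowest significance
ISSUES = {
    "X": {"A": ((8.4, 3.8, 5.6), ASSET_A)},  # from the text
    "Y": {"A": ((1.0, 2.4, 9.8), ASSET_A)},  # from the text
    "Z": {"C": ((9.8, 2.0, 2.0), ASSET_C)},  # constructed: critical issue, trivial asset
}

if __name__ == "__main__":
    print(build_diamond(ISSUES))  # Y sits in the top square (10, 10) ...
    print(ranked(ISSUES))         # ... yet ranks below X by NPS and only reaches P2.
```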
Static and dynamic priority
Each issue and asset in the system has both a static priority, an assigned static rating for this asset or issue (split into the three categories), as well as a dynamic priority, which is the rating shown in the issue diamond and used to calculate prioritization scores. The dynamic priority is based on the static priority but may modify it based on various factors, according to Nanitor’s intelligent risk adjustment algorithm. For instance, if the Issue priority age scaling option is enabled (available from Organization management -> issue configuration), an issue’s dynamic priority will rise over time if the issue isn’t addressed, since an issue going unfixed for some time gives attackers a wider window to discover the issue and exploit it. Meanwhile, an asset’s dynamic priority will be raised if the asset shares a domain, user or subnet with another asset that has a higher static priority, as access to this asset may then provide attackers with easier access to the more critical asset.
Static priorities are designed to be adjusted and overridden by Nanitor administrators to best reflect the organization’s security policies for different assets and issues. Static priorities are unlikely to change except as directed by Nanitor administrators, or if an asset’s labels or benchmarks change. The dynamic priority, on the other hand, will be adjusted automatically on the fly by the Nanitor system, based on the assigned static priority rating and the dynamic factors affecting the rating (further details below).
Setting static asset priorities
When setting up your Nanitor instance, you need to perform a risk assessment of your assets to assign static priority ratings to each asset. The success of Nanitor’s prioritization system depends on priority ratings being assigned appropriately to your assets.
By default, each asset’s priority rating is set based on its assigned benchmark. On a clean install, every benchmark will assign a 5/5/5 (Confidentiality/Integrity/Availability) priority rating, but this can be changed for each benchmark under Organization Management → Benchmark settings, depending on the organization’s security requirements.
The recommended way to set asset priorities is to override them for certain asset labels under Organization Management → Labels and labeling rules:
When an asset has multiple labels, it will be assigned the highest priority rating any of its labels have in each category.
To override the static asset priority ratings, open the Asset Details view and then on the Overview tab, navigate to the Priority section and click the Edit icon in the section header.
Setting static issue priorities
For issues, the default static priority rating is set based on its issue type, and Nanitor system admins can often customize what issues are created and how important they should be for the organization, depending on the type:
- Vulnerability: The default static priority rating is defined by its CVSS (Common Vulnerability Scoring System) score, its presence in the CISA Known Exploited Vulnerabilities Catalog, and the likelihood of exposure defined by its EPSS (Exploit Prediction Scoring System) score. Vulnerability management can be turned off (resulting in no vulnerability issues being created) under Organization Management → General organization settings. Please note that for suborganizations the Enable vulnerability checking and management option state is inherited from the parent organization settings and cannot be changed.
- Misconfiguration: The default static priority in all categories is based on the criticality rating in the CIS benchmark (low = 1, medium = 3, high = 6, and critical = 9). Individual benchmark rules can be removed from or added to the technical policy baseline, or have their priority changed, when viewing a given benchmark from the Organization Management → Benchmark settings page.
- Patch: The default static priority rating in all categories is 7, unless the patch is marked as fixing vulnerabilities with a priority higher than that, in which case the patch inherits the highest vulnerability rating in each category.
- Software: The default static priority rating in all categories is 5. Specific software can be whitelisted or blacklisted, either on the entire system or for particular asset labels, under Inventory → Software in the top menu.
- PII: The feature can be turned on and off for all assets or for particular labels, and a priority rating can be set for each PII type, under Organization Management → PII settings. The Organization Management → PII ignore list allows you to define exceptions for PII checks.
- Identity and Device: Each type of possible problem detected by Nanitor can be enabled or disabled (through the “in baseline” checkbox), and a criticality rating of low/medium/high/critical can be set for each (which assigns priority ratings by the same logic as for misconfigurations), under Organization Management → Issue configuration. In addition, static priority ratings for user issues are higher the more assets the given user can access, as this increases the risk of the user being compromised. For instance, if a user has an expired password, and that issue is in the baseline with a High severity, then the static issue priority for that issue will generally be 6 (in all categories). However, if the user has access to more than one asset, it is multiplied by 1.1 to become 6.6; if they have access to more than two it will be multiplied by 1.2 and become 7.2; if they have access to more than 10 it will be multiplied by 1.3 and become 7.8; and if they have access to more than 50 it will be multiplied by 1.4 and become 8.4.
Furthermore, under Organization Management → Issue configuration, a priority scaling factor can be applied to each issue type individually. If your company considers a certain type of issue more or less important relative to others than the default scores assigned by Nanitor suggest, you can adjust their relative weights by altering these values.
To override the static issue priority ratings, open the Issue Details view and then, on the Overview tab, navigate to the Priority section and click the Edit icon in the section header.
Dynamic asset priorities
Dynamic asset priorities are calculated as the static priority modified by three priority elevators, factors that may raise the priority rating:
- If the asset shares a domain with another asset that has a higher static priority rating in any of the three categories, the dynamic priority rating in that category is adjusted upward by 20% of the difference between the two. For instance, if an asset has a static Confidentiality priority rating of 5, and it shares a domain with another asset with a static Confidentiality priority rating of 10, then the first asset’s dynamic Confidentiality priority rating will be adjusted upwards by (10 - 5) * 0.2, or 1, going from 5 to 6.
- If the asset shares a user with another asset that has a higher static priority rating in any of the three categories, the dynamic priority rating in that category is adjusted upward by 30% of the difference between the two. For instance, if an asset has a static Integrity priority rating of 5, and it shares a user with another asset with a static Integrity priority rating of 10, then the first asset’s dynamic Integrity priority rating will be adjusted upwards by (10 - 5) * 0.3, or 1.5, going from 5 to 6.5.
- If the asset shares a subnet with another asset that has a higher static priority rating in any of the three categories, the dynamic priority rating in that category is adjusted upward by 10% of the difference between the two. For instance, if an asset has a static Availability priority rating of 5, and it shares a subnet with another asset with a static Availability priority rating of 10, then the first asset’s dynamic Availability priority rating will be adjusted upwards by (10 - 5) * 0.1, or 0.5, going from 5 to 5.5.
When more than one elevator applies, treat each elevator as a multiplier on the gap between the asset’s static priority rating and the highest static priority in the relevant set of assets. The domain elevator multiplies the gap by 0.8, the user elevator multiplies the gap by 0.7, and the subnet elevator multiplies it by 0.9. Thus, if asset A, with a static Confidentiality rating of 5, shares all three with a neighboring asset B, which has a static Confidentiality rating of 10, then the gap between the two (10 - 5) will be multiplied by 0.8 * 0.7 * 0.9, or 0.504, resulting in a gap of 2.52, and this is then subtracted from the highest neighboring static Confidentiality rating of 10 and rounded, resulting in a dynamic Confidentiality rating of 7.5.
This becomes a little more complicated when the highest rating for the domain, user and subnet are different. For example, if assets A and B share the same user and subnet but not the same domain, and the highest-priority asset sharing a domain with A is asset C with a static Confidentiality rating of 7.5, the domain elevator’s impact will be halved, because the gap between 5 and 7.5 is smaller by half. This will effectively mean the domain elevator’s multiplier becomes 0.9 instead of 0.8 (reduces the gap by 10% instead of 20%), and the dynamic priority rating instead becomes 10 - (10 - 5) * 0.9 * 0.7 * 0.9 = 7.2.
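The elevator arithmetic above, as an added example (not Nanitor's code). The domain/user/subnet multipliers of 0.8/0.7/0.9 on the gap to the highest neighbouring static rating are taken from the text; scaling each multiplier by the fraction of that gap which the elevator's own set of neighbours actually covers is this example's reading of the partial-gap case (domain neighbour at 7.5 giving a 0.9 multiplier), and rounding to one decimal half-up is an assumption. The function works per category; the C/I/A wrapper applies it to each category with its own set of neighbours.

```python
# Added example, not Nanitor's code: dynamic asset priority via the three elevators.
import math

# Fraction of the gap each elevator closes when its neighbour set reaches the full gap.
ELEVATOR_SHARE = {"domain": 0.2, "user": 0.3, "subnet": 0.1}


def round_half_up(x: float, ndigits: int = 1) -> float:
    """Assumed rounding rule (not stated on the page)."""
    f = 10 ** ndigits
    return math.floor(x * f + 0.5) / f


def dynamic_rating(static: float, neighbours: dict) -> float:
    """Dynamic rating in one category.

    static: this asset's static rating in that category.
    neighbours: {"domain": [...], "user": [...], "subnet": [...]} holding the static
    ratings (same category) of other assets sharing that domain / user / subnet."""
    set_max = {k: max([static, *neighbours.get(k, [])]) for k in ELEVATOR_SHARE}
    top = max(set_max.values())
    if top <= static:
        return static  # no higher-priority neighbour: nothing elevates this asset
    gap = top - static
    remaining = 1.0
    for k, share in ELEVATOR_SHARE.items():
        # A set reaching the full gap multiplies it by (1 - share); a set that only
        # reaches part of the gap closes proportionally less (assumption, see lead-in).
        remaining *= 1.0 - share * (set_max[k] - static) / gap
    return round_half_up(top - gap * remaining)


def dynamic_triple(static_cia: tuple, neighbours_cia: tuple) -> tuple:
    """Apply dynamic_rating to Confidentiality, Integrity and Availability in turn."""
    return tuple(dynamic_rating(s, n) for s, n in zip(static_cia, neighbours_cia))


if __name__ == "__main__":
    # Single-elevator cases from the text: 6, 6.5 and 5.5.
    print(dynamic_rating(5, {"domain": [10]}))
    print(dynamic_rating(5, {"user": [10]}))
    print(dynamic_rating(5, {"subnet": [10]}))
    # Asset A shares domain, user and subnet with B (10): 7.48 rounded to 7.5.
    print(dynamic_rating(5, {"domain": [10], "user": [10], "subnet": [10]}))
    # Domain neighbour is C at 7.5 instead: 7.165 rounded to 7.2.
    print(dynamic_rating(5, {"domain": [7.5], "user": [10], "subnet": [10]}))
```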
Dynamic issue priorities
If the "Issue age priority scaling" setting is turned off, the dynamic priority rating for an issue will match its static priority rating.
If the setting is turned on, then the dynamic priority rating for an issue may be different for each asset the issue exists on. On each asset, the dynamic issue priority is the static issue priority for that issue multiplied by 1.000595^h, where h is the number of hours since the issue was found on this asset, capped at one month (720 hours). This means that as issues remain open on an asset without being addressed, their dynamic priority rating will steadily increase, up to a multiplier of ~1.53x.
The dynamic priority rating in a category for an issue as a whole, as listed on the issue detail page, is the dynamic issue priority rating on the asset where the issue has the highest overall prioritization score in that category. This means effectively that the priority rating is adjusted by how long it has been present on its most critical asset.
For instance, suppose that issue X, with a Confidentiality rating of 8.4, an Integrity rating of 3.8, and an Availability rating of 5.6 has been present on asset A for seven days but on asset B for 30 days. Asset A has Confidentiality 9.6, Integrity 8.6 and Availability 5.4, while asset B has Confidentiality 3, Integrity 5.3 and Availability 7.6.
On asset A, X’s dynamic priority rating will be multiplied by 1.1051 (1.000595^(7*24)), for Confidentiality 8.4 → 9.3, Integrity 3.8 → 4.2 and Availability 5.6 → 6.2. The prioritization scores will be:
Confidentiality: 9.3 * 9.6 = 89.28
Integrity: 4.2 * 8.6 = 36.12
Availability: 6.2 * 5.4 = 33.48
Meanwhile, on asset B, X’s dynamic priority rating will be multiplied by 1.5346 (1.000595^(30*24)). This makes X’s Confidentiality rating 8.4 → 10 (priority ratings cannot go higher than 10), the Integrity rating 3.8 → 5.8, and the Availability rating 5.6 → 8.6. The prioritization scores on B will be:
Confidentiality: 10 * 3 = 30
Integrity: 5.8 * 5.3 = 30.74
Availability: 8.6 * 7.6 = 65.36
The overall prioritization score of X will be 89.28 (the highest of all six prioritization scores), but the dynamic issue priority as listed in the issue detail will be Confidentiality 9.3 (from most critical asset A), Integrity 4.2 (from most critical asset A) and Availability 8.6 (from most critical asset B).
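The age-scaling calculation above, reproduced as an added example (not Nanitor's code) over the asset A / asset B scenario from the text. The growth constant 1.000595 per hour and the 720-hour cap are the page's; the 10.0 cap on ratings is the page's; rounding dynamic ratings to one decimal half-up before multiplying is an assumption that matches the figures shown.

```python
# Added example, not Nanitor's code: dynamic issue priority with age scaling.
import math

CATS = ("C", "I", "A")
GROWTH_PER_HOUR = 1.000595
CAP_HOURS = 720          # one month; the exponent stops growing here
MAX_RATING = 10.0        # priority ratings cannot exceed 10


def round_half_up(x: float, ndigits: int) -> float:
    """Assumed rounding rule (not stated on the page)."""
    f = 10 ** ndigits
    return math.floor(x * f + 0.5) / f


def age_multiplier(hours_open: float) -> float:
    return GROWTH_PER_HOUR ** min(hours_open, CAP_HOURS)


def dynamic_issue_rating(static_cia: tuple, hours_open: float) -> tuple:
    """Static C/I/A ratings scaled by age on one asset, rounded and capped at 10."""
    m = age_multiplier(hours_open)
    return tuple(min(MAX_RATING, round_half_up(s * m, 1)) for s in static_cia)


def scores_on_asset(issue_dyn: tuple, asset_cia: tuple) -> dict:
    return {c: round_half_up(i * a, 2) for c, i, a in zip(CATS, issue_dyn, asset_cia)}


def evaluate(static_issue: tuple, findings: dict) -> tuple:
    """findings: asset name -> (asset C/I/A ratings, hours the issue has been open there).

    Returns (overall prioritization score,
             dynamic rating per category as listed on the issue detail page,
             per-asset (dynamic rating, category scores))."""
    per_asset = {}
    for name, (asset_cia, hours) in findings.items():
        dyn = dynamic_issue_rating(static_issue, hours)
        per_asset[name] = (dyn, scores_on_asset(dyn, asset_cia))
    overall = max(max(scores.values()) for _, scores in per_asset.values())
    # Per category, the listed rating comes from the asset with the highest score in it.
    listed = {}
    for idx, c in enumerate(CATS):
        best = max(per_asset, key=lambda n: per_asset[n][1][c])
        listed[c] = per_asset[best][0][idx]
    return overall, listed, per_asset


ISSUE_X = (8.4, 3.8, 5.6)
FINDINGS = {
    "A": ((9.6, 8.6, 5.4), 7 * 24),    # open on A for seven days
    "B": ((3.0, 5.3, 7.6), 30 * 24),   # open on B for thirty days
}

if __name__ == "__main__":
    overall, listed, per_asset = evaluate(ISSUE_X, FINDINGS)
    print(overall)    # 89.28
    print(listed)     # C from A, I from A, A from B
    print(per_asset)
```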
The prioritization score for an issue only takes into account assets where the issue currently exists. When a prioritization score is displayed for an issue that has already been fully resolved on all assets, it will show the highest prioritization score on any of the assets where it has previously existed.