Upcoming updates to Qualys TruRisk Algorithm

Amir Mukeri

On Oct 3rd, 2022, the Qualys TruRisk algorithm will be updated with the following changes to the Qualys Vulnerability Score (QVS), Asset Risk Score (ARS) and Qualys Detection Score (QDS).

  • Assets with multiple vulnerabilities will be ranked higher than assets with only one vulnerability. For example, an asset whose two critical vulnerabilities have a weighted-average score of 95 will be ranked higher than an asset with a single critical vulnerability scored 95.
  • Vulnerabilities with only a Proof-of-Concept exploit available will be lowered further in the TruRisk ranking.
  • Vulnerabilities with exploit code weaponized or with evidence of active exploitation will be ranked even higher than before (>=95). 
  • Exploit Prediction Scoring System (EPSS) from first.org will be one of the contributing factors for Qualys TruRisk. 
  • For QIDs with no published CVEs, QVS will be calculated from Real-time Threat Indicators (RTIs) such as Zero-day, Active Attacks, Ransomware, Wormable, etc.

What to Expect? 

  • Vulnerabilities with only a Proof-of-Concept exploit available that were previously classified as Critical/High may now be classified as Medium/Low. 
  • Assets with a higher number of vulnerabilities will be ranked higher than assets with fewer vulnerabilities of the same severity and Asset Criticality Score (ACS). 
  • Externally facing/exposed assets will receive a higher Asset Risk Score (ARS) than internal assets with a similar number and severity of vulnerabilities.