Arctic Wolf Unified Portal Security Posture

Updated Dec 21, 2023

NIST compliance

Arctic Wolf® calculates the risk score of an organization based on the Common Vulnerability Scoring System version 2 (CVSSv2). CVSSv2 provides an open framework for communicating the impacts of network vulnerabilities and an objective metric for prioritizing vulnerabilities so that the highest risk vulnerabilities are remediated first.

Arctic Wolf calculates risk scores using these criteria:

  1. Each unmitigated vulnerability found in the network is scored independently.

    The CVSSv2 standard includes several metrics to calculate the base score of a vulnerability. For example:

    • Access vector — The accessibility of the exploitable vulnerability, including local access, adjacent access, and network access.
    • Access complexity — The complexity of the attack required to exploit the vulnerability when the targeted system is accessible.
    • Authentication — The number of times the attacker must authenticate for a targeted system to exploit the vulnerability.
    • Confidentiality impact — The impact on data confidentiality when a vulnerability is successfully exploited. Confidentiality refers to how data is accessed and disclosed, including preventing access to authorized users and disclosing data to unauthorized users.
    • Integrity impact — The impact on data integrity when a vulnerability is successfully exploited. Integrity refers to the trustworthiness and accuracy of the data.
    • Availability impact — The impact on data availability when a vulnerability is successfully exploited. Availability refers to the accessibility of the data and the resource.

    For more information about CVSS base score calculations, see the NIST CVSS Calculator.

  2. All unmitigated vulnerabilities are categorized, for example as a patch exploit or a configuration issue.

  3. For each risk category, this weighted-average formula is applied to the vulnerability scores within a category:

    risk score ≔ (avg(Low) × α + avg(Med) × β + avg(High) × γ) ÷ (α + β + γ)

    Where:

    • Low ≔ {δ | 0 < δ ≤ 3.9}
    • Med ≔ {δ | 4 ≤ δ ≤ 6.9}
    • High ≔ {δ | 7 ≤ δ ≤ 10}
    • δ ≔ the CVSSv2 base score of a vulnerability
    • α ≔ 1
    • β ≔ 10
    • γ ≔ 50

  4. The same weighted-average formula is applied to all risk category scores to determine a final score for the entire network.
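The four steps above, carried through on a small constructed data set, as an added example (not Arctic Wolf's code). It uses the page's bands and weights (α = 1, β = 10, γ = 50); the function names, the sample findings, and one rule the page leaves unstated (a severity band that contains no scores is dropped from both numerator and denominator, so that a category with only Low findings scores as the Low average rather than near zero) are assumptions of this example.

```python
"""Worked example of the Arctic Wolf risk-score procedure described above.

Added example, not Arctic Wolf's code. It uses the page's bands and weights
(alpha=1, beta=10, gamma=50) on a constructed set of findings.
"""
from statistics import mean
from typing import Dict, Iterable, List

# Weights from the page for the Low, Med and High bands of CVSSv2 base scores.
ALPHA, BETA, GAMMA = 1, 10, 50
WEIGHTS = {"Low": ALPHA, "Med": BETA, "High": GAMMA}


def band(score: float) -> str:
    """Map a score to the page's Low/Med/High band.

    The page defines the bands on one-decimal CVSSv2 scores (0 < d <= 3.9,
    4 <= d <= 6.9, 7 <= d <= 10). The thresholds below are the same bands,
    written so that a category score such as 3.95 (a weighted average, not a
    one-decimal CVSS score) still falls into a band in step 4.
    """
    if not 0 < score <= 10:
        raise ValueError(f"score {score} is outside the CVSSv2 range (0, 10]")
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Med"
    return "High"


def weighted_band_average(scores: Iterable[float]) -> float:
    """Step 3: (avg(Low)*a + avg(Med)*b + avg(High)*g) / (a + b + g).

    Assumption (the page does not say): a band with no scores is dropped from
    both numerator and denominator, so a group containing only Low findings
    scores as the Low average rather than near zero.
    """
    buckets: Dict[str, List[float]] = {"Low": [], "Med": [], "High": []}
    for s in scores:
        buckets[band(s)].append(s)
    present = {name: vals for name, vals in buckets.items() if vals}
    if not present:
        raise ValueError("no scores to average")
    numerator = sum(mean(vals) * WEIGHTS[name] for name, vals in present.items())
    denominator = sum(WEIGHTS[name] for name in present)
    return numerator / denominator


def category_scores(findings: Dict[str, List[float]]) -> Dict[str, float]:
    """Steps 1-3: one score per risk category (e.g. patch, configuration)."""
    return {category: weighted_band_average(scores)
            for category, scores in findings.items()}


def network_risk_score(findings: Dict[str, List[float]]) -> float:
    """Step 4: apply the same formula to the per-category scores."""
    return weighted_band_average(category_scores(findings).values())


# Constructed sample: unmitigated findings grouped by category, each value a
# CVSSv2 base score. Not real data.
SAMPLE_FINDINGS = {
    "patch": [2.0, 5.0, 9.0],      # one finding in each band
    "configuration": [3.0, 3.9],   # Low findings only
}

if __name__ == "__main__":
    # prints: patch 8.23, configuration 3.45, network 8.14
    for category, score in category_scores(SAMPLE_FINDINGS).items():
        print(f"{category:14s} {score:5.2f}")
    print(f"{'network':14s} {network_risk_score(SAMPLE_FINDINGS):5.2f}")
```

The sample shows why the weights matter: the single 9.0 finding in the patch category dominates that category's score (502 ÷ 61 ≈ 8.23), and because that category then lands in the High band with weight 50, it also dominates the network score even though the configuration category scores only 3.45.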

Tip: NIST provides a National Vulnerability Database (NVD) that the United States Department of Homeland Security (DHS) sponsors. The NVD contains Common Vulnerabilities and Exposures (CVEs) updated in real time. Each CVE provides details about a known network vulnerability, including a CVSSv2 score.