ben.carrasco/prowler
1
0
Fork 0
mirror of https://github.com/prowler-cloud/prowler.git synced 2025-12-19 05:17:47 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
30312bbc03897a3fefb25b6e7847be6577ba90c6
prowler/docs/user-guide/compliance/tutorials/threatscore.mdx
Hugo Pereira Brito 30312bbc03 fix(docs): remove wrong threatscore warning (#9276)
2025-11-20 09:03:15 +01:00

488 lines
20 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
---
title: "Prowler ThreatScore Documentation"
---
## Introduction
The **Prowler ThreatScore** is a comprehensive compliance scoring system that provides a unified metric for assessing your organization's security posture across compliance frameworks. It aggregates findings from individual security checks into a single, normalized score ranging from 0 to 100.
### Purpose
- **Unified View**: Get a single metric representing overall compliance health
- **Risk Prioritization**: Understand which areas pose the highest security risks
- **Progress Tracking**: Monitor improvements in compliance posture over time
- **Executive Reporting**: Provide clear, quantifiable security metrics to stakeholders
## How ThreatScore Works
The ThreatScore calculation considers four critical factors for each compliance requirement:
### 1. Pass Rate (`rate_i`)
The percentage of security checks that passed for a specific requirement:
```
Pass Rate = (Number of PASS findings) / (Total findings)
```
### 2. Total Findings (`total_i`)
The total number of checks performed (both PASS and FAIL) for a requirement. This represents the amount of evidence available - more findings provide greater confidence in the assessment.
### 3. Weight (`weight_i`)
A numerical value (1-1000) representing the business importance or criticality of the requirement within your organization's context.
### 4. Risk Level (`risk_i`)
A severity rating (1-5) indicating the potential impact of non-compliance with this requirement.
## Score Interpretation Guidelines
| ThreatScore | Interpretation | Recommended Actions |
|------------------|----------------|-------------------|
| 90-100% | Excellent | Maintain current controls, focus on continuous improvement |
| 80-89% | Good | Address remaining gaps, prepare for compliance audits |
| 70-79% | Acceptable | Prioritize high-risk failures, develop improvement plan |
| 60-69% | Needs Improvement | Immediate attention required, may not pass compliance audit |
| Below 60% | Critical | Emergency response needed, potential regulatory issues |
## Mathematical Formula
The ThreatScore uses a weighted average formula that accounts for all four factors:
```
ThreatScore = (Σ(rate_i × total_i × weight_i × risk_i) / Σ(total_i × weight_i × risk_i)) × 100
```
### Formula Properties
- **Normalization**: Always produces a score between 0 and 100
- **Evidence-weighted**: Requirements with more findings have proportionally greater influence
- **Risk-sensitive**: Higher risk requirements impact the score more significantly
- **Business-aligned**: Weight values allow customization based on organizational priorities
## Parameters Explained
### Weight Values (1-1000)
The weight parameter allows customization of ThreatScore calculation based on organizational priorities and regulatory requirements.
#### Weight Assignment Guidelines
| Weight Range | Priority Level | Use Cases |
|--------------|----------------|-----------|
| 1-100 | Low | Optional or nice-to-have controls |
| 101-300 | Medium | Standard security practices |
| 301-600 | High | Important security controls |
| 601-850 | Critical | Regulatory compliance requirements |
| 851-1000 | Maximum | Mission-critical security controls |
#### Weight Selection Strategy
1. **Regulatory Mapping**: Assign higher weights to controls required by industry regulations
2. **Business Impact**: Consider the potential business impact of control failures
3. **Risk Tolerance**: Align weights with organizational risk appetite
4. **Stakeholder Input**: Involve compliance and business teams in weight decisions
### Risk Levels (1-5)
Risk levels represent the potential security impact of non-compliance with a requirement.
| Risk Level | Severity | Impact Description |
|------------|----------|-------------------|
| 1 | Very Low | Minimal security impact, informational |
| 2 | Low | Limited exposure, low probability of exploitation |
| 3 | Medium | Moderate security risk, potential for limited damage |
| 4 | High | Significant security risk, high probability of impact |
| 5 | Critical | Severe security risk, immediate threat to organization |
#### Risk Level Assessment Criteria
- **Confidentiality Impact**: Data exposure potential
- **Integrity Impact**: Risk of unauthorized data modification
- **Availability Impact**: Service disruption potential
- **Compliance Impact**: Regulatory violation consequences
- **Exploitability**: Ease of exploitation by threat actors
## Security Pillars and Subpillars
Prowler organizes security requirements into a hierarchical structure of pillars and subpillars, providing a comprehensive framework for security assessment and compliance evaluation.
### Security Pillars Overview
The ThreatScore calculation considers requirements organized within the following security pillars:
#### 1. IAM (Identity and Access Management)
**Purpose**: Controls who can access what resources and under what conditions
**Subpillars**:
- **1.1 Authentication**: Verifying user and system identities
- **1.2 Authorization**: Controlling access to resources based on authenticated identity
- **1.3 Privilege Escalation**: Preventing unauthorized elevation of permissions
#### 2. Attack Surface
**Purpose**: Minimizing exposure points that could be exploited by threat actors across network, storage, and application layers
**Subpillars**:
- **2.1 Network**: Network infrastructure security, segmentation, firewall rules, VPC configurations, and traffic controls
- **2.2 Storage**: Data storage systems security, database security, file system permissions, backup security, and storage encryption
- **2.3 Application**: Application-level controls and configurations, application security settings, code security, runtime protections
#### 3. Logging and Monitoring
**Purpose**: Ensuring comprehensive visibility and audit capabilities
**Subpillars**:
- **3.1 Logging**: Capturing security-relevant events and activities
- **3.2 Retention**: Maintaining logs for appropriate time periods
- **3.3 Monitoring**: Active surveillance and alerting on security events
#### 4. Encryption
**Purpose**: Protecting data confidentiality through cryptographic controls
**Subpillars**:
- **4.1 In-Transit**: Encrypting data during transmission
- **4.2 At-Rest**: Encrypting stored data
### Pillar Hierarchy and ThreatScore Impact
#### Hierarchy Structure
```
Security Framework
├── 1. IAM
│ ├── 1.1 Authentication
│ ├── 1.2 Authorization
│ └── 1.3 Privilege Escalation
├── 2. Attack Surface
│ ├── 2.1 Network
│ ├── 2.2 Storage
│ └── 2.3 Application
├── 3. Logging and Monitoring
│ ├── 3.1 Logging
│ ├── 3.2 Retention
│ └── 3.3 Monitoring
└── 4. Encryption
├── 4.1 In-Transit
└── 4.2 At-Rest
Example Requirement Structure:
├── Pillar: 1. IAM
│ ├── Subpillar: 1.1 Authentication
│ │ ├── Requirement: MFA Implementation
│ │ │ ├── Check 1: Admin accounts use MFA
│ │ │ ├── Check 2: Regular users use MFA
│ │ │ └── Check 3: Service accounts use MFA
│ │ └── [Additional Requirements]
│ └── [Additional Subpillars: Authorization, Privilege Escalation]
```
#### Weight and Risk Assignment by Pillar
Different pillars typically receive different weight and risk assignments based on their security impact:
| Pillar | Typical Weight Range | Typical Risk Range | Rationale |
|--------|---------------------|-------------------|-----------|
| 1. IAM | 800-1000 | 4-5 | Critical for access control, high impact if compromised |
| 2. Attack Surface | 500-900 | 3-5 | Highly dependent on exposure and criticality across network, storage, and application layers |
| 3. Logging and Monitoring | 600-800 | 3-4 | Important for detection and compliance, moderate direct impact |
| 4. Encryption | 700-950 | 4-5 | Essential for data protection, regulatory compliance |
**Subpillar Weight Considerations**:
- **2.1 Network (Attack Surface)**: 500-800, Risk 3-4 - Network perimeter defense
- **2.2 Storage (Attack Surface)**: 600-900, Risk 4-5 - Data exposure impact
- **2.3 Application (Attack Surface)**: 400-700, Risk 2-4 - Varies by application criticality
### Pillar-Specific Scoring Considerations
#### High-Impact Pillars (1. IAM, 4. Encryption)
- **Characteristics**: Direct impact on data protection and access control
- **ThreatScore Impact**: Failures in these pillars significantly lower overall score
- **Weight Strategy**: Assign maximum weights (800-1000) to critical requirements
- **Risk Strategy**: Most requirements rated 4-5 due to severe consequences
#### Variable-Impact Pillar (2. Attack Surface)
- **Characteristics**: Impact varies significantly across subpillars (Network, Storage, Application)
- **ThreatScore Impact**: Depends on specific subpillar and business context
- **Weight Strategy**:
- 2.1 Network subpillar: 500-800 (perimeter defense importance)
- 2.2 Storage subpillar: 600-900 (data exposure risk)
- 2.3 Application subpillar: 400-700 (application-specific criticality)
- **Risk Strategy**: Wide range (2-5) based on exposure, data sensitivity, and business criticality
#### Monitoring Pillar (3. Logging and Monitoring)
- **Characteristics**: Essential for compliance and incident response
- **ThreatScore Impact**: Moderate influence, critical for audit requirements
- **Weight Strategy**: Consistent weights (600-800) across logging, retention, and monitoring subpillars
- **Risk Strategy**: Moderate risk levels (3-4) with emphasis on compliance impact
### Cross-Pillar Dependencies
#### Authentication ↔ Authorization (IAM)
- Strong authentication enables effective authorization controls
- Weight both subpillars highly as they're interdependent
#### Logging ↔ Monitoring (Logging and Monitoring)
- Logging provides the data that monitoring systems analyze
- Balance weights to ensure both data collection and analysis are prioritized
#### In-Transit ↔ At-Rest (Encryption)
- Comprehensive data protection requires both encryption types
- Consider data flow patterns when assigning relative weights
### Pillar Coverage in ThreatScore
#### Complete Coverage Benefits
- **Comprehensive Assessment**: All security domains represented in score
- **Balanced View**: Prevents over-emphasis on single security aspect
- **Regulatory Alignment**: Covers requirements across major compliance frameworks
#### Partial Coverage Considerations
- **Focused Assessment**: Target specific security domains
- **Resource Optimization**: Concentrate efforts on high-priority areas
- **Gradual Implementation**: Phase in additional pillars over time
## Scoring Examples
### Example 1: Basic Two-Requirement Scenario
Consider a compliance framework with two requirements:
**Requirement 1: Encryption at Rest**
- Findings: 200 PASS, 500 FAIL (total = 700)
- Pass Rate: 200/700 = 0.286 (28.6%)
- Weight: 500 (High priority - data protection)
- Risk Level: 4 (High risk - data exposure)
**Requirement 2: Access Logging**
- Findings: 300 PASS, 100 FAIL (total = 400)
- Pass Rate: 300/400 = 0.75 (75%)
- Weight: 800 (Critical for audit compliance)
- Risk Level: 3 (Medium risk - audit trail)
**Calculation:**
```
Numerator = (0.286 × 700 × 500 × 4) + (0.75 × 400 × 800 × 3)
= (400,400) + (720,000)
= 1,120,400
Denominator = (700 × 500 × 4) + (400 × 800 × 3)
= 1,400,000 + 960,000
= 2,360,000
ThreatScore = (1,120,400 / 2,360,000) × 100 = 47.5%
```
### Example 2: Enterprise Scenario with Pillar Structure
This example demonstrates how pillar organization affects ThreatScore calculation:
| Pillar | Subpillar | Requirement | Pass | Fail | Total | Weight | Risk | Pass Rate |
|--------|-----------|-------------|------|------|-------|--------|------|-----------|
| 1. IAM | 1.2 Authorization | Access Controls | 280 | 120 | 400 | 800 | 4 | 70% |
| 2. Attack Surface | 2.1 Network | Network Segmentation | 150 | 50 | 200 | 750 | 4 | 75% |
| 2. Attack Surface | 2.2 Storage | Backup Security | 200 | 100 | 300 | 600 | 3 | 66.7% |
| 3. Logging and Monitoring | 3.1 Logging | Audit Logging | 350 | 50 | 400 | 700 | 3 | 87.5% |
| 4. Encryption | 4.2 At-Rest | Encryption | 450 | 50 | 500 | 950 | 5 | 90% |
**Step-by-step Calculation:**
1. **Calculate weighted contributions for each requirement:**
```
Numerator = Σ(rate_i × total_i × weight_i × risk_i)
```
- **Access Controls (1.2 Authorization)**: 0.70 × 400 × 800 × 4 = 896,000
- **Network Segmentation (2.1 Network)**: 0.75 × 200 × 750 × 4 = 450,000
- **Backup Security (2.2 Storage)**: 0.667 × 300 × 600 × 3 = 360,060
- **Audit Logging (3.1 Logging)**: 0.875 × 400 × 700 × 3 = 735,000
- **Encryption (4.2 At-Rest)**: 0.90 × 500 × 950 × 5 = 2,137,500
2. **Sum numerator:** 2,137,500 + 896,000 + 735,000 + 360,060 + 450,000 = **4,578,560**
3. **Calculate total weights for each requirement:**
```
Denominator = Σ(total_i × weight_i × risk_i)
```
- **Access Controls (1.2 Authorization)**: 400 × 800 × 4 = 1,280,000
- **Network Segmentation (2.1 Network)**: 200 × 750 × 4 = 600,000
- **Backup Security (2.2 Storage)**: 300 × 600 × 3 = 540,000
- **Audit Logging (3.1 Logging)**: 400 × 700 × 3 = 840,000
- **Encryption (4.2 At-Rest)**: 500 × 950 × 5 = 2,375,000
4. **Sum denominator:** 2,375,000 + 1,280,000 + 840,000 + 540,000 + 600,000 = **5,635,000**
5. **Final ThreatScore calculation:**
```
ThreatScore = (Numerator / Denominator) × 100
ThreatScore = (4,578,560 / 5,635,000) × 100 = 81.2%
```
**Pillar-Level Analysis:**
- **1. IAM pillar (1.2 Authorization)**: Significant impact despite lower pass rate (70%) due to high weight (800)
- **2. Attack Surface pillar (2.1 Network)**: Strong performance (75%) with high weight (750) balances the score
- **2. Attack Surface pillar (2.2 Storage)**: Lowest performance (66.7%) but limited impact due to moderate weight (600)
- **3. Logging and Monitoring pillar (3.1 Logging)**: Moderate contribution with good performance (87.5%)
- **4. Encryption pillar (4.2 At-Rest)**: Highest contribution due to maximum weight (950) and risk (5)
### Example 3: Multi-Pillar Comprehensive Scenario
| Pillar | Subpillar | Requirement | Pass | Fail | Weight | Risk | Pass Rate |
|--------|-----------|-------------|------|------|--------|------|-----------|
| 1. IAM | 1.1 Authentication | MFA Implementation | 180 | 20 | 900 | 5 | 90% |
| 1. IAM | 1.2 Authorization | Least Privilege Access | 150 | 50 | 850 | 4 | 75% |
| 1. IAM | 1.3 Privilege Escalation | Admin Account Controls | 95 | 5 | 950 | 5 | 95% |
| 2. Attack Surface | 2.1 Network | Firewall Configuration | 400 | 100 | 600 | 3 | 80% |
| 2. Attack Surface | 2.1 Network | Public Endpoint Security | 80 | 20 | 700 | 4 | 80% |
| 2. Attack Surface | 2.2 Storage | Data Classification | 300 | 100 | 650 | 3 | 75% |
| 2. Attack Surface | 2.3 Application | Input Validation | 150 | 50 | 500 | 3 | 75% |
| 3. Logging and Monitoring | 3.1 Logging | Transaction Logging | 500 | 50 | 750 | 3 | 90.9% |
| 3. Logging and Monitoring | 3.3 Monitoring | Real-time Alerts | 200 | 50 | 700 | 4 | 80% |
| 4. Encryption | 4.2 At-Rest | Database Encryption | 300 | 20 | 900 | 5 | 93.8% |
| 4. Encryption | 4.1 In-Transit | API/Web Encryption | 250 | 10 | 800 | 4 | 96.2% |
**Pillar Performance Summary**:
- **1. IAM Pillar Average**: ~87% (weighted by findings across Authentication, Authorization, and Privilege Escalation subpillars)
- **2. Attack Surface Pillar Average**: ~77% (weighted across Network, Storage, and Application subpillars)
- 2.1 Network subpillar: ~80% average
- 2.2 Storage subpillar: 75%
- 2.3 Application subpillar: 75%
- **3. Logging and Monitoring Average**: ~87% (weighted by findings across Logging and Monitoring subpillars)
- **4. Encryption Pillar Average**: ~94% (weighted by findings across In-Transit and At-Rest subpillars)
**Overall ThreatScore**: ~85.3%
This comprehensive example demonstrates how:
- High-performing, high-weight pillars (4. Encryption, 1. IAM) significantly boost the score
- The 2. Attack Surface pillar shows how diverse subpillars (Network, Storage, Application) are aggregated
- Multiple requirements within pillars provide detailed granular assessment
- Cross-pillar balance prevents single points of failure in security posture
### Example 4: Impact of Parameter Changes
Using the scenario, let's see how parameter changes affect the score:
#### Scenario A: Increase Encryption Risk Level
Change Encryption risk from 5 to 3:
- **New ThreatScore: 77.8%** (decrease of 3.4 points)
- **Impact**: Lower risk weighting reduces the influence of high-performing critical controls
#### Scenario B: Improve Access Controls Pass Rate
Change Access Controls from 70% to 90% pass rate:
- **New ThreatScore: 85.1%** (increase of 3.9 points)
- **Impact**: Improving performance on high-weight requirements has significant score impact
#### Scenario C: Add New Low-Weight Requirement
Add "Documentation Completeness" (50 PASS, 10 FAIL, weight=100, risk=1):
- **New ThreatScore: 81.3%** (minimal change of 0.1 points)
- **Impact**: Low-weight requirements have minimal impact on overall score
## Implementation Details
### Edge Cases and Special Conditions
#### Zero Findings Scenario
When a requirement has `total_i = 0` (no findings):
- **Behavior**: Requirement is completely excluded from calculation
- **Rationale**: No evidence means no contribution to confidence in the score
- **Impact**: Other requirements receive proportionally more influence
#### Perfect Score Scenario
When all requirements have 100% pass rate:
- **Result**: ThreatScore = 100%
- **Interpretation**: All implemented security checks are passing
#### Zero Pass Rate Scenario
When all requirements have 0% pass rate:
- **Result**: ThreatScore = 0%
- **Interpretation**: Critical security failures across all requirements
#### Single Requirement Framework
For frameworks with only one requirement:
- **Formula simplification**: ThreatScore = pass_rate × 100
- **Impact**: Weight and risk values become irrelevant for score calculation
### Performance Considerations
#### Computational Complexity
- **Time Complexity**: O(n) where n = number of requirements
- **Space Complexity**: O(1) - constant space for accumulation
- **Scalability**: Efficiently handles frameworks with thousands of requirements
#### Calculation Precision
- **Floating Point**: Use double precision for intermediate calculations
- **Rounding**: Final score rounded to 1 decimal place for display
- **Overflow Protection**: Validate that weight × risk × total values don't exceed system limits
### Data Requirements
#### Minimum Data Set
For each requirement, the following data must be available:
- **pass_count**: Number of PASS findings (integer ≥ 0)
- **fail_count**: Number of FAIL findings (integer ≥ 0)
- **weight**: Business importance (integer 1-1000)
- **risk**: Risk level (integer 1-5)
#### Data Validation Rules
```
total_i = pass_i + fail_i
rate_i = pass_i / total_i (when total_i > 0)
1 ≤ weight_i ≤ 1000
1 ≤ risk_i ≤ 5
```
#### Handling Invalid Data
- **Negative values**: Treat as 0 and log warning
- **Out-of-range weights/risk**: Clamp to valid range and log warning
- **Missing data**: Exclude requirement from calculation and log warning
## Best Practices
### Monitoring and Trending
1. **Establish Baseline**
- Record initial ThreatScore after implementing measurement
- Set realistic improvement targets based on organizational capacity
- Track score changes over time to identify trends
2. **Regular Reporting**
- Generate monthly ThreatScore reports for stakeholders
- Highlight significant score changes and their causes
- Include requirement-level breakdowns for detailed analysis
3. **Continuous Improvement**
- Use score trends to identify systematic issues
- Correlate score changes with security incidents or changes
- Adjust weights and risk levels based on lessons learned
Reference in New Issue View Git Blame Copy Permalink