Announcing TruRisk™ 2.0: Unleashing Next-Level Precision in Cyber Risk Management

Ashish Kar

In cybersecurity, quantifying risk with precision is essential for robust security posture management. At Qualys, we continuously refine our methodologies to meet and exceed the evolving demands of vulnerability management and risk management. In October 2024, the launch of Qualys Enterprise TruRisk™ Management (ETM) will mark a significant enhancement in how risk is calculated and understood across an organization’s cyber security risk posture, and with it, we are introducing the enhanced Qualys TruRisk™ 2.0 scoring system.

Qualys customers who activate the new ETM module will automatically transition to TruRisk™ 2.0 once they sign up for ETM—no additional action is required. New and existing customers who are not signing up for the ETM module will not be impacted. See the Transition and Support for Existing Customers section below.

A Giant Leap: From 1.0 to 2.0

Since its inception, the TruRisk™ scoring algorithm has been the foundation of our approach to quantifying and communicating cyber security risk. Based on customer feedback and rigorous analysis, TruRisk™ 2.0 offers a more accurate representation of actual security threats.

Enhance Vulnerability Tracking with Global CVE Standardization

In this upgrade, we are empowering the Qualys Enterprise TruRisk™ Management (ETM) platform by enhancing vulnerability tracking from the Qualys Detection ID (QID) system to the globally recognized Common Vulnerabilities and Exposures (CVE) framework, consolidating vulnerabilities from multiple tools into a single, unified platform.

The Qualys QID has been the security powerhouse that has allowed our customers to optimize vulnerability and risk management in the Qualys platform for over two decades. Grouping multiple CVEs under a QID allowed customers to focus and manage risk mitigation in an effective and streamlined manner. However, as we transition to ETM, we allow customers to aggregate risk from third-party sources, which requires us to adopt an industry standard such as CVE ID. TruRisk™ 2.0 strikes a balance by using CVEs to measure the risk but retaining the ability to view and group vulnerabilities using both CVEs and QIDs. You truly get the best of both worlds.

Furthermore, as Qualys adopts CVE identifiers, the platform will score all these CVEs, both Qualys and third-party, using the Qualys Detection Score (QDS), which uses multiple signals, including CVSS, EPSS scores, and real-time threat intelligence from over 25 sources. Qualys customers will still benefit from threat intelligence-based scoring, just as they experienced with QIDs.

The QID view within the VMDR platform will be maintained to ensure that existing workflows and reports remain uninterrupted for customers who rely on established processes and analytics. Preserving the QID capabilities alongside the new CVE capabilities in ETM will help with seamless transition and flexibility so that every customer can adapt to the new system at their own pace without disrupting their current security operations.

Refining Risk Calculation

One of the key evolutions in TruRisk™ 2.0 is how it calculates risk. The previous version of our algorithm used an average of all Qualys Detection Scores (QDS) across all severity buckets. However, this method had a few corner cases, particularly in how clusters of risk scores were handled. For instance, fixing a single critical vulnerability with a lower score could paradoxically increase the average score: the averaging process produced a counterintuitive result that obscured the actual risk reduction.

TruRisk™ 2.0 addresses these issues by employing a maximum detection score approach, focusing more acutely on the number and severity of detections. By centering on the most critical vulnerabilities, TruRisk™ 2.0 ensures a clearer, more precise view of your asset’s security posture.

Old Algorithm:

  • Used weighted averages across all severity levels.

New Algorithm:

  • Prioritizes maximum detected risks and their frequency.
  • Ensures low-severity vulnerabilities do not offset high-priority risks, providing a truer representation of an Asset’s security posture.

Key Enhancements in Risk Scoring with TruRisk™ 2.0

The improvements in TruRisk™ 2.0 bring about significant changes in how risk scores are calculated, enhancing the way risks are assessed and prioritized across assets.

1. Expanded Risk Sources and Risk Factors – In addition to IT Host Assets, TruRisk™ 2.0 supports additional risk sources such as Cloud Resources, Workloads, Containers, Web Applications, GenAI/LLM Models, etc. TruRisk™ 2.0 also expands the risk factors to Misconfigurations, Expired Certificates, Unauthorized Ports, Unauthorized Software, Required but Missing Software, and Custom Rule-based Risk Factors.

2. CVE ID-based vulnerability counts – In order to standardize vulnerability counts, TruRisk™ 2.0 will use CVE IDs for counts. This will allow us to correlate and deduplicate vulnerabilities from third-party sources to provide an aggregated risk score for an Asset.

3. Improved precision in Risk Scoring – This new algorithm emphasizes the maximum detected risks and counts of CVEs to prevent misleading interpretations from the averaging process.

  • Prioritization Based on Severity and Frequency of Detections—The recalibrated scoring mechanism in TruRisk™ 2.0 assesses individual vulnerabilities instead of a group of related vulnerabilities as provided by QID. It considers the maximum criticality (max QDS) across all vulnerabilities and the number of occurrences in critical, high, medium, and low buckets to prioritize remediation.
  • Example of Averaging Process – Consider an asset with two critical vulnerabilities rated at 90 and 100, where 90 gets fixed. TruRisk™ 2.0 focuses on the highest remaining risk and count, so when the 90 QDS is fixed, the max score remains 100, but there is a reduction in the score as one critical vulnerability was fixed. In comparison, with the average, the TruRisk 1.0 score would go up when 90 is fixed, inflating the risk score after remediation of the lower score.
  • Example of Missing Buckets – Consider an asset with vulnerabilities in the critical, medium, and low categories but no detections in the high category. TruRisk™ 2.0 focuses on the maximum risk and the count of vulnerabilities, ensuring that the absence of a bucket does not negatively impact the final score. In contrast, the previous averaging approach calculated an average for each bucket, resulting in artificially low-risk scores when a bucket was missing.
  • Score Capping – To ensure fairness and prevent inflation in risk scores, TruRisk™ 2.0 caps the maximum score at 1000, just like TruRisk 1.0. Additional caps are placed on medium and low vulnerability detection counts, ensuring that these do not disproportionately affect the overall risk assessment.
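The two scenarios above, worked through in code. This is an added illustration, not Qualys's published algorithm: the bucket thresholds, the per-detection weights and the count caps are assumptions chosen only to show why a bucket-averaged score moves the wrong way after remediation, while a max-plus-count score does not.

```python
from statistics import mean

# Severity buckets by QDS value (assumed for this example).
BUCKETS = {"critical": (90, 100), "high": (70, 89), "medium": (40, 69), "low": (1, 39)}

# Per-detection bonus and cap on counted detections per bucket. These are
# constructed values; the real TruRisk 2.0 weights and caps are not on this page.
COUNT_WEIGHT = {"critical": 50, "high": 20, "medium": 5, "low": 1}
COUNT_CAP = {"critical": 10, "high": 10, "medium": 10, "low": 10}
MAX_SCORE = 1000  # both 1.0 and 2.0 cap the score at 1000


def bucket_of(qds):
    for name, (lo, hi) in BUCKETS.items():
        if lo <= qds <= hi:
            return name
    raise ValueError(f"QDS out of range: {qds}")


def group_by_bucket(detections):
    groups = {name: [] for name in BUCKETS}
    for qds in detections:
        groups[bucket_of(qds)].append(qds)
    return groups


def averaged_score(detections):
    """1.0-style: average the QDS within each bucket, then average the four
    bucket values. An empty bucket contributes 0, which drags the score down."""
    groups = group_by_bucket(detections)
    per_bucket = [mean(vals) if vals else 0 for vals in groups.values()]
    return round(mean(per_bucket) * 10, 1)  # scale 0-100 onto 0-1000


def max_count_score(detections):
    """2.0-style: driven by the single highest QDS, plus a capped bonus per
    detection in each bucket, clamped to MAX_SCORE."""
    if not detections:
        return 0
    groups = group_by_bucket(detections)
    score = max(detections) * 5
    for name, vals in groups.items():
        score += COUNT_WEIGHT[name] * min(len(vals), COUNT_CAP[name])
    return min(score, MAX_SCORE)


if __name__ == "__main__":
    before, after = [90, 100], [100]  # the 90-rated critical gets fixed
    print("averaged:", averaged_score(before), "->", averaged_score(after))
    print("max+count:", max_count_score(before), "->", max_count_score(after))
    gap = [95, 50, 20]  # critical, medium, low present; high bucket empty
    print("missing bucket:", averaged_score(gap), "vs", max_count_score(gap))
```

Fixing the 90 raises the averaged score from 237.5 to 250.0 but lowers the max-plus-count score from 600 to 550; the asset with an empty high bucket is held at 412.5 by the averaging even though its worst detection is a 95.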

4. Dynamic Scoring – Risk scores are now dynamically adjusted every hour as new vulnerabilities are detected and existing ones are remediated. This responsiveness allows the scoring to reflect real-time changes in an asset’s risk profile, helping organizations adapt their security measures more effectively.

Transition and Support for Existing Customers

For Qualys customers, the transition to TruRisk™ 2.0 is straightforward. Once you migrate to the new Enterprise TruRisk™ Management (ETM) module, you will also be upgraded to TruRisk™ 2.0, and all its enhancements will be applied automatically. There’s no need for additional action.

For new and existing customers not yet ready to enable ETM and migrate to TruRisk 2.0, ample time and support will be provided to ensure a smooth journey to TruRisk™ 2.0. Over the next few months, by mid-2025, Qualys will make options available in the platform to let customers seamlessly migrate from TruRisk 1.0 to TruRisk 2.0 and benefit from these enhancements.

| Qualys Customer | ETM Enabled | TruRisk™ 1.0                        | TruRisk™ 2.0              |
|-----------------|-------------|-------------------------------------|---------------------------|
| Existing        | Yes         | Automatic migration to TruRisk 2.0  | Activated automatically   |
| Existing        | No          | Active                              | Available in Mid-2025     |
| New             | Yes         | Not Applicable                      | Active by default         |
| New             | No          | Active                              | Available in Mid-2025     |

Please contact your Technical Account Manager (TAM) if you have any questions or comments.


Sign up today for a trial of Qualys Enterprise TruRisk Management.


Contributors

  • Sandeep Potdar, Senior Director, Product Management, VMDR, Qualys