Exploring the Relationship Between SOC Priority Levels and RWRS, CVSS, and VPR Scores

Created by Peter Bassill, Modified on Thu, 20 Mar at 6:19 PM by Peter Bassill

Effective incident management within a Security Operations Centre (SOC) relies on prioritising security events based on their potential impact and urgency. To achieve this, SOC teams utilise multiple scoring systems, such as the Real World Risk Score (RWRS), Common Vulnerability Scoring System (CVSS), and Vulnerability Priority Rating (VPR). These scores help determine the severity of vulnerabilities and incidents, ultimately influencing the assignment of SOC priority levels (P1 to P4).

This article explores how these scoring models interact with SOC priority levels, ensuring that incidents and vulnerabilities are managed efficiently to reduce risk, improve response times, and maintain compliance with security standards.


1. Overview of SOC Priority Levels

SOC priority levels are used to categorise incidents based on impact and urgency. These levels guide response efforts by indicating how quickly an incident must be addressed and how many resources should be allocated.

  • P1 (Priority 1): Critical incidents with immediate, high-impact risks (e.g., active data breaches or ransomware attacks).

  • P2 (Priority 2): High-priority incidents with significant but not immediate risks.

  • P3 (Priority 3): Medium-priority incidents with limited impact and urgency.

  • P4 (Priority 4): Low-priority incidents with minimal risk to operations or security.

The assignment of these priority levels is informed by various risk and vulnerability scoring systems, including RWRS, CVSS, and VPR.


2. The Real World Risk Score (RWRS)

The Real World Risk Score (RWRS) is a custom scoring system designed to prioritise vulnerabilities and incidents based on real-world threat data, such as exploitability, attacker behaviour, and potential impact on the organisation's infrastructure. RWRS is often calculated by combining multiple data sources, including threat intelligence, vulnerability severity, and the criticality of affected assets.


2.1. RWRS and SOC Priority Levels

RWRS helps SOC teams determine the true risk of a vulnerability or incident by providing contextual insights beyond theoretical severity scores. For example:

  • A high RWRS might trigger a P1 or P2 priority if the vulnerability is being actively exploited by attackers.

  • A moderate RWRS may result in a P3 priority if the vulnerability is present but has no known active exploits.

  • A low RWRS might correspond to a P4 priority, indicating minimal urgency.

The RWRS enables SOC analysts to focus on the most pressing threats by filtering out low-risk vulnerabilities that may not require immediate attention.


3. The Common Vulnerability Scoring System (CVSS)

The Common Vulnerability Scoring System (CVSS) is a widely used framework that assigns a severity score (ranging from 0 to 10) to vulnerabilities based on their technical characteristics. CVSS scores are broken down into three metric groups:

  1. Base Score: Measures the inherent properties of the vulnerability (e.g., attack vector, complexity, and impact).

  2. Temporal Score: Adjusts the base score based on factors such as exploit availability and remediation efforts.

  3. Environmental Score: Customises the score based on the organisation’s unique infrastructure and risk tolerance.


3.1. CVSS and SOC Priority Levels

While CVSS scores provide valuable information about the severity of vulnerabilities, the Base Score on its own does not account for real-world exploitability or business context. As a result, SOCs often use CVSS scores in conjunction with other metrics to assign priority levels:

  • CVSS 9.0+ (Critical severity) may justify a P1 or P2 priority if the vulnerability affects critical systems or services.

  • CVSS 7.0–8.9 (High severity) could trigger a P2 or P3 priority depending on the presence of mitigating factors, such as network segmentation.

  • CVSS 4.0–6.9 (Medium severity) typically aligns with P3 or P4 priorities, especially if there are no immediate threats of exploitation.

CVSS alone may over-prioritise vulnerabilities that are theoretically severe but unlikely to be exploited, which is why SOC teams often supplement it with real-world risk data.


4. The Vulnerability Priority Rating (VPR)

The Vulnerability Priority Rating (VPR), developed by security vendors like Tenable, provides a dynamic score that prioritises vulnerabilities based on exploitability, threat intelligence, and business context. VPR scores are updated frequently to reflect changes in the threat landscape, such as newly discovered exploits or shifts in attacker tactics.


4.1. VPR and SOC Priority Levels

VPR scores help SOCs prioritise vulnerabilities that are both severe and exploitable in the real world. This dynamic approach aligns closely with SOC operations:

  • High VPR scores (e.g., 9.0+) may elevate an incident to P1 or P2, especially if active exploitation is detected.

  • Moderate VPR scores may lead to P2 or P3 priorities, depending on the criticality of affected assets.

  • Low VPR scores typically correspond to P4 priorities, indicating that immediate remediation is not necessary.

Because VPR considers both exploitability and real-world threat data, it often provides a more accurate basis for prioritisation than static CVSS scores.


5. Integrating RWRS, CVSS, and VPR in SOC Operations

SOC teams can maximise efficiency by integrating RWRS, CVSS, and VPR into their incident management workflows. Here's how these scores can be used together:


5.1. Step 1: Initial Severity Assessment (CVSS)

CVSS scores provide a baseline understanding of the technical severity of a vulnerability or incident. This initial assessment helps analysts identify high-severity issues that require further evaluation.


5.2. Step 2: Real-World Threat Evaluation (RWRS and VPR)

RWRS and VPR scores add context by incorporating real-world threat intelligence. Analysts can determine whether a high CVSS score is truly urgent based on factors such as active exploitation, threat actor activity, and business impact.


5.3. Step 3: Priority Assignment

SOC analysts assign a priority level (P1 to P4) based on a combination of severity, exploitability, and operational risk. For example:

  • A CVSS 9.8 vulnerability with a VPR of 9.5 and a high RWRS might be assigned a P1 priority.

  • A CVSS 9.0 vulnerability with a VPR of 6.0 and a moderate RWRS could be assigned a P2 or P3 priority.

  • A CVSS 6.5 vulnerability with low exploitability may be classified as P4 despite its technical severity.
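
The three steps above can be expressed as a small triage routine. The following is an added example, not code from the article's author or any vendor. It treats RWRS as a high/moderate/low band because the article gives no numeric scale. The VPR cut-off of 4.0 for "moderate", the median-vote combination rule, the review flag and all names (`Finding`, `assign_priority`, the boolean context flags) are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    cvss: float                       # CVSS score, 0.0-10.0
    vpr: float                        # VPR score, 0.0-10.0
    rwrs: str                         # "high" | "moderate" | "low"
    actively_exploited: bool = False
    critical_asset: bool = False
    mitigated: bool = False           # e.g. network segmentation in place

def pick(band, urgent):
    """Return the more urgent end of a (urgent, relaxed) band when `urgent`."""
    return band[0] if urgent else band[1]

def cvss_priority(f):                 # Step 1: severity baseline (section 3.1)
    if f.cvss >= 9.0:
        return pick((1, 2), f.critical_asset)
    if f.cvss >= 7.0:
        return pick((2, 3), not f.mitigated)
    if f.cvss >= 4.0:
        return pick((3, 4), f.actively_exploited)
    return 4                          # assumption: no band given below 4.0

def vpr_priority(f):                  # Step 2: threat context (section 4.1)
    if f.vpr >= 9.0:
        return pick((1, 2), f.actively_exploited)
    if f.vpr >= 4.0:                  # assumption: "moderate" starts at 4.0
        return pick((2, 3), f.critical_asset)
    return 4

def rwrs_priority(f):                 # Step 2: threat context (section 2.1)
    if f.rwrs not in ("high", "moderate", "low"):
        raise ValueError(f"unknown RWRS band: {f.rwrs!r}")
    if f.rwrs == "high":
        return pick((1, 2), f.actively_exploited)
    return 3 if f.rwrs == "moderate" else 4

def assign_priority(f):               # Step 3: combine into P1-P4
    votes = sorted([cvss_priority(f), vpr_priority(f), rwrs_priority(f)])
    needs_review = votes[-1] - votes[0] >= 2   # scores disagree: analyst decides
    return f"P{votes[1]}", needs_review        # median vote (assumed rule)

# Constructed inputs mirroring the article's three examples.
print(assign_priority(Finding(9.8, 9.5, "high", True, True)))
print(assign_priority(Finding(9.0, 6.0, "moderate")))
print(assign_priority(Finding(6.5, 2.5, "low")))
```

The second element of the result flags findings where the three scores disagree by two or more priority levels, such as a CVSS 9.5 issue with low VPR and low RWRS, so an analyst confirms the outcome rather than the median silently deciding it.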


6. Benefits of Prioritisation Based on Multiple Scores

Integrating RWRS, CVSS, and VPR scores into SOC operations offers several advantages:

  • Improved Response Efficiency: SOC teams can focus on the most critical incidents, reducing the risk of overlooking high-impact threats.

  • Reduced Alert Fatigue: By deprioritising low-risk vulnerabilities, analysts can avoid becoming overwhelmed by false positives or non-urgent alerts.

  • Enhanced Risk Management: SOCs can align incident priorities with the organisation’s risk tolerance, ensuring that resources are allocated where they are most needed.

  • Regulatory Compliance: Many frameworks, including IMO Resolution MSC.428(98) and ISO/IEC 27001, require organisations to implement risk-based incident management processes.


7. Conclusion

The relationship between SOC priority levels and risk scores such as RWRS, CVSS, and VPR is essential for effective incident management. While CVSS provides a technical severity baseline, RWRS and VPR offer real-world context that helps SOC teams prioritise incidents based on actual risk. By leveraging these scoring systems, organisations can improve their security posture, optimise response efforts, and ensure compliance with regulatory requirements.

For more guidance on SOC operations, vulnerability prioritisation, or custom risk scoring, contact our cybersecurity experts today.
