Extreme Risk Score Makeover: InsightVM Edition - Looking for input/suggestions

The Goal: Apply custom criticality or calculate custom risk scores based on a number of attributes not currently inherent in IVM tags or capabilities. The desire is to adjust risk scores dynamically so that teams can prioritize patching based on “real-life” risk (honestly, something almost as close as if you’d actually performed a manual risk assessment on each individual vulnerability finding). The environment includes AWS and is moderately ephemeral (a few thousand instances get rolled daily); total instance count is 10k+.

The running list of attributes we’d like to contribute to scoring currently looks like:

  • External Exposure
    • Direct
    • Indirect
    • Specific Subnets
  • Internal Exposure
    • Directly from VPN?
    • Jump host only?
    • Branch offices (Direct VPN)
  • Known exploit
  • Compliance Level (How bad is the asset holistically)
  • Compliance Scope?
  • Current Patching Mechanism
  • Data Classifications
  • Revenue Risk
  • Service Tier
  • Container Exposure
  • Compensating Control Strength (How easy is it to bypass the thing that you said is blocking it)
  • Vulnerable Feature/Service/Library in use?

Of all those, it looks like there is only one item IVM actually knows about: Known Exploit.

Let’s just assume I can bring in the other attributes through a custom tag for each asset.

The problem I’m seeing is that I don’t have the ability to group assets statically; they are going to be in dynamic asset groups that populate based on those custom tags. It appears I’m restricted from adjusting criticality through dynamic asset groups due to circular reference protection. Does that mean I’d have to create sites for each individual attribute and populate those with the dynamic asset groups?

I’m looking for input from anyone who has really dug into either custom risk strategies or setting up a complex set of criticality multipliers based off of such a large list of attributes.

Also, does anyone know where to find documentation on the custom risk strategy XML and its capabilities? The online docs literally just say “It is recommended that you refer to the XML files of the built-in strategies as models for the structure and content of the VulnerabilityRiskStrategy sub-element.” The existing strategy files are pretty sparse, with the exception of real_risk, which only shows logic based off of the CVSS vector attributes, exploit, and malware counts. Is it even possible to leverage any of the stuff I’m looking for into a custom risk XML?

One of the solutions on the table is to literally export the IVM dataset out and run my risk calculations there, but that seems like a bigger-hammer approach - I’d like to keep it all inside IVM if possible.

Thanks in advance!
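The “export the dataset and score it outside IVM” option mentioned in the post, as an added example that is not part of the original post and not InsightVM’s own risk-strategy XML or API. It assumes a CSV export with one row per finding where the custom asset tags from the list above have been carried into columns; every column name, tag vocabulary and weight is an assumption to be tuned, and the sample export is constructed, not real scan data. The point it demonstrates is that a 9.8 CVSS finding behind a jump host with strong compensating controls, or on a box where the vulnerable feature is not in use, can legitimately rank below a 7.5 that is directly exposed with a known exploit; unknown or missing tags fail closed to the harshest multiplier and are reported so the tagging gap gets fixed.

```python
"""Offline custom risk scoring over an InsightVM CSV export.

Added example for this thread; it is not InsightVM's own risk-strategy XML
or API. Column names, tag vocabularies and weights are all assumptions.
"""
import csv
import io

# Assumed multipliers per tag value. Exposure, data classification and
# service tier raise the score; a known exploit doubles it; compensating
# control strength divides it; a vulnerable feature that is not in use
# discounts it heavily.
EXPOSURE = {"direct": 2.0, "indirect": 1.5, "vpn": 1.2, "jump-host": 0.8, "none": 1.0}
DATA_CLASS = {"restricted": 1.8, "confidential": 1.4, "internal": 1.0, "public": 0.7}
SERVICE_TIER = {"1": 1.5, "2": 1.2, "3": 1.0}
KNOWN_EXPLOIT = 2.0
CONTROL_STRENGTH = {"0": 1.0, "1": 1.25, "2": 1.5, "3": 2.0}  # 3 = hard to bypass
FEATURE_NOT_IN_USE = 0.25


def _lookup(table, value, reasons, name, worst=max):
    """Fail closed: an unrecognised or missing tag gets the harshest multiplier
    (largest for boosts, smallest for the control divisor) and is reported."""
    key = (value or "").strip().lower()
    if key in table:
        return table[key]
    reasons.append(f"{name}={value!r} unrecognised, assumed worst case")
    return worst(table.values())


def score_finding(row):
    """Return (score, reasons) for one exported finding row."""
    reasons = []
    score = float(row["cvss_score"])
    score *= _lookup(EXPOSURE, row.get("tag_exposure"), reasons, "exposure")
    score *= _lookup(DATA_CLASS, row.get("tag_data_class"), reasons, "data_class")
    score *= _lookup(SERVICE_TIER, row.get("tag_service_tier"), reasons, "service_tier")
    if (row.get("known_exploit") or "").lower() == "yes":
        score *= KNOWN_EXPLOIT
        reasons.append("known exploit")
    score /= _lookup(CONTROL_STRENGTH, row.get("tag_control_strength"),
                     reasons, "control_strength", worst=min)
    if (row.get("tag_feature_in_use") or "").lower() == "no":
        score *= FEATURE_NOT_IN_USE
        reasons.append("vulnerable feature not in use")
    return round(score, 2), reasons


def rank_findings(csv_text):
    """Score every row of the export; return (asset, finding, score, reasons)
    tuples, highest risk first."""
    scored = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        score, reasons = score_finding(row)
        scored.append((row["asset"], row["finding"], score, reasons))
    return sorted(scored, key=lambda r: r[2], reverse=True)


# Constructed sample export (not real scan data). Finding ids are placeholders.
SAMPLE_EXPORT = """\
asset,finding,cvss_score,known_exploit,tag_exposure,tag_data_class,tag_service_tier,tag_control_strength,tag_feature_in_use
web-01,finding-1,7.5,yes,direct,confidential,1,0,yes
db-01,finding-2,9.8,no,jump-host,restricted,1,3,yes
batch-07,finding-3,9.8,yes,none,internal,3,0,no
"""

if __name__ == "__main__":
    for asset, finding, score, reasons in rank_findings(SAMPLE_EXPORT):
        print(f"{score:7.2f}  {asset:10} {finding:10} {'; '.join(reasons)}")
```

Running it on the constructed export ranks finding-1 (7.5, direct, exploited, no controls) first at 63.0, finding-2 (9.8 behind a jump host with strong controls) at 10.58, and finding-3 (9.8 but vulnerable feature unused) at 4.9. The `reasons` list is there so the team can see why a score moved, which matters more than the exact weights when defending a prioritisation decision.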