Why It’s Time To Make Risk Scoring, Not Security Events, The Tip Of The Spear

Forbes – Saryu Nayyar
Aggregating data feeds from these various sources in a centralized data lake is the first step toward implementing risk scoring. By bringing all the information together in one place where it can be normalized, correlated and contextualized, the analysis becomes much more effective and efficient.

Next, several elements must be used to derive a risk score.

The first is access, which is a fundamental part of risk scoring. The second element is behavior, which covers what users and entities are doing, why, and how that compares to their peers. Users and entities are the next element. These are basically servers, workstations, laptops and any other network-connected devices, all of which exhibit some characteristic behaviors that can be used to identify them. Meanwhile, other resources (databases, individual files, records, etc.) get their own risk profiles. These, in turn, are tied to the risk scores of users and entities. Once a risk-scoring infrastructure is in place, it can provide the intelligence needed to support incident detection and response, forensics, and threat hunting.
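An added illustration (not from the article or any product) of how the elements above can combine: access events weighted by resource risk profiles, then compared with a leave-one-out peer baseline. The event schema, the 1-10 risk values and the exposure × deviation formula are all assumptions.

```python
from collections import defaultdict
from statistics import mean

# Assumed resource risk profiles on a 1-10 scale (illustrative values).
RESOURCE_RISK = {"payroll_db": 9, "hr_records": 8, "wiki": 1}
DEFAULT_RISK = 5  # assumed profile for resources nobody has rated yet


def make(entity, group, resource, n):
    """Build n constructed access events in one normalized schema."""
    return [{"entity": entity, "peer_group": group, "resource": resource}] * n


# Constructed sample: events from several feeds, already normalized.
EVENTS = (
    make("alice", "finance", "payroll_db", 1) + make("alice", "finance", "wiki", 1)
    + make("bob", "finance", "payroll_db", 1) + make("bob", "finance", "wiki", 1)
    + make("carol", "finance", "payroll_db", 6) + make("carol", "finance", "hr_records", 2)
    + make("srv-build-01", "build", "wiki", 3)  # device entity with no peers
)


def score_entities(events, resource_risk=RESOURCE_RISK):
    """Return {entity: score}, highest first (score = exposure * peer deviation)."""
    exposure = defaultdict(int)  # access weighted by resource risk profile
    groups = defaultdict(set)    # peer group -> member entities
    for ev in events:
        exposure[ev["entity"]] += resource_risk.get(ev["resource"], DEFAULT_RISK)
        groups[ev["peer_group"]].add(ev["entity"])

    scores = {}
    for members in groups.values():
        for entity in members:
            peers = [exposure[p] for p in members if p != entity]
            # Leave-one-out baseline so an outlier does not inflate its own norm;
            # an entity with no peers is compared with itself (deviation 1.0).
            baseline = mean(peers) if peers else exposure[entity]
            deviation = exposure[entity] / baseline if baseline else 1.0
            scores[entity] = round(exposure[entity] * deviation, 2)
    return dict(sorted(scores.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    for entity, score in score_entities(EVENTS).items():
        print(f"{entity:14} {score}")
```
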

Risk scoring also provides a valuable advantage for forensic investigations, giving analysts a reliable starting point for digging into the details of what happened. The events associated with a risk score identify which machines need to be torn down and what analysts should be looking for as they clear the environment. While there’s still plenty of manual investigation to be performed beyond the intelligence provided by risk scores, they give analysts a big head start.

Finally, for threat hunters who are charged with discovering latent threats lurking in the environment, risk scores again provide a valuable starting point.
Link: https://www.forbes.com/sites/forbestechcouncil/2021/01/22/why-its-time-to-make-risk-scoring-not-security-events-the-tip-of-the-spear/?sh=a07593057dc0

