Asset Priority rating
When setting up your Nanitor instance, you need to perform a risk assessment of your assets to assign static priority ratings to each asset. The success of Nanitor’s priority rating system depends on priority ratings being assigned appropriately to your assets.
By default, each asset’s priority rating is set based on its assigned benchmark. On a clean install, every benchmark will assign a 5/5/5 (Confidentiality/Integrity/Availability) priority rating, but this should be changed for each benchmark under Organization Management → Settings → Benchmarks, to match the organization’s security requirements.
Priority ratings can also be overridden for specific asset labels under Organization Management → Labels, or for individual assets on the asset detail page. It is highly encouraged to customize each label to suit the organization's security requirements.
Creating asset labels for different security requirements and setting priority rating overrides on them is the recommended approach. For more discussion, see the Labeling best practices article.
When an asset has multiple labels, it will be assigned the highest priority rating of its labels in each category, unless it has asset-level overrides.
Dynamic asset priority rating
Dynamic asset priority ratings are calculated as the static priority rating modified by four priority elevators, factors that raise or lower the priority rating:
- If the asset shares a domain with another asset that has a higher static priority rating in any of the three categories, the dynamic priority rating in that category is adjusted upward by 20% of the difference between the two. For instance, if an asset has a static Confidentiality priority rating of 5, and it shares a domain with another asset with a static Confidentiality priority rating of 10, then the first asset’s dynamic Confidentiality priority rating will be adjusted upwards by (10 - 5) * 0.2, or 1, going from 5 to 6.
- If the asset shares a user with another asset that has a higher static priority rating in any of the three categories, the dynamic priority rating in that category is adjusted upward by 30% of the difference between the two. For instance, if an asset has a static Integrity priority rating of 5, and it shares a user with another asset with a static Integrity priority rating of 10, then the first asset’s dynamic Integrity priority rating will be adjusted upwards by (10 - 5) * 0.3, or 1.5, going from 5 to 6.5.
- If the asset shares a subnet with another asset that has a higher static priority rating in any of the three categories, the dynamic priority rating in that category is adjusted upward by 10% of the difference between the two. For instance, if an asset has a static Availability priority rating of 5, and it shares a subnet with another asset with a static Availability priority rating of 10, then the first asset’s dynamic Availability priority rating will be adjusted upwards by (10 - 5) * 0.1, or 0.5, going from 5 to 5.5.
When multiple elevators combine, treat each elevator as a multiplier on the gap between the asset’s static priority rating and the highest static priority rating. The domain elevator multiplies the gap by 0.8, the user elevator multiplies the gap by 0.7, and the subnet elevator multiplies it by 0.9. Thus, if asset A with a static Confidentiality priority rating of 5 shares all three with a neighboring asset B with a static Confidentiality priority rating of 10, the gap between the two (10 - 5) will be multiplied by 0.8 * 0.7 * 0.9, or 0.504, resulting in a gap of 2.52. This is then subtracted from the highest-priority neighbor’s static Confidentiality priority rating of 10 and rounded, resulting in a dynamic Confidentiality priority rating of 7.5.
It’s a little more complicated when the highest-priority domain neighbor, the highest-priority user neighbor, and the highest-priority subnet neighbor are different assets with different static priority ratings. For example, if assets A and B share the same user and subnet but not the same domain, and the highest-priority asset sharing a domain with A is asset C with a static Confidentiality priority rating of 7.5, the domain elevator’s impact is halved, because the gap between 5 and 7.5 is half as large as the gap between 5 and 10. This effectively means the domain elevator’s multiplier becomes 0.9 instead of 0.8 (it reduces the gap by 10% instead of 20%), and the priority rating instead becomes 10 - (10 - 5) * 0.9 * 0.7 * 0.9 = 7.2.
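The following is an added worked example, not Nanitor's own code, that reproduces the elevator arithmetic above for a small constructed inventory. The Asset fields, the rule that an elevator's rate is scaled by the fraction of the overall gap its own best neighbor covers (inferred from the asset-C example, where 7.5 against 10 turns 0.8 into 0.9), and the one-decimal rounding are assumptions made for the example.

```python
"""Dynamic asset priority rating, following the elevator rules in the article."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Elevator rates from the article: each elevator raises the rating by this share
# of the gap to the highest-rated neighbour sharing the attribute.
ELEVATOR_RATES = {"domain": 0.20, "user": 0.30, "subnet": 0.10}


@dataclass
class Asset:  # constructed model; field names are an assumption for the example
    name: str
    static: Dict[str, float]          # e.g. {"confidentiality": 5.0, ...}
    domain: Optional[str] = None
    subnet: Optional[str] = None
    users: Set[str] = field(default_factory=set)


def shares(a: Asset, b: Asset, attribute: str) -> bool:
    """True when a and b share the given attribute (domain, subnet or any user)."""
    if attribute == "user":
        return bool(a.users & b.users)
    va, vb = getattr(a, attribute), getattr(b, attribute)
    return va is not None and va == vb


def dynamic_rating(asset: Asset, inventory: List[Asset], category: str) -> float:
    """Unrounded dynamic rating of `asset` in one CIA category.

    Each elevator is a multiplier on the gap between the asset's static rating and
    the highest static rating among all its neighbours. When an elevator's own best
    neighbour sits below that maximum, its rate is scaled by the fraction of the
    gap that neighbour covers (assumption inferred from the article's example).
    """
    static = asset.static[category]
    best = {}  # highest neighbour static rating per elevator
    for elevator in ELEVATOR_RATES:
        peers = [o.static[category] for o in inventory
                 if o is not asset and shares(asset, o, elevator)]
        best[elevator] = max(peers, default=static)
    top = max(best.values())
    gap = top - static
    if gap <= 0:  # no higher-rated neighbour: the static rating stands
        return static
    multiplier = 1.0
    for elevator, rate in ELEVATOR_RATES.items():
        covered = max(best[elevator] - static, 0.0) / gap  # 1.0 for a neighbour at `top`
        multiplier *= 1.0 - rate * covered                 # e.g. 0.8 for the domain elevator
    return top - gap * multiplier  # round(..., 1) gives the displayed rating
```

Running `round(dynamic_rating(a, [a, b], "confidentiality"), 1)` for the asset A/B setup from the text yields 7.5; swapping in the asset-C domain neighbour yields 7.2.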