Risk Scoring Models in Network Detection and Response (NDR)

Risk scoring models in NDR define how network threats are evaluated and ranked based on a combination of metrics. These models help security teams focus on high-impact, high-confidence threats while reducing noise from false alarms.

Risk scoring models in NDR (Network Detection and Response) are frameworks used to quantify and prioritize security threats based on a combination of behavioral analysis, threat intelligence, asset context, and attack sophistication.

What Is a Risk Scoring Model?

A risk scoring model is a framework used by NDR platforms to:

• Assign scores to network events, hosts, or users

• Quantify the severity, confidence, and context

• Categorize risk levels (Low, Medium, High, Critical)

• Drive automated response or alert prioritization

Common Risk Scoring Models in NDR

1. Static Threshold-Based Model

• Predefined scores are assigned based on fixed criteria.

• Easy to implement, but can lack nuance or adaptability.

Example:

• Port scan = 10 points

• Lateral movement = 40 points

• Data exfiltration = 70 points

Thresholds:

• <30 = Low

• 30–59 = Medium

• 60–89 = High

• 90+ = Critical

2. Weighted Scoring Model

• Each factor (threat type, asset value, etc.) is assigned a weight.

• Scores are calculated as a sum of weighted factors.

Sample Formula:

Pros: More balanced and adaptable
Cons: Requires tuning and domain knowledge

3. Machine Learning-Based Model

• NDR solutions uses supervised or unsupervised ML to dynamically learn risk patterns.

• Continuously updates based on new behavior and threat intelligence.

Key Components:

• Behavioral baselining (normal vs. abnormal)

• Cluster analysis (grouping related events)

• Feedback loops (analyst decisions improve the model)

4. Weighted Scoring Model (Rule-Based)

Description:

A manual, deterministic model where each factor contributing to risk (e.g., anomaly severity, asset criticality) is assigned a weight, and a final score is calculated using a formula.

Characteristics:

• Transparent

• Easy to customize

• Great for regulatory and audit use

5. Threat Intelligence Enrichment Model

Description:

In this case, NDR solutions risk scores are adjusted based on correlation with known Indicators of Compromise (IOCs) from threat intelligence feeds.

Characteristics:

• Adds external context to local events

• Helps identify known malware, C2 servers, botnets, etc.

Summary

Risk scoring models in NDR are essential to streamline threat detection and response by ranking alerts based on:

• Threat behavior

• Threat intelligence

• System sensitivity

• Attack progression

• Historical and contextual data

A modern NDR solutions system typically uses a hybrid approach combining deterministic and adaptive techniques to deliver precise, real-time prioritization.