Risks and Recommendations documentation for IBM Support Insights

Getting a risk overview

Using the Alerts tab of the Risks and Recommendations page, users can get an at-a-glance view of the potential threats to their IT environment and focus on handling them. The views help understand risks, and provide information and insights needed for effective targeting and mitigating the possible negative outcomes associated with the assets in question.

Note, the Asset analysis tab of the Risks and Recommendations page is a Pro feature and further details on its contents may be found in the Pro features page. For information on how to obtain those features, please go to this page.

Risks summary

Risk scores represent the risk to your IT inventory and are driven by the available data regarding your assets including vendor, model, machine type, contract and warranty information, and software levels (OS/firmware version). The overall risk score is a summary score for your entire IT estate - the lower the score, the lower the risk. The color of the risk score dial ranges from teal through purple to red as the score increases. The Risk History graph shows a running summary of risk levels, on a month-to-month basis, for a better understanding of the relative trends in threat exposure.

In addition to the overall risk score value, there is also a risk score delta and a risk score category label. The risk score delta is represented as a percentage value and is located right below the risk score itself. The delta is calculated by taking a historical risk score, most commonly from 12 months ago when available, and comparing it to the latest available risk score, most commonly for the current month. The delta then signifies if the risk score value has increased or decreased within the available time-frame. Note, if a risk score from 12 months ago is not available, the calculation is made using the oldest available historical value within a 12-month period. The next element - the risk score category label - is located immediately after the risk score value and risk score delta, and provides information as to what range the risk value itself falls into. The available risk score category labels depend on the risk score value and range from High to Low, as follows:

  • High (100-91)
  • Medium-High (90-70)
  • Medium (69-50)
  • Medium-Low (49-25)
  • Low (24-0)

Please note, the coverage, hardware and firmware risk calculations do not include virtual assets regardless what state the virtual assets toggle is in.

Selecting inventory

When viewing the Risks and Recommendations page, the default behavior of the application is to show details for the entire inventory. In order to focus on specific groups of assets, use the global filters accessed from the right-hand of the page's header. For more details about setting up global filters, please view the global filters section.

Understanding risk components

The overall risk score comprises risk factors across security vulnerabilities, support coverage, operating system/firmware risks, and hardware risks.

Risk factors

Categories of risk scores are computed using data and insights from a variety of sources and analyses:

  • Security - Common Vulnerabilities and Exposures (CVEs) for known OS and firmware levels
  • Coverage - Contract and warranty expiration events
  • OS/Firmware - Software end-of-support events and OS/firmware diversity
  • Hardware - Hardware end-of-support events and vendor field notices (Cisco only)

Scores are normalized using an advanced technique to show risk relative to a broader, proprietary benchmark that we have developed through years of experience supporting IT equipment. A low score does not signify the lack of risk, but rather less risk than typical. Likewise, a high score does not necessarily mean very high risk, but rather more risk than typical.

Risk scores are data intensive and are calculated using information about the inventory captured in IBM Support Insights. As with the overall risk score, each individual risk score also has a colored dial, a total risk score, a risk delta and a risk label. These elements are positioned for each score in the same manner as they are positioned for the previously outlined overall risk score.

If scores or alerts for different categories are not populated, it is most likely due to lack of sufficient data for calculating a score or populating an alert. In such instances, you may consider augmenting the inventory data by using the manual bulk assets edit option directly in the application or using automated inventory update utilities including the CMDB Connector for ServiceNow or OEM data collectors such as the Cisco Common Service Platform Collector (CSPC). For more on these collectors, please view the data collectors section.

To explore the sources of risk, select one of the risk category dials to see the alerts that are impacting the score.

Selecting risk categories

In order to view alerts for a specific risk category, click on one of the four risk category dials and the specific alerts related to that category will be displayed.

Alert category - detailed view

The OS/Firmware risk category specifically has an additional breakdown included, allowing you to view either all alerts of the type simultaneously or view each of the included sub-categories separately. The selector is presented as an additional horizontal bar located between the risk category selector and the alerts list. Bear in mind, the Microcode sub-category (wherever required technical data is available) and the HIPERs sub-category are Pro functionalities, thus you will only be able to view the alert details, but not the affected inventory and recommendations while using the Standard Support Insights tier. For details on how to upgrade and the benefits of doing so, please go to this page.

Please note, the remaining three risk categories do not have sub-tabs or additional category breakdowns, as shown in the displayed image.

Understanding alerts list

An alert is a detailed warning of a vulnerability for one or more affected assets that can be proactively addressed.

When a dial is selected, a list view containing all the alerts for the given category is populated on the left-hand side of the screen. The list is sorted by default to show the alerts list from High risk to Low risk. The sorting can be reversed, to display alerts with Low risk first and High risk last, by using the arrow on the right-hand side of the list's header.

Alert list

The list may be filtered to show only unread alerts, as well as only ignored or non-ignored alerts. The default view displays all non-ignored alerts. Clicking on the read/unread button, displayed as a circle on the top right-hand side of the list, toggles between viewing all alerts and only unread alerts. Clicking on the ignore button, displayed as an eye on the top right-hand side of the list, toggles between viewing non-ignored alerts and ignored alerts. For details on how to mark an alert as read/unread and how to ignore/stop ignoring an alert, go to the alerts details section.

Each alert in the list includes the alert type, an alert title, and a risk score. This alert risk score is determined based on the type, priority, and time-frame (immediate versus projected) of the risk. Risk priority levels for alerts are categorized as High, Medium and Low, depending on the risk score, as follows:

  • High (100-70)
  • Medium (69-40)
  • Low (39-0)

Alerts are scored based on the nature of the alert. The higher the value, the more important it is to review and remediate. Sometimes alerts have scores that seem out of line with the category risk score, e.g. many high alerts, but category risk score is lower or vice versa. There are a number of reasons for this disparity including the weighting of individual alerts, impacted inventory, and normalization that occurs in the category risk score.

Exploring alert details

To view an alert's details, click on an alert from the list. The Alert Details tab shows more details about the alert itself in order to help you understand the nature, scope, and inherent risk of the alert.  The information varies depending on the alert type. However, all alerts include: the number of devices impacted, the risk score, and a summary of the nature of the alert. Often the details will include one or more links to additional information about the alert, such as for example NIST CVE, manufacturer's field notice, and others.

Alert details

When you open an alert from the alerts list in order to view its details - it is automatically marked as read. A Mark as unread button is then displayed on the top side of the Alert Details tab - it may be used to mark the specific alert as unread, so that it may be once again displayed in the Unread filtered view of the alerts list. If an alert is marked as unread, it can then be marked as read again, by clicking the same button which will now be displayed as Mark as read and in different color.

Alert details - mark as read

If you navigate to another alert and then go back to the one manually marked as unread - it will automatically become read again.

Additionally, alerts may be ignored using the Ignore button displayed on the top side of the Alert Details tab. When an alert is marked as ignored, it will be hidden from the unfiltered alerts list on the left-hand side of the screen as the list's default view displays only non-ignored alerts. The alert may be marked once again as non-ignored by using the same button, which will now be displayed as Stop ignoring and in different color.

Alert details - mark as unignored

Viewing affected assets

To view the assets affected by an alert, click on the Affected Inventory tab. This shows a list view of all the assets impacted by an alert. The list view shows only a subset of the asset properties relevant to the alert type in order to help make decisions on how best to proceed.

Affected inventory

The icons beside the "Overall Risk" score in the table view are based on the alert ranges:

  • High (100-70) High icon
  • Medium (69-40) Medium icon
  • Low (39-11) Info icon
  • No risk (10-0) No risk icon

The Affected Inventory table allows users to select assets, export assets (export all and export selected), edit asset properties and search within the list of assets. Furthermore, you can select which data points you wish to have in view using the column selector of the table.

Reviewing recommendations

Click the Recommendations tab in order to see guidance for addressing an alert. Recommendations include specific suggestions and options for remediating the issue at hand. Depending on the risk category, the recommendations may include information about patches to apply, versions to upgrade to, advisory replacement options, and others. Not all alerts have specific recommendations, but they generally provide best practice guidance for helping mitigate risk from the alert.

Alert recommendations