Lumin Metrics

Tenable Lumin uses several metrics to help you assess your Cyber Exposure risk.

Cyber Exposure Score (CES)
Vulnerability Priority Rating (VPR)
Asset Criticality Rating (ACR)
Asset Exposure Score (AES)
Tenable Vulnerability Indicator (TVI)

Cyber Exposure Score (CES)

Tenable calculates a dynamic CES that represents Cyber Exposure risk as an integer between 0 and 1000, based on the Asset Exposure Score (AES) values for assets scanned in the last 90 days. Higher CES values indicate higher risk.

You can view CES for different groups of assets, including:

the CES for your entire organization (e.g., the CES displayed in the Cyber Exposure Score widget)
the CES for assets in a specific business context (e.g., the CES displayed in the Cyber Exposure Score by Business Context widget).

To view the CES for your entire organization or tag-specific CES values, view the widgets on the View the Lumin Dashboard.

Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for most vulnerabilities. The VPR is a dynamic companion to the static data provided by the vulnerability's CVSS score and severity, since Tenable updates the VPR to reflect the current threat landscape. VPR values range from 0.1-10.0, with a higher value representing a higher likelihood of exploit.

Note: Vulnerabilities without CVEs in the National Vulnerability Database (NVD) (e.g., many vulnerabilities with the Info severity) do not receive a VPR. Tenable recommends remediating these vulnerabilities according to their CVSS-based severity.

Note: You cannot edit VPR values.

Tenable.io provides a VPR value the first time you scan a vulnerability on your network. Then, Tenable.io automatically provides new and updated VPR values daily.

Tenable recommends prioritizing vulnerabilities with the highest VPRs that are present on your assets with the highest ACRs.

To view the VPR for a specific vulnerability, view vulnerabilities as described in View All Vulnerabilities in Lumin.

VPR Key Drivers

Tenable uses the following key drivers to calculate a vulnerability's VPR.

Note: Tenable does not customize these values for your organization; VPR key drivers reflect a vulnerability's global threat landscape.

Key Driver	Description
Age of Vuln	The number of days since the National Vulnerability Database (NVD) published the vulnerability.
CVSSv3 Impact Score	The NVD-provided CVSSv3 impact score for the vulnerability. If the NVD did not provide a score, Tenable.io displays a Tenable-predicted score.
Exploit Code Maturity	The relative maturity of a possible exploit for the vulnerability based on the existence, sophistication, and prevalence of exploit intelligence from internal and external sources (e.g., Reversinglabs, Exploit-db, Metasploit, etc.). The possible values (High, Functional, PoC, or Unproven) parallel the CVSS Exploit Code Maturity categories.
Product Coverage	The relative number of unique products affected by the vulnerability: Low, Medium, High, or Very High.
Threat Sources	A list of all sources (e.g., social media channels, the dark web, etc.) where threat events related to this vulnerability occurred. If the system did not observe a related threat event in the past 28 days, the system displays No recorded events.
Threat Intensity	The relative intensity based on the number and frequency of recently observed threat events related to this vulnerability: Very Low, Low, Medium, High, or Very High.
Threat Recency	The number of days (0-730) since a threat event occurred for the vulnerability.

Threat Event Examples

Common threat events include:

An exploit of the vulnerability
A posting of the vulnerability exploit code in a public repository
A discussion of the vulnerability in mainstream media
Security research about the vulnerability
A discussion of the vulnerability on social media channels
A discussion of the vulnerability on the dark web and underground
A discussion of the vulnerability on hacker forums

Asset Criticality Rating (ACR)

Tenable assigns an ACR to each asset on your network to represent the asset's relative criticality as an integer from 1 to 10. A higher ACR indicates higher criticality.

Tenable.io provides an ACR value the first time you scan an asset on your network. Then, Tenable.io automatically provides new and updated ACR values daily.

Note: Tenable recommends reviewing your Tenable-provided ACR values and overriding them, if necessary. You can customize ACR values to reflect the unique infrastructure or needs of your organization, as described in Edit an ACR.

To view the ACR for a specific asset, view the asset details as described in View Asset Details.

ACR Key Drivers

Tenable uses the following key drivers to calculate an asset's Tenable-provided ACR.

Note: Tenable does not customize these values for your organization; ACR key drivers reflect the global threat landscape associated with the asset's characteristics.

Key Driver	Description
device_type	The device type. For example: hypervisor — The device is a Type-1 hypervisor that hosts a virtual machine (e.g., Microsoft Hyper-V, VMware ESX/ESXi, or Xen). printer — The device is a networked printer or a printing server.
device_capability	The device's business purpose. For example: file_server — The device is a server that provides file sharing services (e.g., an FTP, SMB, NFS, or NAS server). mail_server — The device is a server designated for sending and receiving emails.
internet_exposure	The device's location on your network and proximity to the internet. For example: internal — The device is located within your local area network (LAN), possibly behind a firewall. external — The device is located outside your LAN and not behind a firewall.

Key Driver

Description

device_type

The device type. For example:

hypervisor — The device is a Type-1 hypervisor that hosts a virtual machine (e.g., Microsoft Hyper-V, VMware ESX/ESXi, or Xen).
printer — The device is a networked printer or a printing server.

device_capability

The device's business purpose. For example:

file_server — The device is a server that provides file sharing services (e.g., an FTP, SMB, NFS, or NAS server).
mail_server — The device is a server designated for sending and receiving emails.

internet_exposure

The device's location on your network and proximity to the internet. For example:

internal — The device is located within your local area network (LAN), possibly behind a firewall.
external — The device is located outside your LAN and not behind a firewall.

Asset Exposure Score (AES)

Tenable calculates a dynamic AES for each asset on your network to represent the asset's relative exposure as an integer between 0 and 1000. A higher AES indicates higher exposure.

Tenable calculates AES based on the current ACR (Tenable-provided or custom) and the VPRs associated with the asset.

Tenable Vulnerability Indicator (TVI)

Tenable assigns a TVI (TVI-####-#####) to all unique, publicly disclosed vulnerabilities to uniquely identify an individual vulnerability on your network.

Vulnerabilities With TVIs	Vulnerabilities Without TVIs
Vulnerabilities that are CVE-published Vulnerabilities that are not CVE-published Vulnerabilities that are covered by Tenable plugins Vulnerabilities that are not covered by Tenable plugins	General security weaknesses (e.g., unsupported software) Vulnerabilities within your in-house, custom applications

Tip: Tenable.io identifies a vulnerability by CVE, if available. If no CVE is available, Tenable.io displays the TVI. If no TVI is available, Tenable.io displays the plugin ID.

To view the TVI for a specific vulnerability, view the vulnerability details as described in View Vulnerability Details.

Copyright © 2019 Tenable, Inc. All rights reserved. Tenable, Tenable.io, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc.. Tenable.sc, Lumin, Assure, and the Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.