Vulnerabilities by ACR

Asset Criticality Rating (ACR) establishes the priority of each asset based on indicators of business value and criticality. ACR is based on several key metrics such as business purpose, asset type, location, connectivity, capabilities, and third-party data. ACRs range from 0 to 10. Assets with a low ACR are not considered business critical. Assets with a high ACR are considered to be the organization’s most critical and carry the greater business impact if compromised. This section displays risk by ACR, Common Vulnerability Scoring System (CVSS), exploitability by Attack Vector and Framework.

The Asset Count by ACR widget helps track assets in the environment by grouping them based on their Asset Criticality Score (ACR). The bars are split by showing assets with an ACR score of 1-5 and then one bar per score 6 to 10. The requirements for this widget are: Tenable Vulnerability Management, Tenable Web App Scanning, and Tenable Cloud Security.

Navigate to the Assets page and select an asset to view the asset details and the ACR key driver information for any asset. In the lower left corner of the assets details page reference the Asset Criticality Rating information and click More.

The key drivers are displayed, as shown in the following image:

Tenable Security Center has several ACR Summary components available to organizations, including the ACR Summary - Highlighted Patches (VPR and ACR 7-10) which provides security teams with a risk reduction plan that reduces the greatest risk when patching the highest risk vulnerabilities on the most business-critical assets. This component leverages the VPR 7-10 and ACR 7-10 filters in conjunction with the Remediation Summary tool to provide a focused view of patches that should be considered at a higher priority than other patches. The columns display recommended solutions with the greatest risk reduction at the top, as well as the associated risk reduction percentage and the host count included in the solution. Each solution can include one or more patches to be applied to one or more hosts. The Remediation Summary tool, in conjunction with the ACR filter, enables Security Teams to prioritize which vulnerabilities to remediate first for an immediate impact on the organization’s vulnerability posture

Click on View Data > or navigate to the Analysis page and select a vulnerability to view the asset details and the ACR key driver information for any asset. In the upper right corner of the details page reference the Asset Criticality Rating information and Key Drivers.

Tenable assigns an ACR to each asset on the network to represent the relative criticality of the asset as an integer from 1 to 10. A higher ACR indicates higher criticality. Tenable Lumin customers have the ability to adjust the default Tenable ACR to more accurately reflect organizational risk. Refer to the Edit an ACR Manually page for more information.

Note: For customers without Tenable Lumin, the ACR is set to 0, and is reflected accordingly. Leveraging Tenable Lumin provides context of the risk per asset, making the vulnerability management program more effective.

Temporal metrics are metrics that change over time. Factors that can alter the Temporal score are: Exploit Code Maturity, Remediation Level, and Report Confidence. If a vendor has created a patch, which is widely available, the Temporal score is lower, likewise if known exploits are widely available, the score will be higher. Environmental metrics are specific to the organization, and include attributes related to the business criticality of the exposed asset, and any mitigation measures or compensating controls that are in place. Organizations can modify Environmental attributes if compensating controls are in place, thereby modifying the overall CVSS Score. The core concern is that incorrectly used Environmental score changes have a significant impact. For example, a vulnerability with a CVSS Base Score of 9.9 (Critical) and a CVSS Temporal Score of 9.9 (also Critical) has an overall score of 9.9. Combine these scores with a CVSS Environmental score of 3.2 and the Overall Score is reduced to 3.2 (Low). This is an extreme example, but illustrates what may occur if the CVSS Environmental score is modified incorrectly.

These critical pieces of information are included in ACRs, and help organizations to effectively prioritize remediation and enhance CVSS Base scores.