Prioritization and Deployment Bots
Most patching programs need one bot each for critical, high, and medium vulnerabilities. You can use CVSS Severity or VPR Severity to define them. Tenable recommends VPR, since VPR scores are affected by exploit activity. A critical VPR vulnerability is a much higher risk to you than the typical critical CVSS vulnerability.
To create a deployment bot:
- Navigate to Bots > Patch Deployment Bots from the menu on the left.
- Click New and follow the steps.
- Create a bot for critical vulnerabilities.
- Choose CVSS or VPR as appropriate.
- Repeat for high, medium, and (optionally) low vulnerabilities.
- Navigate back to Strategy > Patching Strategies and choose a patching strategy to edit.
- Scroll down to Deployment Settings.
- Add the bots you created.
At this point, you have all the components in place you need to automate the desired outcomes from a simple CVSS-based or VPR-based Exposure Response initiative.
All that is left is to prove the concept, and then add more products to the strategy to gain more coverage. Windows, Microsoft Office, and the major web browsers are good places to start. With those vulnerabilities closed, navigate to Tenable > CVE Coverage and scroll down to the section marked Missing From Strategy to find vulnerable products in your environment that you aren’t patching and that need to be added to a patching strategy. You can click each item and use the Actions menu to add it to at least one of your enabled strategies.