Cloud Resources (Tenable Cloud Security)
Vulnerability Priority Rating
When calculating the VPR for Cloud policy violations (detections), Tenable uses the NIST Common Configuration Scoring System (CCSS). CCSS scores software security configuration issues rather than software flaws. It is largely based on CVSS and on the Common Misuse Scoring System (CMSS), and it is intended to complement them. The CCSS metrics are organized into three groups: base, temporal, and environmental. Base metrics describe the characteristics of a configuration issue that are constant over time and across user environments. Temporal metrics describe characteristics that can change over time but remain constant across user environments. Tenable uses the environmental metrics to adjust the base and temporal scores for the characteristics of a specific user environment.
For each policy category, such as Encryption and Key Management, Tenable derives the confidentiality, integrity, and availability (CIA) impact and exploitability parameters from the nature of the configuration issue. In CCSS, the Exploitation Method metric is either Active (A) or Passive (P). An active misconfiguration is one an attacker can directly act on to exploit (for example, an unencrypted S3 bucket), while a passive misconfiguration does not give the attacker a direct foothold but weakens a defender's ability to prevent, detect, or respond (for example, logging is disabled). For the temporal and environmental metrics, Tenable derives the exploit level from external threat sources, while the remediation level is based on internal policy violation data.
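The following added example is not Tenable's code. It carries the CCSS base-score arithmetic (NIST IR 7502, which reuses the CVSS v2 base equations and metric weights) through for the two sample misconfigurations named above. The metric vectors assigned to those two cases are assumptions chosen for illustration, not Tenable's actual assignments, and the temporal and environmental adjustments are deliberately left out because their inputs come from Tenable's threat and policy data.

```python
# Added worked example (not Tenable's code): CCSS base-score computation.
# Equations and weights are the CCSS/CVSS v2 base equations from NIST IR 7502.
# The two sample vectors at the bottom are assumptions for illustration only.
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

# Numeric weights for the base exploitability and impact metrics.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}      # Local / Adjacent / Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}   # High / Medium / Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}     # Multiple / Single / None
CIA_IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}         # None / Partial / Complete
EXPLOITATION_METHOD = {"A": "Active", "P": "Passive"}   # CCSS-specific descriptor


@dataclass(frozen=True)
class CcssBaseVector:
    """Base metrics of one configuration issue.

    av/ac/au: Access Vector, Access Complexity, Authentication.
    c/i/a:    Confidentiality, Integrity, Availability impact.
    em:       Exploitation Method, "A" (active) or "P" (passive).
    """
    av: str
    ac: str
    au: str
    c: str
    i: str
    a: str
    em: str

    def __post_init__(self) -> None:
        # Reject unknown metric letters early instead of failing inside a lookup.
        checks = [
            (self.av, ACCESS_VECTOR), (self.ac, ACCESS_COMPLEXITY),
            (self.au, AUTHENTICATION), (self.c, CIA_IMPACT),
            (self.i, CIA_IMPACT), (self.a, CIA_IMPACT), (self.em, EXPLOITATION_METHOD),
        ]
        for value, table in checks:
            if value not in table:
                raise ValueError(f"invalid metric value {value!r}; expected one of {sorted(table)}")


def round_one_decimal(x: float) -> float:
    """Round half up to one decimal place, as the scoring specification does."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def impact_subscore(v: CcssBaseVector) -> float:
    """Impact = 10.41 * (1 - (1 - C) * (1 - I) * (1 - A))."""
    return 10.41 * (1 - (1 - CIA_IMPACT[v.c]) * (1 - CIA_IMPACT[v.i]) * (1 - CIA_IMPACT[v.a]))


def exploitability_subscore(v: CcssBaseVector) -> float:
    """Exploitability = 20 * AccessVector * AccessComplexity * Authentication."""
    return 20 * ACCESS_VECTOR[v.av] * ACCESS_COMPLEXITY[v.ac] * AUTHENTICATION[v.au]


def base_score(v: CcssBaseVector) -> float:
    """BaseScore = round1(((0.6 * Impact) + (0.4 * Exploitability) - 1.5) * f(Impact)).

    f(Impact) is 0 when there is no impact at all (score collapses to 0.0)
    and 1.176 otherwise. The Exploitation Method is carried for reporting;
    this base equation has no term for it.
    """
    impact = impact_subscore(v)
    exploitability = exploitability_subscore(v)
    f_impact = 0.0 if impact == 0 else 1.176
    return round_one_decimal((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def describe(v: CcssBaseVector) -> dict:
    """Return the subscores, final base score and exploitation-method label."""
    return {
        "exploitation_method": EXPLOITATION_METHOD[v.em],
        "impact": round_one_decimal(impact_subscore(v)),
        "exploitability": round_one_decimal(exploitability_subscore(v)),
        "base_score": base_score(v),
    }


# Constructed sample detections (assumed vectors, not Tenable's assignments):
# an unencrypted bucket is scored as an active issue reachable over the network
# with complete confidentiality impact; disabled logging as a passive issue that
# only partially degrades integrity of the security posture.
UNENCRYPTED_BUCKET = CcssBaseVector(av="N", ac="L", au="N", c="C", i="N", a="N", em="A")
LOGGING_DISABLED = CcssBaseVector(av="L", ac="L", au="N", c="N", i="P", a="N", em="P")

if __name__ == "__main__":
    for name, vec in [("unencrypted S3 bucket", UNENCRYPTED_BUCKET),
                      ("logging disabled", LOGGING_DISABLED)]:
        print(name, describe(vec))
```

Under these assumed vectors the unencrypted bucket scores 7.8 and the disabled logging 2.1, which shows why the base group alone cannot be the whole VPR: the passive issue's real-world priority depends on the temporal and environmental inputs the page describes, and a vector with no CIA impact at all collapses to 0.0 regardless of how reachable it is.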
Asset Criticality Rating
For ACR, Tenable maps cloud assets to higher-level exposure categories based on the resource type and the features (properties) extracted from cloud resource configuration data:
- Access Exposure
- Key/Data Exposure
- Private/Internal Exposure
- Public Exposure
- VPC Misconfig
- Potential Vulnerabilities
Tenable assigns weights to these exposure categories based on publicly available incident data.