Identity (ID)
Vulnerability Priority Rating
Tenable One assigns the Vulnerability Priority Rating (VPR) for ID weaknesses at the deviance (vulnerability/IOE) level based on the existing severity levels created in Tenable Identity Exposure:
- Critical: Weaknesses that can be used by an attacker with unprivileged access to compromise the Active Directory.
- High: Post-exploitation techniques or techniques that require chaining to be dangerous.
- Medium: Indicates a limited risk for the Active Directory infrastructures.
- Low: Weaknesses with low impact on the Active Directory. Certain business contexts may allow low-impact weaknesses that do not necessarily affect AD security.
Asset Criticality Rating
Tenable Identity Exposure calculates the Asset Criticality Rating (ACR) for ID assets using two components:
- The Hierarchy Component looks at an individual's position within their company hierarchy.
  - This logic relies on the intuition that the higher the position of an individual within the hierarchy, the more access to business critical information they have.
  - This component considers the business title of the user and the scores of the user’s manager and subordinates.
- The Entitlement Component rates the user based on the level of access they have.
  - This component captures the level of access that an account has over other assets.
  - Accounts with high levels of privileges tend to have control over many resources in the environment, and can usually perform more “severe” actions such as updating, deleting, or changing existing objects.

Tenable One weighs these two components and combines them to generate the ACR.
Asset Exposure Score Computation
Each licensed asset belonging to the ID exposure class that is either a user account or an identity is given a score from 0 to 1000. Tenable One computes these values by weighing the VPR values and the ACR.
The ID exposure class Cyber Exposure Score (CES) is the average of the AES across ONLY Identity assets. Because they already count towards the AES for Identity assets, Account assets are excluded from this calculation.
Likewise, the Global CES calculation for the ID exposure class only includes the Global AES from Identity assets.