Tenable One Scoring Explained: Overview

The building blocks for the Cyber Exposure Score (CES) in the Tenable One Exposure Management Platform are similar to those used for years in Tenable products (e.g., Tenable Vulnerability Management, Tenable Lumin). These mechanisms have to date only been used for vulnerability management data. Tenable One expands these concepts into new realms of the attack surface: Web Applications (Tenable Web App Scanning), Cloud Resources (Tenable Cloud Security), and Identity (Tenable Identity Exposure).

The following concepts are foundational to the scoring utilized in Tenable One:

  • Vulnerability Priority Rating (VPR): The severity and exploitability of a given vulnerability. A vulnerability’s VPR is expressed as a number from 0.1 to 10, with higher values corresponding to higher likelihood of the vulnerability leading to a compromise and a higher impact on the asset.

  • Asset Criticality Rating (ACR): Rates the criticality of an asset to the organization. An asset’s ACR is expressed as an integer from 1 to 10, with higher values corresponding to the asset being more critical to the business.

  • Asset Exposure Score (AES): A combination of the VPR and ACR of a given asset.

You can view more information about these concepts or view a detailed description of the math behind the Cyber Exposure Score.

The first step in the scoring process is to calculate the AES of assets, which are then aggregated to the CES by taking an average of the AES values across a group of assets.

For Tenable One, a consistent approach for computing the AES across the categories involves the following:

  1. Calculate the Vulnerability Density for an asset based on the weaknesses present on it and the severity of those weaknesses. Vulnerability Density is a function of the number of vulnerabilities on the asset, their severity as reflected in their VPR scores, and whether or not those vulnerabilities are remotely discoverable.

  2. Combine this result with the ACR, which can be model-generated or, in the case of VM assets, user-defined, and then scale the result to produce the AES.

In addition to a CES for each of the categories, a Global CES is also generated by considering the AES across the entire attack surface assessed by Tenable One (i.e., assets from Tenable Vulnerability Management, Tenable Web App Scanning, Tenable Identity Exposure, and Tenable Cloud Security). These scores are updated within hours of running a scan.
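The two-step pipeline above (Vulnerability Density from VPR values, combined with ACR and scaled to an AES, then averaged into per-category and Global CES values) as an added illustration; this is not Tenable's code, and the density and scaling formulas are assumed placeholders chosen to show the shape of the computation, not the platform's actual math. The ranges checked (VPR 0.1 to 10, ACR an integer 1 to 10) are the ones stated on this page; the category labels and the sample inventory are constructed.

```python
from dataclasses import dataclass
from statistics import mean
from collections import defaultdict

@dataclass
class Finding:
    vpr: float      # Vulnerability Priority Rating, 0.1 to 10 (range stated on the page)
    remote: bool    # is the weakness remotely discoverable?

@dataclass
class Asset:
    name: str
    category: str   # constructed labels: "VM", "WAS", "Cloud", "Identity"
    acr: int        # Asset Criticality Rating, integer 1 to 10 (range stated on the page)
    findings: list

    def validate(self) -> None:
        if not (isinstance(self.acr, int) and 1 <= self.acr <= 10):
            raise ValueError(f"{self.name}: ACR must be an integer in 1..10")
        for f in self.findings:
            if not 0.1 <= f.vpr <= 10:
                raise ValueError(f"{self.name}: VPR must be in 0.1..10")

def vulnerability_density(findings) -> float:
    """Step 1. ASSUMED placeholder formula (not Tenable's): treat each finding as an
    independent chance of compromise (VPR/10, halved when not remotely discoverable)
    and combine them, so more and worse findings push the density toward 1.0."""
    survive = 1.0
    for f in findings:
        weight = 1.0 if f.remote else 0.5
        survive *= 1.0 - weight * f.vpr / 10.0
    return 1.0 - survive

def asset_exposure_score(asset: Asset) -> int:
    """Step 2. ASSUMED scaling (not Tenable's): density times ACR/10, on a 0..1000 scale."""
    asset.validate()
    return round(1000 * vulnerability_density(asset.findings) * asset.acr / 10)

def cyber_exposure_scores(assets) -> dict:
    """Average AES per category, plus a Global CES over every asset in scope."""
    by_cat = defaultdict(list)
    for a in assets:
        by_cat[a.category].append(asset_exposure_score(a))
    ces = {cat: round(mean(v)) for cat, v in by_cat.items()}
    ces["Global"] = round(mean(s for v in by_cat.values() for s in v))
    return ces

# Constructed sample inventory (not real scan data).
SAMPLE = [
    Asset("vm-1", "VM", 8, [Finding(9.0, True)]),
    Asset("vm-2", "VM", 4, [Finding(5.0, False)]),
    Asset("web-1", "WAS", 10, [Finding(7.0, True), Finding(2.0, False)]),
]
```

Running `cyber_exposure_scores(SAMPLE)` shows how a single remotely discoverable high-VPR finding on a high-ACR asset dominates both its category score and the Global CES.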