Vulnerability Management (VM)

Vulnerability Priority Rating

The prioritization of vulnerabilities in Tenable Vulnerability Management is derived from the Vulnerability Priority Rating (VPR), which takes a risk-based approach to prioritization based on the characteristics of the vulnerability and on threat intelligence.

Asset Criticality Rating

The Asset Criticality Rating (ACR) rates the criticality of an asset to the organization. An asset’s ACR is expressed as an integer from 1 to 10, with higher values corresponding to the asset being more critical to the business.

Asset Exposure Score Computation

Each licensed asset belonging to the VM exposure class is given a score from 0 to 1000. Tenable One computes these values by weighing the VPR values of active weaknesses and the ACR.

Enhancements

  • The ACR for VM assets is now based on the Global Asset Profile classification and subclassification of the assets.

  • The Vulnerability Density computation is based on counts of CVE instances rather than plugin instances. CVE IDs provide a standardized enumeration of vulnerabilities.

  • Since the Vulnerability Density computation is based on counts of CVE instances, it no longer makes sense to distinguish between local and remote detections. Instead, it is planned to incorporate into the VPR algorithm, in the near future, whether or not a CVE can be remotely exploited.

  • Informational plugins are excluded from the Vulnerability Density calculation even if they have an associated CVE.

  • Based on customer and internal feedback, we have adjusted the weakness severity weights used in the Vulnerability Density calculation. The weights for low and medium severity weaknesses have been reduced, meaning that each of these weaknesses increases the Vulnerability Density to a lesser degree than before. Conversely, the weights for high and critical vulnerabilities have been increased slightly. The result of these changes is that Tenable One highlights assets that have high or critical vulnerabilities to a greater degree than before.

  • Previously, VM benchmarks were the average CES for the relevant group of containers (population or industry). VM benchmarks now also consider the percentage of assets that a customer has scanned with authentication. This means that the benchmark each customer sees is relative to their industry (or population) peers who scan a similar percentage of their assets with authentication. As a best practice, Tenable recommends using authenticated and agent-based scans wherever possible to gain comprehensive insight into exposures.
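As an added illustration of the Vulnerability Density counting rules described in the bullets above (counting CVE instances rather than plugin instances, excluding informational plugins even when they carry a CVE, and weighting by severity), the following Python is not Tenable's code: the findings are constructed, the severity weights are hypothetical, and the "highest severity wins" rule for a CVE reported by several plugins is an assumption.

```python
# Constructed sample: plugin detections on one asset. Each detection carries the plugin's
# severity and the CVE IDs it covers (the IDs are placeholders, not real CVEs).
FINDINGS = [
    {"plugin_id": 10001, "severity": "critical", "cves": ["CVE-0000-0001", "CVE-0000-0002"]},
    {"plugin_id": 10002, "severity": "critical", "cves": ["CVE-0000-0001"]},   # same CVE again
    {"plugin_id": 10003, "severity": "high",     "cves": ["CVE-0000-0003"]},
    {"plugin_id": 10004, "severity": "medium",   "cves": ["CVE-0000-0003"]},   # same CVE, lower severity
    {"plugin_id": 10005, "severity": "info",     "cves": ["CVE-0000-0004"]},   # informational: excluded
    {"plugin_id": 10006, "severity": "low",      "cves": []},                  # no CVE: nothing to count
]

# Hypothetical weights chosen for illustration only; Tenable does not publish its actual values.
SEVERITY_WEIGHTS = {"low": 1, "medium": 3, "high": 7, "critical": 10}
SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]


def cve_instances(findings):
    """Collapse plugin detections into one entry per CVE, keeping the highest severity that
    any non-informational plugin assigned to it (the max rule is an assumption here)."""
    instances = {}
    for f in findings:
        if f["severity"] == "info":          # informational plugins never contribute
            continue
        for cve in f["cves"]:
            current = instances.get(cve)
            if current is None or SEVERITY_ORDER.index(f["severity"]) > SEVERITY_ORDER.index(current):
                instances[cve] = f["severity"]
    return instances


def density_by_cve(findings, weights=SEVERITY_WEIGHTS):
    """Weighted density over distinct CVE instances (the counting rule described on this page)."""
    return sum(weights[sev] for sev in cve_instances(findings).values())


def density_by_plugin(findings, weights=SEVERITY_WEIGHTS):
    """Weighted density over plugin instances that carry a CVE, shown only as a contrast:
    the same CVE reported by two plugins is counted twice."""
    return sum(weights[f["severity"]] for f in findings if f["severity"] != "info" and f["cves"])


if __name__ == "__main__":
    print("CVE instances:", cve_instances(FINDINGS))
    print("density by CVE:", density_by_cve(FINDINGS), "| by plugin:", density_by_plugin(FINDINGS))
```

With the sample above, CVE-0000-0001 and CVE-0000-0003 are each reported by two plugins, so plugin-instance counting yields 30 while CVE-instance counting yields 27.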