Vulnerability Management (VM)
Vulnerability Priority Rating
The prioritization of vulnerabilities in Tenable Vulnerability Management is derived from the Vulnerability Priority Rating (VPR) which takes a risk-based approach to prioritization based on the characteristics of the vulnerability and threat intelligence.
Asset Criticality Rating
The Asset Criticality Rating (ACR) rates the criticality of an asset to the organization. An asset’s ACR is expressed as an integer from 1 to 10, with higher values corresponding to the asset being more critical to the business.
Asset Exposure Score Computation
Each licensed asset belonging to the VM exposure class is given a score from 0 to 1000. Tenable One computes these values by weighing the VPR values of active weaknesses and the ACR.
Enhancements
Enhancements to Tenable Vulnerability Management scoring include:
- While CVSS classifies 60% of CVEs as High or Critical, our original VPR reduced this to 3%. VPR (Beta) now pushes this even further, focusing teams on just 1.6% of critical vulnerabilities. This means significantly reduced workloads and higher efficiency without compromising on risk.
- In addition to existing inputs like NVD and CVSS, VPR now incorporates data from the Tenable Security Response Team, Tenable Vulnerability Intelligence, cybersecurity web articles, and CISA. These provide greater visibility into actively exploited vulnerabilities.
- (Not supported in FedRAMP environments) Generative AI is now used to read curated web articles at scale and tag CVEs (e.g., targeted by ransomware, exploited in the wild, zero-day), helping predict near-term exploit likelihood. It also provides contextual metadata, including AI-driven threat summaries describing the vulnerability and past threat actor targeting, and remediation summaries detailing steps to take. This AI augments our human research experts, scaling our ability to monitor public data and news while providing clear, human-readable insights.
- VPR (Beta) provides more detailed information on why each score was assigned, facilitating greater explainability for the end user. This includes lists of targeted regions and industries based on curated web articles, helping customers prioritize the risks most relevant to them.
- VPR (Beta) places equal weighting on the “threat score” (derived from the likelihood of exploitation) and the “impact score” (from CVSS). This is a minor adjustment to the original VPR, which places greater weight on the impact score.
- The ACR for VM assets is now based on the Global Asset Profile classification and subclassification of the assets.
- The Vulnerability Density computation is based on counts of CVE instances rather than plugin instances. CVE IDs provide a standardized enumeration of vulnerabilities.
- Since the Vulnerability Density computation is based on counts of CVE instances, it no longer makes sense to distinguish between local and remote detections. Instead, it is planned to incorporate whether a CVE can be remotely exploited or not in the VPR algorithm in the near future.
- Informational plugins are excluded from the Vulnerability Density calculation even if they have an associated CVE.
- Based on customer and internal feedback, we have adjusted the weakness severity weights used in the Vulnerability Density calculation. The weights for low and medium severity weaknesses have been reduced, meaning that these weaknesses individually increase the Vulnerability Density to a lesser degree than before. Conversely, the weights for high and critical vulnerabilities have been increased slightly. The result of these changes is that Tenable One highlights assets that have high or critical vulnerabilities to a greater degree than before.
- Previously, VM benchmarks were the average CES for the relevant group of containers (population or industry). VM benchmarks now consider the percentage of assets that a customer has scanned with authentication. For example, this means that the benchmark each customer sees is relative to their industry (or population) peers who scan a similar percentage of their assets with authentication. As a best practice, Tenable recommends using authenticated and agent-based scans wherever possible to gain a comprehensive insight into exposures.
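As an added illustration of the Vulnerability Density counting rules listed above (CVE instances instead of plugin instances, informational plugins excluded, severity-weighted sum), the following is constructed example code, not Tenable's own code or published formula; the severity weights, record fields and CVE placeholders are all assumptions.

```python
"""Constructed model of the Vulnerability Density counting change.
Not Tenable's implementation: weights, field names and samples are assumed."""
from collections import defaultdict

SEVERITY_ORDER = ["low", "medium", "high", "critical"]
# Assumed weights: low/medium count lightly, high/critical heavily.
SEVERITY_WEIGHTS = {"low": 1.0, "medium": 2.0, "high": 5.0, "critical": 8.0}

# Constructed plugin findings; CVE IDs are placeholders, not real CVEs.
FINDINGS = [
    {"asset": "host-a", "plugin": 10001, "severity": "high",
     "cves": ["CVE-EXAMPLE-0001", "CVE-EXAMPLE-0002"]},
    {"asset": "host-a", "plugin": 10002, "severity": "critical",
     "cves": ["CVE-EXAMPLE-0001"]},           # same CVE, second plugin
    {"asset": "host-a", "plugin": 10005, "severity": "medium",
     "cves": ["CVE-EXAMPLE-0002"]},           # same CVE, third plugin
    {"asset": "host-a", "plugin": 10003, "severity": "info",
     "cves": ["CVE-EXAMPLE-0003"]},           # informational: excluded
    {"asset": "host-b", "plugin": 10001, "severity": "high",
     "cves": ["CVE-EXAMPLE-0001", "CVE-EXAMPLE-0002"]},
    {"asset": "host-b", "plugin": 10004, "severity": "low", "cves": []},
]

def plugin_instances(findings):
    """Old-style count: one per non-informational plugin finding per asset."""
    counts = defaultdict(int)
    for f in findings:
        if f["severity"] != "info":
            counts[f["asset"]] += 1
    return dict(counts)

def cve_instances(findings):
    """New-style: unique (asset, CVE) pairs, keeping the highest severity seen.
    Informational plugins contribute nothing even if they carry a CVE."""
    inst = {}
    for f in findings:
        if f["severity"] == "info":
            continue
        for cve in f["cves"]:
            key = (f["asset"], cve)
            rank = SEVERITY_ORDER.index(f["severity"])
            if key not in inst or rank > SEVERITY_ORDER.index(inst[key]):
                inst[key] = f["severity"]
    return inst

def density_by_asset(findings):
    """Severity-weighted sum of CVE instances per asset (assumed formula)."""
    totals = defaultdict(float)
    for (asset, _cve), sev in cve_instances(findings).items():
        totals[asset] += SEVERITY_WEIGHTS[sev]
    return dict(totals)
```

Note that host-a has three plugin instances but only two CVE instances, while host-b's two plugin instances also yield two CVE instances because one plugin carries two CVEs and the other carries none.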
Tip: For more information about Cyber Exposure Score (CES), see Cyber Exposure Score in the Tenable Vulnerability Management User Guide.