Scoring (Beta)
As a result of migrating the Lumin Exposure View data model, there have been several updates to the way scores are calculated across Tenable One.
Exposure Classes
The new Lumin Exposure View scoring model includes the introduction of Exposure Classes. The exposure class of an asset or finding is determined by the sensor that assessed the asset or detected the finding. For example, an asset assessed by Tenable Nessus belongs to the Vulnerability Management (VM) exposure class. Likewise, a finding detected by Tenable Nessus is considered a VM finding.
The Exposure Classes are:
The key change to scoring is that an asset can now have multiple Asset Exposure Scores (AES): one for each Exposure Class it belongs to. Each asset also has a Global AES that aggregates the exposure information from all of the Exposure Classes to which it belongs. For example, an asset assessed by both a VM sensor and an Identity sensor has a VM AES, an Identity AES, and a Global AES.
While an asset can have multiple AES, it has only one Asset Criticality Rating (ACR). If an asset that belongs to multiple exposure classes has more than one candidate ACR, Tenable One applies a hierarchy of authority to select the single ACR used for the asset.
To consistently compute the AES for an exposure class:
- Calculate the Vulnerability Density for the asset from the weaknesses present in that exposure class and their severity. Vulnerability Density is a function of the number of weaknesses on the asset and their severity as reflected by their VPR scores.
- Combine the Vulnerability Density with the asset's ACR (model-generated, or user-defined in the case of VM assets) and scale the result to produce the AES for that exposure class.
The Global AES for an asset follows the same steps, but pools the weaknesses from all of the asset's exposure classes into the Vulnerability Density calculation and combines the result with the asset's single ACR.
Tenable One calculates a Cyber Exposure Score (CES) for each exposure class by averaging that class's AES across the assets that belong to the class. Additionally, Tenable One calculates the Global CES by averaging the Global AES across all assets. Each CES provides a different view of your Cyber Exposure.
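To make the per-class and Global calculations concrete, the following is an added Python model of the procedure above. It is not Tenable's code: the page does not give the Vulnerability Density formula, the scaling onto the AES range, or the order of the ACR hierarchy of authority, so the `vulnerability_density` function, the `ACR_PRECEDENCE` tuple, the scaling inside `aes`, and the `sample_assets` inventory are assumptions constructed for illustration.

```python
"""Illustrative model of per-class AES, Global AES, single ACR and CES.

Added example, not Tenable's implementation: the page describes the shape
of the calculation but not the formulas, so the density function, the
scaling onto the AES range and the ACR precedence order are assumptions.
"""
from dataclasses import dataclass, field
from statistics import mean
from typing import Optional

# Two of the exposure classes named on the page (the full list is not
# reproduced here).
VM, IDENTITY = "VM", "Identity"

# Assumed hierarchy of authority for choosing the single ACR: the first
# class in this tuple that supplies a candidate ACR wins.  Placeholder order.
ACR_PRECEDENCE = (VM, IDENTITY)


@dataclass
class Weakness:
    exposure_class: str   # class of the sensor that detected the finding
    vpr: float            # Vulnerability Priority Rating, 0 to 10


@dataclass
class Asset:
    name: str
    weaknesses: list = field(default_factory=list)
    # Candidate ACRs (1 to 10) keyed by exposure class, e.g. user-defined
    # for VM, model-generated for Identity.
    acr_candidates: dict = field(default_factory=dict)

    def classes(self) -> set:
        """Exposure classes the asset belongs to."""
        return {w.exposure_class for w in self.weaknesses} | set(self.acr_candidates)


def resolve_acr(asset: Asset, default: float = 5.0) -> float:
    """Exactly one ACR per asset, chosen by the assumed precedence order."""
    for cls in ACR_PRECEDENCE:
        if cls in asset.acr_candidates:
            return asset.acr_candidates[cls]
    return default


def vulnerability_density(weaknesses) -> float:
    """Assumed density: VPR-weighted weakness count squashed into [0, 1).

    Grows with both the number of weaknesses and their VPR, and saturates
    so that many low-VPR findings cannot push the score past the range.
    """
    load = sum(w.vpr / 10.0 for w in weaknesses)
    return load / (1.0 + load)


def aes(asset: Asset, exposure_class: Optional[str] = None) -> int:
    """AES for one exposure class, or Global AES when exposure_class is None.

    Global AES pools weaknesses from every class; both variants use the
    asset's single ACR.  Mapping onto the 0 to 1000 AES range is assumed.
    """
    pooled = [w for w in asset.weaknesses
              if exposure_class is None or w.exposure_class == exposure_class]
    density = vulnerability_density(pooled)
    return round(density * (resolve_acr(asset) / 10.0) * 1000)


def ces(assets, exposure_class: Optional[str] = None) -> float:
    """Class CES = mean AES over assets in that class; Global CES = mean Global AES."""
    members = [a for a in assets
               if exposure_class is None or exposure_class in a.classes()]
    return mean([aes(a, exposure_class) for a in members]) if members else 0.0


def sample_assets() -> list:
    """Constructed inventory: one asset in both VM and Identity, one Identity-only."""
    web01 = Asset("web01",
                  weaknesses=[Weakness(VM, 9.0), Weakness(VM, 6.5), Weakness(IDENTITY, 7.5)],
                  acr_candidates={VM: 8.0, IDENTITY: 6.0})  # VM ACR wins under ACR_PRECEDENCE
    dc01 = Asset("dc01",
                 weaknesses=[Weakness(IDENTITY, 9.5)],
                 acr_candidates={IDENTITY: 10.0})
    return [web01, dc01]


if __name__ == "__main__":
    inventory = sample_assets()
    for a in inventory:
        print(a.name, "ACR", resolve_acr(a),
              {c: aes(a, c) for c in sorted(a.classes())}, "Global", aes(a))
    for c in (VM, IDENTITY, None):
        print("CES", c or "Global", ces(inventory, c))
```

Two properties of the page's model show up directly in the output: web01's Global AES exceeds both its VM and Identity AES because the pooled density counts every weakness, while its ACR stays fixed at the single value chosen by precedence; and dc01 contributes to the Identity CES and the Global CES but not to the VM CES, because it has no VM findings or VM ACR.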