Executive Age Summary Report

by Megan Daudelin
August 12, 2015

With an overabundance of data available to analysts, it can be difficult to adequately convey the status of vulnerability remediation and mitigation to upper management and executives. Reports tailored to the interests of management can facilitate more effective communication between analysts and executives. An organization can use Tenable's SecurityCenter Continuous View to track the vulnerability status of their network, discover trends in vulnerability discovery and mitigation, and determine the criticality of vulnerabilities based on various standards.

The Executive Age Summary Report aims to provide a high-level overview of the vulnerability management status of the network. This information is presented through the lens of various measures of severity, such as the Common Vulnerability Scoring System (CVSS), local security checks, and Microsoft Windows Bulletins. Credentialed vulnerability scans allow the report to present accurate vulnerability data about asset lists, networks, and hosts. Trend data about vulnerability age and severity can help an organization understand the changes in vulnerability status over time. Together, the information depicted in this report can assist with remediation prioritization and effectively focusing mitigation efforts.

This report is available in the SecurityCenter Feed, an app store of dashboards, reports, and assets. The report can be easily located in the Feed under the category Executive. The report requirements are:
  • SecurityCenter 5.0.1
  • Nessus 6.2.1
SecurityCenter Continuous View (CV) provides organizations with proactive continuous network monitoring to identify the newest threats across the entire enterprise. SecurityCenter CV enables the organization to react to advanced threats, zero-day vulnerabilities and new forms of regulatory compliance. SecurityCenter CV supports more technologies than any other vendor including operating systems, network devices, hypervisors, databases, tablets, phones, web servers, and critical infrastructure.

Chapters:
  • About this Report - With an overabundance of data available to analysts, it can be difficult to adequately convey the status of vulnerability remediation and mitigation to upper management and executives. Reports tailored to the interests of management can facilitate more effective communication between analysts and executives. An organization can use Tenable's SecurityCenter Continuous View to track the vulnerability status of their network, discover trends in vulnerability discovery and mitigation, and determine the criticality of vulnerabilities based on various standards. The Executive Age Summary Report aims to provide a high-level overview of the vulnerability management status of the network. This information is presented through the lens of various measures of severity, such as the Common Vulnerability Scoring System (CVSS), local security checks, and Microsoft Windows Bulletins. Credentialed vulnerability scans allow the report to present accurate vulnerability data about asset lists, networks, and hosts. Trend data about vulnerability age and severity can help an organization understand the changes in vulnerability status over time. Together, the information depicted in this report can assist with remediation prioritization and effectively focusing mitigation efforts.
  • Executive Summary - This chapter provides a series of tables and charts to provide a summary view of vulnerabilities and the ratio of current to mitigated vulnerabilities. The tables provide two views, one of vulnerabilities discovered over time, and the other of vulnerabilities that have been mitigated.
  • CVSS Scoring - The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. The CVSS quantitative model facilitates a repeatable and accurate measurement of vulnerabilities and provides the ability to analyze the characteristics that were used to generate the scores. CVSS is generally accepted as the standard measurement system for vulnerability impact scores. Two common uses of CVSS are for prioritization of vulnerability remediation activities and calculating the severity of discovered vulnerabilities.
  • Severity Summary - The Severity Summary pie chart provides a high-level summary of the current count of critical, high, medium, and low severity vulnerabilities. The legend provides a count and percentage to allow for an informed perspective while assessing risk. This overview helps to convey the overall vulnerability status of the network based on severity and can assist teams in determining where their mitigation efforts will be most impactful.
  • Top 10 Summary - This chapter contains three tables and two bar charts. Two of the tables summarize the vulnerabilities by assets and networks based on local security checks. The third table provides a summary of Microsoft Bulletins by assets. All three tables are sorted by the highest number of critical severity vulnerabilities. The two bar charts contain the most vulnerable hosts and networks both ranked by the highest number of critical findings. The bar charts contain vulnerabilities with critical, high, and medium severities. This chapter aims to provide an overview of the most vulnerable aspects of the network in order to support the prioritization of mitigation and hardening efforts.
  • Vulnerability Age - This chapter contains the Vulnerability Age matrix displaying ages of vulnerabilities detected. The columns identify new hosts (within the past 24 hours), and vulnerabilities from low to critical severities. The rows show when the vulnerabilities were first discovered, sorted by less than 7, 30, 90 days, and greater than 90 days. This data can be used to understand the increases or decreases in vulnerability discovery over time.
  • Vulnerability Trend - This chapter contains the Vulnerability Trending (Last 90 Days) line chart, which shows a trend analysis for medium, high, and critical severity vulnerabilities over the past 90 days. This method of analysis allows executives to see how risk to the organization has changed during the previous 90 days.