Section 4: Prioritization
What is What Predictive Prioritization and what’s its role in risk-based vulnerability management?
Legacy vulnerability management returns a mountain of vulnerability data that makes it difficult—if not impossible—for your security teams to dig out and know which vulnerabilities are priorities for remediation.
Risk-based vulnerability management, on the other hand, uses tools that help you prioritize your actual risks and reduce your vulnerability overload by 97%.
One effective way to prioritize your vulnerabilities is through Tenable’s Predictive Prioritization. Predictive prioritization strengthens your vulnerability management processes because it reduces the number of vulnerabilities that need your immediate attention and pinpoints the 3% you should focus on first.
Predictive prioritization relies on machine learning to identify the few vulnerabilities that pose the greatest risk to your organization. It gives you ongoing and complete insight into your modern attack surface.
Predictive Prioritization uses Tenable’s vulnerability data and combines that with third-party vulnerability and threat data. It then analyzes them together with an advanced data science algorithm Tenable Research developed.
By taking a risk-based approach to comprehensive vulnerability analysis, Predictive prioritization determines the likelihood an attacker could leverage a weakness against your organization.
Predictive prioritization updates nightly, analyzing 109,000 distinct vulnerabilities. It then
predicts if an attacker might exploit a vulnerability in the near future.
Unlike the Common Vulnerability Scoring System (CVSS) traditionally used in legacy vulnerability management—which rates more than 60% of vulnerabilities as critical or high—Predictive Prioritization assigns each vulnerability a Vulnerability Priority Rating (VPR) and an Asset Criticality Rating (ACR) to help determine prioritization for remediation.
CVSS, VPR, and ACR are discussed in more detail below.
What is a Vulnerability Priority Rating (VPR)?
In legacy vulnerability management, the Common Vulnerability Scoring System (CVSS) takes a theoretical view of the risk a vulnerability could potentially introduce.
CVSS starts with 0 as the lowest priority and goes up to 10—the most critical. Unfortunately, CVSS assesses about 60% of all vulnerabilities with a high or critical CVSS score, even though they may pose little risk to your organization.
CVSS is unaware of real-world risk and doesn’t take into account the criticality of each asset within your environment. These are critical pieces of information you need to prioritize remediation effectively.
In risk-based vulnerability management, Tenable’s Predictive Prioritization builds on CVSS and anticipates the likelihood a threat actor may exploit a vulnerability. It also differentiates between real and theoretical risks. Tenable supplements CVSS with a Vulnerability Priority Rating (VPR) and an Asset Criticality Rating (ACR).
A VPR gives you more insight into risks by including threat and attack scope, vulnerability impact and threat score, whereas an (ACR) represents the criticality of each asset on your network based on several key factors.
Tenable calculates a VPR for most vulnerabilities, which is updated regularly to reflect the current threat landscape.
VPR uses a machine learning algorithm and threat intelligence to analyze every vulnerability ever published in the National Vulnerability Database (NVD). To date, there are almost 144,000 vulnerabilities published in the NVD. Vulnerabilities that are not listed in NVD do not get a VPR; however, you can still remediate those vulnerabilities based on a CVSS score.
VPRs range from 0.1-10.0, where higher values represent higher likelihood of exploits.
- Critical: 9.0 to 10.0
- High: 7.0 to 8.9
- Medium: 4.0 to 6.9
- Low: 0.1 to 3.9
Here are some of the key drivers used to calculate VPRs:
- Vulnerability age: Number of days since NVD published the vulnerability
- CVSS Impact Score: NVD-provided CVSSv3 impact score (if there is no NVD score,, Tenable.io displays a Tenable-predicted score)
- Exploit code maturity: Relative maturity of a possible exploit based on the existence, sophistication, and prevalence of exploit intelligence from internal and external sources
- Product coverage: Relative number of unique products affected by the vulnerability
- Threat sources: All sources where related threat events occurred
- Threat intensity: Relative intensity based on the number and frequency of recently observed threat events related to this vulnerability
- Threat recency: Number of days (0-730) since a threat event occurred
- Threat event examples:
- Exploit of vulnerability
- Posting vulnerability exploit code in a public repository
- Discussion of vulnerability in mainstream media
- Security research
- Discussion of vulnerability on social media
- Discussion of vulnerability on dark web and underground
- Discussion of vulnerability on hacker forums
VPRs supplement the Common Vulnerability Scoring System (CVSS) used in legacy vulnerability management. CVSS scores often rank many vulnerabilities as high or critical, even if there aren’t exploits active in real world scenarios, so VPRs help you better understand actual risk.
What is a Common Vulnerability Scoring System (CVSS) score?
The Common Vulnerability Scoring System (CVSS) is a theoretical view of vulnerability risk.
Like VPRs, CVSS starts with 0 as the lowest priority and goes up to 10—the most critical; however, CVSS rates about 60% of all vulnerabilities as high or critical, even though they may pose little risk to your organization.
CVSS doesn’t account for real-world risk or asset criticality within your environment. You need these critical pieces of information, which are included in VPRs, to effectively prioritize remediation.
An article in Security Week highlighted one report that indicated that if a security team focuses on remediating vulnerabilities exclusively based off of a high CVSS score, it’s akin to randomly picking a vulnerability to fix.
In other words, a CVSS assessment doesn’t correlate the reasonable likelihood of an exploit or even if an attacker has ever successfully exploited the threat in the wild.
What is an Asset Criticality Rating (ACR)?
An Asset Criticality Rating (ACR) represents asset criticality for every asset on your network. It’s based on several key metrics such as business purpose, asset type, location, connectivity, capabilities and third-party data.
ACRs range from 0 to 10. If an asset has a low ACR, it is not considered business critical. If it’s high, it is.
- Critical: 9 to 10
- High: 7 to 8
- Medium: 4 to 6
- Low: 1 to 3
Tenable provides an ACR value when you scan an asset on your network for the first time. After that, Tenable will automatically generate an ACR, which is updated daily.
You can customize ACR values to reflect your organizational needs.
Here are some of the key drivers used to calculate VPRs:
- Device type
- For example: hypervisor (the device is a Type-1 hypervisor that hosts a virtual machine) or printer (the device is a networked printer or a printing server)
- Device capability
- The device's business purpose. For example: it’s a file server or a mail server
- Internet exposure
- The device's location on your network and proximity to the internet. For example: it’s internal and within your local area network (LAN), possibly behind a firewall or it’s external and it’s outside your LAN and not behind a firewall.
What is an Asset Exposure Score (AES)?
In addition to VPRs and ACRs, Tenable also issues an Asset Exposure Score (AES) that can further support your risk-based vulnerability management approach.
Tenable calculates AES based on the current ACR and VPRs associated with an asset. It accounts for each asset’s vulnerability threat, criticality, and scanning behavior to quantify its vulnerability landscape.
An AES represents each asset's relative exposure ranging between 0 and 1000. A higher AES indicates higher exposure.
What is a Cyber Exposure Score?
A Cyber Exposure Score (CES) represents your organization’s cyber risk and combines your VPR with your ACR.
A CES ranges between 0 (minimal risk) and 1,000 (highest risk) and represents the average of AESs in your organization.
CES helps you prioritize remediation by:
- Examining asset criticality
- Analyzing your business goals
- Reviewing the severity of each potential threat within your attack surface
- Determining how likely an attacker may exploit the threat in the next 28 days
- Understanding threat context related to how prevalent the exploitation risk is in the real world
CES also helps benchmark your risk-based vulnerability management success internally and against peer organizations.
Tenable calculates your CES as a number between 0 and 1000, based on the AES values for all assets scanned in the last 90 days. The higher the CES, the higher risk.
Cyber Exposure Scores are available for:
- Your entire organization
- Assets in a specific business context