What is occurring?
Tenable is making improvements in the algorithms used by Tenable Lumin to craft an organization’s Cyber Exposure Score.
Why are these improvements being made?
The CES algorithm has remained largely unchanged since Lumin launched in Q4 2019, apart from small improvements along the way. This change is a significant set of improvements to the accuracy of the predictions and information contained in the Cyber Exposure Score. The predicted VPR component values will be more accurate, which in turn makes the AES and CES values more precise.
What does this mean for me as a Lumin customer?
On average, the overall effect of these improvements will be a slight reduction in Cyber Exposure Scores. Some customers will see no change, while others may see an increase in their score.
What has changed for Asset Exposure (AES) scores?
We have introduced a number of changes to the AES algorithm that will improve properties of the score:
- Predictive scoring: assets that have not been scanned with authentication, or that have only been scanned with minimal plugin coverage, will now have the VPR component of their AES predicted by a machine learning model. The model bases its predictions on information we know about the asset (such as OS, device type, open ports, etc.) and on behavioural information we know about the customer (scan frequency, assessment maturity score, etc.).
- Core algorithm changes: the AES score is now more responsive to changes in an asset's vulnerability state. This applies both to increases when new vulnerabilities are detected and to decreases when patches are applied.
- ACR changes: the ACR changes detailed in the ACR section will also affect AES/CES scores for some customers.
What has changed for Asset Criticality Rating (ACR) scores?
There have been a number of small improvements to ACR scoring:
- Internet exposure bugfix: some assets were incorrectly classified as internal assets when they should have been classified as external.
- ACR score capping: the maximum ACR score the algorithm will assign to an asset is now 8. A user can still manually assign a score up to 10, but the ACR algorithm will no longer assign scores higher than 8. This lets organizations reserve scores of 9 and 10 for the assets they designate as most critical.
How has the scoring algorithm for Vulnerability Priority Rating (VPR) changed?
The VPR component of the AES is formed by combining the threat likelihood (a value between 0 and 1) and the impact factor (a value between 1 and 6). Under the current model formulation the threat likelihood sometimes approaches 1 too quickly. Once this happens, adding more vulnerabilities no longer increases the threat likelihood, and for an asset with a large number of vulnerabilities, large-scale patching may be required before any change in the threat likelihood is observed. In these situations we say the threat likelihood is saturated, and any change to the impact factor can then cause large swings in the VPR component score. To make the threat likelihood of a given vulnerability less prone to saturation, we have changed the way we calculate it: only the CVE with the highest threat probability from each plugin is considered. As a result, the threat likelihood is more responsive both to patching and to new vulnerability detections.
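The saturation effect described above, as an added illustration that is not Tenable's code and does not reproduce Tenable's actual formulas. The page does not state how per-CVE threat probabilities are aggregated into an asset's threat likelihood, nor how likelihood and impact factor are combined into the VPR component; this example assumes a noisy-OR aggregation (probability that at least one threat materialises) and a simple product for the VPR component. The plugin-to-CVE probabilities are constructed sample values. It contrasts aggregating every CVE with aggregating only the highest-probability CVE per plugin, and measures how much each method moves when one plugin is patched or one new plugin is detected.

```python
from typing import Dict, List

# Constructed sample inventory: plugin id -> per-CVE threat probabilities (0..1).
# Eight plugins each report four low-probability CVEs, two report two
# higher-probability CVEs. Not Tenable data; made up for illustration.
SAMPLE_ASSET: Dict[str, List[float]] = {
    **{f"plugin-{i}": [0.3, 0.2, 0.2, 0.1] for i in range(8)},
    "plugin-8": [0.5, 0.4],
    "plugin-9": [0.5, 0.4],
}


def combine_noisy_or(probabilities) -> float:
    """Assumed aggregation: probability that at least one of several
    independent threats materialises. Approaches 1 as terms are added."""
    remaining = 1.0
    for p in probabilities:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"threat probability out of range: {p}")
        remaining *= 1.0 - p
    return 1.0 - remaining


def likelihood_all_cves(asset: Dict[str, List[float]]) -> float:
    """Old-style behaviour in this model: every CVE from every plugin contributes."""
    return combine_noisy_or(p for cves in asset.values() for p in cves)


def likelihood_max_per_plugin(asset: Dict[str, List[float]]) -> float:
    """New-style behaviour described on the page: only the highest-probability
    CVE from each plugin contributes."""
    return combine_noisy_or(max(cves) for cves in asset.values() if cves)


def vpr_component(threat_likelihood: float, impact_factor: float) -> float:
    """Assumed combination: likelihood (0..1) scaled by impact factor (1..6)."""
    if not 1.0 <= impact_factor <= 6.0:
        raise ValueError("impact factor must be between 1 and 6")
    return threat_likelihood * impact_factor


def patch_plugin(asset: Dict[str, List[float]], plugin_id: str) -> Dict[str, List[float]]:
    """Return the asset with one plugin's findings remediated."""
    return {k: v for k, v in asset.items() if k != plugin_id}


def detect_plugin(asset: Dict[str, List[float]], plugin_id: str, cves: List[float]):
    """Return the asset with one newly detected plugin added."""
    return {**asset, plugin_id: list(cves)}


def responsiveness(asset: Dict[str, List[float]]) -> Dict[str, float]:
    """How much each aggregation moves after patching one plugin and after
    detecting one new plugin. Larger deltas mean a less saturated likelihood."""
    patched = patch_plugin(asset, "plugin-0")
    detected = detect_plugin(asset, "plugin-new", [0.3, 0.2, 0.2, 0.1])
    return {
        "all_cves": likelihood_all_cves(asset),
        "max_per_plugin": likelihood_max_per_plugin(asset),
        "patch_delta_all": likelihood_all_cves(asset) - likelihood_all_cves(patched),
        "patch_delta_max": likelihood_max_per_plugin(asset) - likelihood_max_per_plugin(patched),
        "detect_delta_all": likelihood_all_cves(detected) - likelihood_all_cves(asset),
        "detect_delta_max": likelihood_max_per_plugin(detected) - likelihood_max_per_plugin(asset),
    }


if __name__ == "__main__":
    r = responsiveness(SAMPLE_ASSET)
    for name, value in r.items():
        print(f"{name:>18}: {value:.6f}")
    # With a saturated likelihood the VPR component is driven almost entirely
    # by the impact factor, so an impact change of 1 swings the score by ~1.
    sat = r["all_cves"]
    print("impact 6 -> 5 swing:", round(vpr_component(sat, 6) - vpr_component(sat, 5), 4))
```

With these sample values the all-CVE aggregation sits above 0.9999, so patching an entire plugin moves it by less than 0.0001, while the max-per-plugin aggregation moves by roughly 0.006 for the same patch: the change in the per-plugin rule is what keeps the likelihood responsive.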