Monitoring the current state of an organization’s Cyber Exposure initiative and measuring the organization's cyber risk are key responsibilities of IT executives. Executives are often pummeled with information from many different sources, one of those sources being vulnerability management. This dashboard takes into account all the metrics available to Tenable.io customers and helps to narrow the search down to only a few key metrics like severity, Common Vulnerabilities and Exposures (CVE) identifier, and vulnerability state.
Conceptually, the severity metric is easy to understand. There are five severity levels: Information, Low, Medium, High and Critical. Information has no risk associated with the finding and only provides information for an analyst. Low through Critical severities are based on the Common Vulnerability Scoring System (CVSS) score. CVSS scores provide a way to capture the principal characteristics of a vulnerability and produce a numerical score. This score is then translated into a severity. Although a vulnerability's severity is based on its CVSS score, other considerations (for example, recasting a vulnerability because of other mitigations put in place) may warrant assigning the vulnerability a higher or lower severity. Using CVSS scoring and severity scoring, Tenable.io is able to reflect both quantitative (CVSS score) and qualitative (severity) information about an organization's vulnerabilities in a simple, easy-to-understand view.
The CVE List is a catalog of identifiers for publicly known vulnerabilities. CVE identifiers serve as a vendor-neutral reference that lets many security products and software companies refer to the same vulnerability. Once a vulnerability is reported, plugins are created for Tenable.io to detect it. When a high-visibility vulnerability is exploited, as with Spectre and Meltdown, many executives ask questions like “Are we vulnerable to CVE-2017-5754?” Tenable.io is an essential platform for reporting on metrics such as CVE.
The “vulnerability state” metric is native to Tenable.io. This metric reports on the status of a vulnerability. There are four states: New, Active, Fixed and Resurfaced. The New state indicates vulnerabilities that were first detected on assets within the last 14 days. The Active state indicates vulnerabilities that are currently present on the network and are contributing to risk. The Fixed state indicates vulnerabilities that are no longer present. A vulnerability in the Resurfaced state is concerning because this state indicates that the vulnerability has returned: Tenable.io detected that at some point the vulnerability was present, then removed (Fixed), and has now returned. This could be due to a scanning issue, or to software that was reinstalled or downgraded. Executives should raise questions with the IT Security team if vulnerabilities resurface frequently.
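The four states above are a small state machine over scan history: the state of one (asset, plugin) pair depends on when it was first seen, whether it is present in the latest scan that covered the asset, and whether it was ever absent after having been present. The following is an added example, not Tenable code, that derives those states from a constructed set of scan results; the scan dates, asset names and plugin ids are sample data, and the rule that an asset outside a scan's scope yields no observation (so a skipped scan cannot silently turn a live finding into Fixed) is this example's own precaution against the "scanning issue" mentioned above.

```python
"""Derive New / Active / Fixed / Resurfaced from a history of scan observations.

Added example (not Tenable.io code). All scan data below is constructed.
"""
from datetime import date, timedelta

NEW_WINDOW_DAYS = 14  # "New" = first detected within the last 14 days


def derive_state(observations, today):
    """observations: chronological list of (scan_date, detected) for one
    (asset, plugin) pair, including only scans that actually covered the asset.
    Returns "New", "Active", "Fixed" or "Resurfaced", or None if never detected.
    """
    first_seen = None
    present = False      # detected in the most recent covering scan
    fixed_once = False   # was absent at least once after having been present
    resurfaced = False   # came back after a Fixed transition
    for scan_date, detected in observations:
        if detected:
            if first_seen is None:
                first_seen = scan_date
            if fixed_once and not present:
                resurfaced = True
            present = True
        else:
            if present:
                fixed_once = True
                resurfaced = False  # a re-fixed finding is Fixed, not Resurfaced
            present = False
    if first_seen is None:
        return None
    if not present:
        return "Fixed"
    if resurfaced:            # Resurfaced takes precedence over New (assumption)
        return "Resurfaced"
    if (today - first_seen).days <= NEW_WINDOW_DAYS:
        return "New"
    return "Active"


def observations_by_finding(scans):
    """scans: list of {"date": date, "assets": set of assets in scope,
    "findings": set of (asset, plugin_id) detected}. Builds one observation
    list per finding; an asset not in a scan's scope gets no observation for
    that scan, so a missed scan does not look like a fix.
    """
    ordered = sorted(scans, key=lambda s: s["date"])
    keys = set().union(*(s["findings"] for s in ordered))
    history = {key: [] for key in keys}
    for scan in ordered:
        for asset, plugin in keys:
            if asset in scan["assets"]:
                history[(asset, plugin)].append(
                    (scan["date"], (asset, plugin) in scan["findings"]))
    return history


def vulnerability_states(scans, today):
    return {k: derive_state(obs, today)
            for k, obs in observations_by_finding(scans).items()}


def count_by_state(states):
    """Feeds a 'Vulnerabilities by State' style summary."""
    counts = {}
    for state in states.values():
        counts[state] = counts.get(state, 0) + 1
    return counts


# Constructed sample data: five scans, four assets, five plugin ids (1..5).
TODAY = date(2024, 3, 1)
def _d(n): return TODAY - timedelta(days=n)
ALL = {"web01", "db01", "app02", "lap03"}
SCANS = [
    {"date": _d(60), "assets": ALL, "findings": {("web01", 1), ("db01", 2), ("web01", 4), ("lap03", 5)}},
    {"date": _d(40), "assets": ALL, "findings": {("web01", 1), ("db01", 2), ("web01", 4), ("lap03", 5)}},
    {"date": _d(20), "assets": ALL - {"lap03"}, "findings": {("web01", 1)}},            # lap03 not scanned
    {"date": _d(7),  "assets": ALL - {"lap03"}, "findings": {("web01", 1), ("app02", 3)}},
    {"date": _d(1),  "assets": ALL, "findings": {("web01", 1), ("db01", 2), ("app02", 3), ("lap03", 5)}},
]

if __name__ == "__main__":
    states = vulnerability_states(SCANS, TODAY)
    for key in sorted(states):
        print(key, states[key])
    print(count_by_state(states))
```

In this data ("web01", 1) is Active, ("db01", 2) is Resurfaced because it vanished for two scans and came back, ("web01", 4) is Fixed, ("app02", 3) is New, and ("lap03", 5) stays Active rather than Resurfaced because the asset was simply out of scope for the two middle scans.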
Executives who are able to review and analyze these metrics will have a better understanding of the stability of the Cyber Exposure Life Cycle within their organizations. Cyber Exposure is an emerging discipline for managing and measuring the modern attack surface to accurately understand and reduce cyber risk. The discipline helps executives to better direct and focus mitigation efforts and report using industry-accepted metrics. Tenable.io facilitates the implementation of the five Cyber Exposure Life Cycle steps and provides a common place for analyzing vulnerability data.
Widgets on this dashboard
- Vulnerabilities by State - This widget provides executives with a view into the vulnerability life cycle. By tracking vulnerabilities through each state, the executive can track the progress of risk mitigation efforts.
- Most Prevalent Vulnerabilities Discovered in the Last 14 Days - This chart provides executives with a summary view of the most prevalent medium, high and critical severity vulnerabilities that have been detected within the last 14 days.
- Top 100 Vulnerabilities with Patch Available More than 120 Days - This table provides executives with a list of vulnerabilities that have been patchable for over 120 days.
- Top 100 Most Vulnerable Assets - This table presents a list of the assets most at risk of exploitation.
- Asset Count by Operating System - This bar chart provides a count of assets by operating system.
- Vulnerabilities by CVE - This table provides executives with a list of CVEs that are present on the network.
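Each widget above is a query over the same finding records: a state count, a prevalence ranking restricted to a time window and a minimum severity, an age filter on patch publication, an asset ranking, a per-OS asset count and a CVE roll-up. The following added example (not Tenable code, and not the Tenable.io export schema; the record fields, severity weights and sample findings are this example's own constructions, and the CVE identifiers other than CVE-2017-5754 are placeholders) computes all six summaries from a small constructed finding set, plus the "Are we vulnerable to CVE-X?" question the page raises.

```python
"""Compute the dashboard's six widget summaries from finding records.

Added example (not Tenable.io code). Field names, weights and data are constructed.
"""
from collections import Counter, defaultdict
from datetime import date, timedelta

TODAY = date(2024, 3, 1)                      # constructed "now"
def _d(n): return TODAY - timedelta(days=n)

SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
OPEN_STATES = {"New", "Active", "Resurfaced"}   # Fixed findings are not current risk

# Constructed findings. "CVE-0000-000x" are placeholder identifiers.
FINDINGS = [
    {"asset": "web01", "os": "Linux",   "plugin": "A", "severity": "Critical", "state": "Active",
     "cves": ["CVE-2017-5754"], "first_found": _d(60),  "patch_published": _d(400)},
    {"asset": "db01",  "os": "Linux",   "plugin": "A", "severity": "Critical", "state": "Resurfaced",
     "cves": ["CVE-2017-5754"], "first_found": _d(60),  "patch_published": _d(400)},
    {"asset": "app02", "os": "Windows", "plugin": "B", "severity": "High",     "state": "New",
     "cves": ["CVE-0000-0001"], "first_found": _d(5),   "patch_published": _d(30)},
    {"asset": "web01", "os": "Linux",   "plugin": "B", "severity": "High",     "state": "New",
     "cves": ["CVE-0000-0001"], "first_found": _d(3),   "patch_published": _d(30)},
    {"asset": "lap03", "os": "Windows", "plugin": "C", "severity": "Low",      "state": "New",
     "cves": [],                "first_found": _d(2),   "patch_published": None},
    {"asset": "app02", "os": "Windows", "plugin": "D", "severity": "Medium",   "state": "Fixed",
     "cves": ["CVE-0000-0002"], "first_found": _d(90),  "patch_published": _d(300)},
    {"asset": "web01", "os": "Linux",   "plugin": "E", "severity": "Medium",   "state": "Active",
     "cves": ["CVE-0000-0003"], "first_found": _d(150), "patch_published": _d(121)},
]


def open_findings(findings):
    return [f for f in findings if f["state"] in OPEN_STATES]


def vulnerabilities_by_state(findings):
    return Counter(f["state"] for f in findings)


def most_prevalent_recent(findings, today=TODAY, days=14, min_severity="Medium", limit=10):
    """Plugins first found within the window, at or above min_severity,
    ranked by the number of distinct affected assets."""
    cutoff = today - timedelta(days=days)
    per_plugin = defaultdict(set)
    for f in open_findings(findings):
        if f["first_found"] >= cutoff and SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[min_severity]:
            per_plugin[f["plugin"]].add(f["asset"])
    ranked = sorted(((p, len(a)) for p, a in per_plugin.items()), key=lambda x: (-x[1], x[0]))
    return ranked[:limit]


def patchable_older_than(findings, today=TODAY, days=120, limit=100):
    """Open findings whose patch has been available for more than `days` days,
    most severe and longest-available first: (asset, plugin, days patch available)."""
    cutoff = today - timedelta(days=days)
    rows = [f for f in open_findings(findings)
            if f["patch_published"] is not None and f["patch_published"] < cutoff]
    rows.sort(key=lambda f: (-SEVERITY_RANK[f["severity"]], f["patch_published"]))
    return [(f["asset"], f["plugin"], (today - f["patch_published"]).days) for f in rows[:limit]]


def most_vulnerable_assets(findings, limit=100):
    """Assets ranked by a severity-weighted count of open findings.
    The weighting (severity rank summed) is this example's choice."""
    score = Counter()
    for f in open_findings(findings):
        score[f["asset"]] += SEVERITY_RANK[f["severity"]]
    return sorted(score.items(), key=lambda x: (-x[1], x[0]))[:limit]


def asset_count_by_os(findings):
    seen = defaultdict(set)
    for f in findings:
        seen[f["os"]].add(f["asset"])
    return {os_name: len(a) for os_name, a in seen.items()}


def vulnerabilities_by_cve(findings):
    """CVE -> number of assets with an open finding carrying that CVE."""
    per_cve = defaultdict(set)
    for f in open_findings(findings):
        for cve in f["cves"]:
            per_cve[cve].add(f["asset"])
    return {cve: len(a) for cve, a in sorted(per_cve.items())}


def assets_affected_by(findings, cve):
    """Answers "Are we vulnerable to CVE-X?" with the list of exposed assets."""
    return sorted({f["asset"] for f in open_findings(findings) if cve in f["cves"]})


if __name__ == "__main__":
    print(vulnerabilities_by_state(FINDINGS))
    print(most_prevalent_recent(FINDINGS))
    print(patchable_older_than(FINDINGS))
    print(most_vulnerable_assets(FINDINGS))
    print(asset_count_by_os(FINDINGS))
    print(vulnerabilities_by_cve(FINDINGS))
    print(assets_affected_by(FINDINGS, "CVE-2017-5754"))
```

Note that the "Fixed" record for plugin D drops out of every risk view except the state count: a CVE that is only present on fixed findings does not appear in the CVE roll-up, and the asset ranking and patch-age table consider open findings only.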