The Cyber Exposure discipline provides a structured approach to model and analyze cyber risk in order to make better business and technology decisions. In calculating the organization's cyber risk, risk managers need to have consistent and trackable metrics. This dashboard provides a centralized view of several key metrics that are beneficial for closing the Cyber Exposure Gap.
Organizations conduct internal security assessments required by many industry standards and government regulations such as the Payment Card Industry Data Security Standard (PCI DSS), the Critical Security Controls (CSC), and many others. As part of the assessment, there must be evidence of the assessment execution and parameters. The Nessus Scan Information plugin (19506) provides a scan summary record of the scan parameters. There are several parameters recorded during the scan, such as use of credentials, safe checks, and many other settings.
Risk managers are encouraged to monitor security advisories from different sources. One such source is the National Vulnerability Database (NVD). The NVD is one of the sources for the Common Vulnerabilities and Exposures (CVE). Where appropriate, Tenable.io associates CVE IDs with plugins, allowing risk managers to utilize the CVE as a good external resource to identify vulnerabilities. The CVE uses the year the vulnerability was published as part of the CVE ID. This allows managers to use simple search patterns that are supported within Tenable.io to easily identify new or old vulnerabilities.
Managing risk requires several different strategies. In some cases, the strategy is to accept or recast the risk due to a mitigating control. The risk manager may authorize a risk to be mitigated by some other means, for example network device configuration or some other mitigating factor. When using mitigating controls, there needs to be a common and accepted practice to account for these mitigations. Tenable.io supports the ability to maintain a record of vulnerabilities that are recast or accepted.
The risk management team and security operations team collaborate to identify and report on risks as part of the overall vulnerability management plan. Working together, they create robust vulnerability scanning and risk assessment processes aligned with the Cyber Exposure Life Cycle. Using the metrics provided by Tenable.io and correlated in this dashboard, they can monitor and report on vulnerabilities by operating system type. Additionally, this information allows the risk manager to monitor the performance of the organization against multiple security standards.
Tenable.io is the first Cyber Exposure platform to collect a multitude of metrics that risk managers can use to monitor risk and compliance in a network. When the full Cyber Exposure Life Cycle is utilized, the entire IT organization can benefit from the data collected and available through this advanced platform. Moving from the Discover step through to the Measure step, risk managers can provide executive teams with reports and updates on their risk reduction activities.
Threat and Vulnerability Information is Received from Security Advisories - This widget provides counts of vulnerabilities by the year the CVE was published and by severity level. CVE IDs have a prefix for the year and thus can be easily grouped by year. The matrix rows group the vulnerabilities in 5-year ranges according to the year the CVE was released. The columns group the vulnerabilities by severity.
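The year-range-by-severity grouping this widget performs, as an added example (not Tenable's own code) that parses the year prefix out of each CVE ID and buckets findings into five-year rows. The plugin IDs and CVE IDs in the sample are constructed, and the exact bucket boundaries and the handling of findings with CVEs from two ranges are assumptions.

```python
import re
from collections import defaultdict

SEVERITIES = ("Critical", "High", "Medium", "Low", "Info")
CVE_RE = re.compile(r"CVE-(\d{4})-\d{4,}")

# Constructed findings: (plugin id, severity, CVE ids). IDs are made up for
# illustration and are not real plugins or CVEs; note the lowercase entry.
SAMPLE_FINDINGS = [
    (900001, "Critical", ["CVE-2017-99901"]),
    (900002, "High", ["CVE-2019-99902", "CVE-2018-99903"]),
    (900003, "Medium", ["CVE-2014-99904"]),
    (900004, "High", ["CVE-2008-99905", "CVE-2012-99906"]),
    (900005, "Low", ["cve-2013-99907"]),
    (900006, "Medium", []),
]

def cve_year(cve_id):
    """Year embedded in a CVE ID, or None if the string is not a CVE ID."""
    match = CVE_RE.fullmatch(cve_id.strip().upper())
    return int(match.group(1)) if match else None

def year_range(year):
    """Five-year row label, e.g. 2017 -> '2015-2019' (bucketing is assumed)."""
    lower = year - year % 5
    return f"{lower}-{lower + 4}"

def build_matrix(findings):
    """Count findings per (CVE year range, severity). A finding whose CVEs
    fall in two ranges is counted once in each, as a filter-per-row view would."""
    matrix = defaultdict(lambda: dict.fromkeys(SEVERITIES, 0))
    for _plugin_id, severity, cves in findings:
        rows = {year_range(y) for y in map(cve_year, cves) if y is not None}
        for row in rows or {"No CVE"}:
            matrix[row][severity] += 1
    return dict(matrix)

def render(matrix):
    """Text table: newest range first, 'No CVE' last."""
    keys = sorted((k for k in matrix if k != "No CVE"), reverse=True)
    keys += ["No CVE"] if "No CVE" in matrix else []
    lines = [f"{'CVE year':<10}" + "".join(f"{s:>9}" for s in SEVERITIES)]
    for key in keys:
        lines.append(f"{key:<10}" + "".join(f"{matrix[key][s]:>9}" for s in SEVERITIES))
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(build_matrix(SAMPLE_FINDINGS)))
```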
Enumerating Assets and Software - This matrix provides the risk manager with lists of enumerated software assets, running processes, and installed software. Using several plugins, Tenable.io is able to extract a complete list of installed software. Additional plugins use keywords such as enumeration, installed, reputation, and more to identify software assets located on systems. This data helps risk managers enumerate assets on the network and properly evaluate risk.
Assets Discovery Process Scan Parameters - This widget parses important information from the Nessus Scan Information plugin and allows the risk manager to monitor scan parameters. The Nessus Scan Information plugin displays useful information about the scan parameters used during security assessments. Relevant scan data for each tested host, such as whether Safe Checks, CGI Scanning, Credentialed Checks, Thorough Tests, or Patch Management Test were enabled, is displayed. The data is presented as ratios of hosts in which the test was enabled to hosts in which the test was disabled. A column containing the number of hosts scanned is also presented.
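How the enabled/disabled ratios above can be derived from plugin 19506 output, as an added example that is not Tenable's code: it reads the plugin's "key : value" lines for each host and counts, per parameter, how many hosts had the test on. The three host outputs are constructed and abridged, and the key spellings and the set of values treated as "off" are assumptions about the plugin's output format.

```python
# Dashboard columns mapped to the 'key : value' names plugin 19506 writes.
# The key spellings follow typical 19506 output and are an assumption here.
PARAMETERS = {
    "Safe Checks": "safe checks",
    "CGI Scanning": "cgi scanning",
    "Credentialed Checks": "credentialed checks",
    "Thorough Tests": "thorough tests",
    "Patch Management Test": "patch management checks",
}
# Values meaning the test was off; anything else (yes, enabled, a product
# name for patch management) counts as on. A missing key counts as off.
DISABLED_VALUES = {"no", "disabled", "none", ""}

# Constructed, abridged plugin output for three hosts (not real scan data).
SAMPLE_OUTPUTS = [
    ("192.0.2.10", "Information about this scan : \n\nSafe checks : yes\n"
     "Credentialed checks : yes\nThorough tests : no\nCGI scanning : disabled\n"
     "Patch management checks : None\nScan duration : 120 sec\n"),
    ("192.0.2.11", "Safe checks : yes\nCredentialed checks : no\n"
     "Thorough tests : yes\nCGI scanning : enabled\n"
     "Patch management checks : ExamplePM\n"),
    # Output with no patch management line at all.
    ("192.0.2.12", "Safe checks : no\nCredentialed checks : yes\n"
     "Thorough tests : no\nCGI scanning : disabled\n"),
]

def parse_scan_info(text):
    """Turn the plugin's 'key : value' lines into a lowercase-keyed dict."""
    params = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            params[key.strip().lower()] = value.strip()
    return params

def scan_parameter_ratios(host_outputs):
    """Return ({column: (hosts enabled, hosts disabled)}, hosts scanned)."""
    enabled = dict.fromkeys(PARAMETERS, 0)
    for _host, text in host_outputs:
        params = parse_scan_info(text)
        for column, key in PARAMETERS.items():
            if params.get(key, "").lower() not in DISABLED_VALUES:
                enabled[column] += 1
    hosts = len(host_outputs)
    return {c: (n, hosts - n) for c, n in enabled.items()}, hosts

if __name__ == "__main__":
    ratios, hosts = scan_parameter_ratios(SAMPLE_OUTPUTS)
    for column, (on, off) in ratios.items():
        print(f"{column:<22} enabled {on} / disabled {off} of {hosts} hosts")
```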
Vulnerability Scanning & Management - This widget supports vulnerability scanning and management, using plugin families to provide the manager with an easy-to-understand matrix of vulnerability data. Managers and teams are provided metrics with ratios to measure progress, beginning with counts of mitigated and unmitigated vulnerabilities. Teams are able to view the percentage of vulnerabilities that hold a CVSS score above a threshold of 7.0. In addition, vulnerabilities that are exploitable are presented as a second metric for prioritizing mitigation strategies. Systems with vulnerabilities in this range of CVSS scores, as well as vulnerabilities that are found to be exploitable, carry a much higher risk and should be remediated quickly. The last column provides managers with the percentage of vulnerabilities for which patches have been available for 30 days or more, to enable monitoring of patch deployment progress. Clicking on this cell brings up the vulnerability workbench and enables tracking of systems that are outside of the 30-day patch cycle and should be prioritized accordingly.
Organizational Risk Tolerance is Determined by Recast Tracking - This widget provides a list of vulnerabilities that have been recast from one severity level to another. Recasting allows managers to change the severity of a vulnerability based on other mitigating factors that can’t be tracked or tested using Tenable.io. The table provides the plugin name, severity, and number of affected hosts.
Organizational Risk Tolerance is Determined by Accepted Risks - This widget provides a list of vulnerabilities that have been accepted. Accepting risks allows managers to create rules that record vulnerabilities mitigated through some means other than applying the software patch or operating system upgrade. The table provides the plugin name, severity, and number of affected hosts.