
Measuring Vulnerability Management

by Cody Dumont
November 2, 2022

[Screenshot: Measuring Vulnerability Management dashboard]

The Cyber Exposure discipline provides a structured approach to modeling and analyzing cyber risk so that organizations can make better business and technology decisions. Risk managers need consistent, trackable metrics to calculate the organization's cyber risk. This dashboard provides a centralized view of several key metrics that help close the Cyber Exposure Gap.

Organizations conduct internal security assessments required by many industry standards and government regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), the Critical Security Controls (CSC), and many others. The assessment must include evidence of how it was executed and with which parameters. The Nessus Scan Information plugin (19506) provides a scan summary record of the scan parameters. Several parameters are recorded during the scan, such as whether credentials were used, whether safe checks were enabled, and many other settings.

Risk managers are encouraged to monitor security advisories from different sources. One such source is the National Vulnerability Database (NVD). The NVD is one of the sources for the Common Vulnerabilities and Exposures (CVE). Where appropriate, Tenable.io associates CVE IDs with plugins, allowing risk managers to use the CVE as a good external resource to identify vulnerabilities. The CVE uses the year the vulnerability was published as part of the CVE ID, enabling managers to use simple search patterns supported within Tenable.io to easily identify new or old vulnerabilities. 

Managing risk requires several different strategies. In some cases, the strategy is to accept or recast the risk due to a mitigating control. The risk manager may authorize a risk to be mitigated by some other means, for example network device configuration or some other mitigating factor. Mitigation controls need to have a common and accepted practice to account for these mitigations. Tenable.io supports the ability to maintain a record of vulnerabilities that are recast or accepted.

The risk management team and security operations team collaborate to identify and report on risks as part of the overall vulnerability management plan. Working together, they create robust vulnerability scanning and risk assessment processes aligned with the Cyber Exposure Life Cycle. The metrics provided by Tenable.io and correlated in this dashboard enable risk managers to monitor and report on vulnerabilities by operating system type. This information also allows the risk manager to monitor the performance of the organization against multiple security standards.

Security leaders need to SEE everything, PREDICT what matters most and ACT to address cyber risk and effectively align cybersecurity initiatives with business objectives. Tenable.io discovers and analyzes assets continuously to provide an accurate and unified view of an organization’s security posture. The requirements for this dashboard are: Tenable.io Vulnerability Management, Tenable Web Application Security (WAS), Tenable.cs.

Widgets

Threat and Vulnerability Information is Received from Security Advisories – This widget provides counts of vulnerabilities by the year the CVE was published and by severity level. CVE IDs have a prefix for the year and can be easily grouped by year. The matrix rows group the vulnerabilities in 5-year ranges according to the year the CVE was released. The columns group the vulnerabilities by severity. The requirements for this widget are: Tenable.io Vulnerability Management (Nessus, NNM).
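The grouping this widget performs (CVE year parsed from the ID, rolled up into 5-year rows, with a column per severity) is easy to reproduce outside the dashboard, which is useful for cross-checking exports or building the same matrix from another scanner's output. The following is an added example, not code from the dashboard or from Tenable; the sample findings are constructed (the CVE numbers are deliberately not meant to refer to real advisories), and the 5-year rows are assumed to start on multiples of five (2015-2019, 2020-2024, and so on), since the page does not state the exact boundaries the widget uses.

```python
import re
from collections import OrderedDict

# Severity columns in the order the widget shows them (assumed order).
SEVERITIES = ("Critical", "High", "Medium", "Low", "Info")

# Constructed sample findings: one record per (CVE, severity) pair as a
# vulnerability export would list them. Not real scan output.
SAMPLE_FINDINGS = [
    {"cve": "CVE-2008-10001", "severity": "Critical"},
    {"cve": "CVE-2014-10002", "severity": "High"},
    {"cve": "CVE-2017-10003", "severity": "Critical"},
    {"cve": "CVE-2019-10004", "severity": "Critical"},
    {"cve": "CVE-2021-10005", "severity": "Critical"},
    {"cve": "CVE-2022-10006", "severity": "High"},
    {"cve": "CVE-2022-10007", "severity": "Medium"},
    {"cve": "cve-2020-10008", "severity": "low"},   # case should not matter
    {"cve": "not-a-cve",      "severity": "High"},  # malformed ID, skipped
]

# CVE IDs are "CVE-<year>-<4+ digits>"; the year is the part the widget keys on.
_CVE_RE = re.compile(r"CVE-(\d{4})-(\d{4,})", re.IGNORECASE)


def cve_year(cve_id):
    """Return the year embedded in a CVE ID, or None if the ID is malformed."""
    match = _CVE_RE.fullmatch(cve_id.strip())
    return int(match.group(1)) if match else None


def year_bucket(year, width=5):
    """Label the 5-year range a year falls into, e.g. 2017 -> '2015-2019'."""
    start = year - (year % width)
    return f"{start}-{start + width - 1}"


def build_matrix(findings):
    """Count findings by 5-year CVE range (rows) and severity (columns).

    Findings whose CVE ID does not parse, or whose severity is not one of the
    known levels, are dropped rather than silently mis-bucketed.
    """
    matrix = {}
    for finding in findings:
        year = cve_year(finding["cve"])
        severity = finding["severity"].capitalize()
        if year is None or severity not in SEVERITIES:
            continue
        row = matrix.setdefault(year_bucket(year), dict.fromkeys(SEVERITIES, 0))
        row[severity] += 1
    # Oldest range first, as a reader scans the widget.
    return OrderedDict(sorted(matrix.items()))


def render_matrix(matrix):
    """Render the matrix as a fixed-width text table."""
    header = "Range      " + "".join(f"{s:>10}" for s in SEVERITIES)
    lines = [header]
    for label, row in matrix.items():
        lines.append(f"{label:<11}" + "".join(f"{row[s]:>10}" for s in SEVERITIES))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_matrix(build_matrix(SAMPLE_FINDINGS)))
```

The malformed ID and the mixed-case entries are there on purpose: an export that mixes scanner sources often contains both, and a matrix that quietly drops or mis-files them will not reconcile with the dashboard's totals, so `build_matrix` skips unparseable rows explicitly rather than raising or miscounting.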

Enumerating Assets and Software – This widget provides lists of enumerated software assets, running processes and installed software. Tenable.io uses several plugins to extract a complete list of installed software. Additional plugins use keywords such as enumeration, installed, reputation, and more to identify software assets located on systems. This data helps risk managers enumerate assets on the network and evaluate risk appropriately. The requirements for this widget are: Tenable.io Vulnerability Management (Nessus, NNM).

Assets by Type and Discovery – This widget helps track new assets in the environment. The columns display a count of assets that are licensed, how many of those assets have been seen within the past 30 days, and how many were created within the past 30 days. The rows display counts of the types of assets within these categories. Licensed assets are included in the asset count for Tenable.io, which means they are being scanned and managed. This information is useful in tracking software or hardware that has been deployed but is not managed by the organization's IT or security teams. The requirements for this widget are: Tenable.io Vulnerability Management, Tenable Web Application Security (WAS), Tenable.cs.

Vulnerability Scanning & Management – This widget supports vulnerability scanning and management using plugin families to provide a concise matrix of vulnerability data. Managers and teams can leverage metrics with vulnerability counts to measure progress, beginning with counts of mitigated and unmitigated vulnerabilities. Teams can view the number of vulnerabilities that hold a CVSS score above a threshold of 7.0. In addition, vulnerabilities that are exploitable are presented as a second metric to prioritize mitigation strategies. Tenable recommends prioritizing mitigation of systems with vulnerabilities in this range of CVSS scores as well as vulnerabilities that are found to be exploitable. The last column displays the number of vulnerabilities with patches available for 30 days or more, to enable managers to monitor patch deployment progress. The requirements for this widget are: Tenable.io Vulnerability Management (Nessus, NNM).
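The five counts this widget reports (mitigated, unmitigated, CVSS at or above 7.0, exploitable, and patch available for 30 days or more) are simple filters over the finding list, but the details matter when reconciling the dashboard against an export: the CVSS and exploitability counts only make sense over unmitigated findings, and "30 days or more" is inclusive. The example below is added here and is not Tenable's code; the findings are constructed, the `Finding` record and its field names are assumptions rather than the Tenable.io export schema, the 7.0 threshold is treated as inclusive (the page says "above", without stating whether 7.0 itself counts), and the reference date is the page's publication date.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

CVSS_THRESHOLD = 7.0   # page's threshold; assumed inclusive here
PATCH_AGE_DAYS = 30    # "patches available for 30 days or more" (inclusive)


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance on one host (assumed shape, not an export schema)."""
    finding_id: str
    state: str                       # "open" = unmitigated, "fixed" = mitigated
    cvss: float
    exploitable: bool                # scanner reports a public exploit exists
    patch_published: Optional[date]  # None when no vendor patch exists


# Constructed sample findings; IDs and dates are made up for the example.
SAMPLE_FINDINGS = [
    Finding("f-1", "open",  9.8, True,  date(2022, 8, 1)),    # old patch, exploitable
    Finding("f-2", "open",  7.0, False, date(2022, 10, 20)),  # exactly at threshold, 13-day-old patch
    Finding("f-3", "open",  5.3, True,  None),                # exploitable but no patch yet
    Finding("f-4", "fixed", 9.0, True,  date(2022, 1, 1)),    # already mitigated
    Finding("f-5", "open",  4.0, False, date(2022, 10, 3)),   # patch exactly 30 days old
    Finding("f-6", "fixed", 6.1, False, date(2022, 9, 15)),   # already mitigated
]


def patch_age_days(finding, as_of):
    """Days since the patch was published, or None when no patch exists."""
    if finding.patch_published is None:
        return None
    return (as_of - finding.patch_published).days


def summarize(findings, as_of):
    """Reproduce the widget's five counts for a given reference date.

    Mitigated/unmitigated split the whole list; the remaining three counts are
    taken over unmitigated findings only, since a fixed finding is not a
    prioritization candidate however severe it was.
    """
    unmitigated = [f for f in findings if f.state == "open"]
    return {
        "mitigated": sum(1 for f in findings if f.state == "fixed"),
        "unmitigated": len(unmitigated),
        "cvss_7_plus": sum(1 for f in unmitigated if f.cvss >= CVSS_THRESHOLD),
        "exploitable": sum(1 for f in unmitigated if f.exploitable),
        "patch_30_days_plus": sum(
            1 for f in unmitigated
            if (age := patch_age_days(f, as_of)) is not None and age >= PATCH_AGE_DAYS
        ),
    }


def overdue_findings(findings, as_of):
    """IDs of unmitigated findings whose patch has been out for 30+ days,
    most severe first: the list a manager would hand to the patching team."""
    overdue = [
        f for f in findings
        if f.state == "open"
        and (age := patch_age_days(f, as_of)) is not None
        and age >= PATCH_AGE_DAYS
    ]
    return [f.finding_id for f in sorted(overdue, key=lambda f: -f.cvss)]


if __name__ == "__main__":
    as_of = date(2022, 11, 2)
    for name, value in summarize(SAMPLE_FINDINGS, as_of).items():
        print(f"{name:>20}: {value}")
    print("overdue:", overdue_findings(SAMPLE_FINDINGS, as_of))
```

Note that `f-5` is counted as overdue even though its CVSS is low: the patch-age column measures deployment lag, not severity, so a low-severity patch that has sat undeployed for a month still shows up there, while the CVSS and exploitable columns carry the prioritization signal.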

Organizational Risk Tolerance is Determined by Accepted Risks – This widget provides a list of vulnerabilities that have been accepted. Accepting risks allows managers to create rules that record vulnerabilities mitigated through some means other than applying the software patch or operating system upgrade. The table provides the host name, severity, and number of accepted vulnerabilities per host. The requirements for this widget are: Tenable.io Vulnerability Management (Nessus, NNM).

Organizational Risk Tolerance is Determined by Recast Tracking – This widget provides a list of vulnerabilities that have been recast from one severity level to another. Recasting allows managers to change the severity of a vulnerability based on other mitigating factors that cannot be tracked or tested using Tenable.io. The widget provides the host name, recast severity, original severity, and number of affected recast vulnerabilities present on that host. The requirements for this widget are: Tenable.io Vulnerability Management (Nessus, NNM).

Category

Tenable Vulnerability Management
