by Liz Hutto
January 5, 2022
As assets and networks become more dynamic, maintaining visibility requires grouping and prioritizing business-critical assets and the risk associated with them. The increasing persistence of attackers and the evolving threat landscape raises the importance of the methods used in the Prioritize step of the Risk-Based Vulnerability Management (RBVM) lifecycle. Now available in Tenable.sc+, the Asset Criticality Rating (ACR) predicts the priority of each asset based on indicators of business value and criticality. Tenable.sc+ enables Security Teams to leverage the ACR with the VPR to make strategic decisions and focus on issues that better align with the desired security and compliance posture.
The ACR provides Security Teams with more comprehensive visibility of the organization’s assets by predicting the business impact of each asset. Indicators of business value include business purpose, device type, connectivity, internet exposure, capabilities, and location. The ACR calculation allows organizations to objectively measure the risk of assets and more accurately represent risk across the attack surface, while keeping vulnerability data on premises. Tenable.sc+ assigns an ACR to each asset to represent the asset's relative criticality as an integer from one to ten, where ten is the highest criticality rating.
Prioritizing risk across all assets based on theoretical risk (such as a static CVSS score) versus actual risk, is not conducive to maintaining or improving security posture. The adoption of a more fluid risk prioritization process is necessary to keep pace with evolving risk. The combination of ACR and VPR in this report allows Security Teams to efficiently prioritize and monitor the attack surface.
This dashboard is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards (ARCs), and assets. The dashboard is easily located in the Tenable.sc Feed in the Executive category.
The dashboard requirements are:
- Tenable.sc+ 5.20.0
- Nessus 10.0.2
Leveraging ACR alongside VPR enables organizations to gain an enriched risk-based view of the attack surface. Tenable.sc+ harnesses the power of ACR and VPR together, allowing for a more accurate representation and prioritization of risk through an RBVM approach. The data in this dashboard directly enables teams to Prioritize, which is the third step in the ongoing RBVM lifecycle. This report helps Security Teams prioritize remediation, enabling the Security Director to make more strategic risk decisions that align with the desired security posture.
This dashboard contains the following components:
ACR Summary - First Discovered Vulnerabilities: This matrix provides organizations with a view of vulnerabilities first discovered at different points in time, sorted by ACR, to enable Security Teams to focus on the vulnerabilities on the most business-critical assets first.
ACR Summary - Top Subnets with ACR 7-10: This table provides organizations with a Class C summary of networks containing the most assets with a High or Critical Asset Criticality Rating (ACR 7-10).
ACR Summary - Highlighted Patches (VPR and ACR 7-10): This table provides security teams with a risk reduction plan that reduces the greatest risk when patching the highest risk vulnerabilities (VPR 7-10) on the most business-critical assets (ACR 7-10).
ACR Summary - VPR to ACR Heat Map: This matrix displays a correlation between the VPR and ACR scores for all VPR-rated vulnerabilities on all ACR-rated assets, with the bottom-right corner containing the highest risk vulnerabilities on the most critical assets.
ACR Summary - Vulnerability Trending over the last 90 days: This line chart contains a trend analysis for VPR-rated vulnerabilities on assets with high and critical ACR scores (7-10) over the past 90 days.
ACR Summary - Mitigated Vulnerabilities: This matrix provides organizations with a view of vulnerabilities that have been mitigated during certain periods of time on ACR-rated assets.