by Liz Hutto
January 5, 2022
As assets and networks become more dynamic, maintaining visibility requires grouping and prioritizing business-critical assets and the risk associated with them. The increasing persistence of attackers and the evolving threat landscape raises the importance of the methods used in the Prioritize step of the Risk-Based Vulnerability Management (RBVM) lifecycle. Now available in Tenable.sc+, the Asset Criticality Rating (ACR) predicts the priority of each asset based on indicators of business value and criticality. Tenable.sc+ enables Security Teams to leverage the ACR with the VPR to make strategic decisions and focus on issues that better align with the desired security and compliance posture.
The ACR provides Security Teams with more comprehensive visibility of the organization’s assets by predicting the business impact of each asset. Indicators of business value include business purpose, device type, connectivity, internet exposure, capabilities, and location. The ACR calculation allows organizations to objectively measure the risk of assets and more accurately represent risk across the attack surface, while keeping vulnerability data on premises. Tenable.sc+ assigns an ACR to each asset to represent the asset's relative criticality as an integer from one to ten, where ten is the highest criticality rating.
Prioritizing risk across all assets based on theoretical risk (such as a static CVSS score) versus actual risk, is not conducive to maintaining or improving security posture. The adoption of a more fluid risk prioritization process is necessary to keep pace with evolving risk. The combination of ACR and VPR in this report allows Security Teams to efficiently prioritize and monitor the attack surface.
This report is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards (ARCs), and assets. The report is easily located in the Tenable.sc Feed in the Executive category.
The report requirements are:
- Tenable.sc+ 5.20.0
- Nessus 10.0.2
Leveraging ACR alongside VPR enables organizations to gain an enriched risk-based view of the attack surface. Tenable.sc+ harnesses the power of ACR and VPR together, allowing for a more accurate representation and prioritization of risk through an RBVM approach. The data in this report directly enables teams to Prioritize, which is the third step in the ongoing RBVM lifecycle. This report helps Security Teams prioritize remediation, enabling the Security Director to make more strategic risk decisions that align with the desired security posture.
This report contains the following chapters:
Executive Summary: This chapter illustrates the vulnerability trending and risk levels across the environment on ACR-rated assets. The data provides focus on assets and vulnerabilities in relation to the Asset Criticality Rating and Vulnerability Priority Rating.
Vulnerability Status: This chapter presents the currently vulnerable ACR-rated systems on the network in relation to vulnerability age and most business-critical networks. Executive leadership uses the information in this chapter to understand how SLAs are being met as well as how the business-critical assets are dispersed.
Mitigation Status: This chapter displays the success of remediation efforts. Executive leadership uses the data in this chapter to demonstrate progress in remediation efforts for assets with ACR. Mitigated vulnerabilities are the source of the data shown in this chapter, therefore results will differ from the previous chapter.