by Carole Fennelly
August 23, 2023
The CVSS framework was designed to measure the characteristics and technical severity of vulnerabilities rather than the actual risk they pose. Tenable’s Vulnerability Priority Rating (VPR) helps organizations improve their remediation efficiency and effectiveness by rating vulnerabilities based on both severity and threat. This dashboard helps organizations visualize which vulnerabilities are present in the environment that have a high VPR and which of those have been fixed.
VPR helps organizations refine the severity level of vulnerabilities in the environment by leveraging data science analysis and threat modeling based on emerging threats. Security analysts can drill into the data comparing CVSS scores to VPR scores to understand why a finding that CVSS rates as Critical may not actually pose a serious threat to the organization based on other factors, such as no exploit is available. Conversely, findings that CVSS rates as Medium may have a High or Critical VPR rating because mature exploit code for them is readily available. See the VPR Key Drivers page of the Tenable documentation for more information on how VPR is calculated.
The quarterly breakdown of vulnerabilities with a high VPR helps organizations visualize which vulnerabilities are present in the environment that have a high VPR and which of those have been fixed. The data can be exported into a report for executive management that shows how the most critical vulnerabilities are remediated quarter by quarter to improve remediation efficiency and effectiveness.
Security leaders need to SEE everything, PREDICT what matters most, and ACT to address cyber risk and effectively align cybersecurity initiatives with business objectives. Tenable Vulnerability Management discovers and analyzes assets continuously to provide an accurate and unified view of an organization's security posture. The requirement for this dashboard is: Tenable Vulnerability Management (Nessus).
Widgets
VPR Vulnerabilities by Quarter (2023) – This widget displays the counts of active vulnerabilities that have had patches published in 2023. The counts are grouped by the quarter when the patch was published. The widget also filters to not show any accepted risks. The requirement for this widget is: Tenable Vulnerability Management (Nessus).
Fixed VPR Vulnerabilities by Quarter (2023) – This widget displays the counts of vulnerabilities that have been determined to be fixed. The counts are grouped by the quarter when the patch was published. The widget also filters to not show any accepted risks. The requirement for this widget is: Tenable Vulnerability Management (Nessus).
CVSS to VPR Heat Map – This widget provides a correlation between CVSSv3 scores and Vulnerability Priority Rating (VPR) scoring for the vulnerabilities present in the organization. The CVSSv3 scores are the standard scoring system used to describe the characteristics and severity of software vulnerabilities. Tenable's VPR helps organizations refine the severity level of vulnerabilities in the environment by leveraging data science analysis and threat modeling based on emerging threats. Each cell is comprised of a combination of cross-mapping of CVSS and VPR scoring. Using a heat map approach, the filters begin in the left upper corner with vulnerabilities that present least risk. Moving to the right and lower down the matrix the colors change darker from yellow to red as the risk levels increase. Tenable recommends that operations teams prioritize remediation for risks in the lower right corners, and then work towards the upper left cells. The requirement for this widget is: Tenable Vulnerability Management (Nessus, NNM).
VPR > 8 by Family – This widget displays the plugin families that found vulnerabilities with a VPR rating higher than 8, shown in descending order from highest count to lowest. Hovering over the bar graph for each family displays a percentage of vulnerabilities for each category. The High, Critical, and Medium boxes on the bottom of the widget can be toggled to select or de-select findings with ratings in these categories. The requirement for this widget is: Tenable Vulnerability Management (Nessus).
VPR Vulnerabilities by Quarter (2024) – This widget displays the counts of active vulnerabilities that have had patches published in 2024. The counts are grouped by the quarter when the patch was published. The widget also filters to not show any accepted risks. The requirement for this widget is: Tenable Vulnerability Management (Nessus).
Fixed VPR Vulnerabilities by Quarter (2024) – This widget displays the counts of vulnerabilities that have been determined to be fixed. The counts are grouped by the quarter when the patch was published. The widget also filters to not show any accepted risks. The requirement for this widget is: Tenable Vulnerability Management (Nessus).
Vulnerability Priority Rating – This widget displays vulnerabilities grouped by Vulnerability Priority Rating (VPR). VPR is the output of Tenable's predictive prioritization process and is continually updated to accommodate the evolving threat landscape. Following the initial scan of an asset on the network, Tenable computes an initial VPR using a machine-learning algorithm that analyzes more than 150 different aspects of each vulnerability to determine the level of risk. Vulnerabilities are listed on the left have the highest VPR, while those on the right have the lowest. The requirements for this widget are: Tenable.io Vulnerability Management (Nessus, NNM).
VPR Vulnerability Counts Per Port – This widget uses Vulnerability Priority Rating (VPR) scores to communicate the risk of discovered vulnerabilities. There are seven rows, each one for a VPR Score starting with 10 and ending with 4. Next, there are eight columns with port filters for less than 1024, greater than 1024 and unique filters for FTP, SSH, SMTP, HTTP and HTTPS. The colors used are yellow (medium), orange (high), and red (critical). The requirements for this widget are: Tenable.io Vulnerability Management (Nessus, NNM).