New risk-centric vulnerability remediation enables organizations to focus on the seven percent of issues that matter
Tenable®, Inc., the Cyber Exposure company, announced Predictive Prioritization, a first-of-its-kind innovation for both Tenable.io and Tenable.sc (formerly SecurityCenter) which will provide organizations with the unprecedented capability to focus on the seven percent of vulnerabilities which pose the greatest actual risk to the business.
Effectively prioritizing vulnerabilities is a critical and strategic business imperative for reducing cyber risk. According to Gartner, “Through 2021, the single most impactful enterprise activity to improve security will be mitigating vulnerabilities.*” The newly published Vulnerability Intelligence Report from Tenable Research found that enterprises must triage and manage more than 100 critical vulnerabilities on average daily, as rated by the Common Vulnerability Scoring System (CVSS). Basic CVSS ratings alone are failing the industry and leave organizations unable to effectively and confidently focus on which vulnerabilities require immediate action. Moreover, Tenable Research estimates that the industry is on track to disclose up to 19,000 new vulnerabilities in 2018, an increase of 27 percent over 2017. Yet in 2017, public exploits were available for seven percent of all vulnerabilities, meaning that 93 percent of all vulnerabilities posed only theoretical risk. For most vulnerabilities, a working exploit is never developed, and of those with an exploit, an even smaller subset is actively weaponized by threat actors, making it difficult to understand which vulnerabilities to remediate first, if at all.
To address this deluge of vulnerabilities and predict which ones expose organizations to the most cyber risk, Tenable is announcing new predictive prioritization capabilities. Predictive Prioritization combines Tenable-collected vulnerability data with third-party vulnerability and threat data and analyzes them together with the advanced data science algorithm developed by Tenable Research. The data science algorithm analyzes over 100,000 vulnerabilities using machine learning to anticipate the probability of a vulnerability being leveraged by threat actors and differentiate between real and theoretical risks.
Third-party data sources include:
- Basic Vulnerability Information, such as CVSS and the National Vulnerability Database (NVD), that provides baseline information on ease of exploit and attack vectors associated with the vulnerability.
- Third-Party Threat Intelligence, from a variety of public threat intelligence feeds as well as Recorded Future, that delivers insight into which vulnerabilities are actively being exploited by both targeted and opportunistic threat actors.
“With thousands of vulnerabilities identified in enterprise environments each day, security teams don’t have time and the business doesn’t have the luxury to guess which ones to focus on first,” said Dave Cole, chief product officer, Tenable. “Organizations need solutions to help them better understand the actual, not theoretical, impact of vulnerabilities, and focus remediation efforts based on business risk. We’re very excited to introduce Predictive Prioritization as a first-of-its-kind innovation to our Cyber Exposure platform, helping organizations better manage, measure and reduce their cyber risk in the digital era.”
Predictive Prioritization will be included as part of Tenable.io, for vulnerability management in the cloud, and Tenable.sc (formerly SecurityCenter), for vulnerability management on-prem. These two flexible deployment options are core components of the Tenable Cyber Exposure platform, which uniquely provides the breadth of visibility into cyber risk across IT, cloud, IoT and OT environments and the depth of analytics to measure and communicate cyber risk in business terms to make better strategic decisions. Predictive Prioritization for Tenable.io and Tenable.sc will be generally available in 2019.