Vulnerability Management: New ACR and AES Scores in Asset Exports
Tenable is pleased to announce the availability of new enhanced Asset Criticality Rating (ACR) and Asset Exposure Score (AES) metrics in asset export response chunks. The existing ACR and AES metrics have been enhanced using a new algorithm and data platform to provide customers with a more complete view of their exposure.
The following table defines the improved metrics:
Scoring Metric | Definition |
---|---|
ACR | The Tenable-defined Asset Criticality Rating using a new algorithm that assigns assets to classes by business and device function. This metric rates the importance of an asset to your organization from 1 to 10, with higher numbers for more critical assets. For more information, see Scoring and Asset Criticality Rating. |
AES | The Tenable-defined Asset Exposure Score using a new algorithm. This metric weighs an asset's Vulnerability Priority Rating (VPR) and Asset Criticality Rating (ACR) and then assigns a number from 1 to 1000, with higher numbers for more exposed assets. For more information, see Scoring. |
Some highlights of the improved algorithm include the following:
- The Asset Criticality Rating (ACR) algorithm for Tenable Vulnerability Management assets is now based on the Global Asset Profile (GAP) classification and sub-classification of the assets.
- The Vulnerability Density computation is based on counts of CVE instances rather than plugin instances. CVE IDs provide a standardized enumeration of vulnerabilities.
- Informational plugins are excluded from the Vulnerability Density calculation even if they have an associated CVE.
- The weights for low and medium severity weaknesses have been reduced, meaning these weaknesses individually increase the Vulnerability Density to a lesser degree than before. Conversely, the weights for high and critical vulnerabilities have been increased slightly. The result of these changes is that assets that have high or critical vulnerabilities are highlighted to a greater degree than before.
Note
To use the new ACR and AES metrics, you need a Tenable One or Tenable Lumin license.
The new Asset Criticality Rating (ACR) and Asset Exposure Score (AES) metrics are returned by the Download assets chunk endpoint in a new `ratings` object for both the v1 and v2 asset export response models.
This update affects the following endpoints:
Endpoint | Name | Description |
---|---|---|
POST /assets/export/{export_uuid}/chunks/{chunk_id} | Download assets chunk | Downloads exported asset chunks by ID. Chunks are available for download for up to 24 hours after they have been created. Tenable Vulnerability Management returns a 404 message for expired chunks. |
Sample Ratings Object
The new `ratings` object containing the `acr` and `aes` metrics is returned in the following format:
```json
{
  "ratings": {
    "acr": {
      "score": 9
    },
    "aes": {
      "score": 744
    }
  }
}
```
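The following is an added example, not Tenable's code: it reads the `ratings` object from a downloaded chunk, checks each score against the documented scales (ACR 1 to 10, AES 1 to 1000), and separates assets that need attention from assets that carry no usable rating. It assumes a chunk is a JSON array of asset objects with an `id` field; the sample data and the `acr_min`/`aes_min` thresholds are constructed for illustration.

```python
import json

# Constructed sample chunk (not real export data). Assumption: a chunk is a
# JSON array of asset objects, each with an "id" and an optional "ratings".
SAMPLE_CHUNK = json.dumps([
    {"id": "asset-a", "ratings": {"acr": {"score": 9}, "aes": {"score": 744}}},
    {"id": "asset-b", "ratings": {"acr": {"score": 4}, "aes": {"score": 310}}},
    {"id": "asset-c"},                                      # no ratings object
    {"id": "asset-d", "ratings": {"acr": {"score": 10}}},   # AES missing
    {"id": "asset-e", "ratings": {"acr": {"score": 7}, "aes": {"score": 1200}}},
])

ACR_RANGE = (1, 10)     # documented ACR scale
AES_RANGE = (1, 1000)   # documented AES scale


def _score(ratings, key, bounds):
    """Return ratings[key]["score"] if it is an int within bounds, else None."""
    entry = ratings.get(key) if isinstance(ratings, dict) else None
    value = entry.get("score") if isinstance(entry, dict) else None
    if isinstance(value, bool) or not isinstance(value, int):
        return None
    return value if bounds[0] <= value <= bounds[1] else None


def triage(chunk_text, acr_min=8, aes_min=700):
    """Split a chunk into (priority, unrated) lists.

    priority: (id, acr, aes) tuples meeting both hypothetical thresholds,
              highest AES first.
    unrated:  ids whose ratings are absent, partial, or off the documented
              scales, so they are reported instead of silently scored as zero.
    """
    priority, unrated = [], []
    for asset in json.loads(chunk_text):
        ratings = asset.get("ratings")
        acr = _score(ratings, "acr", ACR_RANGE)
        aes = _score(ratings, "aes", AES_RANGE)
        if acr is None or aes is None:
            unrated.append(asset.get("id"))
        elif acr >= acr_min and aes >= aes_min:
            priority.append((asset.get("id"), acr, aes))
    priority.sort(key=lambda row: row[2], reverse=True)
    return priority, unrated


if __name__ == "__main__":
    print(triage(SAMPLE_CHUNK))
```

Keeping the unrated list separate matters in practice: an asset without a valid `ratings` object is unknown exposure, not low exposure.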