Struggling with vulnerability prioritization? You're not alone. On average, cybersecurity teams must address 870 vulnerabilities across 960 assets every day. When every threat is a high priority, none of them are. It’s not enough to know threats exist — you need to know what to fix first.
Focus on what matters first
Take the steps you need to achieve full threat visibility.
Have suffered cyberattacks
91% of organizations surveyed have experienced at least one damaging cyberattack over the past two years
60% had two or more
Lack adequate staff
58% state they do not have adequate staffing to scan vulnerabilities in a timely manner
Only 19 vulnerability management employees
67%: Improve our ability to keep up with the sophistication and stealth of attackers
56%: Reduce the risk of attacks to the OT infrastructure
51%: Improve protection of sensitive confidential data from unauthorized access
49%: Reduce complexity in our IT security infrastructure
47%: Improve controls over third parties’ access to our sensitive/confidential data
47%: Ensure third parties have appropriate security practices to protect sensitive/confidential information
43%: Reduce the risk of unsecured IoT devices in the workplace
18%: Control the proliferation of IoT devices in the workplace
2%: Other
Number of cyberattacks experienced over the past 24 months
1: 28%
2-3: 25%
4-5: 13%
6-7: 13%
8-9: 7%
10-11: 4%
Which of the following threats do you worry about most in 2019?
65%: Third party misuses or shares confidential information with other third parties
63%: An attack that involves IoT or OT assets
41%: Leakage of business confidential information, such as emails
Find out how your organization compares to other OT teams by answering the questions below
Sophistication is being ratcheted up.
Improving the ability to keep up with the sophistication and stealth of attackers is a high priority for OT leaders. This isn’t surprising given the significant number of OT sector organizations that have suffered a cyberattack in the past 24 months.
What is your top security priority?
Improve our ability to keep up with the sophistication and stealth of attackers
Reduce the risk of attacks to the OT infrastructure
Improve controls over third parties’ access to our sensitive/confidential data
Which of the following threats do you worry most about?
An attack that involves IoT or OT assets
A careless employee falls for a phishing scam
Sharing confidential information with other third parties
A data breach involving 10,000 or more customer or employee records
OT leaders agree that significant threats exist.
Concerns about third parties misusing or sharing confidential information and OT attacks resulting in downtime to plant and/or operational equipment increased in 2019. Worries about nation-state attacks also continued at a significant level.
In the event of a cyberattack, which facet of your business would be most affected?
Downtime of OT systems
Financial loss
Customer turnover
Other
Risk measurement is a priority.
Nearly half of the organizations in the OT sector attempt to quantify the damage a cyber event could have on their business – and they’re most likely to quantify the impact based on downtime of OT systems.
Who in your organization is responsible for evaluating cyber risk?
Chief Information Officer
Chief Information Security Officer
Chief Risk Officer
Other
The C-suite is taking action.
Respondents state the people most involved in the evaluation of their organization’s cyber risk are C-level leaders, including the CIO and CISO.
Cyberattacks are relentless.
90% of OT organizations have suffered at least one damaging cyberattack over the past two years. And, in the public sector, 55% of organizations surveyed experienced an attack against OT infrastructure. These attacks have led to downtime and disruption of business operations – making the protection of OT assets a top priority.
How many attacks did your organization face in 2018?
0
1-4
5-8
9+
How much visibility do you have into your attack surface?
None
Complete
Some
Vulnerability Priority Rating
Achieve up to 97% reduction in high risk and critical vulnerabilities with Tenable Predictive Prioritization.
Overview
With Predictive Prioritization, VPR is calculated nightly for over 109,000 vulnerabilities. Machine learning algorithms work to find patterns, giving you insight into the threats on the horizon.

VPR Widget
VPR scores are provided in the main dashboard, so you can easily understand actual cyber risks. Here, we have 88 Critical vulnerabilities that should be investigated immediately, and another 623 High risk vulnerabilities to address next.

Compare to CVSS
Notice how the number of Critical and High risk vulnerabilities differs between VPR and CVSS. Because CVSS calculates theoretical risk instead of actual risk, the number of Critical and High risk vulnerabilities is dramatically higher.

Vulnerabilities
Tenable.io allows you to quickly investigate your vulnerabilities. Clicking the VPR widget provides a detailed summary of all Critical vulnerabilities.

Sort VPRs
Sorting vulnerabilities by VPR shows you the most dangerous vulnerabilities to address immediately.

VPR vs CVSS
See the differences between the CVSS score on the left and the corresponding VPR on the right. Many vulnerabilities have very different risk ratings. In this environment, many of the highest Critical vulnerabilities are only rated as High risk, according to CVSS.

Details
Tenable.io provides detailed information about each of your vulnerabilities, along with the assets affected. In this example, we found a particularly dangerous Linux Kernel vulnerability, dubbed Dirty COW, impacting many assets.

Detailed Vulnerability Summary
Understand important vulnerability details, including number of assets affected, VPR, solution for remediation and key drivers that were significant factors in calculating the VPR.

Threat Recency
Threat Recency shows the number of days since the last threat event was observed. Notice that Dirty COW remains an active threat today.

Exploit Code Maturity
Exploit Code Maturity is based on the availability of exploit code in various databases and frameworks. Dirty COW exploits are widely known and published.

Age of Vuln
The Age of Vuln is the number of days since the vulnerability was published on the U.S. National Vulnerability Database. This vulnerability is rather old, going back to 2016.

Product Coverage
Product Coverage refers to the number of unique assets affected by this vulnerability. CentOS is a popular Linux distribution used industry-wide.

Vulnerability Priority Rating (VPR)
As a result of these key drivers, the VPR is 9.8 compared to a CVSS score of 7.8. Using Predictive Prioritization, you'd place this Dirty COW vulnerability at the top of your remediation queue (along with other vulnerabilities that have been or will likely be exploited).
The output of Predictive Prioritization is the Vulnerability Priority Rating (VPR). VPR indicates remediation priority of each vulnerability based on the threat landscape. Each vulnerability receives a rating from 0 to 10, helping you evaluate your vulnerabilities and make decisions with confidence.
97% reduction in vulnerabilities to be remediated with the same impact to the attack surface
Predictive Prioritization
Research Insights: Data science based analysis of over 130,000 vulnerabilities to differentiate between the real and the theoretical risks vulnerabilities pose.
Threat Intelligence: Insight into which vulnerabilities are actively being exploited by both targeted and opportunistic threat actors.
Vulnerability Rating: The criticality, ease of exploit and attack vectors associated with the flaw.
Predictive Prioritization combines research insights, threat intelligence and vulnerability rating to reduce the number of vulnerabilities requiring immediate remediation by 97%.