Vulnerability Prioritization with Nessus Cloud

Share and earn Cybytes
Facebook Twitter LinkedIn Email

By Sam Gaudet

If you’re a security professional, vulnerability prioritization is likely something you deal with frequently. Few, if any organizations ever address 100% of discovered vulnerabilities, as new vulnerabilities come out every day and old vulnerabilities can hide out on unknown and shadow assets or simply never make it to the top of the patching priority list.

Vulnerabilities that don’t get addressed cause problems. In last year’s Data Breach Investigations Report (DBIR), Verizon noted that 99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published.

Addressing 100% of vulnerabilities 100% of the time is not an achievable goal for most organizations. But being able to prioritize those that pose the highest risk is something that most organizations should be able to accomplish using a solution like Nessus® Cloud. Here are a few tips for using Nessus Cloud to prioritize your vulnerabilities list.

Scoring vulnerabilities with CVSS

The industry standard for communicating the severity of vulnerabilities is the Common Vulnerability Scoring System, or CVSS. The CVSS uses an algorithm based on metrics in three different areas that approximate the ease and impact of exploiting a vulnerability. Our EMEA technical director, Gavin Millard gives a good explanation of the three CVSS scoring areas (base, temporal, environmental) in this on-demand webcast if you’d like to learn more about CVSS.

Addressing 100% of vulnerabilities 100% of the time is not an achievable goal for most organizations

As an industry standard, Nessus Cloud uses CVSS in multiple ways. First, when Nessus Cloud identifies a vulnerability as Critical, High, Medium, Low or Informational, it uses CVSS scores to assign those categories:

You can also use the Nessus Cloud Advanced Search capability to identify vulnerabilities with specific CVSS characteristics. For example, many organizations rely on CVSS Base Scores, the metrics that measure how easy it is to access a vulnerability. In Advanced Search, it’s easy to identify vulnerabilities cataloged on your network that have a CVSS Base Score of 7.5 or higher. This search would list all of the High severity vulnerabilities:

Additional Search Filters

CVSS provides a number you can associate with each vulnerability; but by using Advanced Search, there are a few other search filters that provide additional context from the mountain of vulnerabilities.

Tenable announced several of these advanced search filters for Nessus Cloud last year. One of my favorites is the In the News filter. Your CISO may have just read about a big new vulnerability, such as Heartbleed, Shellshock, or Ghost, that has caught the attention of the media. The In the News filter can identify these high profile vulnerabilities and therefore help your security team mitigate the newsworthy questions so that when asked, you can confidently state that you have taken care of the big vulnerability that’s making headlines.

Identifying Vulnerabilities on Specific Assets – Or Not

Earlier this year, Asset Lists and Exclusions were introduced in Nessus Cloud. Asset Lists are a way to organize hosts into groups. For example, hosts that fall under the same compliance area could be placed into a list, such as all hosts that fall under PCI DSS. Asset Lists have several benefits. You can scan similar assets using the most appropriate scan policies and frequencies. Asset lists also make it easier to share vulnerability information with the appropriate business group, which can simplify the remediation process.

Assets Lists can also be useful if and when you need to scan specific assets at a specific time. For example, you might want to scan all your PCI assets immediately before an annual PCI audit.

On the other hand, Exclusions enable you to restrict the scanning of specific hosts based on a given schedule. If there is a situation where one or many hosts do not need to be included in a scan, you can omit them and simplify your vulnerability results.


While CVSS, Advanced Search Filters, Asset Lists, and Exclusions are all useful ways to prioritize vulnerabilities, sometimes you just need to see the big picture. To accomplish this, Nessus Cloud offers dashboards that provide a graphical representation of vulnerability trending data over time.

You can use the dashboards to quickly get an overall view of vulnerabilities in your environment as well as to identify if you are meeting goals and policies set forth by your organization. Let’s say your organization has a policy that it will not tolerate more than 25 critical vulnerabilities open at any time. In the example below, even though there are 19 critical vulnerabilities open, you know you’re within policy; so maybe you could mix some vulnerability remediation work with another important project instead of just focusing on remediation efforts.

This same dashboard helps you track how long vulnerabilities have been open. As I noted earlier, last year’s Verizon DBIR highlighted how often old vulnerabilities end up being the path attackers take to gain access to networks. The dashboard could help you identify critical vulnerabilities that could lead to actual breaches.

Starting with the dashboard, you can access an interactive list of all vulnerabilities that are more than 30 days old and easily drill down to details for a specific host exhibiting an old security hole.

Try Nessus Cloud

Nessus Cloud provides insight into the vulnerabilities on your network that should be given your immediate attention.

If you aren’t already using Nessus Cloud and would like to try any of these vulnerability prioritization techniques, you can request a free Nessus Cloud evaluation. Try out the ideas from this article and see even more ways that Nessus Cloud provides insight into the vulnerabilities on your network that should be given your immediate attention.

Continue the vulnerability prioritization conversation on Tenable’s Discussion Forums at, or on Twitter @TenableSecurity.

Thanks to Diane Garey for assisting with this blog.

This content was authored by Sam Gaudet and originally posted on the Tenable blog.

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About Tenable
Tenable™, Inc. is the Cyber Exposure company. Over 24,000 organizations of all sizes around the globe rely on Tenable to manage and measure their modern attack surface to accurately understand and reduce cyber risk. As the creator of Nessus®, Tenable built its platform from the ground up to deeply understand assets, networks and vulnerabilities, extending this knowledge and expertise into™ to deliver the world’s first platform to provide live visibility into any asset on any computing platform. Tenable customers include over 50 percent of the Fortune 500, large government agencies and organizations across the private and public sectors. Learn more at
Promoted Content
Five Steps to Building a Successful Vulnerability Management Program
Is your vulnerability management program struggling? Despite proven technology solutions and the best efforts of IT teams, unresolved vulnerabilities remain an ongoing source of friction and frustration in many organizations. Regardless of how many vulnerabilities are fixed, there will always be vulnerabilities that can’t easily be remediated – and too often, finger-pointing between IT teams and business groups can ensue.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?