CVSS base scores are often misinterpreted: They measure the intrinsic severity of vulnerabilities, not their real-world risk to a specific organization, leading many security teams to waste effort on flaws that pose little actual threat.
Exposure management adds essential context to vulnerability risk by factoring in exploit availability, attack paths, asset importance, business impact, and environmental details, producing tailored risk scores rather than one-size-fits-all severity ratings.
Platforms like Tenable One enable smarter, business-aligned prioritization by combining vulnerability risk and asset criticality into dynamic exposure scores, helping organizations focus remediation on the flaws and assets that matter most to security posture and revenue.
Since 2005, the Common Vulnerability Scoring System (CVSS) has been the predominant standard by which we measure widespread cybersecurity flaws. Companies use the CVSS base score, which estimates the severity and the feasibility of exploiting each vulnerability, to prioritize remediation.
Yet the CVSS base score doesn't tell you the whole story. It doesn't tell you whether a particular vulnerability, no matter how dire, can affect your organization, or if so, how badly. Because of this, many security teams waste time and effort chasing down vulnerabilities that end up being no threat to their organizations.Exposure-management platforms like Tenable One start with the CVSS base score but take into account other factors such as exploit availability, potential attack paths, asset criticality, and business risk. They also assess the potential impact of other types of weakness, such as compromised user accounts or misconfigurations.For more information:
The result is a comprehensive score that is tailored to fit each client organization's assets and system architecture. This provides a much clearer view of which flaws to fix immediately, which to put on the back burner, and which can be safely left alone."We provide much richer scores by looking at variables such as exploitability. Is there exploit code available? Is it externally exposed?" says Pierre Coyne, Director of Product Marketing for Tenable One. "We also aggregate all risk associated with a specific asset to calculate an overall asset exposure score, vs. just looking at individual risk."
Why CVSS scores go only halfway
To be fair, the CVSS system is not getting things wrong. Because it is meant to be as universally applicable as possible, the CVSS base score assesses the ease of exploit and potential impact of a vulnerability in the most general terms. It does not consider specific environments, whether an exploit has been proven, or if a patch to remediate an exploit is widely available.In theory, it's up to the security team of each organization to take that CVSS base score and then use their knowledge of their own systems, assets and architectures to gauge if and how badly an individual vulnerability might impact their specific environment."The CVSS Base Score represents only the intrinsic characteristics of a vulnerability and is independent of any factor associated with threat or the computing environment where the vulnerable system resides," states the CVSS User Guide posted by the Forum of Incident Response and Security Teams (FIRST), which compiles CVSS scores and maintains the standard. "[It] should not be used alone to assess risk."But in practice, many security teams misunderstand the CVSS base score as a measurement of risk and rank their priorities accordingly, with the flaws with the highest CVSS scores coming first. That's a mistake, and it leads to teams misallocating their resources by fixing flaws that may not actually be severe threats to their organizations.Aside from the base score, CVSS also uses metrics that do estimate the changing threat level, include availability, of a particular vulnerability over time as it ages, as well as the impact a vulnerability could have on a specific environment.The CVSS User Guide states bluntly that "the application of Environmental and Threat metrics is the responsibility of the CVSS consumer," and that many third parties used as sources for CVSS scores, such as the National Vulnerability Database (NVD), "typically provide only the Base Scores."But because the CVSS base score is the original and oldest metric, the most widely distributed and understood, and the one that doesn't require any additional calculation by a security team, it's what most people think of when they hear "CVSS score."In the same way that U.S. Social Security numbers were not intended to become ID numbers, the CVSS base scores have taken on a purpose for which they were not designed: as comprehensive estimates of risk.
A better yardstick
The Tenable One platform automatically does the threat-estimation and environmental customization that many teams using the CVSS base score fail to calculate, providing a fuller picture of an organization's risk.It determines whether a vulnerability exploit exists, how widely available and how old the exploit is, which known threat actors are using it, and whether a fix has been distributed.Using its knowledge of the client organization's environment, the platform also assesses the vector by which an exploit may be applied, and which attack surface may have the highest risk. Those factors, including the CVSS base score, are combined to form the Vulnerability Priority Rating, or VPR.Going beyond the scope of the secondary CVSS scores, Tenable One uses the MITRE ATT&CK framework to determine potential attack paths that a vulnerability exploit might follow, the importance of the assets (including user accounts) that might be affected by the exploit, the relationship each vulnerable asset would have with other assets to gauge the possible blast radius, and the potential business impact on the organization that a successful exploit would have. Those factors make up the Asset Criticality Rating, or ACR.An attack-path map in Tenable One."Exposure management doesn't stop at scoring individual risks by asset," says Coyne. "It looks at asset, identity and risk relationships in a business context to drive much more effective prioritization, and to eliminate the need to just patch everything."Tenable One combines the Vulnerability Priority Rating and the Asset Criticality Rating to create an Asset Exposure Score (AES) for each asset. Adding and averaging the Asset Exposure Scores across a sector of the organization, or the whole environment, yields a Cyber Exposure Score (CES).Because the exposure-management platform monitors the entire platform continuously, it can generate new Cyber Exposure Scores at any time, allowing security managers and executives to follow changes in the organization's risk posture.
Turning down the volume
But, as Coyne explains, there's more to exposure management than just risk scores."The bigger value is the relationship context exposure management provides to separate true exposures from all the noise," he says. "Exposure management looks at toxic risk combinations (will a vulnerability compromise the administrator account that is actively logged into the same asset?) and actual attack paths leading to crown-jewel assets that can take down a business service or process, or lead to compromise of sensitive customer data."An exposure-management platform that automatically rules out vulnerability exploits that have no viable attack paths, while at the same time highlighting critical assets whose compromise might have devastating consequences, clears the fog and lights the way for security teams to accurately prioritize remediation of risks. Coyne gives an example."We know service A drives $50 million, vs. service B, which drives $10 million. You can now prioritize resources to service A because you know it has the largest financial impact," he explains.That puts organizations that use automated exposure-management platforms way ahead of those that don't, both in security posture and in overall business resilience."Today, most organizations just see individual assets and risks," Coyne adds. "Not what they align to, or how they are strung together to support critical revenue streams."Please visit our exposure management topic page.
Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.