Evaluate your company's exposure to highly exploitable CVEs and how you compare to global averages.

To better assist you in determining and responding to your company's vulnerabilities, Trend Micro designed certain metrics to complement each other for greater clarity.
The Highly Exploitable Vulnerability Percentages and Highly Exploitable CVE Density widgets work together to help you tailor your response to vulnerabilities. Click on the entry for the CVE density or percentage of a particular type of asset to view a list of affected assets.
Metric: Highly Exploitable CVE Density

Description:
Calculated from the total number of detected highly-exploitable CVEs divided by the total number of managed assets with Vulnerability Assessment enabled (Total highly exploitable CVEs / Total managed assets with Vulnerability Assessment)
Highly Exploitable Vulnerability Percentage calculations occur daily. Weekly and monthly averages use a simple average calculation based off the daily values.

Example:
Total asset count: 3
  • Asset 1: 2 CVEs
  • Asset 2: 4 CVEs
  • Asset 3: 0 CVEs
Highly-exploitable CVE density (Total highly-exploitable CVEs / Total assets with Vulnerability Assessment):
(2+4+0) / 3 = 2.0

Metric: Highly Exploitable Vulnerability Percentages

Description:
Calculated from the total number of a specific asset type with detected highly exploitable CVEs divided by the total number of the specific type of asset with Vulnerability Assessment enabled (Total assets with vulnerabilities / Total assets with Vulnerability Assessment * 100).
Note
The vulnerability assessment scope is limited to supported operating systems.
Managed assets with available highly exploitable vulnerability percentage calculations include:
  • Internal assets
  • Hosts
  • Container clusters
  • Container images
  • Cloud VMs
  • Serverless functions
Highly Exploitable Vulnerability Percentage calculations occur daily. Weekly and monthly averages use a simple average calculation based off the daily values.

Example:
  • Total number of assets with detected highly-exploitable CVEs: 5
  • Total Vulnerability Assessment-enabled assets: 25
Highly Exploitable Vulnerability Percentage (Total assets with vulnerabilities / Total assets with Vulnerability Assessment * 100):
5 / 25 * 100 = 20%

Important
  • CVE counts only include Highly-Exploitable CVEs based on global exploit activity and Trend Micro threat expert evaluations.
  • CVE counts include all Highly-Exploitable CVEs regardless of patch availability.
  • Vulnerability Assessment is only supported on Windows desktop platforms starting from Windows 10.

Example Scenario

Company A
  • CVE Density: 10.2
  • Vulnerable Internal Asset Percentage: 5%
Company B
  • CVE Density: 10.2
  • Vulnerable Internal Asset Percentage: 40%
Even though the CVE Density values for both companies are the same (10.2), the risk profiles are very different.
  • Company A has a small number of internal assets with a large number of critical CVEs, which could indicate that the company regularly applies patches and only a limited subset of endpoints has not yet received the latest update.
  • Company B has a large number of internal assets with a large number of CVEs, which could indicate that the company's policy delays endpoint patching, possibly due to internal testing requirements.
Examining both metrics can help a company determine the best method to reduce CVE vulnerabilities.
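
The two metrics and the Example Scenario above, worked through as an added example (not Trend Micro's code). The `Asset` record, the type labels, the helper names and both fleets are constructed here as assumptions.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class Asset:                      # hypothetical inventory record, not a product schema
    name: str
    asset_type: str               # label such as "internal" (assumed naming)
    va_enabled: bool              # Vulnerability Assessment enabled on this asset
    he_cves: int                  # highly exploitable CVEs detected on it

def cve_density(assets):
    """Total highly exploitable CVEs / total assets with Vulnerability Assessment."""
    scoped = [a for a in assets if a.va_enabled]
    if not scoped:
        return None               # nothing assessed: undefined, not "0 risk"
    return sum(a.he_cves for a in scoped) / len(scoped)

def vulnerable_percentage(assets, asset_type):
    """Assets of one type with >=1 such CVE / assessed assets of that type * 100."""
    scoped = [a for a in assets if a.va_enabled and a.asset_type == asset_type]
    if not scoped:
        return None
    return 100 * sum(1 for a in scoped if a.he_cves > 0) / len(scoped)

def period_average(daily_values):
    """Simple average of daily values; skipping days with no value is an assumption."""
    values = [v for v in daily_values if v is not None]
    return mean(values) if values else None

def fleet(cve_counts, asset_type="internal"):
    """Build a constructed fleet with one assessed asset per CVE count."""
    return [Asset(f"{asset_type}-{i}", asset_type, True, n)
            for i, n in enumerate(cve_counts)]

# Constructed data: 20 assets and 204 CVEs each, so both densities are 10.2.
COMPANY_A = fleet([204] + [0] * 19)                            # 1 of 20 affected
COMPANY_B = fleet([26, 26, 26, 26, 25, 25, 25, 25] + [0] * 12)  # 8 of 20 affected

if __name__ == "__main__":
    for label, assets in (("Company A", COMPANY_A), ("Company B", COMPANY_B)):
        print(label, cve_density(assets), vulnerable_percentage(assets, "internal"))
```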