Vulnerability percentages and CVE density

Views:

Evaluate your organization's exposure to CVEs to help tailor your mitigation efforts.

To better assist you in determining and responding to your organization's vulnerabilities, Trend Micro designed certain metrics to complement each other for greater clarity.

The Vulnerability Percentages and CVE Density widgets work together to help you tailor your response to vulnerabilities. Click on the entry for the CVE density or percentage of a particular type of asset to view a list of affected assets.

Metric

Description

Example

CVE Density

Calculated from the total number of detected CVEs divided by the total number of managed assets with Vulnerability Assessment (Total CVEs / Total managed assets with Vulnerability Assessment)

CVE density calculations occur daily. Weekly and monthly averages use a simple average calculation based off the daily values.

Total asset count: 3

Asset 1: 2 CVEs
Asset 2: 4 CVEs
Asset 3: 0 CVEs

CVE density (Total CVEs / Total assets with Vulnerability Assessment):

(2+4+0) / 3 = 2.0

Vulnerability Percentages

Calculated from the total number of a specific asset type with detected CVEs divided by the total number of the specific type of asset with Vulnerability Assessment (Total assets with vulnerabilities / Total assets with Vulnerability Assessment * 100).

Note

Vulnerability assessment scope is limited to supported operating systems.

Managed assets with available vulnerability percentage calculations include:

Internal assets
Hosts
Container clusters
Container images
Cloud VMs
Serverless functions

Vulnerability percentage calculations occur daily. Weekly and monthly averages use a simple average calculation based off the daily values.

Total number of assets with detected CVEs: 5
Total assets with Vulnerability Assessment: 25

Vulnerability Percentage (Total assets with vulnerabilities / Total assets with Vulnerability Assessment * 100):

5 / 25 * 100 = 20%

Important

CVE counts for hosts only include high-impact and medium-impact CVEs based on global exploit activity and Trend Micro threat expert evaluations.
Vulnerability Assessment is only supported on Windows desktop platforms starting from Windows 10 and select Linux platforms. For more information, see Vulnerability Assessment supported operating systems.

Using CVE density and vulnerability percentages together helps you obtain a more accurate picture of your organization's risk profile.

Example Scenario

Company A	Company B
CVE Density: 10.2 Vulnerable Internal Asset Percentage: 5%	CVE Density: 10.2 Vulnerable Internal Asset Percentage: 40%
Even though the CVE density values for both companies are the same (10.2), the risk profiles are very different. Company A has a small number of internal assets with a large number of CVEs, which could indicate the company regularly applies patches and only a limited subset of endpoints have not received the latest update. Company B has a large number of internal assets with a large number of CVEs, which could indicate that the company delays patching endpoints, possibly due to internal testing requirements. Examining both metrics can help determine the best method to reduce CVE vulnerabilities.