Exploring exposure assessment

  • Release version: Xanadu
  • Updated August 1, 2024
  • 5 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Exploring Exposure Assessment

    Exposure assessment leverages the Common Platform Enumeration (CPE) framework to evaluate the vulnerability exposure of assets using a software discovery model. This process utilizes a matching algorithm to map relevant CPEs to software, allowing for the identification of potential vulnerabilities, including those not detected by traditional scanners and zero-day vulnerabilities. The assessment serves as an early warning mechanism to help improve vulnerability management practices.

    Show full answer Show less

    Prerequisites

    • Vulnerability Crisis Management plugin 1.0
    • Vulnerability Response 20.0 or higher
    • Software Asset Management Foundation or Professional plugin
    • Vulnerability Response Integration with NVD and CISA

    Use Cases

    • Assess by CVE: Understand the impact of vulnerabilities using SAM and Discovery data, and implement timely remediation actions.
    • Assess by Software: Identify software installations to proactively manage zero-day vulnerabilities before they are widely known.
    • Assess by Publisher: Evaluate vendor-related vulnerabilities over a specified period to better manage vendor risk.

    Compatibility and System Requirements

    The Exposure Assessment module requires the ITSM Software Asset Management application. Ensure that necessary plugins like SAM Foundation and Professional are installed for effective operation. Access to asset data is crucial for the module to function properly.

    Matching Algorithm Fields

    The software discovery model utilizes various fields to enhance the accuracy of vulnerability assessments, including CPE, Product Display Name, and Version information. The SAM Professional application allows for editing and normalizing software discovery models to ensure comprehensive coverage.

    Scheduled Jobs

    • Check potential vulnerability exposure: Runs every 12 hours to process delta CVEs and software installations.
    • Insert CISA exploited CVE: On-demand insertion of CISA CVEs into the Exposure Configuration table.
    • Run exposure assessment: On-demand calculation of exposure for configured CVEs.
    • Run software exposure: On-demand calculation of exposure for software records.

    Key Terms

    • Confidence Score: Indicates the reliability of recommendations based on exposure assessment.
    • Software Installation Count: Reflects the number of software assets impacted by vulnerabilities.
    • Discovery Model: Displays counts and results related to active software installations.

    Starting from version 22.0, a new system property allows filtering of inactive software installations in exposure assessments, enhancing the accuracy of reported counts. Scheduled jobs are essential for updating exposure data consistently.

    Exposure assessment uses the Common Platform Enumeration (CPE) framework, which is a part of the Common Vulnerabilities and Exposures (CVEs) system, to evaluate the vulnerability exposure of your assets to vulnerability software. This assessment is performed using a software discovery model.

    By employing a matching algorithm, the relevant CPEs are associated and mapped to the software discovery model, enabling the identification of potential exposures.

    You can use the exposure assessment by CVE or software to identify exposure to potential vulnerabilities for the following scenarios:
    • Vulnerabilities that may not be identified by traditional scanners
    • Zero-day vulnerabilities before the scanner provide the signature for vulnerability detection
    Exposure assessment provides an early warning to remediate these vulnerabilities, and improve the maturity of the vulnerability management program.
    Prerequisites for exposure assessment
    Table 1. Available versions
    Application Version

    Vulnerability Crisis Management plugin

    		 1.0
    Vulnerability Response 20.0
    Vulnerability Response with NVD 1.3
    Vulnerability Response Integration with CISA 1.2
    Vulnerability Response Integration with NVD
    Note:
    For more information, see Understanding the NVD integrations.
    		 1.3
    Software Asset Management Software Asset Management Foundation plugin or Software Asset Management Professional plugin

    Use cases

    For examples of how Vulnerability Analysts organization would use the Vulnerability Exposure Assessment workspace, see these use cases.
    Assessment type Use
    Assess by CVE Assess vulnerabilities by CVE to gain a full understanding of the impact and exposure of the affected systems using Software Asset Management (SAM) and Discovery data. Take prompt remediation actions by creating manual VITs and assigning them to remediation owners. Assessing by CVEs is beneficial because scanners may not detect all the affected systems, whereas Discovery typically identifies most of the software on the attack surface.
    Assess by Software

    Assess the impact by software when CVE is unavailable to identify the number of CIs where the software is installed. By assessing by software, you can proactively act on zero-day or critical vulnerabilities by creating a manual VIT and assigning it to the remediation owner before they’re officially published or before scanners identify them.
    Assess by Publisher Assess vulnerabilities by a software vendor to understand the impact and exposure of affected systems for the CVEs published by the vendor within a time frame. Assessing by publisher helps you evaluate the vendor risk and critical vulnerabilities, enabling proactive remediation.

    Compatibility and system requirements

    The Vulnerability Response application is available on the ServiceNow Store. The ITSM Software Asset Management application (com.snc.asset_management) is required for the Exposure Assessment module. This application manages all your assets and software licenses, and the SAM Foundation version of this application is part of the Vulnerability Response application that you download from the ServiceNow Store.
    Important:
    The Exposure Assessment application works with the following plugins:
    • Software Asset Management Foundation plugin (com.snc.sams)
    • Software Asset Management Professional (com.snc.pa.samp)
    • Software Asset Management plugin (com.snc.software_asset_management)

    To verify the SAM Foundation application is installed on your instance, navigate to System Applications > All Available Applications > All and search for com.snc.asset_management. If the application isn’t installed, select Install. As the Vulnerability Exposure Assessment application requires access to the asset data on your ServiceNow AI Platform® instance, the asset management applications must have data to reference. The Software Discovery Models table (cmdb_sam_sw_discovery_model) and the Software installations (cmdb_sam_sw_install) require data.

    Matching algorithm fields for software discovery models

    The Software Asset Management Professional application enables you to edit a software discovery model to manually normalize discovered software that hasn’t been fully normalized (partially normalized, publisher normalized, or match not found) on the Software Discovery Models form so that it can be reconciled. Starting with version 20.0 of Vulnerability Response supports normalized discovery model that comes from Software Asset Management Professional. The following fields are used for the matching algorithm for software discovery models.
    CPE (Software model) SAM Foundations SAM Professional
    Vendor Primary Key Primary Key
    Product Display Name Display Name
    Version Discovered Publisher Discovered Publisher
    Edition Discovered Product Discovered Product
    Discovered Version Discovered Version
    Normalized Publisher
    Normalized Product
    Normalized Version
    Note:
    The SAM Professional application isn’t part of the core Vulnerability Response product from the ServiceNow Store and requires a separate subscription.

    System property

    To process the CISA-exploited vulnerabilities automatically for exposure assessment, set the system property sn_vul_analyst.enable_exposure_for_cisa to true. The default value is false.

    Scheduled jobs

    Following are the scheduled jobs.

    Scheduled job name Description
    Check potential vulnerability exposure Processes the delta CVEs, software, and installations to get the exposure.
    Note:
    This scheduled job runs every 12 hours. It runs for a longer period than the other scheduled jobs.
    Insert CISA exploited CVE to exposure config On-demand. Inserts the CISA CVEs into the Exposure Configuration table to calculate the exposure.
    Run exposure assessment for configured CVEs On-demand. Calculates the exposure for all the CVE records in the Exposure Configuration table.
    Run software exposure On-demand. Calculates the exposure for all the software records in the Exposure Configuration table.

    Key terms

    The Software installation count field provides the total number of software installs, regardless of their active or inactive status on the discovery model. Starting with v22.0 of Vulnerability Response, a new system property, sn_vul.filter_inactive_sw_installs, has been introduced to determine whether inactive software installations should be filtered out for exposure assessment. By default, the property is enabled in the base system. When the filter is enabled, only active installations are displayed.

    The Discovery model field specifically shows the count of active software installations, as the inactive ones are filtered out based on the default active=true filter on the Software Discovery Model table. The count in this field should match the filtered count displayed in the Software installation count field. The count in the Software installation field persists even if you update the system property. To obtain the updated count, you must run the scheduled jobs Run exposure assessment for configured CVEs and Run software exposure that updates the count.