EPSS Recalculation with Warning or Waiver for Remediation Target

dbl2
Tera Contributor

We have implemented EPSS for our vulnerability severity calculation and then apply remediation targets based on the calculated severity.

What we are having some issues with is that when the EPSS scores are updated we are seeing some vulnerabilities jump from a low to a critical overnight and, as they were identified some time ago, they are automatically being reported as overdue and missing the target.

Does anyone have any guidance, ideas, or anything coming in the platform that would enable us to build some rules or something around the EPSS calculation, so that if there is a change in the EPSS score that would cause this, the vulnerability could be in some transitive state for a period of time to give the teams time to be notified and address the vulnerability before it is reported as overdue?

2 REPLIES

Dave Winsor
Giga Expert

I am not aware of anything out of the box, and this is not the 'transitive state' part, but we created a custom table called Vulnerability Changes built off the History table of the Third Party Entries. We enabled auditing on all the fields we use the Risk Calculator for and then have a report that runs when the overall Risk Rating increases, also capturing what field(s) changed that generated the increase. We then send out the report to the appropriate teams to give them the heads up that their Remediation Targets changed.

dbl2
Tera Contributor

Thanks for the idea, QM_SSJ4, and we will look into this for the notifications.

This will help with the notification, but unfortunately it won't help with the remediation targets being missed and so the vulnerabilities reporting as overdue. We have quite strict risk practices around overdue vulnerabilities, and so this behaviour is causing some issues with our metric reporting and SLA breach alerting.

If anyone else has any ideas (or potential roadmap SNOW team!) then it would be greatly appreciated!
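
The two pieces this thread asks for, the change capture described in the reply and the "transitive state" (grace period) the original poster wants, modelled as plain functions so the logic can be tested outside the platform. This is an added example, not code from the thread or from ServiceNow. Field names (`epss_score`, `risk_rating`, `remediation_target`), the rating order, the grace-period lengths, and the sample records are all assumptions for illustration, not real ServiceNow column names or values:

```javascript
// Added example, not from the thread or the platform. Field names, rating
// order, grace-period lengths and sample data are assumed for illustration.

const RATING_ORDER = { low: 1, medium: 2, high: 3, critical: 4 };

// Assumed grace period (days) granted when a record jumps to a higher rating.
const GRACE_DAYS = { medium: 30, high: 14, critical: 7 };

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Assumed set of fields feeding the risk calculation; these are the ones
// the reply describes enabling auditing on.
const AUDITED_FIELDS = ['epss_score', 'cvss_base_score', 'risk_rating'];

// Part 1: what the reply's custom "Vulnerability Changes" table captures.
// Compare audited fields on the previous and current versions of a record
// and return a change entry when the overall rating went up, else null.
function detectRatingIncrease(prev, curr, auditedFields) {
  const before = RATING_ORDER[prev.risk_rating];
  const after = RATING_ORDER[curr.risk_rating];
  if (before === undefined || after === undefined || after <= before) return null;
  const changedFields = auditedFields
    .filter((f) => prev[f] !== curr[f])
    .map((f) => ({ field: f, from: prev[f], to: curr[f] }));
  return { id: curr.id, from: prev.risk_rating, to: curr.risk_rating, changedFields };
}

// Part 2: the "transitive state" the question asks for. When a rating jumps,
// push the remediation target out to at least now + grace so the record is
// not overdue the moment the score is refreshed. The original target is kept
// so reporting can still show what the pre-rerating commitment was.
function applyGracePeriod(curr, change, now) {
  const graceDays = GRACE_DAYS[change.to] || 0;
  const graceUntil = new Date(now.getTime() + graceDays * MS_PER_DAY);
  const existing = new Date(curr.remediation_target);
  const newTarget = existing > graceUntil ? existing : graceUntil;
  return Object.assign({}, curr, {
    original_remediation_target: curr.remediation_target,
    remediation_target: newTarget.toISOString().slice(0, 10),
    // Only enter the grace state if the target actually moved.
    state: newTarget > existing ? 'rerated_grace' : curr.state,
  });
}

function isOverdue(record, now) {
  return new Date(record.remediation_target) < now;
}

// Process one EPSS refresh: returns the change-log entries (for the
// notification report) and the updated records (with grace applied).
function processEpssRefresh(previousRecords, refreshedRecords, auditedFields, now) {
  const prevById = new Map(previousRecords.map((r) => [r.id, r]));
  const changes = [];
  const updated = [];
  for (const curr of refreshedRecords) {
    const prev = prevById.get(curr.id);
    const change = prev ? detectRatingIncrease(prev, curr, auditedFields) : null;
    if (change) {
      changes.push(change);
      updated.push(applyGracePeriod(curr, change, now));
    } else {
      updated.push(curr);
    }
  }
  return { changes, updated };
}

// Constructed sample data (not real vulnerabilities). VUL-1 was found months
// ago as low and jumps to critical after the EPSS refresh; VUL-2 is unchanged;
// VUL-3 drops from high to medium, which is not a rating increase.
const NOW = new Date('2024-06-01T00:00:00Z');
const SAMPLE_PREVIOUS = [
  { id: 'VUL-1', epss_score: 0.02, cvss_base_score: 7.5, risk_rating: 'low', remediation_target: '2024-03-01', state: 'open' },
  { id: 'VUL-2', epss_score: 0.10, cvss_base_score: 5.0, risk_rating: 'medium', remediation_target: '2024-09-01', state: 'open' },
  { id: 'VUL-3', epss_score: 0.60, cvss_base_score: 8.0, risk_rating: 'high', remediation_target: '2024-06-15', state: 'open' },
];
const SAMPLE_REFRESHED = [
  { id: 'VUL-1', epss_score: 0.91, cvss_base_score: 7.5, risk_rating: 'critical', remediation_target: '2024-03-01', state: 'open' },
  { id: 'VUL-2', epss_score: 0.10, cvss_base_score: 5.0, risk_rating: 'medium', remediation_target: '2024-09-01', state: 'open' },
  { id: 'VUL-3', epss_score: 0.20, cvss_base_score: 8.0, risk_rating: 'medium', remediation_target: '2024-06-15', state: 'open' },
];

function runSample() {
  return processEpssRefresh(SAMPLE_PREVIOUS, SAMPLE_REFRESHED, AUDITED_FIELDS, NOW);
}

console.log(JSON.stringify(runSample(), null, 2));
```

In the platform itself, the same two checks would sit in a business rule on the third-party entry table using the `current` and `previous` record objects rather than the snapshot arrays used here; that wiring, and whether to write the grace target back to the remediation target field or to a separate field, is left as a design choice since the thread does not settle it.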