
Vulnerability Risk Calculator - Use Source Risk Score instead of Vulnerability Severity?

Kevin Lillis
Tera Expert

Hi,

We currently use Source Risk Score from Qualys (Qualys Detection Score; QDS) to do a direct map to our Risk Score in ServiceNow.  QDS combines the severity of the vulnerability with other Threat Intelligence to get that Risk Score.  Quite frequently we see a score start as a 50 but once intel has discovered it is actively being exploited, the QDS score changes to something higher (ex. 80).

We want to enhance that existing QDS score to include Asset/Business related factors (ex. Business Criticality and/or External Facing). 

So we are attempting to use the OOTB Risk Calculators in ServiceNow.  We want to be able to keep our existing Risk Score number and take a percentage of that (ex. 60%) and add in a percentage of Business Criticality (ex. 25%) as well as Externally Facing (ex. 15%).

However, every example I have seen on how to use the Risk Calculators uses 'Vulnerability Severity'.  That won't work for two reasons:
1. Vulnerability Severity is not an exact match with the QDS Score.  In the example below, 5 of the 6 rows show 'Severity' different than the associated real ranking of 'Source Risk Score' we use today.

2. I could use 'Source Risk Score' as one of the fields, but it would require me to program the entire range of values (as seen below).  I was hoping there would be an easier way to do that.

  • Default : 50, Empty String : 0, 1 : 1, 2 : 2, 3 : 3, ... , 99 : 99, 100 : 100

Also of note, we want to keep the integrity of the QDS score using our Risk Rating ranges.  What I mean by that is our Risk Rating ranges are as follows:

  • Low: 0 - 39
  • Medium: 40 - 69
  • High: 70 - 89
  • Critical: 90 - 100

So it is important to us, as we are applying Business Criticality and Externally Facing, to NOT take the 'average' score for that range.  Example: a HIGH 70 is different than a HIGH 89.  If the asset it is on is Business Critical and Externally Facing, these are the resulting scores for both, as well as for the 'average'.

  • 70*.60 + 100*.25 + 100*.15 = 42+25+15 = 82; HIGH
  • 80*.60 + 100*.25 + 100*.15 = 48+25+15 = 88; HIGH
  • 89*.60 + 100*.25 + 100*.15 = 53.4+25+15 = 93.4; CRITICAL

Is there an easy way to do this without hardcoding the 101 Source Risk Scores?


If not, perhaps this could be a future enhancement?


Kevin Lillis
Tera Expert

[attached image: KevinLillis_0-1762440115769.png]


kaushal_snow
Giga Sage

@Kevin Lillis ,


Yes, you absolutely can use your Vulnerability Response risk calculators to pull in the external Source Risk Score (such as Qualys QDS) instead of the OOTB Vulnerability Severity field. The way to do it is by configuring a calculator rule (or scripted rule) that takes the QDS field on the Vulnerable Item (or Third Party Entry) record, applies your weighting logic (for example 60% QDS + 25% Business Criticality + 15% External Facing), and writes the resulting value to the risk_score field. The key being you'll need to ensure:

  • a) the QDS score is stored in a field you can reference,
  • b) the calculator condition is set up to use that field (not just the Severity field),
  • c) you create business logic (script or weight table) that maps the full 0 to 100 range instead of hard-coding only the standard severity buckets, and
  • d) you test Reapply Calculator or schedule the run so that existing records get recalculated properly.


If you found my response helpful, please mark it as ‘Accept as Solution’ and ‘Helpful’. This helps other community members find the right answer more easily and supports the community.


Thanks and Regards,
Kaushal Kumar Jha - ServiceNow Consultant - Lets connect on Linkedin: https://www.linkedin.com/in/kaushalkrjha/
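The 60/25/15 weighting and rating bands from the question, and the scripted-rule approach from the reply, worked through as an added example (not code from this thread or from ServiceNow): it uses the full 0 to 100 QDS range directly instead of a per-value map, and handles the default and empty-string cases from the question's value list. The function names, the Business Criticality scale (assumed 1 = most critical through 5, mapped to 100 down to 0) and the boolean External Facing input are assumptions.

```javascript
// Added example: weighted risk score combining an external Source Risk Score (QDS)
// with asset factors, using the thread's 60/25/15 weights and rating bands.
// Not ServiceNow code; field names and the criticality-to-percent mapping are assumed.

var WEIGHTS = { qds: 0.60, businessCriticality: 0.25, externalFacing: 0.15 };

// Rating bands from the question: Low 0-39, Medium 40-69, High 70-89, Critical 90-100.
function rating(score) {
  if (score >= 90) return 'Critical';
  if (score >= 70) return 'High';
  if (score >= 40) return 'Medium';
  return 'Low';
}

// Normalize the raw Source Risk Score the way the question's value map does:
// missing value -> default 50, empty string -> 0, anything else clamped to 0..100.
function normalizeQds(raw) {
  if (raw === null || raw === undefined) return 50;
  if (raw === '') return 0;
  var n = Number(raw);
  if (isNaN(n)) return 50;
  return Math.max(0, Math.min(100, n));
}

// businessCriticality: assumed scale 1 (most critical) .. 5 (least), mapped to 100..0.
// externalFacing: boolean, mapped to 100 or 0.
function assetFactors(businessCriticality, externalFacing) {
  var bc = Number(businessCriticality);
  var bcPercent = (bc >= 1 && bc <= 5) ? (5 - bc) * 25 : 0;
  return { businessCriticality: bcPercent, externalFacing: externalFacing ? 100 : 0 };
}

// The whole QDS range feeds the formula, so a High 70 and a High 89 stay distinct
// after weighting instead of collapsing to one averaged bucket value.
function calculateRisk(rawQds, businessCriticality, externalFacing) {
  var qds = normalizeQds(rawQds);
  var f = assetFactors(businessCriticality, externalFacing);
  var score = qds * WEIGHTS.qds
    + f.businessCriticality * WEIGHTS.businessCriticality
    + f.externalFacing * WEIGHTS.externalFacing;
  score = Math.round(score * 10) / 10; // one decimal, as in the question's worked values
  return { score: score, rating: rating(score) };
}

// Worked values from the question: 70 -> 82 High, 80 -> 88 High, 89 -> 93.4 Critical.
var samples = [70, 80, 89];
for (var i = 0; i < samples.length; i++) {
  var r = calculateRisk(samples[i], 1, true);
  console.log('QDS ' + samples[i] + ' -> ' + r.score + ' (' + r.rating + ')');
}
```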