
Vulnerability Risk Calculator - Use Source Risk Score instead of Vulnerability Severity?

Kevin Lillis
Tera Expert

Hi,

We currently use Source Risk Score from Qualys (Qualys Detection Score; QDS) to do a direct map to our Risk Score in ServiceNow.  QDS combines the severity of the vulnerability with other Threat Intelligence to get that Risk Score.  Quite frequently we see a score start as a 50 but once intel has discovered it is actively being exploited, the QDS score changes to something higher (ex. 80).

We want to enhance that existing QDS score to include Asset/Business related factors (ex. Business Criticality and/or External Facing). 

So we are attempting to use the OOTB Risk Calculators in ServiceNow.  We want to be able to keep our existing Risk Score number and take a percentage of that (ex. 60%) and add in a percentage of Business Criticality (ex. 25%) as well as Externally Facing (ex. 15%).

However, every example I have seen on how to use the Risk Calculators uses 'Vulnerability Severity'.  That won't work for two reasons:
1. Vulnerability Severity is not an exact match with the QDS Score.  In the example below, 5 of the 6 rows show 'Severity' different than the associated real ranking of 'Source Risk Score' we use today.

2. I could use 'Source Risk Score' as one of the fields, but it would require me to program the entire range of values (as seen below).  I was hoping there would be an easier way to do that.

  • Default : 50, Empty String : 0, 1 : 1, 2 : 2, 3 : 3, ... , 99 : 99, 100 : 100

Also of note, we want to keep the integrity of the QDS score using our Risk Rating ranges.  What I mean by that is our Risk Rating ranges are as follows:

  • Low: 0 - 39
  • Medium: 40 - 69
  • High: 70 - 89
  • Critical: 90 - 100

So it is important to us, as we are applying Business Criticality and Externally Facing, to NOT take the 'average' score for that range.  Example: a HIGH 70 is different than a HIGH 89.  If the asset it is on is Business Critical and Externally Facing, these are the scores for both, as well as for the 'average'.

  • 70*.60 + 100*.25 + 100*.15 = 42+25+15 = 82; HIGH
  • 80*.60 + 100*.25 + 100*.15 = 48+25+15 = 88; HIGH
  • 89*.60 + 100*.25 + 100*.15 = 53.4+25+15 = 93.4; CRITICAL

Is there an easy way to do this without hardcoding the 101 Source Risk Scores?


If not, perhaps this could be a future enhancement?


QM_SSJ4
Tera Contributor

I am doing the exact same thing but with Tenable VPR and map a range of the VPR to an equivalent point value within the Risk Calculator. We also have an asset scoring methodology maintained in our CMDB which also follows a % score mapping in our Risk Calculators.  Attached is a screenshot of an example.


Be careful including too many conditions in a single calculation as well. The more you use, the greater the risk that you unintentionally deflate your scores. For example, if you use the 'external' flag as 15% of your overall score, all the non-external things have a 15% lower maximum. Instead, consider using the Conditions to set up multiple risk calculators for different scenarios, leveraging both the condition builder and Order. Some options:

  • External Assets
  • Internal Assets w/ Asset Risk Score
  • Internal with no Asset Risk Score
  • Internal with no asset score and no VPR
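Added example, not from either poster and not the ServiceNow Risk Calculator's own code: a plain JavaScript script that applies the original post's weights (60% Source Risk Score, 25% Business Criticality, 15% Externally Facing) and its rating bands on the exact QDS rather than the band average, and then shows the deflation the reply warns about (a fixed 15% "external" share caps every internal asset at 85). Function names, and the choice to score Business Criticality and External Facing as 0 or 100, are assumptions.

```javascript
// Weights from the original post (sum to 1.0).
var WEIGHTS = { qds: 0.60, businessCriticality: 0.25, externalFacing: 0.15 };

// Rating bands from the original post (inclusive lower bounds).
function rating(score) {
  if (score >= 90) return 'Critical';
  if (score >= 70) return 'High';
  if (score >= 40) return 'Medium';
  return 'Low';
}

// Weighted score on the exact Source Risk Score (0-100), not the band average.
// Assumption: Business Criticality and External Facing contribute 100 when
// the asset is critical / external and 0 otherwise.
function weightedScore(qds, businessCritical, externalFacing) {
  if (qds < 0 || qds > 100) throw new RangeError('QDS must be 0-100');
  var raw = qds * WEIGHTS.qds
    + (businessCritical ? 100 : 0) * WEIGHTS.businessCriticality
    + (externalFacing ? 100 : 0) * WEIGHTS.externalFacing;
  return Math.round(raw * 10) / 10; // one decimal, avoids float noise
}

// Score and band a list of QDS values for one asset profile, e.g. the post's
// 70 / 80 (band average) / 89 example on a Business Critical, External asset.
function bandScores(qdsValues, businessCritical, externalFacing) {
  return qdsValues.map(function (qds) {
    var s = weightedScore(qds, businessCritical, externalFacing);
    return { qds: qds, score: s, rating: rating(s) };
  });
}

// The reply's caveat: the best an internal, Business Critical asset can
// reach with the external share fixed at 15% (QDS 100 gives only 85).
function maxInternalScore() {
  return weightedScore(100, true, false);
}

console.log(bandScores([70, 80, 89], true, true));
console.log('internal ceiling:', maxInternalScore(), rating(maxInternalScore()));
```

Running it shows the 89 row landing in Critical while the band average (80) stays High, which is the distinction the original post wants the calculator to preserve.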