Understanding the Exploit Prediction Scoring System (EPSS) integration

  • Release version: Xanadu
  • Updated August 1, 2024
  • 2 minutes to read

    Overview of the EPSS integration with Vulnerability Response.

    Request apps on the Store

    Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    Overview

    The Exploit Prediction Scoring System (EPSS) integration imports EPSS data for common vulnerabilities and exposures (CVEs) from First.org so that you can prioritize and remediate vulnerabilities. For more information, see https://www.first.org. EPSS is a data-driven effort to estimate the likelihood (probability) that a software vulnerability will be exploited in the wild. The EPSS model produces a probability score between 0 and 1 (0% to 100%); the higher the score, the greater the probability that the vulnerability will be exploited. EPSS also publishes a percentile for each CVE, which ranks its score against all other scored CVEs.

    Data imported by the EPSS integration further enriches the NVD data in your instance. If no NVD record exists for a CVE, the integration creates a placeholder record in the CVE table and stores the EPSS details in that record. Run this integration as part of your initial setup of Vulnerability Response and before importing vulnerability data into your instance with a third-party scanner product.

    Important:
    There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.

    Initial import of data with the EPSS integration

    1. Perform an initial import of EPSS data with the First.org EPSS Integration. For more information, see Configure and run a scheduled job to update CVE records with EPSS data.
      Important:
      By default, EPSS updates run Daily from the integration record. If you want the update to run as a scheduled job, you must configure it.
    2. Third-party libraries are updated as scheduled jobs. For more information, see Importing data with the NVD and CWE integrations and managing third-party libraries.
      Important:
      Perform the NIST National Vulnerability Database Integration - API (CVE only) integration before the EPSS integration, so that EPSS scores enrich existing NVD records instead of creating placeholder CVEs.
    Perform the EPSS imports before importing vulnerability data with a third-party product. Refer to your integration documentation at Vulnerability Response integrations for more information about third-party integrations.
    Important:
    The First.org EPSS integration is included in the base system and is active by default.

    After the initial run, base system scheduled jobs run the integrations automatically in order. You can also execute individual scheduled jobs manually. Scheduled jobs simplify the vulnerability remediation life cycle by keeping the instance synchronized with other vulnerability management systems.

    On activation of the EPSS integration, the EPSS Score, EPSS Percentile, and EPSS Last Modified fields are added to the Vulnerability Entries table. For existing CVEs, these fields are populated on successful completion of the initial import job. CVEs that the EPSS scheduled job adds to the Vulnerability Entries table because no NVD record existed show EPSS as their source. Scores are rolled up from the CVEs in the NVD table to existing TPEs using the base system Rollup EPSS score from NVD to TPEs calculator, which you can modify. For more information, see Vulnerability Response Rollup Calculators.
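The enrichment and rollup behaviour described above, as an added example that is not ServiceNow's code: it parses a constructed snippet in the layout of the First.org EPSS CSV feed, enriches an in-memory CVE table in place of the GlideRecord-backed Vulnerability Entries table, creates EPSS-sourced placeholders for CVEs that have no NVD record, and rolls scores up to third-party entities. The CVE identifiers, scores and TPE names are constructed for the example; the max-of-CVEs rollup rule and the 0.1 prioritization threshold are assumptions of the example, not the rule of the base system calculator.

```javascript
// Added example (not ServiceNow or First.org code). Simulates what the EPSS
// integration does to a CVE table, using a Map instead of GlideRecord.

// Constructed sample in the layout of First.org's daily epss_scores CSV:
// a '#' line carrying model version and score date, a column header,
// then cve,epss,percentile rows. Values are made up, not real EPSS output.
const SAMPLE_EPSS_CSV = `#model_version:v2023.03.01,score_date:2024-08-01T00:00:00+0000
cve,epss,percentile
CVE-2021-44228,0.97565,0.99997
CVE-2020-00002,0.00043,0.08211
CVE-2024-00003,0.12000,0.95000
`;

// Parse the feed into { scoreDate, rows: Map<cve, {epss, percentile}> }.
function parseEpssCsv(text) {
  const lines = text.split('\n').map((l) => l.trim()).filter(Boolean);
  let scoreDate = null;
  const rows = new Map();
  for (const line of lines) {
    if (line.startsWith('#')) {
      const m = line.match(/score_date:([^,]+)/);
      if (m) scoreDate = m[1];
      continue;
    }
    if (line.toLowerCase().startsWith('cve,')) continue; // column header
    const [cve, epss, percentile] = line.split(',');
    const score = Number(epss);
    const pct = Number(percentile);
    // Reject malformed rows outright: a bad line must not silently become a
    // NaN or 0 score that later sorts a real vulnerability to the bottom.
    if (!/^CVE-\d{4}-\d{4,}$/.test(cve) ||
        !(score >= 0 && score <= 1) || !(pct >= 0 && pct <= 1)) {
      throw new Error(`malformed EPSS row: ${line}`);
    }
    rows.set(cve, { epss: score, percentile: pct });
  }
  return { scoreDate, rows };
}

// Enrich the CVE table. Records that already exist (for example from the NVD
// import) get the three EPSS fields; CVEs with no record get a placeholder
// whose source is 'EPSS', as the text describes.
function enrichCveTable(cveTable, epss) {
  const created = [];
  const updated = [];
  for (const [id, s] of epss.rows) {
    let rec = cveTable.get(id);
    if (!rec) {
      rec = { id, source: 'EPSS', cvss: null };
      cveTable.set(id, rec);
      created.push(id);
    } else {
      updated.push(id);
    }
    rec.epss_score = s.epss;
    rec.epss_percentile = s.percentile;
    rec.epss_last_modified = epss.scoreDate;
  }
  return { created, updated };
}

// Roll up from CVEs to third-party entities. Assumed rule for this example:
// a TPE takes the maximum EPSS score of its CVEs. The base system calculator's
// rule is documented separately and can be customised.
function rollupEpssToTpes(tpes, cveTable) {
  const out = {};
  for (const [tpeId, cveIds] of Object.entries(tpes)) {
    let max = null;
    for (const c of cveIds) {
      const rec = cveTable.get(c);
      if (rec && typeof rec.epss_score === 'number') {
        max = max === null ? rec.epss_score : Math.max(max, rec.epss_score);
      }
    }
    out[tpeId] = max; // null when none of the TPE's CVEs has a score yet
  }
  return out;
}

// A prioritization query a remediation workflow might run: CVEs at or above
// an EPSS threshold, highest probability first. The 0.1 default is assumed.
function cvesAbove(cveTable, threshold = 0.1) {
  return [...cveTable.values()]
    .filter((r) => typeof r.epss_score === 'number' && r.epss_score >= threshold)
    .sort((a, b) => b.epss_score - a.epss_score)
    .map((r) => r.id);
}

// Run the whole flow on constructed data: two CVEs already imported from NVD,
// one unknown CVE that becomes an EPSS placeholder, three constructed TPEs.
function runDemo() {
  const epss = parseEpssCsv(SAMPLE_EPSS_CSV);
  const cveTable = new Map([
    ['CVE-2021-44228', { id: 'CVE-2021-44228', source: 'NVD', cvss: 10.0 }],
    ['CVE-2020-00002', { id: 'CVE-2020-00002', source: 'NVD', cvss: 7.5 }],
  ]);
  const result = enrichCveTable(cveTable, epss);
  const tpes = {
    'tpe-logging-lib': ['CVE-2021-44228'],
    'tpe-widget-lib': ['CVE-2020-00002', 'CVE-2024-00003'],
    'tpe-unscored': ['CVE-1999-00009'],
  };
  const rollup = rollupEpssToTpes(tpes, cveTable);
  return { epss, cveTable, result, rollup, priority: cvesAbove(cveTable) };
}

console.log(JSON.stringify(runDemo(), (k, v) => (v instanceof Map ? [...v.values()] : v), 2));
```

Running the block prints the enriched table, the placeholder created for the CVE that had no NVD record, the per-TPE rollup (null for the TPE whose CVE has no score), and the prioritized list. The range check in parseEpssCsv is the part worth keeping in any real import: a row that fails to parse should stop the job loudly rather than write a zero score.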