Vulnerability Response Rollup Calculators

  • Release version: Xanadu
  • Updated August 1, 2024
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Vulnerability Response Rollup Calculators

    The Vulnerability Response Rollup Calculators help configure cumulative risk scores for remediation tasks and imported vulnerabilities. These calculators are essential for assessing the overall risk associated with vulnerable items within your organization.

    Show full answer Show less

    Key Features

    • Remediation Task Rollup: Aggregates risk scores for all vulnerable items within a remediation task.
    • Patch Update Rollup: Combines risk scores for vulnerable items associated with the same patch update.
    • Organization Risk Score Rollup: Summarizes risk scores for various vulnerable items and configuration issues across the organization.
    • Vulnerable Item Rollup: Focuses on host vulnerable items to influence the overall organizational risk score.
    • Vulnerability Entry Rollup: Merges risk scores for all vulnerable items sharing the same vulnerability entry.
    • Rollup EPSS Scores: Calculates the probability of vulnerabilities being exploited based on External Product Security Scores (EPSS).
    • Remediation Effort Rollup: Compiles risk scores from all records within a remediation effort.

    Key Outcomes

    Using these calculators, you can customize the weight of each risk score component, influencing the final cumulative risk score. Rollup calculations occur automatically every 15 minutes to ensure timely updates based on any changes in the status of vulnerable items. Understanding the calculated risk scores can enhance your organization's ability to prioritize remediation efforts effectively.

    For example, if a remediation task contains multiple vulnerable items, the rollup calculator computes a risk score based on maximum and average risk scores, as well as the count of vulnerable items. This aids in making informed decisions regarding your remediation strategies.

    Additionally, the Rollup EPSS Scores allow organizations to gauge the probability of exploitation across multiple vulnerabilities, providing a clearer picture of potential threats. To modify this feature, users must switch to the Rollup Developer View.

    After your initial assessment of risk calculators in the Setup Assistant, use the vulnerability rollup calculators to configure how the cumulative risk score is computed for remediation tasks and imported vulnerabilities.

    Use the vulnerability rollup calculators to configure how the cumulative risk score is computed for remediation tasks and imported vulnerabilities. The following rollup calculators are shipped with the base system:
    • Remediation Task Rollup: Rolls up the risk scores for all vulnerable items in a remediation tasks, to provide an overall risk score for the entire group of vulnerable items.
    • Patch Update Rollup: Rolls up the risk scores for all vulnerable items with same patch update, to provide an overall risk score for the patch update.
    • Organization Risk Score Rollup: Rolls up the risk scores for all host vulnerable items, application vulnerable items, container vulnerable items and configuration issues in an organization, to provide an overall risk score for the entire organization in unified dashboard.
      Note:
      Starting with v22.0 of Vulnerability Response, you can configure rollup weights for organizational score. Also, individual roll-up calculators have been removed.
    • Vulnerable Item Rollup: Rolls up the risk scores for all host vulnerable items in an organization, to contribute to the overall risk score of the entire organization for unified dashboard.
    • Vulnerability Entry Rollup: Rolls up the risk scores for all vulnerable items with the same vulnerability entry, to provide an overall risk score for the vulnerability entry.
    • Rollup EPSS Scores from NVD to TPEs: Rolls up the EPSS scores for all vulnerable items/ CVEs listed on the NVD table to existing TPEs, to provide an overall probability of the vulnerability being exploited.
    • Remediation Effort Rollup: Rolls up the risk scores for all the records in a remediation effort, to provide an overall risk score for the remediation effort.

    Navigate to All > Vulnerability Response > Administration > Vulnerability Rollup Calculator.

    Configure the rollup calculator to specify how much weight to give each of those computed values in setting the cumulative risk score. The higher the weight, the more that value is used to determine the rolled up risk score in the vulnerability or remediation tasks.

    Note:
    When Include deferred is selected, all deferred vulnerable items are included in the rollup calculation for the remediation tasks. Be sure that you understand the impact on the total calculation before selecting this option.
    Rollup calculators run the scheduled job, Rollup VI values to vulnerability, Remediation Task (RT), and VI count on RT, every 15 minutes to pick up changes and roll up the details and risk scores to remediation tasks and vulnerabilities. These scheduled jobs also calculate cumulative values for the number of VIs, maximum risk score, remediation target date, and status for remediation tasks.
    Note:
    Calculated values for vulnerability entries do not include remediation target data.
    The risk score is calculated when:
    • The risk score, remediation target, remediation status, or vulnerability changes on the vulnerable items.
    • The vulnerable item state changes to Open, Deferred, Closed, or changes from Closed or Deferred.
    • Vulnerable items are deleted.
    • Vulnerable items are added or removed from the remediation task.
    Vulnerability rollup calculator example: Consider a remediation task VUL324567, which has the following vulnerable items:
    • VIT1001 with risk score of 30
    • VIT1002 with risk score of 40
    • VIT1003 with risk score of 50
    Also, consider the following weights in the vulnerability rollup calculator:
    • Maximum risk score: 80
    • Average risk score: 5
    • Count of vulnerable items: 15
    Figure 1. Vulnerability rollup calculator example
    Vulnerability rollup calculator example with a maximum risk score of 80, an average risk score of 5, and a count of vulnerable items of 15.

    In the Vulnerability rollup calculator example, the formula for determining the remediation task Risk Score is:

    (Maximum risk score/100) * 80 + (Average risk score /100) * 5 + (factor * 15)

    The factor is determined as follows:
    VI count Factor
    <10 0.2
    10-100 0.4
    101-1000 0.6
    1001-10000 0.8
    > 10000 1
    So, for the remediation task, VUL324567:
    • Average risk score is 40
    • Maximum risk score is 50
    • 50 (Maximum risk score)
    • Factor is 0.2

    The Risk Score would be 45 [(50/100) * 80 + (40/100) * 5 + 0.2 * 15 = 40 + 2 + 3 = 45]

    Figure 2. Rollup EPSS Scores from NVDs to TPEs
    EPSS rollup calculator script.

    EPSS Rollup calculator - Example

    For example, consider an organization with 100 vulnerabilities, each with a 5% chance of being exploited. The question of great interest to a network defender might be: what is the probability that at least one of those vulnerabilities will be exploited, and therefore what is my overall threat? The probability of at least one event occurring is simply the complement (opposite) of no events occurring, that is: 
    P(at least one exploited vulnerability) = 1 - P(no vulnerabilities are exploited)
    Where, the probability of no vulnerabilities is the linear product of each vulnerability not being exploited. In this example, since each vulnerability has a 5% chance of being exploited, they each have a 95% chance of not being exploited. And since there are 100 of them, we can write this as: 
    P(at least one vuln exploited) = 1 - P(no vulns are exploited) = 1 - P(one vuln not exploited)^100 = 1 - 0.95^100 = 0.994
    Which says that the probability of at least one of the vulnerabilities being exploited is 99.4%.
    Important:
    To modify the Rollup EPSS Scores from NVD to TPEs, you need to switch the Form context menu view to Rollup Developer View from the Default view.