Exploring exposure assessment
Exposure assessment uses the Common Platform Enumeration (CPE) framework, which is a part of the Common Vulnerabilities and Exposures (CVEs) system, to evaluate the exposure of your assets to vulnerable software. This assessment is performed using a software discovery model.
By employing a matching algorithm, the relevant CPEs are associated and mapped to the software discovery model, enabling the identification of potential exposures, including:
- Vulnerabilities that may not be identified by traditional scanners
- Zero-day vulnerabilities, before the scanner provides a signature for detecting the vulnerability
| Application | Version |
|---|---|
| Vulnerability Crisis Management plugin | 1.0 |
| Vulnerability Response | 20.0 |
| Vulnerability Response with NVD | 1.3 |
| Vulnerability Response Integration with CISA | 1.2 |
| Vulnerability Response Integration with NVD (Note: For more information, see Understanding the NVD integrations.) | 1.3 |
| Software Asset Management | Software Asset Management Foundation plugin or Software Asset Management Professional plugin |
Use cases
| Assessment type | Use |
|---|---|
| Assess by CVE | Assess vulnerabilities by CVE to gain a full understanding of the impact and exposure of the affected systems using Software Asset Management (SAM) and Discovery data. Take prompt remediation actions by creating manual VITs and assigning them to remediation owners. Assessing by CVEs is beneficial because scanners may not detect all the affected systems, whereas Discovery typically identifies most of the software on the attack surface. |
| Assess by Software | Assess the impact by software when a CVE is unavailable to identify the number of CIs where the software is installed. By assessing by software, you can proactively act on zero-day or critical vulnerabilities by creating a manual VIT and assigning it to the remediation owner before they’re officially published or before scanners identify them. |
| Assess by Publisher | Assess vulnerabilities by a software vendor to understand the impact and exposure of affected systems for the CVEs published by the vendor within a time frame. Assessing by publisher helps you evaluate the vendor risk and critical vulnerabilities, enabling proactive remediation. |
Compatibility and system requirements
- Software Asset Management Foundation plugin (com.snc.sams)
- Software Asset Management Professional (com.snc.pa.samp)
- Software Asset Management plugin (com.snc.software_asset_management)
To verify the SAM Foundation application is installed on your instance, navigate to and search for com.snc.asset_management. If the application isn’t installed, select Install. As the Vulnerability Exposure Assessment application requires access to the asset data on your ServiceNow AI Platform® instance, the asset management applications must have data to reference. The Software Discovery Models table (cmdb_sam_sw_discovery_model) and the Software Installations table (cmdb_sam_sw_install) must contain data.
Matching algorithm fields for software discovery models
Each column lists the fields the matching algorithm uses from that source; the rows are not paired one to one.
| CPE (Software model) | SAM Foundation | SAM Professional |
|---|---|---|
| Vendor | Primary Key | Primary Key |
| Product | Display Name | Display Name |
| Version | Discovered Publisher | Discovered Publisher |
| Edition | Discovered Product | Discovered Product |
| | Discovered Version | Discovered Version |
| | | Normalized Publisher |
| | | Normalized Product |
| | | Normalized Version |
System property
To process the CISA-exploited vulnerabilities automatically for exposure assessment, set the system property sn_vul_analyst.enable_exposure_for_cisa to true. The default value is false.
Scheduled jobs
Following are the scheduled jobs.
| Scheduled job name | Description |
|---|---|
| Check potential vulnerability exposure | Processes the delta CVEs, software, and installations to get the exposure. Note: This scheduled job runs every 12 hours. It runs for a longer period than the other scheduled jobs. |
| Insert CISA exploited CVE to exposure config | On-demand. Inserts the CISA CVEs into the Exposure Configuration table to calculate the exposure. |
| Run exposure assessment for configured CVEs | On-demand. Calculates the exposure for all the CVE records in the Exposure Configuration table. |
| Run software exposure | On-demand. Calculates the exposure for all the software records in the Exposure Configuration table. |
Key terms
- Confidence score: A confidence score measures how reliable the recommendation for a field is. The higher the score, the more reliable the recommendation. For sample calculations, see Confidence score calculation example.
- Software installation count: Number of software assets impacted by the vulnerability.
- Software model: Software model associated with the product. Drill-down on the software model to see the software model result. For more information, see Software Asset Management Foundation plugin discovery models and software installations.
The Software installation count field provides the total number of software installs, regardless of their active or inactive status on the discovery model. Starting with v22.0 of Vulnerability Response, a new system property, sn_vul.filter_inactive_sw_installs, has been introduced to determine whether inactive software installations should be filtered out for exposure assessment. By default, the property is enabled in the base system. When the filter is enabled, only active installations are displayed.
The Discovery model field specifically shows the count of active software installations, as the inactive ones are filtered out based on the default active=true filter on the Software Discovery Model table. The count in this field should match the filtered count displayed in the Software installation count field. The count in the Software installation count field persists even if you update the system property. To obtain the updated count, you must run the scheduled jobs Run exposure assessment for configured CVEs and Run software exposure, which update the count.
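The following is an added illustration, not ServiceNow's matching algorithm or any of its APIs, of how a CPE 2.3 string can be matched against the SAM Professional normalized fields listed in the matching algorithm table, and how the inactive-installation filter described above changes the resulting software installation count. The discovery model records, vendor and product names, and the `sysId` values are constructed for the example.

```javascript
// Split a CPE 2.3 formatted string on unescaped colons; a backslash escapes
// the next character (so "\:" is a literal colon inside a component).
function parseCpe23(cpe) {
  const parts = [];
  let cur = '';
  for (let i = 0; i < cpe.length; i++) {
    const c = cpe[i];
    if (c === '\\' && i + 1 < cpe.length) { cur += cpe[++i]; }
    else if (c === ':') { parts.push(cur); cur = ''; }
    else cur += c;
  }
  parts.push(cur);
  if (parts.length !== 13 || parts[0] !== 'cpe' || parts[1] !== '2.3') {
    throw new Error('not a CPE 2.3 formatted string: ' + cpe);
  }
  const [, , part, vendor, product, version, update, edition] = parts;
  return { part, vendor, product, version, update, edition };
}

// CPE component semantics: '*' (ANY) matches anything, '-' (NA) matches only
// an empty model field; any other value must match case-insensitively.
function componentMatches(cpeValue, modelValue) {
  if (cpeValue === '*') return true;
  if (cpeValue === '-') return !modelValue;
  return cpeValue.toLowerCase() === String(modelValue || '').toLowerCase();
}

// Constructed sample discovery models (vendor/product names are made up),
// carrying the SAM Professional normalized fields and their installs.
const DISCOVERY_MODELS = [
  { sysId: 'dm1', normalizedPublisher: 'Acme', normalizedProduct: 'WidgetServer',
    normalizedVersion: '2.14.1', installs: [{ active: true }, { active: true }, { active: false }] },
  { sysId: 'dm2', normalizedPublisher: 'Acme', normalizedProduct: 'WidgetServer',
    normalizedVersion: '2.17.0', installs: [{ active: true }] },
  { sysId: 'dm3', normalizedPublisher: 'Acme', normalizedProduct: 'GadgetDB',
    normalizedVersion: '9.0.1', installs: [{ active: true }, { active: false }] },
];

// Match one CPE against the models on vendor/product/version and count the
// installs; filterInactive mirrors sn_vul.filter_inactive_sw_installs.
function assessExposure(cpeString, models, filterInactive) {
  const cpe = parseCpe23(cpeString);
  const matched = models.filter(m =>
    componentMatches(cpe.vendor, m.normalizedPublisher) &&
    componentMatches(cpe.product, m.normalizedProduct) &&
    componentMatches(cpe.version, m.normalizedVersion));
  const installCount = matched.reduce((n, m) =>
    n + m.installs.filter(i => !filterInactive || i.active).length, 0);
  return { models: matched.map(m => m.sysId), installCount };
}
```

A version component of `*` widens the match to every version of the product, which is why the install count for a wildcard CPE is larger than for a pinned one.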