Understanding the Exploit Prediction Scoring System (EPSS) integration
Summary of Understanding the Exploit Prediction Scoring System (EPSS) integration
The Exploit Prediction Scoring System (EPSS) integration imports data on common vulnerabilities and exposures (CVEs) from First.org, allowing ServiceNow users to prioritize and remediate vulnerabilities effectively. EPSS provides a probability score (0-1) indicating the likelihood of a vulnerability being exploited, enhancing the National Vulnerability Database (NVD) data in your instance.
Key Features
- Run the integration as part of the initial setup of Vulnerability Response, before importing vulnerability data from third-party scanners.
- Default run-as user for integration is VR.System; this should not be changed.
- Daily updates are configured by default, but scheduled jobs can be set up for regular updates.
- Integration is included in the base system and active by default, simplifying the vulnerability remediation lifecycle.
- EPSS Score, Percentile, and Last Modified fields are automatically updated in the Vulnerability Entries table.
Key Outcomes
By utilizing the EPSS integration, customers can enhance their vulnerability management processes, ensure timely updates, and maintain synchronization with other vulnerability management systems. The integration facilitates better decision-making by providing critical exploit probability information, thus improving overall security posture.
Overview of the EPSS integration with Vulnerability Response.
Request apps on the Store
Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.
Overview
The Exploit Prediction Scoring System (EPSS) integration imports EPSS data related to common vulnerabilities and exposures (CVEs) from First.org to prioritize and remediate vulnerabilities. For more information, see https://www.first.org. The Exploit Prediction Scoring System (EPSS) is a data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. The EPSS model produces a probability score between 0 and 1 (0% to 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
Data imported by the EPSS integration further enriches the NVD data in your instance. If an NVD record is not present for a CVE, the integration creates a placeholder record in the CVE table and adds the EPSS details to that record. Run this integration as part of your initial setup of Vulnerability Response and prior to importing vulnerability data into your instance with a third-party scanner product.
Initial import of data with the EPSS integration
- Perform an initial import of EPSS data with the First.org EPSS Integration. For more information, see Configure and run a scheduled job to update CVE records with EPSS data. Important: By default, EPSS updates run daily from the integration record; if you want them to run as a scheduled job, you must configure that job.
- Third-party libraries are updated as scheduled jobs. For more information, see Importing data with the NVD and CWE integrations and managing third-party libraries. Important: It is recommended to run the NIST National Vulnerability Database Integration - API (CVE only) integration before EPSS, so that EPSS data enriches existing NVD records rather than placeholders.
After the initial run, base system scheduled jobs run the integrations automatically in order. You can also execute individual scheduled jobs manually. Scheduled jobs simplify the vulnerability remediation life cycle by keeping the instance synchronized with other vulnerability management systems.
On activation of the EPSS integration, the EPSS Score, EPSS Percentile, and EPSS Last Modified fields are added to the Vulnerability Entries table. For existing CVEs, these fields are updated automatically on successful completion of the initial import job. If new CVEs are added to the Vulnerability Entries table by the EPSS scheduled job (because no NVD record existed for them), the newly added CVEs indicate their source as EPSS. The scores are rolled up from the CVEs in the NVD table to existing TPEs, using the base system Rollup EPSS score from NVD to TPEs calculator. You can also modify the calculator. For more information, see Vulnerability Response Rollup Calculators.
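As an added illustration (not ServiceNow's own code), the following Python sketches the record handling described above: parsing a First.org-style EPSS feed, updating the EPSS fields on existing NVD-sourced CVE records or creating EPSS-sourced placeholders where no NVD record exists, and rolling the scores up to TPEs. The feed rows and CVE IDs are constructed, and the rollup uses the maximum score per TPE, which is an assumption since the page does not state the base system calculator's formula.

```python
import csv
import io
from datetime import date

# Constructed sample feed; the real First.org CSV also uses the columns cve,epss,percentile.
# The CVE IDs below are placeholders, not real vulnerabilities.
EPSS_FEED = """cve,epss,percentile
CVE-1111-0001,0.97,0.999
CVE-1111-0002,0.004,0.45
CVE-1111-0003,0.12,0.85
"""

def parse_epss_feed(text):
    """Return {cve: (epss, percentile)}; both values are probabilities in [0, 1]."""
    result = {}
    for row in csv.DictReader(io.StringIO(text)):
        epss, pct = float(row["epss"]), float(row["percentile"])
        if not (0.0 <= epss <= 1.0 and 0.0 <= pct <= 1.0):
            raise ValueError(f"EPSS values out of range for {row['cve']}")
        result[row["cve"]] = (epss, pct)
    return result

def enrich_cve_table(cve_table, epss, modified=None):
    """Set EPSS Score/Percentile/Last Modified on existing CVE records; create an
    EPSS-sourced placeholder for any CVE that has no NVD record yet."""
    modified = modified or date.today().isoformat()
    for cve_id, (score, pct) in epss.items():
        rec = cve_table.get(cve_id)
        if rec is None:
            rec = cve_table[cve_id] = {"source": "EPSS"}  # placeholder: no NVD data yet
        rec.update({"epss_score": score, "epss_percentile": pct,
                    "epss_last_modified": modified})
    return cve_table

def rollup_epss_to_tpes(tpe_to_cves, cve_table):
    """Roll up to each third-party entry (TPE) the highest EPSS score among its CVEs.
    Using max is an assumed rule; a TPE with no scored CVEs gets None."""
    rollup = {}
    for tpe, cves in tpe_to_cves.items():
        scores = [cve_table[c]["epss_score"]
                  for c in cves if c in cve_table and "epss_score" in cve_table[c]]
        rollup[tpe] = max(scores) if scores else None
    return rollup
```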