Exploring exposure assessment

  • Release version: Xanadu
  • Updated August 1, 2024
  • 5 minutes to read

    Exposure assessment uses the Common Platform Enumeration (CPE) framework, which is a part of the Common Vulnerabilities and Exposures (CVEs) system, to evaluate the exposure of your assets to vulnerable software. This assessment is performed using a software discovery model.

    By employing a matching algorithm, the relevant CPEs are associated and mapped to the software discovery model, enabling the identification of potential exposures.

    You can use the exposure assessment by CVE or by software to identify exposure to potential vulnerabilities in the following scenarios:
    • Vulnerabilities that may not be identified by traditional scanners
    • Zero-day vulnerabilities, before the scanner provides a signature for vulnerability detection

    Exposure assessment provides an early warning so that you can remediate these vulnerabilities and improve the maturity of the vulnerability management program.
    Prerequisites for exposure assessment

    Table 1. Available versions

    Application                                      Version
    Vulnerability Crisis Management plugin           1.0
    Vulnerability Response                           20.0
    Vulnerability Response with NVD                  1.3
    Vulnerability Response Integration with CISA     1.2
    Vulnerability Response Integration with NVD      1.3
      Note: For more information, see Understanding the NVD integrations.
    Software Asset Management                        Software Asset Management Foundation plugin or Software Asset Management Professional plugin

    Use cases

    For examples of how a Vulnerability Analyst's organization would use the Vulnerability Exposure Assessment workspace, see these use cases.

    Assessment type: Assess by CVE
    Use: Assess vulnerabilities by CVE to gain a full understanding of the impact and exposure of the affected systems using Software Asset Management (SAM) and Discovery data. Take prompt remediation actions by creating manual VITs and assigning them to remediation owners. Assessing by CVE is beneficial because scanners may not detect all the affected systems, whereas Discovery typically identifies most of the software on the attack surface.

    Assessment type: Assess by Software
    Use: Assess the impact by software when no CVE is available, to identify the number of CIs where the software is installed. By assessing by software, you can proactively act on zero-day or critical vulnerabilities by creating a manual VIT and assigning it to the remediation owner before the vulnerabilities are officially published or before scanners identify them.

    Assessment type: Assess by Publisher
    Use: Assess vulnerabilities by software vendor to understand the impact and exposure of affected systems for the CVEs published by the vendor within a time frame. Assessing by publisher helps you evaluate vendor risk and critical vulnerabilities, enabling proactive remediation.

    Compatibility and system requirements

    The Vulnerability Response application is available on the ServiceNow Store. The ITSM Software Asset Management application (com.snc.asset_management) is required for the Exposure Assessment module. This application manages all your assets and software licenses, and the SAM Foundation version of this application is part of the Vulnerability Response application that you download from the ServiceNow Store.
    Important:
    The Exposure Assessment application works with the following plugins:
    • Software Asset Management Foundation plugin (com.snc.sams)
    • Software Asset Management Professional (com.snc.pa.samp)
    • Software Asset Management plugin (com.snc.software_asset_management)

    To verify the SAM Foundation application is installed on your instance, navigate to System Applications > All Available Applications > All and search for com.snc.asset_management. If the application isn’t installed, select Install. As the Vulnerability Exposure Assessment application requires access to the asset data on your ServiceNow AI Platform® instance, the asset management applications must have data to reference. The Software Discovery Models table (cmdb_sam_sw_discovery_model) and the Software installations (cmdb_sam_sw_install) require data.

    Matching algorithm fields for software discovery models

    The Software Asset Management Professional application enables you to edit a software discovery model to manually normalize discovered software that hasn't been fully normalized (partially normalized, publisher normalized, or match not found) on the Software Discovery Models form so that it can be reconciled. Starting with version 20.0, Vulnerability Response supports normalized discovery models that come from Software Asset Management Professional. The following fields are used by the matching algorithm for software discovery models.
    • CPE (Software model): Vendor, Product, Version, Edition
    • SAM Foundation: Primary Key, Display Name, Discovered Publisher, Discovered Product, Discovered Version
    • SAM Professional: Primary Key, Display Name, Discovered Publisher, Discovered Product, Discovered Version, Normalized Publisher, Normalized Product, Normalized Version
    Note:
    The SAM Professional application isn’t part of the core Vulnerability Response product from the ServiceNow Store and requires a separate subscription.
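    The following is an added illustration of how the CPE components above map onto the discovery model fields; it is not ServiceNow's matching algorithm. It assumes a record shape with discoveredPublisher/normalizedPublisher style fields, prefers the normalized values that SAM Professional supplies, falls back to the discovered values that SAM Foundation also has, leaves Edition out, and counts installs with or without the inactive-install filter that the sn_vul.filter_inactive_sw_installs property (see Key terms below) controls.

```javascript
// Added illustration of the table's field mapping; not ServiceNow's algorithm.
// Split a CPE 2.3 name (cpe:2.3:part:vendor:product:version:update:edition:...)
// into the components the table maps. Escaped colons ("\:") are not handled.
function parseCpe(cpe) {
  const f = cpe.split(':');
  if (f.length !== 13 || f[0] !== 'cpe' || f[1] !== '2.3') {
    throw new Error('not a CPE 2.3 name: ' + cpe);
  }
  return { vendor: f[3], product: f[4], version: f[5] };
}

// Prefer the normalized fields SAM Professional provides; fall back to the
// discovered fields that SAM Foundation also has. (Assumed record shape.)
function modelFields(m) {
  return {
    vendor: m.normalizedPublisher || m.discoveredPublisher || '',
    product: m.normalizedProduct || m.discoveredProduct || '',
    version: m.normalizedVersion || m.discoveredVersion || '',
  };
}

// CPE "*" (ANY) matches every value; otherwise compare case-insensitively,
// treating CPE underscores as spaces.
function cpeMatch(cpeValue, value) {
  if (cpeValue === '*') return true;
  return cpeValue.toLowerCase().replace(/_/g, ' ') === value.toLowerCase();
}

// Return the discovery models exposed to a CPE, each with its install count:
// all installs, or only active ones when the inactive-install filter is on.
function assessExposure(cpe, models, filterInactive) {
  const c = parseCpe(cpe);
  const hit = m => ['vendor', 'product', 'version']
    .every(k => cpeMatch(c[k], modelFields(m)[k]));
  return models.filter(hit).map(m => ({
    displayName: m.displayName,
    installCount: m.installs.filter(i => !filterInactive || i.active).length,
  }));
}

// Constructed sample discovery models (not real data).
const MODELS = [
  { displayName: 'Example Suite 4.1', discoveredPublisher: 'ExampleCorp Inc.',
    discoveredProduct: 'Example Suite', discoveredVersion: '4.1.0',
    normalizedPublisher: 'Example Corp', normalizedProduct: 'Example Suite',
    normalizedVersion: '4.1.0', installs: [{ active: true }, { active: true }, { active: false }] },
  { displayName: 'Other Tool 2.0', discoveredPublisher: 'Other', discoveredProduct: 'Other Tool',
    discoveredVersion: '2.0', installs: [{ active: true }] },
];
```

    Note that the first sample model only matches through its normalized publisher, which is the case the SAM Professional normalization fields exist to cover.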

    System property

    To process the CISA-exploited vulnerabilities automatically for exposure assessment, set the system property sn_vul_analyst.enable_exposure_for_cisa to true. The default value is false.

    Scheduled jobs

    The following scheduled jobs are available.

    Scheduled job name: Check potential vulnerability exposure
    Description: Processes the delta CVEs, software, and installations to get the exposure.
    Note: This scheduled job runs every 12 hours. It runs for a longer period than the other scheduled jobs.

    Scheduled job name: Insert CISA exploited CVE to exposure config
    Description: On-demand. Inserts the CISA CVEs into the Exposure Configuration table to calculate the exposure.

    Scheduled job name: Run exposure assessment for configured CVEs
    Description: On-demand. Calculates the exposure for all the CVE records in the Exposure Configuration table.

    Scheduled job name: Run software exposure
    Description: On-demand. Calculates the exposure for all the software records in the Exposure Configuration table.

    Key terms

    The Software installation count field provides the total number of software installs, regardless of their active or inactive status on the discovery model. Starting with v22.0 of Vulnerability Response, a new system property, sn_vul.filter_inactive_sw_installs, determines whether inactive software installations are filtered out for exposure assessment. By default, the property is enabled in the base system. When the filter is enabled, only active installations are counted and displayed.

    The Discovery model field specifically shows the count of active software installations, because inactive ones are filtered out by the default active=true filter on the Software Discovery Model table. The count in this field should match the filtered count displayed in the Software installation count field. The count in the Software installation count field persists even if you update the system property. To obtain the updated count, run the scheduled jobs Run exposure assessment for configured CVEs and Run software exposure, which recalculate the count.