Vulnerability Response calculators and vulnerability calculator rules

  • Release version: Xanadu
  • Updated August 1, 2024
    Vulnerability calculators automate calculating initial values for the fields on vulnerable items. The condition for each calculator is evaluated in order, and the first matching calculator is used.

    Vulnerability Calculators

    The Vulnerability Response base system includes two vulnerability calculators that set the base Risk Score on the vulnerable item.
    • Default Risk Calculator
    • Vulnerability Severity

    Vulnerability calculators can be built to prioritize and rate the impact of vulnerable items on any criteria, using condition filters. Whether it is the business impact of the vulnerability, the class of the configuration item (CI), or the age of the vulnerable item, you can create additional vulnerability calculators to set other fields on vulnerable items, or customize the existing ones. A calculator can be written to reflect any set of priorities. See Create a Vulnerability Response calculator and Filtering within Vulnerability Response for more information.

    Additionally, you can use attributes in the configuration_item [cmdb_ci] table in the Configuration Management Database (CMDB) to build the logic of your Vulnerability Response risk calculators. If, for example, you determine that external-facing CIs in your organization are at higher risk and might require immediate remediation, you can set attributes such as Internet Facing on those CIs and have a calculator weight them accordingly. This attribute, and others, are listed in the Common Service Data Model release notes. For current information and guidance on the CMDB, see the following topics:

    Each calculator contains a list of calculator rules, with a condition determining when to apply it. When the calculator is run, the condition for each calculator rule is evaluated in order, and the first matching calculator rule is used.

    The Vulnerability Severity calculator calculates the Risk Score for vulnerable items using the normalized vulnerability severity.
    Note:
    • Only one calculator per target field (Risk Score) can be active at a time. Vulnerability Severity is disabled by default.
    • Whenever the risk score is updated on a vulnerable item (VIT), the Notes section is updated with the following details:
      • Calculator group name
      • Calculator name: The name is followed, in brackets, by whether the matching calculator rule is based on a template or a script. To view or change the basis of a calculator rule, open the rule, select the Advanced view check box, and choose an option from the Value type list. With Template, the risk score is set according to the condition specified in the rule. With Script, you can add a script or edit the existing one.

        The system property sn_sec_cmn.risk_score_changes_add_worknotes controls whether these entries are written to the work notes. Starting with v25.0.3 of Vulnerability Response, this property is inactive by default; risk score changes are recorded in the work notes only if you enable it.

    All enabled vulnerability calculators set their target fields each time a vulnerable item is created, when an associated CI or vulnerability changes, or when the Calculate Risk Score related link on a vulnerable item is used. For example, the Risk Score on vulnerable item records is updated automatically when an import changes the severity of the vulnerability they reference. After a vulnerability import has updated a vulnerability's score, the recalculate flag is set (true) on that vulnerability, and the risk scores of the vulnerable items associated with it are recalculated.

    From an existing vulnerable item, if you click the Calculate Risk Score related link and at least one calculator is enabled, the Risk Score field on the vulnerable item is updated.
    Note:
    • The Calculate Risk Score related link is only visible when at least one vulnerability calculator is enabled.
    • You can update the risk score for a vulnerable item in the Vulnerability Manager Workspace and IT Remediation Workspace by selecting the Calculate Risk Score button in its record view.
    • Whenever the risk score on a VIT changes, the following details are documented in the Notes section of the VIT:
      • Calculator group name
      • Calculator name
      • Field values with their weightage and risk score contribution
      • Final risk score

    Vulnerability Calculator Rules

    The base system calculator Default Risk Calculator contains the rule Default Risk Rule, a specialized vulnerability calculator rule called a Risk Rule. It calculates Risk Score from multiple values:
    • Vulnerability severity
    • Exploit information
    • Criticality
    • External exposure of the CI with the vulnerability
    • EPSS scores
    You can adjust the values to use in the Default Risk Rule and how much weight to give each of these values. Weights are used to adjust how much each element counts when setting the base Risk Score.

    You can customize the criteria for the default risk rule. For more information, see Define fields and weights for the risk rule for Vulnerability Response Risk Calculators.

    For an example of how risk scores for risk rule calculators are determined, see Risk score calculation example for Vulnerability Response.

    Assigning a weightage percentage

    You can also assign a weightage percentage (0-100) at the field value level. For example, you can assign a weightage percentage to each level of Severity (None to Critical). A field value then contributes its field weight multiplied by its weightage percentage to the risk score.

    If the severity weight is 50 for the risk rule, and the following weightage values are assigned to the Severity levels:

        Vulnerability severity    Weightage (%)
        Critical                  100
        High                      50
        Medium                    20
        None                      0

    then a Critical severity contributes 50 to the risk score (50 × 100%), High contributes 25 (50 × 50%), Medium contributes 10 (50 × 20%), and None contributes 0. For more information, see the Risk score calculation example for Vulnerability Response.

    Vulnerability calculator rule settings

    Each rule has an Order setting. Rules are evaluated in that order, and the first one whose conditions match updates the Risk Score field on the vulnerable item; later rules are not evaluated. For more information on vulnerability calculator rule settings, see Create a Vulnerability Response calculator. Non-scripted (template) calculator rules typically have less performance impact than scripted calculator rules.

    The base system Vulnerability Severity calculator contains calculator rules that assign each level of severity (None to Critical) a value (0-100) for Risk Score based on severity. Unknown Severity is automatically assigned a risk score of 100. These values can be adjusted and, like Default Risk Calculator, new calculator rules or new risk rules can be created.

    Vulnerability Risk Score Weights

    All vulnerable items are assigned a risk score and a risk rating based on factors such as severity, criticality, exploit information, and so on. The business rule Update Risk Rating from Risk Score on the vulnerable item table derives the risk rating from the risk score: whenever the risk score changes, the risk rating is recalculated and populated on the vulnerable item.

        Value (Risk Rating)    Weight (Risk Score)
        1                      90–100
        2                      70–89
        3                      40–69
        4                      1–39
        5                      0

    • The risk rating types are shipped in the base table as vr_risk_rating. These types are passed as a parameter by the business rule on each table where the risk rating is calculated.
    • The business rule script queries the entries in the Risk Score Weights table for the bands used in the risk rating calculation, so the bands can be changed by editing that table.
    • You can add entries for an existing type or create a new type. When you create a new type, add the labels for the new risk rating, modify the related scripts and business rules, and add a new style for the new risk rating.
    • Modify the script to query the records in the base table.
    You can access the Risk Score Weights table by entering sn_sec_cmn_risk_score_weight (for versions below 30.0) or sn_sec_calculator_risk_score_weight (for versions 30.0 and above) in the filter navigator.
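    The following is an added example, not ServiceNow code and not the platform's Glide API: a plain Node.js model of the mechanics described in this section and under Assigning a weightage percentage above. It evaluates a calculator's rules in Order and applies the first active rule whose condition matches, computes each field's contribution as weight × weightage / 100 the way the severity example does, sums the contributions into the Risk Score, maps the score to a Risk Rating with the bands from the Risk Score Weights table, and formats a work note in the shape listed under Calculate Risk Score. The fields other than severity, their weights and weightages, the template rule, the rule Order values and the sample vulnerable items are hypothetical, and the requirement that field weights total 100 is the example's assumption, not something this page states.

```javascript
// Added example (plain Node.js, not ServiceNow code): calculator rule selection
// and Risk Rule scoring as described on the page; field set and weights are hypothetical.

// Risk Rating bands from the Risk Score Weights table. Assumption: a fractional
// score belongs to the band whose lower bound it reaches (the table lists integers).
function riskRatingFromScore(score) {
  if (score <= 0) return 5;
  if (score >= 90) return 1;
  if (score >= 70) return 2;
  if (score >= 40) return 3;
  return 4;
}

// A Risk Rule: each field has a weight (assumed to total 100 across the rule) and
// each field value has a weightage of 0-100. A field contributes
// weight * weightage / 100; the Risk Score is the sum of the contributions.
// Only the Severity weight (50) and weightages (100/50/20/0) come from the page;
// the other fields, weights and weightages are hypothetical.
const DEFAULT_RISK_RULE = {
  name: "Default Risk Rule",
  fields: {
    severity:        { weight: 50, weightages: { Critical: 100, High: 50, Medium: 20, None: 0 } },
    exploit_exists:  { weight: 20, weightages: { true: 100, false: 0 } },
    criticality:     { weight: 15, weightages: { "1": 100, "2": 60, "3": 30, "4": 0 } },
    internet_facing: { weight: 15, weightages: { true: 100, false: 0 } },
  },
};

// Reject a rule whose weights do not total 100 or whose weightages leave 0-100.
function validateRiskRule(rule) {
  const total = Object.values(rule.fields).reduce((sum, f) => sum + f.weight, 0);
  if (total !== 100) throw new Error(`${rule.name}: weights total ${total}, expected 100`);
  const bad = Object.entries(rule.fields).flatMap(([f, d]) =>
    Object.entries(d.weightages).filter(([, w]) => w < 0 || w > 100).map(([v]) => `${f}=${v}`));
  if (bad.length) throw new Error(`${rule.name}: weightage outside 0-100 for ${bad.join(", ")}`);
  return true;
}

function applyRiskRule(rule, vit) {
  const contributions = [];
  let riskScore = 0;
  for (const [field, def] of Object.entries(rule.fields)) {
    const value = String(vit[field]);
    const weightage = def.weightages[value] ?? 0; // unconfigured or empty value adds nothing
    const contribution = def.weight * weightage / 100;
    contributions.push({ field, value, weight: def.weight, weightage, contribution });
    riskScore += contribution;
  }
  riskScore = Math.min(100, Math.max(0, riskScore));
  return { riskScore, riskRating: riskRatingFromScore(riskScore), contributions };
}

// A calculator is an ordered list of rules. Inactive rules are skipped; the first
// active rule whose condition matches is applied and later rules are never
// evaluated, so a catch-all rule must carry the highest Order.
const DEFAULT_RISK_CALCULATOR = {
  name: "Default Risk Calculator",
  rules: [
    { // Hypothetical template rule: internet-facing criticals are pinned to 100.
      name: "Internet-facing critical [Template]", order: 100, active: true,
      condition: v => v.internet_facing === true && v.severity === "Critical",
      apply: () => ({ riskScore: 100, riskRating: 1, contributions: [] }) },
    { name: "Tenable Risk Rule", order: 150, active: false, // shipped disabled: never reached
      condition: () => true, apply: () => { throw new Error("inactive rule applied"); } },
    { name: DEFAULT_RISK_RULE.name + " [Script]", order: 200, active: true,
      condition: () => true, apply: v => applyRiskRule(DEFAULT_RISK_RULE, v) },
  ],
};

function runCalculator(calculator, vit) {
  const rules = [...calculator.rules].sort((a, b) => a.order - b.order);
  for (const rule of rules) {
    if (!rule.active || !rule.condition(vit)) continue;
    return { calculator: calculator.name, rule: rule.name, ...rule.apply(vit) };
  }
  return null; // no rule matched: the Risk Score field is left unchanged
}

// Work note in the shape the page describes: calculator, rule, each field value
// with its weightage and contribution, and the final score.
function formatWorkNote(result) {
  const lines = [`Calculator: ${result.calculator}`, `Rule: ${result.rule}`];
  for (const c of result.contributions) {
    lines.push(`  ${c.field}=${c.value}: weight ${c.weight} x ${c.weightage}% = ${c.contribution}`);
  }
  lines.push(`Risk Score: ${result.riskScore} (Risk Rating ${result.riskRating})`);
  return lines.join("\n");
}

// Constructed vulnerable items, not real data.
const SAMPLE_VITS = [
  { id: "VIT0001", severity: "High", exploit_exists: true, criticality: "1", internet_facing: false },
  { id: "VIT0002", severity: "Critical", exploit_exists: false, criticality: "2", internet_facing: true },
  { id: "VIT0003", severity: "None", exploit_exists: false, criticality: "4", internet_facing: false },
];

validateRiskRule(DEFAULT_RISK_RULE);
for (const vit of SAMPLE_VITS) console.log(`${vit.id}\n${formatWorkNote(runCalculator(DEFAULT_RISK_CALCULATOR, vit))}\n`);
```

    Run it with node. VIT0001 falls through to the Default Risk Rule and scores 60 (Risk Rating 3): High severity contributes 25, the exploit 20 and criticality 15, exactly as the severity example above predicts for the severity part. VIT0002 is caught first by the lower-Order template rule and never reaches the risk rule, and VIT0003 scores 0, the only score that maps to Risk Rating 5. The Tenable Risk Rule entry is present but inactive, mirroring the Default Risk Calculator as shipped, so it is never applied whatever its Order.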

    In addition, the risk score is automatically recalculated when a Common Vulnerabilities and Exposures (CVE) entry or third-party entry (TPE) associated with a vulnerable item is linked to a CVE listed as a Known Exploited Vulnerability (KEV).

    Tenable Vulnerability Integration and the Tenable Risk Rule

    The Tenable Risk Rule is available with the Tenable Vulnerability Integration. The Vulnerability Priority Rating (VPR) is a Tenable attribute that is imported and used by this risk rule. The Tenable Risk Rule is installed by the Vulnerability Response Integration with Tenable application as a rule in the Default Risk Calculator, under Vulnerability Calculators in Vulnerability Response.

    This risk rule is disabled by default. See Configure the Tenable Vulnerability Integration using Setup Assistant.