How does CSDM complement Vulnerability response
02-15-2023 04:49 AM
Hi,
In all VR documents, it is mentioned that a CI should possess Assignment group info for the Remediation tasks to be assigned to. However, this contradicts the fact of introducing CSDM. As in CSDM, we group CIs either to a Technical Service offering via Application service. The support group info for ITSM triaging is obtained (based on category of the Incident) from either the Application Service or from the Technical Service offering. But for VR, we are required to populate this info on the CI. My question is, where and how does CSDM provide value to Security operations/vulnerability response?
Thanks
Dharshini
03-08-2023 11:30 PM
Hi Barry,
Thank you. So the ideal case is there would be no CI left without being part of a TSO and BSO. Otherwise we still drive groups based on the CI?

03-08-2023 11:55 PM
Hi Sai12,
I would say so. To maintain many thousands/millions of CIs is not a sustainable scenario in my opinion. By linking them to logical layers (TSO/BSO/App Service) you can look up parent-level information as you need (ownership, support, criticality, ...). What can you inherit via parenting relations and what needs to be maintained on CI level (as little as possible, I guess)?
BR,
Barry
03-09-2023 12:04 AM
Hi Barry,
Agreed, but most companies are still in the Crawl phase, and some find it difficult to migrate to CSDM itself as their instances are heavily customized. They don't have service offerings defined at all due to lack of maturity or unsupportive stakeholders. I believe it's a long way for companies to settle CMDB and CSDM eventually, and it should be ongoing.

03-09-2023 12:26 AM
That is most of the time a chicken/egg question. A lot of customizations are workarounds because a proper data model is lacking (not all, of course). On the processes side as well as on the CMDB side.
A good start is the use case (what is the requirement) and solutionizing that in the context of data governance and data maintenance.
If a current state is not the best state but it is consistent, then most of the time it is convertible by logic. Still, the need to understand the impact of that remains, of course. There is no general test to understand that impact for each situation.
02-13-2024 02:24 AM - edited 02-13-2024 05:18 AM
So to summarize:
It is best practice to link only 1 Dynamic CI Group + Technical Service Offering to each Infrastructure CI because of the many reasons you provide with regard to ownership, calculating SLAs / OLAs, the OOTB data sync otherwise creating arbitrary results & more, correct?
But how would you then design and configure a scenario in which you have SecOps groups that are picking up vulnerabilities / security incidents but also have other groups with regard to operational IT that are picking up changes, (regular) incidents & problems?
By reading all the messages, does that mean you will need to leverage the Teams related list for this? To have the SecOps groups in there as Teams records (with custom Group Types), attached to the Technical Service Offerings?
But if that is the case, I also read that the data sync from the TSO to the CIs will not take place for the (SecOps) Teams records, correct? That only works for the OOTB Support Group, Change Group & Managed by Groups? What would the assignment process look like in that case and how would that be configured? Because then Security Incidents would contain the same Offering as the regular Incidents but the assignment group should be different.