Steven Meissner
Tera Expert

Securing your IT infrastructure is more critical than ever in today's digital landscape. As organizations increasingly rely on ServiceNow for managing their enterprise services and workflows, ensuring the security of this powerful platform becomes paramount. In my last article on Security Hardening, I highlighted the need to be proactive about security along with some best practices to ensure you are focusing on the right areas.

 

This article will focus on the Security Scanner component of System Security Centre.  The article will explore the capabilities provided by ServiceNow Out of the Box along with how you might go about extending that capability to further enhance your ongoing security posture.

The article aims to provide developers and administrators with the knowledge to continually monitor your ServiceNow instance for new security vulnerabilities that could be introduced by the team configuring your environment, or by changes coming through the upgrade process from ServiceNow.

 

What is Security Scanner?

 

Instance Scan is the tool we turn to for ensuring your instance is configured using best practices and for identifying any health issues. Security Scanner is the go-to place when you are looking for this information from a security perspective. In fact, Security Scanner leverages the Instance Scan framework to configure and execute checks and suites.

 


 

 

Security Scanner consists of a number of components which work together to provide a useful outcome.

  • Scan checks - scan checks are rules written to detect security issues within your instance.  Check out ServiceNow's site, Security Scanner Checks for more information on the different types of checks.
  • Security suites - allow you to group Scan checks together into logical bundles for ease of use and reporting purposes.  Security Center comes with an "Auditor" suite which scans the configured security settings against ServiceNow's recommended best practices.
  • Scan findings - provide an easy way to review the results of a security scan.  Security findings include a link to the check that failed along with a reference to the record that failed.  The findings allow you to quickly identify the underlying issue and take action to resolve it.
  • Scan comparison - providing the core reporting capability, Scan comparisons allow you to compare the state of your instance on different dates.  e.g. You might automatically scan your instance every month and have a team that is focused on remediating any issues found.   The Scan comparison page will enable you to track progress over time and ensure your team is making progress on improving the security posture of your instance.

 

Security Scanner also forms an important component of the overall Security Centre experience.   Under the covers, the Security Scanner component is used to feed the Security Hardening dashboard with some of its key statistics.  If you wish to investigate further, take a look at the "Instance Security Hardening Settings" suite under Instance Scan.

 

Aligning Security Scanner to your requirements

Creating new security suites which align to your requirements is a relatively simple process.

 

  1. On the Security Scanner dashboard, navigate to "Suites" on the left-hand side.
  2. Click on "New" to create a new scan suite.
  3. Name and save your new suite.
  4. If you switch to the "Checks" tab, you can then edit the list of scan checks that are included in your suite.
  5. Remember to set the "Schedule" for your suite to ensure that it executes regularly.

 

And for those times where an existing Scan Check is not available, check out ServiceNow's documentation for Instance Scan - Getting started with checks.

 

Using Security Scan Comparisons

Out of the Box, ServiceNow provides the "Auditor" suite which contains 64 individual security checks.  This suite aims to cover system properties, plugins and configurations that impact the security posture of your instance.  They range from checking common security hardening controls through to best practice configurations like applying ACLs to the Change Management process for planned start and end dates. 

 

As part of your regular platform maintenance activities, I recommend that you review the Security Scan Comparisons dashboard and take the following actions:

  • Review the "Scan findings" counters.  The number of findings should trend down over time, assuming you are taking action to reduce the findings.  If this number jumps up, you have likely introduced new capability onto the platform which violates the security best practices or there has been a change in the Security Scanner Suite checks.
  • Review the "Scan findings" list and take action on those items which you identify as critical.  The tool provides a High, Medium, Low prioritisation and this is a good starting point for identifying which items to work on first.

 

Regularly reviewing the Security Scan findings provides an easy method to identify code and configuration that may not be correct when compared to the security posture you are targeting. Executing and reviewing Security Scanner suites in your non-production environment before promoting code into Production will ensure you can identify and rectify any security issues prior to deployment to Production.

 

Ongoing Maintenance

Ongoing maintenance of your security posture is a very important process.  By default, Security Centre will track your Security Scanner results based on the schedule you configure.  I would recommend that each time you are performing an upgrade, patch or even a store application upgrade that you review your Security Scanner findings both before and after and consider the impact of any findings before you release these changes to your Production environment.  Don't forget to ensure you keep the Security Center application up to date as well.  
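
As an added illustration (not ServiceNow code and not part of the original article), the before-and-after review recommended above can be expressed as a diff over two exported finding lists. The field names check, source and priority and all sample values are assumptions constructed for the example; it shows a case the raw counter hides, where the total is unchanged yet a new High finding has appeared.

```javascript
// Added example. Field names (check, source, priority) and all values are
// constructed for illustration; they are not the Instance Scan table schema.
const PRIORITIES = ['High', 'Medium', 'Low'];

// A finding is identified by the check that failed and the record it failed on.
const keyOf = (f) => `${f.check}|${f.source}`;
const rank = (f) => {
  const i = PRIORITIES.indexOf(f.priority);
  return i === -1 ? -1 : i; // unknown priority sorts first so it gets reviewed
};

function compareScans(before, after) {
  const beforeKeys = new Set(before.map(keyOf));
  const afterKeys = new Set(after.map(keyOf));
  return {
    introduced: after.filter((f) => !beforeKeys.has(keyOf(f)))
      .sort((a, b) => rank(a) - rank(b)),
    resolved: before.filter((f) => !afterKeys.has(keyOf(f))),
    persisting: after.filter((f) => beforeKeys.has(keyOf(f))),
    netChange: afterKeys.size - beforeKeys.size,
  };
}

// Hold promotion when the change introduced findings at or above `blockAt`.
// A finding with an unrecognised priority is treated as blocking.
function promotionGate(diff, blockAt = 'High') {
  const limit = PRIORITIES.indexOf(blockAt);
  const blockers = diff.introduced.filter((f) => rank(f) <= limit);
  return { allow: blockers.length === 0, blockers };
}

// Constructed scan exports taken before and after an upgrade.
const BEFORE = [
  { check: 'Example check A', source: 'example record 1', priority: 'Low' },
  { check: 'Example check B', source: 'example record 2', priority: 'Medium' },
  { check: 'Example check C', source: 'example record 3', priority: 'High' },
];
const AFTER = [
  { check: 'Example check B', source: 'example record 2', priority: 'Medium' },
  { check: 'Example check C', source: 'example record 3', priority: 'High' },
  { check: 'Example check D', source: 'example record 4', priority: 'High' },
];

const diff = compareScans(BEFORE, AFTER);
const gate = promotionGate(diff);
console.log(`net change ${diff.netChange}, introduced ${diff.introduced.length}`);
console.log(gate.allow ? 'promote' : `hold: ${gate.blockers.map(keyOf).join(', ')}`);
```
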

  

Ensuring the security of your ServiceNow instance requires consistent monitoring and proactive measures. Utilizing the Security Scanner and adhering to the best practices outlined in this post will help maintain a secure and compliant environment.

 

Outside of the Security Scanner, Security Center offers Security Hardening, Metrics and Best Practice recommendations.

Check back soon for another blog post that will dive into the Security Center capabilities in those areas.