teresalaw
ServiceNow Employee

This is the first of 3 blogs discussing new GRC features in the Kingston release. I've started with one of the most interesting - GRC Continuous Monitoring and the Configuration Compliance application that's part of Security Operations. I'm really excited about this topic because it shows how valuable to an enterprise's security it can be to have Security Operations and GRC working together.

I think we can all agree that enterprise environments are not static. To validate and maintain an optimal security and compliance posture you need to identify and remediate, as quickly as possible, vulnerabilities that might place your enterprise at risk of a breach or non-compliance.

First let's level set with some terminology. We talk about "vulnerabilities," but those come in two flavors, although both result in "security incidents." There are software flaws that can be exploited - think of Heartbleed, Ghost, Spectre, and Meltdown. These types of vulnerabilities are identified by Vulnerability Assessments - scanners from vendors like Tenable and Qualys.

Then there are vulnerabilities that result from flaws in configuration. For example, a network engineer may forget to "enable secret" on a Cisco appliance, which leaves the authentication credentials on the device in cleartext. Password requirements may not be consistently enforced, leading to weak passwords that can be easily compromised. End-users may have local administrative access, providing the opportunity to inadvertently install malware with privileged system access. Drag-and-drop of ZIP files in Microsoft OneNote could be left enabled, making it a virtual USB stick for sensitive corporate data that can then be leaked to an unauthorized and insecure system. These types of vulnerabilities are caught during a Security Configuration Assessment.
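To make the "enable secret" example concrete, here is an added illustration of what a Security Configuration Assessment check actually does: it parses a device configuration, tests it against a hardening rule, and reports pass/fail with redacted evidence. This is example code written for this post, not ServiceNow's or any scanner vendor's code; the two IOS-style configuration excerpts, the test identifiers (CFG-001 to CFG-003) and the check names are constructed for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed IOS-style running-config excerpts; neither comes from a real device.
WEAK_CONFIG = """\
hostname edge-router-01
!
enable password 0 Summer2017
!
username netops password 0 Welcome123
username auditor secret 5 $1$abcd$constructedhash
!
line vty 0 4
 transport input ssh
!
"""

HARDENED_CONFIG = """\
hostname edge-router-01
service password-encryption
enable secret 5 $1$zyxw$constructedhash
username netops secret 5 $1$qwer$constructedhash
line vty 0 4
 transport input ssh
"""


@dataclass
class TestResult:
    test_id: str   # hypothetical configuration-test identifier
    status: str    # "PASS" or "FAIL"
    evidence: str  # offending lines, with any credential value redacted


def _lines(config: str):
    return [line.rstrip() for line in config.splitlines()]


def redact(line: str) -> str:
    """Never copy a credential into evidence: mask the value after 'password [type]'."""
    return re.sub(r"(password\s+(?:[07]\s+)?)\S+", r"\1<redacted>", line)


def check_enable_secret(config: str) -> TestResult:
    """Privileged-EXEC password must be stored hashed ('enable secret'), not as 'enable password'."""
    lines = _lines(config)
    has_secret = any(line.startswith("enable secret") for line in lines)
    plain = [redact(line) for line in lines if line.startswith("enable password")]
    if has_secret and not plain:
        return TestResult("CFG-001", "PASS", "enable secret configured; no enable password present")
    evidence = "; ".join(plain) if plain else "no enable secret line found"
    return TestResult("CFG-001", "FAIL", evidence)


def check_service_password_encryption(config: str) -> TestResult:
    """Remaining 'password' lines must at least be obfuscated (type 7) rather than cleartext."""
    if "service password-encryption" in _lines(config):
        return TestResult("CFG-002", "PASS", "service password-encryption enabled")
    return TestResult("CFG-002", "FAIL", "service password-encryption not set")


def check_local_user_secrets(config: str) -> TestResult:
    """Local accounts must be defined with 'username ... secret', not 'username ... password'."""
    weak = [redact(line) for line in _lines(config)
            if re.match(r"username \S+ password\b", line)]
    if not weak:
        return TestResult("CFG-003", "PASS", "all local users use hashed secrets")
    return TestResult("CFG-003", "FAIL", "; ".join(weak))


def assess(config: str) -> list:
    """Run every check and return the per-test results a scanner would report for this asset."""
    return [
        check_enable_secret(config),
        check_service_password_encryption(config),
        check_local_user_secrets(config),
    ]


def failing_tests(config: str) -> list:
    """Identifiers of the checks that failed, in check order."""
    return [r.test_id for r in assess(config) if r.status == "FAIL"]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for r in assess(cfg):
            print(f"  {r.test_id} {r.status}: {r.evidence}")
```

The weak excerpt fails all three checks and the hardened one passes them; note that the evidence string carries the offending line but never the credential itself, since scan results end up in tickets and dashboards that many people can read.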

All major Vulnerability Management vendors address both Vulnerability Assessments (software flaws) and Secure Configuration Assessments (configuration flaws).

In my opinion, the configuration vulnerabilities are more serious because they are stealthy - you'd never know there was a problem… unless you're breached.

It could just be an oversight. For example, a Windows Group Policy Object (GPO) for enforcing a password timeout for the screensaver may be correctly defined but applied to the wrong group.

It could also be intentional, for example a malicious insider exploiting configuration drift. Security and IT Operations intend for any "image," or baseline configuration they load on a device, to be unalterable. But users may have more privileged access to the asset configuration than they think. With some changes, malicious users can create security vulnerabilities. It is thought that this was one of the root causes for Edward Snowden's elevated access and data compromise. Security thought they had a hardened image on in-scope systems, but that system configuration changed post-deployment.

Therefore, it is critical that security professionals can easily and continuously verify that all in-scope assets have the configurations articulated in their security policy, and drive misconfigurations through remediation with IT operations.

Let's Scan! What's the Problem?

Configuration hardening applies to IT assets up and down the software stack - Cloud IaaS (ex. AWS, Azure), virtualization, operating systems, databases, web servers, and the software applications themselves. Technologies are heterogeneous. While Vulnerability Management vendors are strong in many of these areas, select technologies, such as databases, cloud, mobile, and IoT may have point solutions that are better suited to manage configuration than the incumbent players.

This implies multiple scan technologies may be required to adequately secure the heterogeneous IT environment, which creates information silos and complicates enterprise-wide secure configuration assessment. It also creates a massive number of vulnerabilities and alerts, in many cases more than the enterprise can investigate, prioritize, and remediate. A single source of truth is needed across all technologies - a mechanism to aggregate scan results and to provide an apples-to-apples comparison of configuration issues for effective prioritization and remediation.

ServiceNow Configuration Compliance

Our new Configuration Compliance application, just like Vulnerability Response, brings in scan data and prioritizes it against the ServiceNow CMDB. But Configuration Compliance does this with security configuration assessment data from sources like Qualys. Then we use workflows, automation, and Security Operations' deep connection with ServiceNow ITOM to quickly remediate misconfigured software.

[Image: Main ServiceNow Configuration Compliance application dashboard]

But what about Governance, Risk, and Compliance (GRC)?

Configuration hardening policies are often driven by GRC programs, based on standards or external regulatory compliance obligations (ex. SOX, PCI, ISO), especially if a prior audit has failed. Other times it's driven simply by IT striving to do the right thing and put information security best practices in place.

Popular standards for hardening include those from the Center for Internet Security (CIS). CIS is the primary recognized industry standard for secure configuration guidance, developing comprehensive, consensus-derived checklists to help identify and mitigate known security vulnerabilities across a wide range of platforms. Policies derived from PCI are popular, while Security Technical Implementation Guides from the Defense Information Systems Agency (DISA STIGs) are used frequently by IT security leaders with military backgrounds. DISA STIGs comprise a library of documents that explain very specifically how computing devices should be configured to maximize security.

Although GRC professionals work with their security team to interpret and implement the policies with specific secure configuration baselines for all in-scope assets, they don't always have visibility into their compliance. The process to check assets for compliance is manual, requiring significant GRC and Security overhead even for minimal coverage.

When the ServiceNow GRC application portfolio is used with Configuration Compliance, configuration tests can be rolled up to their corresponding GRC controls. Through GRC Continuous Monitoring, control compliance can be automatically and continuously calculated from configuration scan results collected across all in-scope assets. Within Policy and Compliance, you can see which scanner produced the test in the new Configuration Tests tab. The Controls tab tracks the compliance of those controls and provides detailed drill-down capabilities.
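The roll-up described above, and the "single source of truth" across scanners discussed earlier, come down to three steps: normalize results from different scanner formats, map each scanner test onto a GRC control, and mark a control compliant only when every mapped test passes on every in-scope asset. The following is an added worked model of those steps, not ServiceNow's code or data model: the two scanner record formats, the test ids, the control names, the asset list and the test-to-control mapping are all constructed for the illustration. It also handles two edge cases a real roll-up must deal with: results for assets that are out of scope, and scanner tests nobody has mapped to a control yet.

```python
from collections import defaultdict

# Constructed results in two hypothetical vendor formats (neither is a real scanner schema).
SCANNER_A_RESULTS = [  # host scanner: one record per (asset, test)
    {"host": "web-01", "policy_id": "A-1001", "result": "Passed"},
    {"host": "web-01", "policy_id": "A-1002", "result": "Failed"},
    {"host": "web-02", "policy_id": "A-1001", "result": "Passed"},
    {"host": "web-02", "policy_id": "A-1002", "result": "Passed"},
    {"host": "web-01", "policy_id": "A-9999", "result": "Failed"},  # not mapped to any control
    {"host": "lab-99", "policy_id": "A-1002", "result": "Failed"},  # asset outside GRC scope
]
SCANNER_B_RESULTS = [  # database scanner: one record per asset with a list of checks
    {"asset": "db-01", "checks": [{"id": "B-55", "state": "pass"},
                                  {"id": "B-56", "state": "fail"}]},
]

# Constructed mapping of scanner-specific test ids onto GRC controls.
TEST_TO_CONTROL = {
    "A-1001": "AC-02 Password policy enforced",
    "A-1002": "AC-06 No local admin for end users",
    "B-55": "AC-02 Password policy enforced",
    "B-56": "SC-28 Data at rest encrypted",
}

# Assets the GRC program has declared in scope (constructed list).
IN_SCOPE_ASSETS = {"web-01", "web-02", "db-01"}


def normalize(a_results, b_results):
    """Flatten both vendor formats into (asset, test_id, passed) tuples."""
    out = []
    for r in a_results:
        out.append((r["host"], r["policy_id"], r["result"] == "Passed"))
    for r in b_results:
        for c in r["checks"]:
            out.append((r["asset"], c["id"], c["state"] == "pass"))
    return out


def control_compliance(results, mapping, in_scope):
    """Per control: compliant flag, pass percentage and the assets that fail it.

    Returns (report, unmapped_test_ids). A control is compliant only when every
    mapped test passes on every in-scope asset that was tested.
    """
    stats = defaultdict(lambda: {"checks": 0, "passed": 0, "failing_assets": set()})
    unmapped = set()
    for asset, test_id, passed in results:
        if asset not in in_scope:
            continue  # scanner coverage is wider than the GRC scope; ignore
        control = mapping.get(test_id)
        if control is None:
            unmapped.add(test_id)  # surface for the GRC team rather than silently drop
            continue
        s = stats[control]
        s["checks"] += 1
        s["passed"] += int(passed)
        if not passed:
            s["failing_assets"].add(asset)
    report = {}
    for control, s in stats.items():
        report[control] = {
            "compliant": s["passed"] == s["checks"],
            "pct": round(100 * s["passed"] / s["checks"], 1),
            "failing_assets": sorted(s["failing_assets"]),
        }
    return report, sorted(unmapped)


def open_issues(report):
    """One remediation issue per non-compliant control, listing the assets to fix."""
    return [{"control": c, "assets": r["failing_assets"]}
            for c, r in sorted(report.items()) if not r["compliant"]]


def build_report():
    results = normalize(SCANNER_A_RESULTS, SCANNER_B_RESULTS)
    return control_compliance(results, TEST_TO_CONTROL, IN_SCOPE_ASSETS)


if __name__ == "__main__":
    report, unmapped = build_report()
    for control, r in sorted(report.items()):
        print(f"{control}: {'OK' if r['compliant'] else 'FAIL'} ({r['pct']}%) {r['failing_assets']}")
    print("unmapped tests:", unmapped)
    print("issues:", open_issues(report))
```

With the constructed data, AC-02 is compliant because both scanners report its tests passing, AC-06 is at 50% with web-01 failing, SC-28 fails on db-01, the lab-99 result is ignored as out of scope, and A-9999 is reported as an unmapped test. Which tests count toward a control, and whether a partially passing control should be scored or simply marked non-compliant, is a policy decision the GRC team has to make explicitly.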

From a failed control, the GRC Risk Management application identifies and prioritizes the risk to the enterprise.

[Images: New Configuration Tests tab shows critical failure of controls based on Qualys scanning data, while risks associated with vulnerabilities can be easily identified and quantified.]

Real-time dashboards greatly improve compliance and risk visibility, while automation significantly reduces manual effort. Issues are automatically generated to the appropriate individuals and tracked to conclusion.

Having all communication and evidence conveniently stored in the ServiceNow platform makes any audit activities a snap. And with reporting capabilities it's easy to effectively communicate with other departments and to the board.

ServiceNow GRC has been able to monitor for compliance or to detect software flaws for quite some time. However, with the new ability to monitor for configuration flaws, Continuous Monitoring provides 360-degree visibility into vulnerabilities that could present a significant business risk to an enterprise.

Read more about Kingston enhancements in our community blogs for Security Operations and GRC or visit us at www.servicenow.com/grc and www.servicenow.com/sec-ops.