sremerson
ServiceNow Employee

Picture this. It's 4:30 PM on a Friday and a critical vulnerability was just announced by a software vendor. The vendor states they are aware of the vulnerability and are actively working on a patch that will be released “very soon”. The vulnerability announcement states that customers could experience performance issues if the vulnerability is exploited. Just minutes before reading this announcement, your Service Desk sent out a notification that users have been reporting slowness with a critical business service. After putting two and two together, you realize this vulnerability is impacting your organization! 

When this scenario occurs, security and IT teams scramble to determine the overall impact of the vulnerability on the organization. Far too often, the process of answering these two key questions involves referencing outdated spreadsheets and sending frantic emails to application and infrastructure teams:

  • Which business services are affected by this vulnerability?
  • Which servers is this software installed on?

Once these questions are answered, only then can you begin to prioritize and respond.

In the case of a critical vulnerability, time is of the essence to remove the threat from the organization. At the rate critical vulnerabilities are being released today, manual methods of research and patching are unacceptable.

Together, We Will Protect and Defend!

The functions of IT Operations and Security Operations both work toward the common goal of ensuring continued operation of the services the business needs. While they often face different adversaries, they must work together to protect and defend the estate. Oftentimes these functions are performed in different systems, which increases mean time to resolution.

What if you could utilize a common platform to determine business impact, prioritize response, ensure operational governance, understand license cost impacts, automate remediation, and have continuous visibility into operational health and security posture? With ServiceNow, you can!

On an ongoing basis, ServiceNow dashboards provide your Security teams with complete visibility into your security posture and your IT Operations team with visibility into the health of the business services. These dashboards are provided out of the box with our Security Operations and IT Operations Management solutions. Through these dashboards, IT and Security teams can easily determine which servers in the environment are running the application and, most importantly, which business services are impacted.

You can't build a great building with a weak foundation
In order to have this level of visibility, the first step is to establish a foundational Service-Aware CMDB. To ensure accuracy, this Service-Aware CMDB must be populated and maintained in near real time. ServiceNow's Discovery and Service Mapping applications are automated, agentless solutions built with the sole purpose of ensuring your CMDB is healthy and trustworthy.

By using Discovery, your CMDB is populated with all of the infrastructure devices in your environment along with their installed software. Discovery also gives you application dependency maps, which let you see which devices and applications depend on each other. Once you have your devices, software and dependencies in the CMDB, the next step is to add business context. With Service Mapping, you can build automated maps for your business services that include only the components that make up each business service. Why is this important? When you have a vulnerability, or are making a Change against a specific server, you can easily determine the impact to your business and other downstream systems. No more fire drills of manually checking spreadsheets or calling application owners.
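To make the impact question concrete, here is an added example (not ServiceNow code) that runs the two questions from the opening over a small, constructed in-memory CMDB: servers with installed software as Discovery would record them, plus service-map "depends_on" relationships as Service Mapping would build them. The CI names, software names and version numbers are all made up for the illustration; it walks the dependency graph upward from the vulnerable servers to every business service that relies on them, directly or through an intermediate application.

```python
"""Impact analysis over a minimal Service-Aware CMDB (added example, not
ServiceNow's implementation). Answers: which servers run the vulnerable
software, and which business services depend on those servers?"""
from collections import deque

# Constructed sample CMDB. 'depends_on' points downward: service -> app -> server.
CMDB = {
    "Order Portal": {"class": "business_service", "depends_on": ["web-app-1"]},
    "Payroll":      {"class": "business_service", "depends_on": ["pay-app-1"]},
    "Intranet":     {"class": "business_service", "depends_on": ["wiki-app-1"]},
    "web-app-1":    {"class": "application", "depends_on": ["srv-web01", "srv-db01"]},
    "pay-app-1":    {"class": "application", "depends_on": ["srv-pay01", "srv-db01"]},
    "wiki-app-1":   {"class": "application", "depends_on": ["srv-wiki01"]},
    "srv-web01":    {"class": "server", "software": {"libfoo": "2.4.1"}},
    "srv-db01":     {"class": "server", "software": {"libfoo": "2.4.1", "pgsql": "13.2"}},
    "srv-pay01":    {"class": "server", "software": {"libfoo": "2.5.0"}},
    "srv-wiki01":   {"class": "server", "software": {"nginx": "1.20"}},
}

def version_tuple(v):
    # Simple dotted-integer comparison; enough for the constructed versions above.
    return tuple(int(p) for p in v.split("."))

def vulnerable_servers(cmdb, product, fixed_version):
    """Servers whose installed version of `product` is older than the fixed one."""
    fixed = version_tuple(fixed_version)
    return sorted(name for name, ci in cmdb.items()
                  if ci["class"] == "server"
                  and product in ci.get("software", {})
                  and version_tuple(ci["software"][product]) < fixed)

def impacted_services(cmdb, servers):
    """Breadth-first walk up the reversed 'depends_on' edges from the given
    servers, collecting every business service that transitively uses them."""
    used_by = {}
    for name, ci in cmdb.items():
        for dep in ci.get("depends_on", []):
            used_by.setdefault(dep, []).append(name)
    seen, queue = set(servers), deque(servers)
    while queue:
        for parent in used_by.get(queue.popleft(), []):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return sorted(s for s in seen if cmdb[s]["class"] == "business_service")

def impact_report(cmdb, product, fixed_version):
    servers = vulnerable_servers(cmdb, product, fixed_version)
    return {"servers": servers, "services": impacted_services(cmdb, servers)}
```

With a fixed version of libfoo 2.5.0, srv-pay01 is already patched, so only Order Portal and Payroll are impacted while Intranet is untouched; the same walk is what a service map lets an operator do visually.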

Once the foundation of the Service-Aware CMDB is up and running, the next step is to integrate your operational monitoring tools and your security tools with ServiceNow. Operational events, vulnerabilities and security incidents will begin flowing into ServiceNow and will be processed to reduce the noise and help you prioritize your response based on the impact to your business.

Preventing Service Outages:

From an Operations perspective, the goal is to prevent service outages by remediating issues as quickly as possible. In the case of the performance degradation caused by the exploited vulnerability I mentioned earlier, IT operators have immediate visibility into health at the business service level through the Event Management Dashboard.

When the operator sees an orange tile, this represents a degraded service. They can drill down into the Service Map and quickly determine the root cause component (or CI) that is causing the degradation. ServiceNow uses machine learning to deduplicate and correlate monitoring events and operational metrics, determine the probable root cause CI, and provide a confidence score. The operator also has additional troubleshooting steps they can perform, such as reviewing planned or unplanned changes, reviewing operational metrics, and examining dependency relationships between the affected CI and other CIs in the environment.

Because a knowledge base article was created with the workaround for restoring service in the event of a performance degradation, the operator learns that restarting the application service is the remediation activity to perform.

Operators can build Orchestration activities (operational runbooks) and associate them with conditions, which can be made available right from the service map. In this case, the operator can select the 'Restart Service' remediation option; the service is automatically restarted on the remote server and notifications are sent to stakeholders. There was no need for the operator to perform this activity manually, and as a result a complete service outage was prevented. As you increase your maturity level, you can even configure ServiceNow to execute orchestration activities automatically based on certain conditions, which enables true Zero Touch Automation!

While the operator is responding to the degraded performance condition, they see there is an open Vulnerable Item record against the same server. Due to the sensitive nature of the vulnerability, the operator is unable to see the details of the Vulnerable Item record; however, this is an indicator to them of a potential root cause.

Resolve Vulnerabilities Fast:
Because the CMDB gives you near real-time visibility into which servers are running the vulnerable software, once the vendor releases the patch you can quickly automate its deployment to all affected non-production servers, and application owners can be assigned tasks to begin testing. By using ServiceNow's Vulnerability Response solution and integrating your existing vulnerability scanner and patch deployment tool, you can automate the patch installation using Orchestration.

After testing is signed off, IT can schedule the automated production deployment of the patch to the affected servers from the Vulnerability Response application, incorporating Change & Release Management governance to ensure proper review, approval and notification.

If there is a vulnerable instance of the application in the environment that is no longer supported and a version upgrade is required, you can understand the impact of software upgrade costs as part of the Change Management process by leveraging the License Change Projection feature from our Innovation of the Year award-winning Software Asset Management solution. This feature is unique to ServiceNow and is a "game changer" per Martin Thompson of the ITAM Review. 

Upon completion of the patch installation, the Vulnerability Response workflow automatically initiates a re-scan request to the vulnerability scanner through Orchestration to confirm that the vulnerability no longer exists for the affected application. At the same time, an automated discovery is launched as part of the Change Management workflow to ensure the CMDB is updated.

Throughout the installation of the patch, operational alerts are suppressed for the maintenance window to avoid false alerts for the IT Operators.

Different, yet the same

While operational issues and security vulnerabilities are two different things, the process of responding to them is very much the same. By using a common platform with shared capabilities, you can prioritize and automate the response to vulnerabilities and operational issues quickly and with accurate business context.

By now you're wondering how you can achieve what I talked about above.

This is just one example of how a common platform enables great experiences across multiple use cases. With ServiceNow, there are endless combinations of use cases that enable greater productivity for your organization, and it's all because of the common platform with a Service-Aware CMDB.

Hooah!
