on 10-13-2022 06:01 AM
Note: this article assumes the reader is actively using Discovery and Vulnerability Response
Background: How Vulnerabilities are Imported and Managed in ServiceNow
Vulnerable Items are a key concept in ServiceNow. They represent a Configuration Item with an associated vulnerability imported from a Vulnerability Scanner like Tenable or Tanium.
In other words: Vulnerable item (VI) = Configuration Item (CI) + Vulnerability
Vulnerability scanners provide an enormous amount of data to sift through, resulting in hundreds of thousands or millions of Vulnerable Items (VIs). Without a robust enterprise process for responding to VIs, making that data actionable can require tremendous effort and resources.
Vulnerability Response (VR) assigns owners to the VIs that must be remediated. It also helps remediation teams prioritize their efforts based on important CI attributes such as business criticality or firewall status, and it monitors remediation progress.
Recommendation
- Work iteratively with your CMDB team to ensure your vulnerability scanner data is fully matched to CMDB Configuration Items (CIs)
- Identify remediation owners using the CI’s support group or managed-by group
- Enrich your prioritization of vulnerabilities using CI’s business criticality and other attributes
- Understand your exposure and remediation progress using the CISO Dashboard
1. Work iteratively with your CMDB and Discovery team to ensure your vulnerability scanner data is fully matched to CMDB Configuration Items (CIs)
Vulnerability scanners are powerful tools for identifying vulnerabilities across your network. However, when customers first compare their CMDB with their scanner data, they often find gaps. Out of the box, vulnerabilities that cannot be matched to a CI result in entries in the Unclassed Hardware table.
The Vulnerability Response team and CMDB/Discovery team must partner closely and work iteratively to address these gaps.
- New records in the Unclassed Hardware table should be counted weekly, with the goal of eliminating unmatched data.
- The CMDB/Discovery team should troubleshoot the reasons for unmatched data with assistance from IT teams such as Network and Firewall engineering. Unmatched data can often be traced back to root causes such as:
  - A lack of ServiceNow Discovery credentials for the target hosts.
  - IP ranges missing from ServiceNow Discovery.
  - No Discovery MID Server in the range reached by the vulnerability scanner.
- The VR team and Discovery team should advocate for new credentials, firewall access, and new MID Servers as needed.
- This process should iterate until all gaps are closed.
2. Identify remediation owners using the CI’s support group or managed-by group
Once you have a set of VIs to work with, use the CMDB to assign ownership. One of two CI attributes can be used:
- Support Group (support_group)
- Managed By (managed_by_group)
The “Support group” and “Managed by group” fields on the CI record are designed to serve as remediation owners, and either attribute can be used for VI remediation assignments. Confirm which one applies with your CMDB team, as custom set-ups vary.
3. Enrich your prioritization of vulnerabilities using CI business criticality and other attributes
Vulnerability scanners usually rate the risk of a vulnerability using the Common Vulnerability Scoring System (CVSS) and similar models. However, the impact of those vulnerabilities on your critical business services and applications can only be understood through the CMDB and VI records.
To get a strategic understanding of your vulnerability risk posture, ensure your ServiceNow risk scoring calculators combine elements of both the vulnerability and the configuration item. The following table lists the CI attributes to use:
| Type | CI attribute |
| --- | --- |
| Business impact | internet_facing, firewall_status |
| Classification, such as production vs. non-production | classification |
| Business criticality (can be inferred through related business services) | busines_criticality |
If data gaps in these fields hinder accurate categorization, meet weekly with your CMDB team to partner on a remediation plan.
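To make sections 1 to 3 concrete, here is an added plain-JavaScript model (not ServiceNow or VR plugin code) of the VI = CI + vulnerability join: scanner findings that match no CI fall into an Unclassed Hardware bucket, matched ones get an owner from support_group or managed_by_group, and a CI-enriched risk score separates two findings with identical CVSS. The CMDB rows, findings, CVE placeholders and the weighting rules are all constructed assumptions for this example.

```javascript
// Constructed cmdb_ci-like rows; field names follow the article.
const CIS = [
  { sys_id: 'ci1', ip_address: '10.0.1.5', fqdn: 'web01.example.test',
    support_group: 'Web Ops', managed_by_group: '', internet_facing: true,
    firewall_status: 'open', classification: 'Production',
    busines_criticality: '1 - most critical' },
  { sys_id: 'ci2', ip_address: '10.0.2.9', fqdn: 'dev03.example.test',
    support_group: '', managed_by_group: 'Dev Platform', internet_facing: false,
    firewall_status: 'closed', classification: 'Development',
    busines_criticality: '4 - not critical' },
];

// Constructed, normalised scanner findings (CVE ids are placeholders).
const FINDINGS = [
  { host: '10.0.1.5',          cve: 'CVE-PLACEHOLDER-1', cvss: 9.8 },
  { host: 'dev03.example.test', cve: 'CVE-PLACEHOLDER-2', cvss: 9.8 },
  { host: '10.0.9.77',         cve: 'CVE-PLACEHOLDER-3', cvss: 7.5 }, // no CI
];

// Section 1: match a scanner host to a CI by IP or FQDN.
function findCi(host, cis) {
  return cis.find(ci => ci.ip_address === host || ci.fqdn === host) || null;
}

// Section 2: support_group first, managed_by_group as the alternative.
function remediationOwner(ci) {
  return ci.support_group || ci.managed_by_group || null;
}

// Section 3: CVSS gives both hosts 9.8; CI attributes tell them apart.
// Weights are this example's own assumption, capped at 100.
function ciRiskScore(cvss, ci) {
  let score = cvss * 6;                                // scanner baseline, 0..60
  if (ci.internet_facing) score += 15;
  if (ci.firewall_status === 'open') score += 10;
  if (/^prod/i.test(ci.classification)) score += 10;
  if (/^1/.test(ci.busines_criticality)) score += 15;
  return Math.min(100, Math.round(score));
}

// Build VIs; unmatched findings go to the Unclassed Hardware bucket.
function buildVulnerableItems(findings, cis) {
  const vis = [], unclassed = [];
  for (const f of findings) {
    const ci = findCi(f.host, cis);
    if (!ci) { unclassed.push(f); continue; }          // CMDB team follows up weekly
    vis.push({ ci: ci.sys_id, cve: f.cve,
               owner: remediationOwner(ci), risk: ciRiskScore(f.cvss, ci) });
  }
  return { vis, unclassed };
}
```

Running buildVulnerableItems(FINDINGS, CIS) yields two VIs (risk 100 owned by Web Ops, risk 59 owned by Dev Platform) and one unclassed finding for the CMDB team to resolve.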
4. Understand your exposure and remediation progress using the CISO Dashboard
Ensuring your data is complete is key to successful VR, but the goal is to lower your organization’s exposure to vulnerabilities. The CISO Dashboard is an excellent out-of-box feature to understand vulnerability exposure and remediation progress. (Detailed set-up instructions can be found here)
Review the CISO Dashboard regularly to understand:
- Average age of vulnerabilities
- Mean Time to Remediate
- Average Vulnerabilities per Asset
- New and closed VIs
Thank you for creating this!
One of the labs in the Inkling ebook for ServiceNow Vulnerability Response asks what the consequence is of leaving "Managed by" blank on CI records, and this article does a good job of explaining that.