12-30-2022 07:47 PM - edited 12-30-2022 10:40 PM
Background:
Many of the CISO’s security executives struggle to build awareness of the various accomplishments and struggles related to the enterprise's security posture. Leaders for vulnerability and incident response management need a shared view to guide the leadership and stakeholder teams.
Recommendations:
Set up, configure, and improve the organization’s security posture via the CISO dashboard.
- Install the Performance Analytics Store Apps for VR and SIR. Install plugins, ensure jobs are active, and confirm that Scan Coverage CMDB Configuration Item (CI) data is correct.
- Set up CISO dashboards for VR with ingestion enabled.
- Set up Scan Coverage with required CIs and Vulnerability Solution Management.
- Set up the SIR Dashboard and ensure the incident count and dashboard are the same.
- Set up VR CISO Dashboard metrics for trending metrics and prioritization of vulnerabilities.
- Use SIR CISO Dashboard to view prioritized incidents, most vulnerable CIs, and security incident trends.
- Establish governance through a meeting that leverages the CISO metrics and organizational trajectory with stakeholders.
Roles needed
- sn_vul.vulnerability_ciso required to view the dashboard.
- sn_vul.ciso_write needed to edit the dashboard.
System requirements
- Security Incident Response (SIR) Pro includes CISO Dashboard for Security Incident Response (PA for SIR)
- Vulnerability Response (VR) Pro includes CISO Dashboard for VR (PA for VR)
1. Install the Performance Analytics Store Apps for VR and SIR. Install plugins, ensure jobs are active, and confirm that Scan Coverage CMDB Configuration Item (CI) data is correct.
- Install the Store app and plugins needed to get the CISO Dashboard. The names of the apps are:
  - Performance Analytics for Vulnerability Response
  - Performance Analytics for Security: when searching for the plugin to install, you may also see a second option, Performance Analytics Premium for Security Operations; do not install it.
- Step-by-step instructions for installing the store app can be found here.
- For VR: the documentation recommends changing the Performance Analytics Properties (step 15.C.). Do not do this; skip step 15 altogether, because those property changes affect ALL indicators, not only the VR ones.
- Ensure the [PA VR] CISO Dashboard job is active:
  - Performance Analytics > Data Collector > Jobs > [PA VR] CISO Dashboard, change Active to true.
2. Set up your CISO dashboards for VR with ingestion enabled.
- Vulnerability Scanner ingestion is enabled using the store apps, which can be found at ServiceNow App Store.
- CMDB data and CMDB hygiene practices are in place; this means owners of CIs and Services can be identified; if not, there is a process to find them.
- Confirm that Scan Coverage has all the CMDB CI classes you expect to cover in the CISO Dashboard and correct any errors through the Scan Coverage Report to add additional CI Classes.
3. Set up Scan Coverage and Vulnerability Solution Management
- Ensure the Scan Coverage Calculation job is running and reflects the expected number of Total CIs, Scanned CIs, and CMDB CI Classes.
  - Vulnerability Response > Administration > Scan Coverage Configuration
  - Note that this job pulls from the CMDB, and its output is then used to populate the CISO Dashboard.
- The Indicator Sources setting must be changed to reflect the size of the VR implementation; by default, the maximum number of records for the override record collection is set to 1,000,000. Increase this according to the size of the overall deployment, i.e., raise it in increments of 1,000,000 as your VR environment grows.
  - Go to Indicator Sources and change the scope via the banner notification option.
  - Performance Analytics > Sources > Indicator Sources; for the Active VIs (Services and Internet-facing) sources, the change must be made in the Record Collection tab.
- Ensure Solution Management is installed and configured (Red Hat, Microsoft, etc.):
  - Install the third-party integrations for Microsoft Response Center Solutions or Red Hat Solutions.
  - Vulnerability Response > Administration > Setup Assistant > Integration Configuration > Solution Integrations.
4. Set up your SIR Dashboard and ensure your incident count and dashboard are the same.
- Monitoring and Alerting (SIEM/EDR) ingestion is enabled using the store apps, which can be found at the ServiceNow App Store.
- Data integrity needs to be checked: compare the number of security incident tickets created in the instance against the number of created incidents the CISO Dashboard reports, and confirm that they match.
5. Use the VR CISO Dashboard metrics for trending, prioritization of vulnerabilities, and Scan Coverage.
- VR metrics that need to be reviewed daily by the vulnerability leadership team are Average Vulnerability Per Asset, Mean Time to Remediate (MTTR), and Average Age of Vulnerabilities.
- Conversations with the CISO need to focus on the monthly Remediation Efficiency of New and Closed Items.
- Scan Coverage needs to trend upwards, and the gap between Scanned Assets and Scannable Assets should narrow; convergence is the goal.
- Monthly Scan Coverage needs to trend upwards; if it does not, the team should investigate how to address this.
- Using the Recommended Actions tab, you can take strategic actions based on prioritized metrics to improve your security posture:
  - Vulnerabilities most prevalent on Assets
  - Top 10 Oldest Vulnerable Items
  - Top 10 Highest Impact Solutions
  - Top 10 Vulnerabilities with Exploits Available
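Step 4 asks you to confirm that the dashboard figures match what is actually in the instance, and step 5 names the metrics to review. The following added example (not from the original post and not ServiceNow code) recomputes those metrics independently from a constructed export of vulnerable items and a constructed scan coverage snapshot, so a dashboard value can be cross-checked against a recount; the record layout, CI names and dates are assumptions.

```python
from collections import namedtuple
from datetime import date

# Constructed sample export of vulnerable items (VIs): one row per VI with its CI,
# opened date and closed date (None = still open). Not data from the post.
VI = namedtuple("VI", "vi_id ci opened closed")
VIS = [
    VI("VIT0001", "mail-srv-01", date(2022, 10, 1), date(2022, 10, 15)),
    VI("VIT0002", "mail-srv-01", date(2022, 11, 3), None),
    VI("VIT0003", "web-srv-02", date(2022, 11, 20), date(2022, 12, 10)),
    VI("VIT0004", "db-srv-03", date(2022, 12, 5), None),
    VI("VIT0005", "db-srv-03", date(2022, 12, 20), None),
]
# Constructed scan coverage snapshot: CIs the CMDB says are scannable vs CIs a scanner reported.
SCANNABLE_CIS = {"mail-srv-01", "web-srv-02", "db-srv-03", "app-srv-04"}
SCANNED_CIS = {"mail-srv-01", "web-srv-02", "db-srv-03"}
AS_OF = date(2022, 12, 30)                      # constructed reporting date
DEC = (date(2022, 12, 1), date(2022, 12, 31))   # constructed reporting period

def avg_vulns_per_asset(vis):
    """Open VIs divided by the number of distinct CIs that have at least one open VI."""
    open_vis = [v for v in vis if v.closed is None]
    assets = {v.ci for v in open_vis}
    return len(open_vis) / len(assets) if assets else 0.0

def mttr_days(vis, start, end):
    """Mean Time to Remediate: average opened-to-closed days for VIs closed within [start, end]."""
    durations = [(v.closed - v.opened).days for v in vis if v.closed and start <= v.closed <= end]
    return sum(durations) / len(durations) if durations else 0.0

def avg_age_days(vis, as_of):
    """Average age in days of VIs still open on as_of."""
    ages = [(as_of - v.opened).days for v in vis if v.closed is None]
    return sum(ages) / len(ages) if ages else 0.0

def new_vs_closed(vis, start, end):
    """Counts behind the New and Closed Vulnerable Items widget for one period."""
    new = sum(1 for v in vis if start <= v.opened <= end)
    closed = sum(1 for v in vis if v.closed and start <= v.closed <= end)
    return new, closed

def scan_coverage(scannable, scanned):
    """Coverage ratio plus the gap (scannable CIs no scanner reported) that should shrink over time."""
    return len(scannable & scanned) / len(scannable), sorted(scannable - scanned)

def reconcile(dashboard_value, recomputed, tolerance=0.0):
    """Data-integrity check from step 4: does the dashboard figure match an independent recount?"""
    return abs(dashboard_value - recomputed) <= tolerance
```

Run the functions over a real export with your own reporting period, then pass each dashboard figure and its recount to reconcile(); any mismatch points at an ingestion, scope or record-collection limit problem to investigate before the numbers reach leadership.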
6. Use SIR CISO Dashboard to view prioritized security incidents, most vulnerable CIs, and incident trending metrics.
- The SIR metrics that need to be reviewed weekly by the Security Operations leadership team are Average Time to Identify, Average Time to Contain, and Average Time to Eradicate. You’ll want these going in a downward trend, but the key is to share this data with leadership to help prioritize resourcing needs.
- New Security Incidents This Week and Security Incidents Closed This Week are also present. These metrics focus on managing the Security Operations team directly rather than providing guidance to leadership.
- The Vulnerability Trends in the Vulnerability Profile tab, which should slope downward, need to be shared with the leadership team so they understand the vulnerabilities affecting Business Critical CIs and their business impact.
- For global teams, the Vulnerability Map gives a visual representation that helps after a recent breach, an M&A, or another type of restructuring.
7. Establish governance through a meeting that leverages the CISO metrics and organizational trajectory with stakeholders
- Establish a VR-focused discussion with remediation teams and stakeholders twice a month.
  - Trending: the conversations here need to focus on the direction of the trends and on creating actionable steps.
    - Example widget: New and Closed Vulnerable Items
      - Are more vulnerabilities being found than being remediated? Are certain vendors releasing more vulnerabilities?
      - What actions are being taken to address potential gaps?
    - Example widget: Vulnerabilities most prevalent on Assets
      - Which assets are most impacted? Are they owned by one remediation team, such as the mail server team?
  - Risk reduction discussions: are there higher priority areas, such as regulatory (e.g., PCI), externally facing, old gear, or mission-critical gear?
- Establish a SIR-focused discussion with remediation teams and stakeholders twice a month.
  - Trending: the conversations here need to focus on the direction of the trends and on creating actionable steps.
    - Example widgets: Average Time to Identify | Contain | Eradicate
      - Across the three widgets, are we seeing the correct trending pattern?
      - Are the right tools, people, and training in place? Are there other bottlenecks?
      - Is the incident volume in line with the expected alert volume?
  - Fine-tune the alert ingestion process and tools on a regular basis.
  - False positives need to be closely monitored and tuned as well.
- Other metrics are also available through Performance Analytics for VR and SIR. They can add to the discussion, and exploring other dashboards, such as the Security Operations Efficiency dashboard, can further enhance the conversations.
There will always be security threats in every organization. Effective strategies to combat them rely not only on tools but on consistent practices, such as an established communication cadence built on a shared view.
Sample Agendas:
VR CISO Dashboard agenda:
- Discuss trends
- Discuss actionable areas to reduce risk
- Discuss areas of risk that need more focus
SIR CISO Dashboard agenda:
- Discuss trends
- Discuss actionable areas to reduce risk
- Discuss areas of risk that need more focus