rahimulah
ServiceNow Employee

Background

As part of the journey into managing enterprise vulnerabilities, it is vital to understand how to prepare for your Vulnerability Response (VR) deployment. It can seem overwhelming at first, but a well-thought-out, deliberate approach will keep you on the right path.


Before getting started, we recommend familiarizing yourself with the Vulnerability Response Workspaces that help your teams streamline management of vulnerabilities and misconfigurations.


Recommendations

  1. Plan to target the highest priority vulnerabilities
  2. Validate you have the right stakeholders involved
  3. Build a training plan for your administrators and fulfillers to support the solution
  4. Set up roles and permissions and install the VR application
  5. Install the certified integration to your vulnerability scanner
  6. Set up a dedicated MID server
  7. Import a small subset of vulnerabilities to begin with
  8. Understand the current state of the CMDB
  9. Ensure the instance is sized correctly for VR

1. Plan to target the highest priority vulnerabilities

  • Plan to deploy in a phased manner so you can adapt to changes that come with deploying VR and build momentum for gradual growth in maturity.
  • Expand coverage of your company's highest priority assets until you can shift to lower priority ones.
  • Start with a lower-risk segment and expand gradually into more business-critical areas of the production environment, for example: QA test lab environment -> IDF/BDF infrastructure in City A -> IT services environment, etc.

2. Validate you have the right stakeholders involved

Include the following key resources and stakeholders:

  • ServiceNow Platform team
  • Vulnerability Response technical administrators
  • Vulnerability Response business process owner
  • Vulnerability Response analysts
  • Remediation teams
  • Exception team
  • Change Management team
  • ServiceNow Configuration Management Database (CMDB) team
  • CISO (or CSO)

Additionally, most ServiceNow customers succeed when working with partners who have delivered a Vulnerability Response transformation. ServiceNow Expert Services or a ServiceNow Certified Partner will help guide you and avoid time-consuming missteps. Learn more about charting your path to implementation success here.


3. Build a training plan for your administrators and fulfillers to support the solution

Ensure your administrators, implementation partners, and CMDB team have taken, or plan to take, the Now Learning courses below. They are listed in order of priority; VR staff should prioritize courses 1-3. See additional recommended training here.

  1. ServiceNow Administration Fundamentals – Foundational understanding of the platform
  2. Security Operations (SecOps) Fundamentals – Perform Security Operations functions on a student instance
  3. Vulnerability Response Implementation – How to properly implement Vulnerability Response
  4. CMDB Fundamentals – How to implement a successful CMDB, configure rules to prevent duplicates, and populate data from various sources
  5. Flow Designer Fundamentals – Fundamentals needed for understanding and leveraging Flow Designer
  6. Get Started with Now Create - Learn how to create exceptional business outcomes faster and with less risk using ServiceNow's Now Create methodology

4. Set up roles and permissions and install the VR application

Ensure your administrators and implementation partners have the appropriate roles as outlined below:

  1. System Admin (admin) for installation
  2. For configuration:
    • Vulnerability Admin (sn_vul.vulnerability_admin) for Vulnerability Response
    • Application Security Manager (a user in the App-Sec Manager group) for Application Vulnerability Response
    • Note: detailed instructions for installing Application Vulnerability Response can be found here
  3. For access to the Vulnerability Response Workspaces:
    • Vulnerability Manager Workspace: sn_vul.vulnerability_analyst or sn_vul.vulnerability_admin
    • IT Remediation Workspace: sn_vul.remediation_owner

Install the Vulnerability Response application. View installation steps here.


5. Install the certified integration to your vulnerability scanner

  1. ServiceNow Support credentials are required. A platform administrator can install ServiceNow-developed apps without formally requesting access, but applications developed by a third party (that is, not ServiceNow) must be requested from the ServiceNow Store for both sub-production and production instances.
    • Once entitled, you still need to activate the Store app. This is done under System Applications > All Available Applications > All. A detailed walk-through can be found here.
  2. Within your instance, go to the respective application and request access. Designate one individual who will authenticate to the Store and make the application request.
  3. Once approved, install in the sub-production environment, test, and then deploy to production.
  4. Links to VR third-party applications are below for reference:

6. Set up a dedicated MID server

  1. Set up a dedicated MID server (stand-alone, not part of a cluster) for the third-party vulnerability scanner integration. A dedicated MID server ensures that VR workloads run independently of other ServiceNow functions.
    • MID server requirements:
      • High-performance CPU
      • Capable of running Microsoft Windows Server 2012, 2016, or 2019
      • PowerShell 3.0
      • Java 11.0.12
      • More details can be found here.
  2. Associate a credential that has sufficient permissions in the third-party tool to run the privileged commands the integration needs. A list of those privileged commands can be found here.
  3. Network access, access control lists (ACLs), and firewall rules must allow communication between the MID Server and the third-party tool. Work with your network and security engineers to ensure access.
  4. Establish an asset tag naming strategy so that tags follow one standardized convention.
    • Use asset tags to identify externally facing systems, business-critical systems, systems subject to compliance requirements, and so on.
    • Adopt a {key:value} convention (for example env:internal, env:external) so that configurations built on tags stay simple and maintainable.

7. Import a small subset of vulnerabilities to begin with

  1. Start with a small, well-known dataset with known CI information. For each CI, the data should indicate the CI owner, who is responsible for patching it, its priority, and its severity.
  2. Initially, limit scanner ingestion to a set time window, for example detections from the last 90 days, instead of everything since the beginning of time.

NOTE: Initial data loads take longer than delta loads. Running test imports against smaller or batched networks gives measured load times from which a rough import time for larger networks can be extrapolated.
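A worked illustration of the selection rule in this section together with the {key:value} asset tag convention from section 6. This is an added example, not code from the article or from ServiceNow: it takes a constructed set of scanner detections and CI records and keeps only detections that fall inside the 90-day window, map to a CI whose owner, patch owner and priority are populated, carry only well-formed tags, and match the pilot scope (here env:external). The record field names, the allowed tag keys and values, and the helper names are assumptions made for the example.

```javascript
// Added example, not part of the article or of ServiceNow: choose a small,
// well-known initial import set from scanner detections.
// Assumptions (hypothetical): record fields (id, asset_id, last_found; owner,
// patch_owner, priority, tags), the allowed tag keys/values, and the window.

// Allowed key:value asset tags (assumed convention; extend to suit).
const ALLOWED_TAGS = {
  env: new Set(["internal", "external"]),
  tier: new Set(["critical", "high", "medium", "low"]),
  compliance: new Set(["pci", "sox", "none"]),
};

// Parse one raw tag such as "ENV:External" into a lowercase {key, value},
// or report why it does not follow the key:value convention.
function parseTag(raw) {
  const m = /^\s*([a-z][a-z0-9_-]*)\s*:\s*([a-z0-9][a-z0-9_.-]*)\s*$/i.exec(raw);
  if (!m) return { ok: false, raw, reason: "not key:value" };
  const key = m[1].toLowerCase();
  const value = m[2].toLowerCase();
  if (!(key in ALLOWED_TAGS)) return { ok: false, raw, reason: `unknown key '${key}'` };
  if (!ALLOWED_TAGS[key].has(value)) return { ok: false, raw, reason: `unknown value '${value}' for key '${key}'` };
  return { ok: true, key, value };
}

// Parse all tags on a CI; well-formed ones become {key: value}, the rest are errors.
function parseTags(rawTags) {
  const tags = {};
  const errors = [];
  for (const raw of rawTags) {
    const r = parseTag(raw);
    if (r.ok) tags[r.key] = r.value;
    else errors.push(r);
  }
  return { tags, errors };
}

// Keep a detection only if it is recent, maps to a CI, the CI has owner,
// patch owner and priority, all its tags are well formed, and it carries
// every required tag (e.g. env:external for an externally facing pilot).
function selectInitialImport(detections, cis, { now, windowDays = 90, requiredTags = {} }) {
  const cutoff = new Date(now.getTime() - windowDays * 86400000);
  const selected = [];
  const skipped = [];
  for (const d of detections) {
    const reasons = [];
    // An unparsable date compares false and is treated as too old.
    if (!(new Date(d.last_found) >= cutoff)) reasons.push(`last_found older than ${windowDays} days`);
    const ci = cis[d.asset_id];
    if (!ci) {
      reasons.push("no matching CI");
    } else {
      for (const f of ["owner", "patch_owner", "priority"]) {
        if (ci[f] === undefined || ci[f] === null || ci[f] === "") reasons.push(`CI missing ${f}`);
      }
      const { tags, errors } = parseTags(ci.tags || []);
      for (const e of errors) reasons.push(`bad tag '${e.raw}': ${e.reason}`);
      for (const [k, v] of Object.entries(requiredTags)) {
        if (tags[k] !== v) reasons.push(`tag ${k}:${v} required`);
      }
    }
    if (reasons.length === 0) selected.push(d);
    else skipped.push({ id: d.id, reasons });
  }
  return { selected, skipped };
}

// Constructed sample data (not real scanner output or CMDB content).
const SAMPLE_CIS = {
  a1: { name: "web-edge-01", owner: "alice", patch_owner: "linux-patching", priority: 1, tags: ["env:external", "tier:critical"] },
  a2: { name: "app-int-07", owner: "bob", patch_owner: "", priority: 2, tags: ["env:internal", "tier:high"] },
  a3: { name: "vpn-gw-02", owner: "carol", patch_owner: "network-ops", priority: 1, tags: ["Env:External", "region:emea"] },
};
const SAMPLE_DETECTIONS = [
  { id: "d1", asset_id: "a1", vuln_id: "V-100", last_found: "2024-01-10" },
  { id: "d2", asset_id: "a1", vuln_id: "V-101", last_found: "2023-09-01" },
  { id: "d3", asset_id: "a2", vuln_id: "V-100", last_found: "2024-01-15" },
  { id: "d4", asset_id: "a3", vuln_id: "V-102", last_found: "2024-01-20" },
  { id: "d5", asset_id: "a9", vuln_id: "V-100", last_found: "2024-01-21" },
];

function selectExampleImport() {
  return selectInitialImport(SAMPLE_DETECTIONS, SAMPLE_CIS, {
    now: new Date("2024-01-22T00:00:00Z"),
    windowDays: 90,
    requiredTags: { env: "external" },
  });
}

const exampleResult = selectExampleImport();
console.log(`selected ${exampleResult.selected.length}, skipped ${exampleResult.skipped.length}`);
for (const s of exampleResult.skipped) console.log(`  ${s.id}: ${s.reasons.join("; ")}`);
```

With the sample data only d1 is selected; the skip reasons (stale detection, CI missing a patch owner, a tag outside the convention, no matching CI) are exactly the gaps the CMDB and remediation teams need to close before the scope is widened, so the skipped list doubles as a data-quality worklist for the pilot.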


8. Understand the current state of the CMDB

Get an understanding of how the ServiceNow Configuration Management Database (CMDB) is currently being populated, specifically which IP ranges Discovery targets and on what schedules.

Understanding the existing Discovery schedules matters because they should be coordinated with vulnerability scans. If Discovery completes several days before the vulnerability scan runs, hosts that changed in between (new, decommissioned, or re-addressed systems) appear in the scan results without a matching CI, so more detections land on unmatched CIs.

Additionally, Discovery and the vulnerability scanner should cover the same IP ranges and hold credentials for the same hosts, so that both see the same set of systems and there are no unexpected gaps when importing vulnerability data.

Refer to the documentation on Unmatched CIs, Discovered Items, and View and reclassify unmatched configuration items. Establish internal roles, responsibilities, and a workflow to regularly review Discovered Items and reclassify Unmatched CIs.

Meet regularly with the CMDB team to review the data and agree on remediation plans.
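To make the coordination described above concrete, here is an added example (not code from the article or from ServiceNow) that compares constructed Discovery schedule definitions with vulnerability scanner target definitions. It reports scanner ranges that Discovery never covers (detections there will land on unmatched CIs), Discovery ranges the scanner never covers (CIs that will never receive vulnerability data), and, for each scan, how many days elapsed since the overlapping Discovery schedule last completed. The schedule and target object shapes, the two-day lag threshold, and IPv4-only range parsing are assumptions made for the example.

```javascript
// Added example, not part of the article or of ServiceNow: compare Discovery
// schedule ranges/timing with the vulnerability scanner's targets.
// Assumptions (hypothetical): the schedule/target object shapes below,
// IPv4 only, and a two-day maximum lag between Discovery and scanning.

function ipToInt(ip) {
  const p = ip.split(".").map(Number);
  if (p.length !== 4 || p.some(n => !Number.isInteger(n) || n < 0 || n > 255)) throw new Error(`bad IPv4 address: ${ip}`);
  return ((p[0] << 24) >>> 0) + (p[1] << 16) + (p[2] << 8) + p[3];
}

function intToIp(n) {
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join(".");
}

// Accept "10.0.0.0/24", "10.0.1.5-10.0.1.20" or a single address; return {start, end}.
function parseRange(spec) {
  let m = /^([\d.]+)\/(\d{1,2})$/.exec(spec);
  if (m) {
    const bits = Number(m[2]);
    if (bits > 32) throw new Error(`bad prefix length: ${spec}`);
    const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
    const start = (ipToInt(m[1]) & mask) >>> 0;
    return { start, end: (start | (~mask >>> 0)) >>> 0 };
  }
  m = /^([\d.]+)-([\d.]+)$/.exec(spec);
  if (m) {
    const start = ipToInt(m[1]);
    const end = ipToInt(m[2]);
    if (end < start) throw new Error(`bad range: ${spec}`);
    return { start, end };
  }
  const single = ipToInt(spec);
  return { start: single, end: single };
}

// Sort and coalesce overlapping or adjacent ranges.
function mergeRanges(ranges) {
  const out = [];
  for (const r of [...ranges].sort((a, b) => a.start - b.start)) {
    const last = out[out.length - 1];
    if (last && r.start <= last.end + 1) last.end = Math.max(last.end, r.end);
    else out.push({ start: r.start, end: r.end });
  }
  return out;
}

// Return the parts of `targets` that `covered` does not include.
function subtractRanges(targets, covered) {
  const cov = mergeRanges(covered);
  const gaps = [];
  for (const t of mergeRanges(targets)) {
    let cursor = t.start;
    for (const c of cov) {
      if (c.end < cursor) continue;
      if (c.start > t.end) break;
      if (c.start > cursor) gaps.push({ start: cursor, end: c.start - 1 });
      cursor = Math.max(cursor, c.end + 1);
      if (cursor > t.end) break;
    }
    if (cursor <= t.end) gaps.push({ start: cursor, end: t.end });
  }
  return gaps;
}

const overlaps = (a, b) => a.start <= b.end && b.start <= a.end;
const fmt = r => `${intToIp(r.start)}-${intToIp(r.end)}`;

// A scan is "stale" if no overlapping Discovery schedule completed before it,
// or the most recent one completed more than maxLagDays before the scan.
function compareCoverage(discoverySchedules, scannerTargets, maxLagDays = 2) {
  const discRanges = discoverySchedules.flatMap(s => s.ranges.map(parseRange));
  const scanRanges = scannerTargets.flatMap(s => s.ranges.map(parseRange));
  const timing = scannerTargets.map(scan => {
    const mine = scan.ranges.map(parseRange);
    const scanStart = new Date(scan.last_run);
    const relevant = discoverySchedules.filter(s => s.ranges.map(parseRange).some(d => mine.some(r => overlaps(d, r))));
    const done = relevant.map(s => new Date(s.last_completed)).filter(d => d <= scanStart).sort((a, b) => b - a);
    const lagDays = done.length ? (scanStart - done[0]) / 86400000 : null;
    return { scan: scan.name, discovery: relevant.map(s => s.name), lagDays, stale: lagDays === null || lagDays > maxLagDays };
  });
  return {
    notDiscovered: subtractRanges(scanRanges, discRanges).map(fmt), // detections here hit unmatched CIs
    notScanned: subtractRanges(discRanges, scanRanges).map(fmt),    // CIs here never get vulnerability data
    timing,
  };
}

// Constructed sample schedules (not from a real instance).
const SAMPLE_DISCOVERY = [
  { name: "DC-A servers", ranges: ["10.10.0.0/23"], last_completed: "2024-01-15T02:00:00Z" },
  { name: "City A IDF", ranges: ["10.20.5.0/24"], last_completed: "2024-01-20T02:00:00Z" },
];
const SAMPLE_SCANS = [
  { name: "Weekly DC-A", ranges: ["10.10.0.0/24", "10.10.1.0/24", "10.10.2.0/25"], last_run: "2024-01-18T03:00:00Z" },
  { name: "Weekly City A IDF", ranges: ["10.20.5.10-10.20.5.250"], last_run: "2024-01-21T03:00:00Z" },
];

function compareExampleCoverage() {
  return compareCoverage(SAMPLE_DISCOVERY, SAMPLE_SCANS);
}

const report = compareExampleCoverage();
console.log("scanned but not discovered:", report.notDiscovered);
console.log("discovered but not scanned:", report.notScanned);
for (const t of report.timing) console.log(`${t.scan}: lag ${t.lagDays === null ? "n/a" : t.lagDays.toFixed(1)} days${t.stale ? " (STALE)" : ""}`);
```

Run against the sample, the report shows 10.10.2.0/25 being scanned but never discovered (those detections will land on unmatched CIs), a handful of addresses at the edges of 10.20.5.0/24 that Discovery covers but the scanner skips, and the DC-A scan running three days after its Discovery schedule last completed. Feeding the real schedule definitions exported from the instance and the scanner into the same functions gives the list to take to the CMDB team meeting.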


9. Ensure the instance is sized correctly for VR

  1. Validate your instance sizing based on the number of vulnerable items you expect to import.
    • Request an instance sizing analysis before go-live.
    • An undersized instance leads to long load times. If you do not know the size of your instance, contact Customer Service and Support.
  2. Capture current and expected volumes of vulnerability detections.
  3. Account for the expected growth plan in terms of additional networks that will be scanned.
  4. Refer to the documentation on Best Practices: Vulnerability Response Implementation for better performance (customer log-in required).

With this list, customers should have a high-level understanding of what is needed for a successful VR deployment!

Version history
Last update: 01-22-2024 11:43 AM