on 08-23-2022 12:59 AM
As part of the journey into managing enterprise vulnerabilities, it’s vital to understand how to prepare for your Vulnerability Response (VR) deployment. Initially, it might seem overwhelming, but a well-thought-out and deliberate approach will take you down the right path.
1. Deployment approach – Plan to target the highest priority vulnerabilities that will cover 90% of your organization's critical infrastructure.
- The mindset needs to be to deploy in a phased manner so you can adapt to changes that come with deploying VR and build momentum for gradual growth in maturity.
- Continue to expand coverage of your company's highest priority assets until you can shift to lower priority ones.
- Initial deployment should focus on segments of production environments with gradual expansion into more business-critical areas.
- Example: QA test lab environment -> IDF/BDF infrastructure in City A -> IT services environment, etc.
Tip: Most ServiceNow customers find success when working with partners who have delivered on a Vulnerability Response transformation. ServiceNow Expert Services or a ServiceNow Certified Partner will help guide you and avoid time-consuming missteps.
2. Resources and stakeholders – Ensure the right set of resources and stakeholders are involved and informed.
Include the following key resources and stakeholders:
- ServiceNow Platform team
- Vulnerability Response technical administrators
- Vulnerability Response business process owner
- Vulnerability Response analysts
- Remediation teams
- Exception team
- Change Management team
- ServiceNow Configuration Management Database (CMDB) team
- CISO (or CSO)
Tip: To get a good grasp of the parties needed, read “Who needs to be in the room for a Vulnerability Response Workshop” here.
3. Training – The following training provides a solid understanding of the capabilities and features that can be leveraged for a high-value, business-outcomes-based VR deployment.
- ServiceNow Fundamentals – Foundational understanding of the platform
- Security Operations (SecOps) Fundamentals – Perform Security Operation functions on a student instance
- Vulnerability Response Implementation – How to properly implement Vulnerability Response
- CMDB Fundamentals – How to implement a successful CMDB, configure rules to prevent duplicates, and populate data from various sources
- Flow Designer – Fundamentals needed for understanding and leveraging Flow Designer
- Get Started with Now Create - Learn how to create exceptional business outcomes, faster and with less risk using ServiceNow's Now Create methodology
Tip: Both Partners and customers should take these courses.
4. Set up Roles and Permissions
Note: Detailed instructions for installing the Vulnerability Response Store application can be found here.
You need the following:
- System Admin (admin) for installation of the Vulnerability Response plugin
- For Configuration:
  - Vulnerability Admin (sn_vul.vulnerability_admin) for Vulnerability Response
  - Application Security Manager (User part of App-Sec Manager group) for Application Vulnerability Response
- For access to the Vulnerability Response Workspaces:
  - Vulnerability Manager Workspace: sn_vul.vulnerability_analyst or sn_vul.vulnerability_admin
  - IT Remediation Workspace: sn_vul.remediation_owner
5. Third-Party Store Apps - The tools of the trade
- Support credentials will be required. Although ServiceNow-developed apps can be installed by a platform administrator without formally requesting access, third-party apps must be requested for production instances.
- Once entitled, you’ll still need to activate the Store app. This is done under System Applications > All Available Applications > All. A detailed walk-through can be found here.
- Applications developed by a third-party (as in, not ServiceNow) must be requested from the ServiceNow Store for both sub-production and production instances.
- Within your instance, go to your respective application and request access.
- Once approved, install in subprod environment, test, and then deploy in production.
- Links to VR third-party applications are below for reference:
Tip: Customers should designate an individual that will authenticate to the Store and make the Application request.
6. Preparing for Vulnerability Scanner integration
- Set up a dedicated MID Server (independent and not part of a cluster) for third-party vulnerability scanners that rely on one for on-site deployments.
  - MID Server requirements:
    - High-performance CPU
    - Capable of running Microsoft Windows Server 2012, 2016, or 2019
    - PowerShell 3.0
    - Java 11.0.12
    - More details can be found here.
- Associated credentials with appropriate permissions in the third-party tool.
- Network access, Access-lists (ACLs), and firewall rules must allow for communication between the MID Server and the third-party tool.
- Establish an Asset Tag naming strategy to enable a standardized naming convention.
- Tip: Customers need to leverage Asset Tags for identifying externally facing systems, business-critical systems, compliance-required systems, etc.
- Tip: Use a {key:value} asset tag naming convention to make configurations simple and maintainable (Example: env:internal, env:external, etc.)
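An added example (not ServiceNow or scanner-vendor code) of checking scanner asset tags against the {key:value} convention before they drive VR configuration. The allowed keys and values and the sample assets are assumptions constructed for illustration.

```python
import re

# Assumed policy (not from ServiceNow or any scanner): allowed keys and their values.
ALLOWED = {
    "env": {"internal", "external"},
    "criticality": {"business-critical", "standard"},
    "compliance": {"pci", "sox", "none"},
}
TAG_RE = re.compile(r"^([a-z][a-z0-9_]*):([a-z0-9][a-z0-9_-]*)$")

def lint_tags(tags):
    """Return (parsed, problems) for one asset's list of tag strings."""
    parsed, problems = {}, []
    for raw in tags:
        m = TAG_RE.match(raw.strip())
        if not m:
            problems.append(f"{raw!r}: not lowercase key:value")
            continue
        key, value = m.groups()
        if key not in ALLOWED:
            problems.append(f"{raw!r}: unknown key {key!r}")
        elif value not in ALLOWED[key]:
            problems.append(f"{raw!r}: value {value!r} not allowed for {key!r}")
        elif key in parsed and parsed[key] != value:
            problems.append(f"{raw!r}: conflicts with {key}:{parsed[key]}")
        else:
            parsed[key] = value
    return parsed, problems

def lint_assets(assets, required=("env",)):
    """Lint every asset and flag assets that lack a required key."""
    report = {}
    for name, tags in assets.items():
        parsed, problems = lint_tags(tags)
        problems += [f"missing required key {k!r}" for k in required if k not in parsed]
        if problems:
            report[name] = problems
    return report

# Constructed sample data (not real scanner output).
SAMPLE = {
    "web01": ["env:external", "criticality:business-critical", "compliance:pci"],
    "db07": ["Env:Internal", "PCI"],
    "app12": ["env:internal", "env:external"],
    "lab03": ["env:internal", "owner:qa"],
}

if __name__ == "__main__":
    print(lint_assets(SAMPLE))
```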
7. Third-Party Vulnerability Scanner ingestion
- Start with a small, known dataset with known CI information; you should know who the CI owner is, who is responsible for patching it, its priority, and its severity.
- Ingest scanner data based on a set time/date limited to the last 90 days initially, instead of since the beginning of time.
- NOTE: Initial data loads will take longer than delta loads. Test imports run against smaller, batched networks can be used to estimate expected load times. Based on those results, a rough import time can be extrapolated for larger networks.
8. CMDB - Some key things to know
- Understand how the ServiceNow CMDB is currently being fed Configuration Item (CI) data (as in, the specific tools, scheduling, and targets of discovery activities).
- Schedules that need to be looked at are Discovery (CMDB population), Service Mapping, and third-party vulnerability scans.
- Tip: Knowing the timing of these scans will affect CI Reconciliation and classification.
- Examples of tools include Vulnerability Scanning tool(s), Shodan Exploit, etc.
- NOTE: Discovery is an excellent tool for populating the CMDB but may not have the permission/access to those environments in order to do so. Vulnerability Scanning tools will most likely find New CIs.
- Depending on the scope of the existing ServiceNow environment, both ServiceNow Discovery and Service Mapping may be in place. That is a great setup, but there may still be differences between the hosts in third-party vulnerability scanner results and the ServiceNow CMDB.
- Refer to documentation on Unmatched CIs, Discovered Items, and View and reclassify unmatched configuration items. Customers should establish internal roles and responsibilities and a workflow to regularly review Discovered Items and reclassify Unmatched CIs.
- Tip: Having a regular cadence with the Vulnerability and CMDB teams will significantly improve the data.
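An added example, not part of the original article or any ServiceNow code, of the pre-ingestion check that steps 7 and 8 call for: limit a pilot scanner export to the last 90 days and confirm each host resolves to a CMDB CI with a known owner and remediation group. The row layouts, the FQDN-then-IP matching order, and the sample data are assumptions; ServiceNow's own CI lookup rules decide matching inside the instance.

```python
from datetime import date, timedelta

def readiness(scanner_rows, cmdb_rows, today, window_days=90):
    """Classify in-window scanner hosts as ready, incomplete or unmatched."""
    cutoff = today - timedelta(days=window_days)
    by_fqdn = {c["fqdn"].lower(): c for c in cmdb_rows if c.get("fqdn")}
    by_ip = {c["ip_address"]: c for c in cmdb_rows if c.get("ip_address")}
    result = {"ready": [], "incomplete": [], "unmatched": [], "skipped_old": []}
    for row in scanner_rows:
        host = row["fqdn"] or row["ip"]
        if date.fromisoformat(row["last_detected"]) < cutoff:
            result["skipped_old"].append(host)
            continue
        # Match on FQDN first, then fall back to IP (assumed matching order).
        ci = by_fqdn.get(row["fqdn"].lower()) or by_ip.get(row["ip"])
        if ci is None:
            result["unmatched"].append(host)
            continue
        missing = [f for f in ("owned_by", "support_group") if not ci.get(f)]
        if missing:
            result["incomplete"].append((host, missing))
        else:
            result["ready"].append(host)
    return result

# Constructed sample exports and a constructed "today" (not real data).
TODAY = date(2022, 8, 23)
SCANNER = [
    {"fqdn": "web01.example.com", "ip": "10.0.0.11", "last_detected": "2022-08-01"},
    {"fqdn": "", "ip": "10.0.0.25", "last_detected": "2022-07-15"},
    {"fqdn": "lab03.example.com", "ip": "10.0.9.3", "last_detected": "2022-08-10"},
    {"fqdn": "old01.example.com", "ip": "10.0.0.40", "last_detected": "2021-12-01"},
]
CMDB = [
    {"name": "web01", "fqdn": "WEB01.example.com", "ip_address": "10.0.0.11",
     "owned_by": "a.lee", "support_group": "Web Ops"},
    {"name": "db07", "fqdn": "", "ip_address": "10.0.0.25",
     "owned_by": "", "support_group": "DBA"},
]

if __name__ == "__main__":
    print(readiness(SCANNER, CMDB, TODAY))
```

Hosts in `unmatched` are the ones likely to surface as Unmatched CIs after import, and `incomplete` lists CIs that need an owner or support group filled in before remediation work can be routed.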
9. Instance sizing – Ensure the instance is ready for your Vulnerability Response deployment.
- Validate your instance sizing based on the number of vulnerable items you expect to import.
- Request Instance sizing analysis before Go-Live.
- Tip: An undersized instance can lead to long load times. If you do not know the size of your instance, contact Customer Service and Support.
- Capture current and expected volumes of vulnerability detections.
- Customers need to consider the expected growth plan in terms of additional networks that are expected to be scanned.
With this list, customers should have a high-level understanding of what they need for a very successful VR deployment!