Gopi37
ServiceNow Employee

Introduction

Security Posture Control is a new product that was launched on the ServiceNow Store on August 3rd, 2023. We are looking for early adopter customers who can test this product in their sub-prod environments and provide feedback to us. Please refer to the app links towards the end of this blog.


Problem

One question every Cybersecurity team needs an answer for is “What assets do we need to protect?”. According to the Randori State of Attack Surface Management Report 2022, 69% of organizations have been compromised via an unknown, unmanaged, or poorly managed internet-facing asset in the preceding year.

While it is critical to deploy security tools such as endpoint protection, anti-malware and encryption on assets and devices, it is equally critical to keep track of which assets are protected by these tools and which are not. And when these assets are deployed in public cloud infrastructure, any accidental configuration errors exposing them to the internet should also be monitored.

Getting visibility into security tool coverage gaps across on-prem and cloud assets, and into internet exposure or misconfigurations in the cloud, helps Cybersecurity teams understand which assets are at risk. Even better, if Cybersecurity teams can also get visibility into high-risk combinations of security issues on these assets, they can prioritize certain assets for remediation over others. An example of a high-risk combination: a cloud asset with port 22 open to the internet, with critical vulnerabilities, and no endpoint protection tool installed on it.

Security Posture Control Solution

Security Posture Control provides a solution to this problem with two layers of security.

Asset Security Posture Management provides visibility into security tool coverage gaps, such as a missing endpoint protection agent or a missing configuration and patch management agent, on enterprise assets including on-prem devices and cloud-based virtual machines.

Cloud Security Posture Management provides additional, advanced insights into cloud assets, such as internet exposure of cloud virtual machines and any cloud misconfigurations or compliance gaps found against benchmark standards such as CIS.

Security Posture Control combines the insights from Asset Security Posture Management and Cloud Security Posture Management with vulnerability data gathered from third-party vulnerability assessment tools such as Qualys, Rapid7 and Tenable to identify assets having high-risk combinations.

[Image: Gopi37_0-1691397972452.png]

How it works

Asset Security Posture Management relies on asset data reported by Service Graph Connectors in the CMDB to identify coverage gaps. The Service Graph Connectors are available on the ServiceNow Store for tools in various categories such as Endpoint Protection (e.g., CrowdStrike), Networking (e.g., Cisco Meraki and Infoblox), Network Security, Infrastructure Monitoring (e.g., Datadog) etc.

When customers enable these Service Graph Connectors, the connectors populate the CMDB with the asset data seen and reported by the various tools. Security Posture Control then analyzes the assets reported by the various connectors to find any gaps.

For example, if 100 assets are reported by the Networking and Infrastructure Monitoring tools but only 80 of those assets are seen and reported by the Endpoint Protection Service Graph Connector, the remaining 20 assets are surfaced as assets missing the Endpoint Protection agent.

Cloud Security Posture Management talks directly to the APIs of cloud providers such as AWS and Azure to identify misconfigurations and internet exposure of cloud-based virtual machines. For internet exposure, ServiceNow performs this analysis for cloud virtual machines by analyzing the configuration of security groups, subnets, internet gateways, and VPCs. Through this analysis, ServiceNow can identify whether a virtual machine is accessible from anywhere on the internet, and on which ports and protocols. This is currently supported for AWS only. Identifying misconfigurations or compliance gaps against benchmark standards such as CIS is supported for both AWS and Azure.
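The exposure analysis described above, as an added worked example that is not ServiceNow's code. It walks the same hops over a constructed, simplified AWS configuration with made-up resource IDs: the instance must have a public IP, its subnet's route table must send the default route to an internet gateway, and a security group ingress rule must admit traffic from 0.0.0.0/0 or ::/0. Only when all three hold is the instance reported as reachable from anywhere, together with the ports and protocols the rules open. Network ACLs and the IGW attachment state are assumed permissive and are not modeled.

```python
"""Internet-reachability check for EC2-style instances over constructed VPC data.

Added example (not ServiceNow's code). An instance is flagged as exposed on a
port only when public IP, subnet routing to an IGW, and a world-open security
group rule all agree; any hop failing means "not reachable from the internet".
"""
from ipaddress import ip_network

# Constructed sample configuration; every ID below is made up.
VPC = {
    "internet_gateways": {"igw-0abc"},
    "route_tables": {
        "rtb-public": [{"dest": "0.0.0.0/0", "target": "igw-0abc"}],
        "rtb-private": [{"dest": "0.0.0.0/0", "target": "nat-0def"}],  # NAT: egress only
    },
    "subnets": {
        "subnet-pub": {"route_table": "rtb-public"},
        "subnet-priv": {"route_table": "rtb-private"},
    },
    "security_groups": {
        # AWS uses proto "-1" to mean every protocol.
        "sg-ssh-open": [{"proto": "tcp", "from": 22, "to": 22, "cidr": "0.0.0.0/0"}],
        "sg-web-internal": [{"proto": "tcp", "from": 443, "to": 443, "cidr": "10.0.0.0/8"}],
        "sg-all-v6": [{"proto": "-1", "from": 0, "to": 65535, "cidr": "::/0"}],
    },
    "instances": {
        "i-bastion": {"subnet": "subnet-pub", "public_ip": "203.0.113.10",
                      "sgs": ["sg-ssh-open", "sg-web-internal"]},
        "i-app": {"subnet": "subnet-priv", "public_ip": None, "sgs": ["sg-ssh-open"]},
        "i-wide": {"subnet": "subnet-pub", "public_ip": "203.0.113.11", "sgs": ["sg-all-v6"]},
    },
}


def is_world_cidr(cidr):
    """True for 0.0.0.0/0 or ::/0 (prefix length zero matches every address)."""
    return ip_network(cidr).prefixlen == 0


def subnet_is_public(vpc, subnet_id):
    """True when the subnet's route table has a default route pointing at an IGW."""
    rtb = vpc["subnets"][subnet_id]["route_table"]
    return any(
        is_world_cidr(route["dest"]) and route["target"] in vpc["internet_gateways"]
        for route in vpc["route_tables"][rtb]
    )


def open_ports(vpc, instance_id):
    """Return the set of (proto, from_port, to_port) admitted from anywhere,
    or an empty set when the instance cannot be reached from the internet."""
    inst = vpc["instances"][instance_id]
    if not inst["public_ip"] or not subnet_is_public(vpc, inst["subnet"]):
        return set()
    exposed = set()
    for sg in inst["sgs"]:
        for rule in vpc["security_groups"][sg]:
            if is_world_cidr(rule["cidr"]):
                exposed.add((rule["proto"], rule["from"], rule["to"]))
    return exposed


def exposure_report(vpc):
    """Instance ID -> sorted list of world-reachable (proto, from, to) tuples."""
    return {iid: sorted(open_ports(vpc, iid)) for iid in vpc["instances"]}


if __name__ == "__main__":
    for iid, ports in exposure_report(VPC).items():
        print(iid, "exposed on" if ports else "not internet-reachable", ports or "")
```

On the sample data, `i-bastion` is exposed on tcp/22 only (its 443 rule is limited to a private range), `i-app` has a world-open SSH rule but sits behind a NAT route with no public IP, so it is not reachable, and `i-wide` is exposed on every port and protocol over IPv6.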

If customers already have Vulnerability Response deployed, they can benefit from Security Posture Control’s ability to combine the asset security and cloud security insights with vulnerability data on assets to identify critical or high-risk assets.

[Image: Gopi37_1-1691397972467.png]

Policies

ServiceNow ships a few out-of-the-box policies to detect the following security gaps.

  • Assets missing security tools such as endpoint protection.
  • Unmanaged assets (assets missing a configuration and patch management agent or an endpoint management solution).
  • Assets missed by vulnerability scanners.
  • Assets missing security tools and having critical vulnerabilities.
  • Cloud assets exposed to the internet and having critical vulnerabilities and/or security tool coverage gaps.

Customers can also easily create their own custom policies using the policy builder in Security Posture Control. For example, if your requirement is to identify cloud assets that face the internet, are missing a specific version of CrowdStrike, and are impacted by the Log4Shell vulnerability, you can achieve that by defining a policy as shown below.

[Image: Gopi37_2-1691397972477.png]
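A worked example, added here and not ServiceNow's code, of two things described on this page: the coverage-gap analysis from the "How it works" section (assets seen by inventory-style connectors but never reported by a security tool's connector) and the out-of-the-box and custom policies listed above, expressed as predicates over an enriched asset record. The connector names, asset names, reported sets, ports and vulnerability findings are all constructed; CVE-2021-44228 is the real Log4Shell identifier, the other vulnerability ID is a labelled placeholder, and the agent version check from the custom policy text is simplified to "agent reported or not".

```python
"""Coverage gaps and high-risk-combination policies over constructed CMDB-style data.

Added example, not ServiceNow's code. Each connector contributes the set of assets
it reported; a coverage gap for a tool is "known to inventory sources, never seen
by that tool". Policies combine gaps, cloud exposure and vulnerability data.
"""
from dataclasses import dataclass, field

# Constructed sample: which assets each (hypothetical) connector reported.
REPORTED_BY = {
    "meraki": {"web-01", "web-02", "db-01", "bastion-01", "WEB-03.corp.example"},
    "datadog": {"web-01", "web-02", "db-01", "legacy-01"},
    "crowdstrike": {"web-01", "db-01"},            # endpoint protection
    "sccm": {"web-01", "web-02", "db-01"},         # configuration & patch management
    "qualys": {"web-01", "web-02", "bastion-01"},  # vulnerability scanner
}
# Sources that enumerate assets regardless of which security agents are installed.
INVENTORY_SOURCES = ("meraki", "datadog")


def normalize(name):
    """Reconcile hostnames across connectors: case-fold and drop the domain suffix."""
    return name.strip().lower().split(".")[0]


def seen_by(source):
    return {normalize(n) for n in REPORTED_BY[source]}


def coverage_gap(tool, inventory=INVENTORY_SOURCES):
    """Assets known to the inventory sources but never reported by `tool`'s connector."""
    known = set().union(*(seen_by(s) for s in inventory))
    return known - seen_by(tool)


@dataclass
class Asset:
    """One CMDB asset enriched with cloud exposure and vulnerability findings."""
    name: str
    cloud: bool = False
    internet_ports: set = field(default_factory=set)   # from the cloud exposure analysis
    critical_vulns: set = field(default_factory=set)   # from a vulnerability response feed

    def missing(self, tool):
        return self.name in coverage_gap(tool)


# Constructed enrichment data. CVE-2021-44228 is Log4Shell; the other ID is a placeholder.
ASSETS = [
    Asset("web-01", cloud=True, internet_ports={443}, critical_vulns={"CVE-2021-44228"}),
    Asset("web-02", cloud=True, internet_ports={22, 443}, critical_vulns={"CVE-2021-44228"}),
    Asset("web-03", cloud=True, internet_ports={22}),
    Asset("db-01"),
    Asset("bastion-01", cloud=True, internet_ports={22}, critical_vulns={"CVE-PLACEHOLDER-0001"}),
    Asset("legacy-01"),
]

# Policies as predicates: the first five mirror the out-of-the-box list, the last the custom example.
POLICIES = {
    "missing_endpoint_protection": lambda a: a.missing("crowdstrike"),
    "unmanaged": lambda a: a.missing("sccm"),
    "missed_by_vuln_scanner": lambda a: a.missing("qualys"),
    "no_edr_and_critical_vuln": lambda a: a.missing("crowdstrike") and a.critical_vulns,
    "exposed_cloud_high_risk": lambda a: (
        a.cloud and a.internet_ports and (a.critical_vulns or a.missing("crowdstrike"))),
    "custom_internet_facing_no_crowdstrike_log4shell": lambda a: (
        a.cloud and a.internet_ports and a.missing("crowdstrike")
        and "CVE-2021-44228" in a.critical_vulns),
}


def evaluate(assets=ASSETS, policies=POLICIES):
    """Map each policy name to the sorted list of asset names it matches."""
    return {name: sorted(a.name for a in assets if rule(a)) for name, rule in policies.items()}


if __name__ == "__main__":
    print("crowdstrike coverage gap:", sorted(coverage_gap("crowdstrike")))
    for policy, hits in evaluate().items():
        print(f"{policy}: {hits}")
```

The hostname normalization matters in practice: `WEB-03.corp.example` from the networking connector and `web-03` from the cloud analysis are the same machine, and without reconciling them the tool would report a phantom gap and miss a real one. With the sample data the custom Log4Shell policy matches only `web-02`, the one asset that is cloud-hosted, internet-facing, absent from the CrowdStrike connector and carrying CVE-2021-44228.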

Early Adopters

We are looking for early adopter customers who are willing to test this solution in their sub-prod or test environments and provide feedback to shape the product’s roadmap.

Links to the apps

Asset Security Posture Management

Cloud Security Posture Management


Please comment on this post if you are interested in having a 1:1 conversation and would like to see a demo of this product.
