sean_convery
ServiceNow Employee

I've been spending a lot of time talking to customers over the last few weeks and I've heard a ton of great use cases for our Security Operations product. Let me share a great one right now. If you've been sitting on the sidelines as Enterprise Security Response has moved from concept to reality, this may come as a bit of a shock. We have a customer doing this in production today. You may want to sit down.

Here's what it looks like:

1. Vulnerability Scan kicks off via automated trigger from ServiceNow using Tenable, Qualys, Rapid7, etc.

2. Scan results are automatically attached to the asset repository maintained by IT.

3. Based on pre-defined rules, using both the criticality of specific vulnerabilities and the value of the asset / service affected, automatically create tasks for IT with specific SLAs to remediate the discovered vulnerabilities.

4. IT can then trigger automatic patching for certain assets, conduct manual patching for others, and incorporate whatever test and validation procedures they require. All of this is part of a common vulnerability and patching workflow.

5. When the patch is marked complete by IT, security is notified and an automatic targeted re-scan is triggered by ServiceNow.

6. Assuming the vulnerability is addressed, the workflow concludes and a complete audit trail of the entire process is recorded, automatically.

7. All of this rolls up into high-level dashboards that highlight average time to remediate by specific criticality categories with overall SLA compliance trended over time. No more finger pointing; now IT and security have the data.

Zero people are involved at all from the security team beyond setting up the initial policies and workflow and reviewing the dashboards at the end. Let me say that again as you probably weren't prepared to read it: zero people are involved at all from the security team once the environment is set up.

And IT staff (worst case) get involved at step 4 only for any system that requires manual patching.

When our marketing department talks about working at light speed, this is what they mean. Complete automation, total visibility, available from ServiceNow today.

Boom.

15 Comments
bjhughey164
Mega Expert

This.

This is awesome. Can someone demo this? We're looking at getting into Vulnerability Response and this sounds too good to be true!


Not applicable

Ben,

I do demos for Security Incident Response/Vulnerability Management at least once a week. Let me know if you would like to set up some time to review.

Tom O'Neil
Partner & Founder
SecOps Partners LLC
P: (585) 322-4767
E: tom.oneil@SecOpsPartners.com
W: http://www.SecOpsPartners.com
https://www.linkedin.com/in/tom-oneil-5758371
Visit us at booth N3 at Knowledge17


derocheb
Kilo Contributor

sean.convery@servicenow.com This sounds great. I have a couple of questions on the workflow you laid out.

Is there a separate ticket for each vulnerability on each asset? If so, does the IT owner have to mark each one as "fixed", or will marking one as fixed prompt a vulnerability scan, with the results of the scan then updating/closing all tickets as applicable?

How is automatic patching done and how much granularity is there? Can patching be specific by certain filters (host name filters and timing windows)?

Is the dashboard referenced in the last step only available in Performance Analytics, or is it also available within just the Vulnerability module?


Alex Cox
ServiceNow Employee

Hi Brett,

Our best practice for ticket creation is to use the built-in "Vulnerability Grouping" feature for bulk management of vulnerabilities. This is really handy because, in many cases, a vulnerability scanning platform may have information on hundreds of thousands to millions of vulnerabilities in a large-scale enterprise — and with vulnerability groups we can address thousands of vulnerabilities within a single change request.

Another handy benefit of doing things this way is that, to the point of your second question, it can help teams distribute and organize their response by nature of the vulnerability groups. For example: vulnerability response tasks for data centers in Europe, Asia and the Americas can be automatically assigned to the appropriate teams based on their geography, or however else system ownership is driven.

For the dashboards: there are dashboards using standard reporting, performance analytics, and also a few with a blend of both! That said: ServiceNow has a fantastic engine for building custom reports; once we've got the vulnerability data loaded you can get really creative.

Great questions; if you have any more, or would like to schedule a demo — just let us know!

Alex Cox | Principal Security Architect


derocheb
Kilo Contributor

All,

What are the options in terms of asset owners consuming the data?

It sounds and looks like vulnerability groups will contain vulnerability items, which sounds a lot like a ticket inside of a ticket.

If that is the case, in order for an asset owner to see what remediation steps should be taken, they must click on their vulnerability group and then click each vulnerable item to see what the actual vulnerability/remediation is. Are there other options for the asset owners to consume this data that will lead them to the necessary remediation steps quicker than this looks to?


Alex Cox
ServiceNow Employee

Hello Brett,

Ultimately: vulnerable items, vulnerability groups and change requests (tickets to remediate the issues) are three different types of things, and the differences may help in understanding how an end user might use the data. I'll try to cover this below and also go over how they work together.

A vulnerable item record simply stores a status/situation - it denotes the presence of a given vulnerability on a given system, but does not specifically create a ticket for working on these things. This status can be connected to other applications in ServiceNow, such as Change Management. The information from a vulnerable item can be automatically loaded into a change request, for instance.

Vulnerability groups, on the other hand, are simply what I would call "smart filters". Users can create and save search criteria for vulnerable items, and use that criteria to create a single change request, or single exception, in bulk.

[Screenshot: Vulnerability Group.png]

For example: if a vulnerability admin spots a prolific vulnerability that needs attention - they can make a vulnerability group to search for and isolate that issue, and then click "Create Change Request" to automatically create a change request ticket. That new ticket then holds all the info needed to remediate the issue: the affected systems, the assignee, and a reference to all the threat and solution data from the originating vulnerability scanner.

So ultimately: a vulnerability response coordinator would work from a vulnerability group, and a system admin or a patch team would work completely from the change ticket.

Note that while these are manual remediation flow examples - we can also automatically prescribe tasks (for humans or machines) to get the ball rolling in remediating the most critical of issues.

I hope that helps clarify the design some!
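The rule-driven task creation in step 3 of Sean's post and the vulnerability-group-to-change-request flow Alex describes above, as an added example in plain JavaScript (not ServiceNow platform code; the SLA table, field names and sample findings are assumptions):

```javascript
// Added illustration, not ServiceNow code: derive a remediation SLA from
// vulnerability criticality and asset value (step 3), then roll matching
// vulnerable items into one task per vulnerability, as a vulnerability group
// feeding a single change request would. All names and values are assumed.
// Constructed sample: scan findings already matched to the asset repository.
const VULNERABLE_ITEMS = [
  { asset: "web-01",  assetValue: "high", vulnId: "VULN-A", criticality: "critical" },
  { asset: "web-02",  assetValue: "high", vulnId: "VULN-A", criticality: "critical" },
  { asset: "lab-07",  assetValue: "low",  vulnId: "VULN-A", criticality: "critical" },
  { asset: "db-01",   assetValue: "high", vulnId: "VULN-B", criticality: "medium" },
  { asset: "kiosk-3", assetValue: "low",  vulnId: "VULN-C", criticality: "low" },
];

// Pre-defined rule table: days allowed to remediate, by criticality x asset value.
const SLA_DAYS = {
  critical: { high: 7,  medium: 14,  low: 30 },
  medium:   { high: 30, medium: 60,  low: 90 },
  low:      { high: 90, medium: 120, low: 180 },
};

function slaDays(criticality, assetValue) {
  const row = SLA_DAYS[criticality];
  if (!row || row[assetValue] === undefined) {
    throw new Error(`no SLA rule for ${criticality}/${assetValue}`);
  }
  return row[assetValue];
}

// "Smart filter" step: group items by vulnerability so IT gets one task per fix,
// not one per host. The task keeps the tightest SLA any affected asset requires.
function buildRemediationTasks(items, scanDate) {
  const tasks = new Map();
  for (const it of items) {
    const days = slaDays(it.criticality, it.assetValue);
    let task = tasks.get(it.vulnId);
    if (!task) {
      task = { vulnId: it.vulnId, criticality: it.criticality, assets: [], slaDays: days };
      tasks.set(it.vulnId, task);
    }
    task.assets.push(it.asset);
    task.slaDays = Math.min(task.slaDays, days);
  }
  for (const task of tasks.values()) {
    const due = new Date(scanDate);          // scanDate as "YYYY-MM-DD" (UTC)
    due.setUTCDate(due.getUTCDate() + task.slaDays);
    task.dueDate = due.toISOString().slice(0, 10);
  }
  return [...tasks.values()];
}
```

In the sample, the lab host sharing VULN-A with two production web servers does not relax the 7-day deadline, which is the behaviour you want when one change request covers mixed-value assets.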


derocheb
Kilo Contributor

alexcox Thank you for the clarification. I want to make sure that asset owners are receiving their data in the most efficient way possible.


NameHere
Kilo Contributor

sean.convery@servicenow.com and alexcox,

Would/Could Step #4 instead use a truly automatic patch management response? What's listed for Step #4 doesn't quite seem so "automatic".

Could ServiceNow Orchestration use the hyperlink/fix listed in the Vulnerability Group to download and then push the install of the patch to each Vulnerable Item? I was thinking of using Microsoft SCCM, Windows PowerShell, SSH or some other means.

If so, are there already companies/clients who are doing something similar?

Thanks,

jonwayman


Alex Cox
ServiceNow Employee

Hi Jon,

Yes, step #4 can be converted from a more automated process (i.e., approve and go) to an automatic one, though there are naturally risks and caveats.

ServiceNow Orchestration is indeed capable of performing automatic patch application when provided with a method, set of systems and the right update to execute - and you're absolutely right that this pairs well with the Vulnerability Group feature for routing fixes.

In terms of companies doing this today: we actually use Orchestration ourselves to keep ServiceNow systems protected and up to date! As a fun fact: ServiceNow instances themselves are maintained centrally using highly available pairs of ServiceNow management instances. 🙂

Now for an important caveat: each vulnerability scanner is different and some provide more data and more structure than others. Some scanners are great at providing fix IDs in a clean and structured way, though most provide fix information as free-form text. For this reason, it is generally helpful to have a human review element in your workflow - or at least an approval step - as a sanity check.

As my good friend Myke Lyons says: it's security automation that won't get you fired!
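The caveat above, turned into a gate for step 4, as an added JavaScript example (not ServiceNow code; the fix-ID pattern, field names and policy thresholds are assumptions): orchestration only runs unattended when the scanner handed over a structured fix ID, and a person approves or handles the rest.

```javascript
// Added illustration, not ServiceNow code: decide whether a finding may be
// patched automatically, needs approval, or needs a human to read free-form
// fix text. Field names, the fix-ID pattern and the policy are assumptions.

// Constructed sample findings as two scanners might hand them over:
// one returns a structured fix ID, the other only prose in "solution".
const FINDINGS = [
  { asset: "web-01",   assetValue: "medium", autoPatch: true,
    fixId: "PATCH-1234", solution: "Apply vendor patch PATCH-1234." },
  { asset: "db-01",    assetValue: "high",   autoPatch: true,
    fixId: "PATCH-1234", solution: "Apply vendor patch PATCH-1234." },
  { asset: "web-02",   assetValue: "medium", autoPatch: true,
    fixId: "",           solution: "Upgrade to the latest release or disable the module." },
  { asset: "legacy-9", assetValue: "low",    autoPatch: false,
    fixId: "PATCH-1234", solution: "Apply vendor patch PATCH-1234." },
];

// A fix ID counts as structured only if it matches a known vendor format
// (hypothetical pattern); an ID scraped out of prose does not qualify.
const FIX_ID_PATTERN = /^PATCH-\d{4,}$/;

function hasStructuredFix(f) {
  return FIX_ID_PATTERN.test((f.fixId || "").trim());
}

// Route one finding for step 4:
//   automatic - orchestration may apply the fix without waiting on a person
//   approval  - fix is well-defined, but a human signs off before execution
//   manual    - free-form fix text or unenrolled asset; a person builds the task
function routeRemediation(f) {
  if (!hasStructuredFix(f)) {
    return { asset: f.asset, mode: "manual", reason: "fix is free-form text" };
  }
  if (!f.autoPatch) {
    return { asset: f.asset, mode: "manual", reason: "asset not enrolled for automatic patching" };
  }
  if (f.assetValue === "high") {
    return { asset: f.asset, mode: "approval", reason: "high-value asset requires sign-off" };
  }
  return { asset: f.asset, mode: "automatic", reason: "structured fix on enrolled asset" };
}

function routeAll(findings) {
  return findings.map(routeRemediation);
}
```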


NameHere
Kilo Contributor

Thanks alexcox for your response!

And thank you davepeters as well for the link to the post.