Are you part of a team looking to answer any of the following questions?
- How do I gain efficiencies in vulnerability management by focusing on high-risk vulnerabilities while automatically reducing risk score for vulnerabilities that are mitigated by security controls such as a firewall or an endpoint protection agent?
- How do I ensure all the devices on-prem or cloud have the critical security tools such as endpoint protection, data loss prevention, vulnerability scanner etc. installed and running properly?
- How do I ensure that critical security tools such as Endpoint Protection are configured appropriately to detect and/or block threats?
- How do I get visibility into security tool coverage for the assets in my CMDB without having to integrate with a third-party point solution?
- How do I get visibility into unmanaged or unknown assets on my network or in cloud?
If your answer is yes for any of the above questions, you will be interested in the content this blog has to offer.
Last year we launched Security Posture Control – a solution that provides 360° visibility into your enterprise assets and allows you to manage your attack surface by identifying security control coverage gaps, such as assets missing key security tools like endpoint protection.
One year after the GA launch, Security Posture Control has evolved beyond providing visibility into assets and security control coverage. It is now a platform that provides a security controls intelligence layer for information security and vulnerability management teams: comprehensive visibility into security tool coverage, health, and configuration, and a way to efficiently address exposures in their environment. Given below are the three problem areas addressed by Security Posture Control.
- Visibility into unknown or unmanaged assets
- Visibility into security tool coverage, health, and configuration
- Mitigation control detection for vulnerability prioritization
Visibility into unknown or unmanaged assets
How do you know that all the devices connected to the network are managed devices? It could be an unmanaged laptop connected to the network, or a virtual machine instance launched in the cloud from a non-standard image by one of the developers. Security Posture Control can identify unmanaged or unknown devices on your network by processing aggregated asset data from diverse sources such as Active Directory, cloud providers (AWS/Azure/GCP), endpoint management tools like Intune, and other security tools such as Endpoint Protection and Vulnerability Assessment.
Given below is an out-of-the-box policy that identifies end-user devices missing endpoint management tools like Microsoft Intune. To implement this use case, enable the appropriate API connectors (Service Graph Connectors) for common sources such as Active Directory, SCCM, Intune etc., and then enable the out-of-the-box policy shown below. If you already have ITOM Discovery running in your environment, those assets will be considered in the policy evaluation too. Service Graph Connectors let you connect to diverse sources of asset data to uncover gaps in your attack surface.
Visibility into security tool coverage, health, and configuration
Now that you have a handle on your enterprise asset inventory, let's get to the next problem. Do you know whether all your devices are equipped with, and actually running, basic security tools such as Endpoint Protection, Data Loss Prevention, Backup & Recovery etc.?
Security Tool Coverage
Security Posture Control seamlessly identifies security control coverage gaps by comparing asset data reported by various sources. Given below is a policy shipped out-of-the-box that identifies devices missing endpoint protection tools such as CrowdStrike, Microsoft Defender etc.
Let's double click on what this policy is doing exactly. It is looking for devices that are not reported by endpoint protection tools like CrowdStrike. As mentioned earlier in this blog post, a key prerequisite for getting the full benefit of Security Posture Control is to enable API connectors (Service Graph Connectors) for the most common asset data sources such as Active Directory, Microsoft SCCM, Intune, cloud providers etc. The Security Posture Control policy engine relies on aggregated asset data from these diverse sources. Let's say a device (an end-user laptop running Windows 11) is reported by the Active Directory connector, but was never reported by the CrowdStrike connector. This is a clear indication of an Active Directory registered device that doesn't have the CrowdStrike agent installed.
Security Tool Health
Along with coverage of security tools, it is also critical to monitor their health. Due to various issues, the endpoint protection agent or other security tool agents might not be actively running on a given device. Security Posture Control allows you to monitor the health of these tools seamlessly. Given below is an example policy.
The above policy is looking for devices reported by CrowdStrike (which means CrowdStrike was installed on these devices at some point) whose CrowdStrike agent has not been seen active in the last 3 days.
Security Tool Configuration
Having security tools such as Endpoint Protection (CrowdStrike) installed and running is not good enough. It is critical to configure these tools to detect the threats that are relevant to your organization's assets. Given below is an example of a policy that looks for Windows devices with CrowdStrike installed but NOT configured to block suspicious registry operations. The ability to monitor these gaps helps threat defense teams stay on top of relevant threats by ensuring that security tools are configured properly.
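To make the four policies above concrete (missing endpoint management, missing endpoint protection, stale agent, and a prevention setting not enabled), here is an added example that is not ServiceNow's code or Security Posture Control's policy engine. It is plain JavaScript over constructed per-connector records; the connector names, field names (`host`, `os`, `cls`, `last_seen`, `prevention`) and the sample hosts are assumptions for this example, not the Service Graph Connector schema. The one step every policy depends on is reconciling host names reported differently by each source (FQDN vs. short name, mixed case) into a single asset key before comparing.

```javascript
// Added example: evaluating coverage, health and configuration policies
// over aggregated asset data from several connectors. Data is constructed.

const NOW = Date.parse("2024-06-10T00:00:00Z"); // constructed "current time"
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed connector output. Note the inconsistent host naming across
// sources; that is typical of real feeds and must be normalised.
const CONNECTORS = {
  active_directory: [
    { host: "LAPTOP-01.corp.example", os: "Windows 11", cls: "end_user" },
    { host: "LAPTOP-02.corp.example", os: "Windows 11", cls: "end_user" },
    { host: "SRV-DB-01.corp.example", os: "Windows Server 2022", cls: "server" },
    { host: "MAC-03.corp.example", os: "macOS 14", cls: "end_user" },
    { host: "WS-04.corp.example", os: "Windows 11", cls: "end_user" },
  ],
  intune: [{ host: "laptop-01.corp.example" }, { host: "MAC-03" }, { host: "ws-04" }],
  crowdstrike: [
    { host: "LAPTOP-01", os: "Windows 11", last_seen: "2024-06-09T22:00:00Z",
      prevention: { suspicious_registry_operations: true } },
    { host: "SRV-DB-01", os: "Windows Server 2022", last_seen: "2024-06-01T08:00:00Z",
      prevention: { suspicious_registry_operations: true } },
    { host: "MAC-03", os: "macOS 14", last_seen: "2024-06-09T23:30:00Z", prevention: {} },
    { host: "WS-04", os: "Windows 11", last_seen: "2024-06-09T20:00:00Z",
      prevention: { suspicious_registry_operations: false } },
  ],
};

// Reconciliation: lower-case and drop the DNS suffix so "LAPTOP-01.corp.example"
// and "laptop-01" refer to the same asset.
function assetKey(host) {
  return host.toLowerCase().split(".")[0];
}

// Build the aggregated view: asset key -> { connector name -> record }.
function aggregate(connectors) {
  const assets = new Map();
  for (const [source, records] of Object.entries(connectors)) {
    for (const rec of records) {
      const key = assetKey(rec.host);
      if (!assets.has(key)) assets.set(key, {});
      assets.get(key)[source] = rec;
    }
  }
  return assets;
}

// Policy 1: end-user devices in Active Directory not reported by Intune.
function missingEndpointManagement(assets) {
  return [...assets]
    .filter(([, s]) => s.active_directory && s.active_directory.cls === "end_user" && !s.intune)
    .map(([key]) => key).sort();
}

// Policy 2: devices in Active Directory never reported by CrowdStrike.
function missingEndpointProtection(assets) {
  return [...assets]
    .filter(([, s]) => s.active_directory && !s.crowdstrike)
    .map(([key]) => key).sort();
}

// Policy 3: CrowdStrike knows the device, but the agent has not been seen
// active within `days` (the blog's example uses 3).
function staleEndpointProtection(assets, now, days) {
  return [...assets]
    .filter(([, s]) => s.crowdstrike && now - Date.parse(s.crowdstrike.last_seen) > days * DAY_MS)
    .map(([key]) => key).sort();
}

// Policy 4: Windows devices with CrowdStrike installed where blocking of
// suspicious registry operations is not enabled.
function registryBlockingDisabled(assets) {
  return [...assets]
    .filter(([, s]) => s.crowdstrike && /^Windows/.test(s.crowdstrike.os)
      && s.crowdstrike.prevention.suspicious_registry_operations !== true)
    .map(([key]) => key).sort();
}

// Evaluate every policy and return the findings in one object.
function evaluateAll(connectors, now = NOW) {
  const assets = aggregate(connectors);
  return {
    missing_endpoint_management: missingEndpointManagement(assets),
    missing_endpoint_protection: missingEndpointProtection(assets),
    stale_endpoint_protection: staleEndpointProtection(assets, now, 3),
    registry_blocking_disabled: registryBlockingDisabled(assets),
  };
}

console.log(JSON.stringify(evaluateAll(CONNECTORS), null, 2));
```

With the constructed data, `laptop-02` shows up under both coverage policies (it is in Active Directory but in neither Intune nor CrowdStrike), `srv-db-01` is flagged as stale because its last check-in is more than three days before `NOW`, and `ws-04` is flagged for the disabled registry setting. `mac-03` is not flagged by policy 4 because it is not a Windows device, which is why the OS filter belongs in the policy and not in the data.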
Mitigation control detection for vulnerability prioritization
Not every vulnerability needs to be patched. Vulnerability management teams are overwhelmed by the number of vulnerabilities they must deal with every day, and it is impossible to patch every vulnerability discovered by vulnerability assessment tools.
Apart from providing visibility into security control coverage, Security Posture Control goes a step further: it analyzes how these tools are configured and, as a result, which vulnerabilities are mitigated.
Security Posture Control analyzes the signatures, policy settings, and rules enabled in security tools such as Endpoint Protection (e.g., CrowdStrike or SentinelOne) and Web Application Firewall (e.g., F5 BIG-IP) to automatically identify the vulnerabilities that are mitigated in your environment, and populates the mitigation information on Vulnerable Item records in Vulnerability Response. Vulnerability managers can use this information to define risk calculators that downgrade the risk score of Vulnerable Items that already have mitigations in place, in the form of endpoint protection or an upstream web application firewall.
The outcome is that vulnerability managers can focus on high-risk vulnerabilities while deferring patching for low-risk vulnerabilities that have existing mitigations.
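To show what a mitigation-aware risk calculator does with that information, here is an added example that is not ServiceNow's code and not the Vulnerability Response risk calculator. It is plain JavaScript over constructed Vulnerable Item records; the reduction weights, the priority thresholds, the `mitigations` field shape and the `active` flag on each mitigation are assumptions for this example. The caveat it builds in is the one a practitioner would insist on: a mitigation only earns a reduction if the control providing it is actually active on that asset, so a stale endpoint agent (the health gap from the previous section) does not quietly downgrade a vulnerability.

```javascript
// Added example: adjusting Vulnerable Item risk scores for mitigations that
// are in place and active. Records, weights and thresholds are constructed.

// Fractional reduction applied per active mitigation type (assumed values).
const REDUCTION = { endpoint_protection: 0.4, web_application_firewall: 0.5 };

// The score never drops below this floor: a mitigated vulnerability is still
// a vulnerability and must stay visible for later patching.
const MIN_SCORE = 10;

// Priority buckets derived from the adjusted score (assumed thresholds).
const THRESHOLDS = [[70, "patch_now"], [40, "schedule"], [0, "defer"]];

// Constructed Vulnerable Items. "base_risk" is the score before mitigations;
// "mitigations" is the information populated from the security controls.
const VULNERABLE_ITEMS = [
  { id: "VIT-1", asset: "ws-04", vuln: "VULN-A", base_risk: 90,
    mitigations: [{ type: "endpoint_protection", control: "CrowdStrike", active: true }] },
  { id: "VIT-2", asset: "web-01", vuln: "VULN-B", base_risk: 80,
    mitigations: [{ type: "web_application_firewall", control: "F5 BIG-IP", active: true }] },
  { id: "VIT-3", asset: "srv-db-01", vuln: "VULN-C", base_risk: 85,
    // agent installed but not seen active: the mitigation must not count
    mitigations: [{ type: "endpoint_protection", control: "CrowdStrike", active: false }] },
  { id: "VIT-4", asset: "laptop-02", vuln: "VULN-A", base_risk: 90, mitigations: [] },
  { id: "VIT-5", asset: "web-02", vuln: "VULN-B", base_risk: 80,
    mitigations: [
      { type: "endpoint_protection", control: "CrowdStrike", active: true },
      { type: "web_application_firewall", control: "F5 BIG-IP", active: true },
    ] },
];

// Apply each active mitigation's reduction multiplicatively, then clamp.
function adjustedRisk(item) {
  let score = item.base_risk;
  for (const m of item.mitigations) {
    const reduction = REDUCTION[m.type];
    if (m.active && reduction !== undefined) score *= 1 - reduction;
  }
  return Math.max(MIN_SCORE, Math.round(score));
}

// Map a score to a priority bucket.
function priority(score) {
  return THRESHOLDS.find(([min]) => score >= min)[1];
}

// Produce the prioritised view a vulnerability manager would work from,
// recording which controls actually contributed so the decision is auditable.
function prioritise(items) {
  return items
    .map((item) => {
      const score = adjustedRisk(item);
      return {
        id: item.id,
        asset: item.asset,
        base_risk: item.base_risk,
        adjusted_risk: score,
        priority: priority(score),
        mitigated_by: item.mitigations.filter((m) => m.active).map((m) => m.control),
      };
    })
    .sort((a, b) => b.adjusted_risk - a.adjusted_risk);
}

console.table(prioritise(VULNERABLE_ITEMS));
```

In the constructed data, `VIT-3` and `VIT-4` keep their full scores and stay in the `patch_now` bucket: one has no mitigation, the other has an agent that is installed but inactive. `VIT-5`, covered by both an active endpoint agent and an upstream WAF rule, falls to 24 and can be deferred. Keeping `mitigated_by` on the output matters in practice, because when a control is later removed or found misconfigured, the items whose scores depended on it need to be re-evaluated.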
More blogs on mitigation controls will follow; stay tuned!
If you are interested in learning more about Security Posture Control, or in testing it in your sub-prod or dev environment, please comment or reach out to me directly at gopikrishna.boyinapalli@servicenow.com
#SecurityPostureControl #VulnerabilityResponse