Have you registered for Risk Calculator and Remediation Target Rule success webinar (Mar 15-16)?

03-13-2023 11:05 AM - edited 04-13-2023 09:14 AM
Hello all,
The "Success with Vulnerability Response" series of recommended practices deep-dive webinars continues. After the great feedback from the VR Performance, CI Matching and Assignment & Classification rules calls earlier this year, I am now pleased to invite you to the next installment.
On March 15 & 16, Elizabeth Skogquist, Senior Product Success Manager, Security and Joe Harvey, Senior Technical Consultant, Security will be presenting to you the team's recommendations to be successful with Risk Calculators and Remediation Target Rules.
There are 3 opportunities for you to attend this call:
Option 1: Mar 15 at 8AM Pacific time (US and Canada) = 4PM London UK time. 60 minutes, including live Q&A. Register here: https://servicenow.zoom.us/webinar/register/WN_0sh3l3oqSzGdLMTOFYIBqg
Option 2: Mar 15, at 9PM Pacific time (US and Canada) = Mar 16, at 4PM Sydney Australia time. 60 minutes, replay with live Q&A. Register here: https://servicenow.zoom.us/webinar/register/WN_KcjuMq8zTxi6iSQIREbiqA
Option 3: Mar 16, at 8AM Pacific time (US and Canada) = 4PM London UK time. 60 minutes, replay with live Q&A. Register here: https://servicenow.zoom.us/webinar/register/WN_kOkFPdeYSMqS2REcVI4UoA
Please register ONLY with your corporate email address.
Cheers,
EF
And here is the video recording:
The PDF version of the slides is attached:
03-20-2023 05:15 PM
Here is the full Q&A of the three sessions.
| Question | Answer |
| --- | --- |
| What about calculation based on the published date of the vulnerability? | The Vulnerability Date Published is not currently one of the available options. This would be an excellent candidate for the Idea Portal. Ideas can be up-voted and are prioritized to be included in future releases by votes. Be sure to search existing Ideas before submitting a new one in case it has already been requested. Idea Portal: https://support.servicenow.com/ideas |
| What are some popular fields in the CMDB to use in the Risk Scoring? | This is not a comprehensive list and every customer has different levels of detail in their CMDB, but conditions could include one of the following: Business Criticality, Internet Facing, Environment (if Prod is different from non-Prod data?), DNS Domain (sensitive data by DNS?). Don't forget the somewhat recent Classification and Classification Type fields available on both the Vulnerability Entry and Discovered Item tables as possible fields to be included in Conditions. Also, some customers have added customized fields to the Discovered Item table that could be considered. |
| Is there a solution for manual override of Risk Rating for vulnerabilities without changing the rule criteria? Let's say rules work 99.9% of the time, but for some reason the company wants to increase the risk rating? | There is currently no way to manually override a risk score. Consider using a Watch Topic as a way to monitor a specific group of vulnerable items. A way to manually override a risk score would be an excellent candidate for the Idea Portal. Ideas can be up-voted and are generally prioritized by that value. Be sure to search existing Ideas before submitting a new one in case it has already been requested. Idea Portal: https://support.servicenow.com/ideas Creating Watch Topics: https://docs.servicenow.com/en-US/bundle/utah-security-management/page/product/vulnerability-respons... |
| We are looking into the possibility of using a different risk scoring algorithm (EPSS). Is there any plan to integrate the EPSS risk scores into the third party vuln entries table, or guidance on how to do this if not? | We do not currently have any roadmap plans to integrate EPSS risk scores. Should you need to implement this yourself, we recommend an API integration with FIRST.org into the Vulnerability Entry table, to populate custom "epss", "epss_percentile" and "epss_date" fields for each CVE. See their API Docs here: https://api.first.org/epss/ |
| Do Risk Calculators and their associated process discussed today apply to the Configuration Compliance application as well (meaning, do the risk calculators work the same way between VR and CC)? | Yes, the Risk Calculators module in Configuration Compliance works the same way as the Vulnerability Calculators module in Vulnerability Response. You can create a Calculator group, with child calculator rules to set values using a template or script, or a Risk Rule to set values using weights for field values across different tables. |
| Is there an easy way to view VITs that have changed risk rating? | It is not quite possible to just isolate VITs whose risk score has changed. It is possible to easily filter on the "last_updated_by_source" field to show VITs which have been updated by the scanner. However, this is a classic use case for a core platform feature called "Metrics". You could accomplish a report showing VITs with changed Risk Scores by creating a Metric Definition to monitor the Risk Score field for changes, generating a Metric Instance under the conditions you define. You would then be able to easily report on the Metric Instances for your Metric Definition, which would show you VITs whose Risk Scores have changed. This is common practice to accomplish use cases like reporting on Incident first-touch resolution, or Incidents by number of reassignments. See documentation on creating new Metrics here: https://docs.servicenow.com/bundle/utah-platform-administration/page/use/reporting/task/create-metri... |
| We have various remediation states including: In-flight, Approaching Target, and Target Missed. Sometimes a severity changes and a ticket jumps straight from In-flight to Target Missed, something we want to prevent. | While this can be changed, it would require customisation of the "Run remediation target rules" Business Rule on the Vulnerable Item table, and is not recommended. Rather, we recommend adding additional conditions to your Remediation Target Rules to suit your needs. |
| When it comes to risk calculation in VR, Qualys QDS, Tenable VPR and the True Risk of Rapid7 InsightVM play an important role. Is there any documentation (for each) or more explanation from your team? | We do not offer documentation for vendor-specific risk scoring strategies. However, you can certainly incorporate the fields in which these scores reside on the Third Party Entry table into your risk score calculators. For more information on creating risk score calculators, and using field values in calculations, see these docs pages: https://docs.servicenow.com/bundle/utah-security-management/page/product/vulnerability-response/task... https://docs.servicenow.com/bundle/utah-security-management/page/product/vulnerability-response/task.... |
| Does SecOps provide a flag when exploit code becomes available for a CVE? Or would a third party feed be needed for this? | An integration that has recently become available is the "Vulnerability Response Integration with CISA", which retrieves the latest exploit data from CISA and updates affected vulnerabilities. |
| Risk Score and Risk Rating are OK, but ultimately Risk Quantification (economic impact) is of more interest to C-levels/BODs. | Are you using ServiceNow's Risk solution alongside VR, which could support risk quantification with configuration using the VR data? |
| Is Vulnerability Published Date available for Remediation Target Rules? We use this date to take into account risk from aged vulnerabilities being introduced into our environment. | As a part of the condition for applying a RTR, yes, but not as one of the fields to derive the target from. Other customers have certainly requested this; I'd recommend submitting the use case in our idea portal to be upvoted by other customers: https://support.servicenow.com/ideas?id=ideas_list&sysparm_module_id=enhancement_requests |
| Is there any global list or best practice for the CI lookup rule that can be utilized while configuring the vulnerability management application? | At the moment there is no single "best practice" list of CMDB CI Lookup Rules for Vulnerability Response. If you are using a ServiceNow Store App for a given 3rd party scanner such as Qualys, Tenable, Rapid7, etc., we do ship with a set of CI Lookup Rules to begin with. That said, there are still some tuning elements you will want to consider, such as ignoring certain CMDB CI Classes to match on (e.g. VMware Machine Instance) … also shaping how you match to CIs, e.g. do you want to ignore matching to CIs in the CMDB that are retired? We have some recorded webinars where we walk through challenges to be aware of and thoughts as you look at your CI matching with VR. Check this out: https://www.servicenow.com/community/for-new-customers-vr-articles/ci-matching-how-to-do-it-right-20... |
| Can the remediation target be linked to the KEV due date? I'm unclear on how that "static" due date from the KEV catalog can be linked when it appears the target rules are calculated from X number of days from a first found, last opened, etc. | At this time, remediation targets are not able to be calculated with the KEV due date. |
| Do these calculations presuppose all CIs are related to an Application Service? Therein, all Application Services are mapped to a Business Application? | Calculations are being applied on all types of CIs being brought in with vulnerabilities, with no dependencies on service mapping. |
| Where does the risk calculation come from? NIST or ServiceNow's own formula? | Customers have risk calculators provided out of box (OOB) for use. The OOB calculation provided is designed with ServiceNow's recommended attributes for risk calculation based on data available in the platform. Customers have the ability to customize which attributes are being used in the calculation and weightings to tune for their organization's preference. |
| How would you suggest handling false positives, where we have to keep re-deferring vulnerabilities? | For those, I'd recommend looking into the "exception rule" feature. That could allow you to automate that process for the specific cases you identify. |
| Is there a list of CI lookup rules for OT devices? | Great question. Part of this will depend on the integration / ServiceNow Store App being used. For example, with the MS Defender for IoT integration, part of the setup with that application incorporates on-boarding CIs into the CMDB before getting to the VR part. If you are on-boarding vulnerability data from OT gear using agents or traditional infrastructure scanning tools, we'd be working with the usual data objects like Hostname and FQDN as the primary ones to begin with, before falling back to less reliable objects like IP Address; https://www.servicenow.com/community/secops-forum/recommended-practices-for-ci-matching-success-cust... |
| Has there been a new field introduced in Tokyo to be used to calculate RTR from? | Great question. In v17.1 of VR this has been enhanced to be configurable. You can select which particular date field is used to "drive the clock" … This will be driven by the "Target from (date)" field: https://docs.servicenow.com/bundle/utah-security-management/page/product/vulnerability-response/task... |
| Last I remember, for Application Vulnerability OOB there was no concept of Remediation Task (group). Is it now available? | Grouping of AVITs is currently not available. |
| How do you get the large block colored scores on the VR Group List View? | Grouping of AVITs is currently not available. |
| What's the rating for MS TVM (Defender)? | There is not a MS TVM-specific risk calculator shipped with that integration. However, the Severity values we record for vulnerabilities from MS TVM are taken from the MS Source severity. You likely have your own risk calculator implemented (or just the default one) that uses that Vulnerability Severity value sourced from MS TVM. |
| How do we determine whether a CI is external / internal? Does Qualys send this info? | Ideally, the CI would have some sort of Internal/External indicator. This is often not the case. In these instances, customers often are able to derive this using data from the third party scanner (Qualys/Tenable/Rapid7), where it can be stored in the Discovered Item table. |
| What is the value of Remediation Targets when you could just create Resolution SLAs for VITs and leverage an associated Workflow or Flow to handle notification triggers? | If Remediation Target Rules were configured, they would apply as usual. The SLA would run outside of the Remediation Target assignment and processing. |
| How are SLAs impacted when the overall score of a VUL group drops? | If you are defining SLAs vs. Remediation Targets, whether the SLAs progress on reduction of a Risk Score is going to depend on whether it has been defined for use in the SLA. |
| Are the risk score triggers configurable, i.e. can one or more of them be disabled to prevent an update? | If you were to customize the business rule, yes, or disable the OOB business rule and create your own trigger with your desired conditions. |
| Is it configurable to use Threat Indicators, in addition to risk score, to define risk ratings? | In theory, were you to write a scripted Risk calculator, it is entirely possible to look up threat indicators as a part of the scripted calculation. The lookup logic and scoring would be entirely up to you to determine, however. And this can be a performance intensive operation for numbers of vulnerable items in the millions, as the risk calculator is run for every vulnerable item record. If you were to implement this, we suggest making conditions such that the rule is only run for an exceedingly small number of circumstances, say the highest risk Vulnerable Items. |
| The automated exception rule takes forever for large (millions of records) datasets. What's the solution in such scenarios? | We recommend narrowing the condition and splitting out the rules. The large volume for evaluation should be a one-time thing, followed by smaller volumes subsequently. |
| For Tenable, without a VPR score, how is the VPR score weighted? | Weightage in the default Tenable risk calculator is 70 for VPR, 15 for Asset Exposure, and 15 for Business Criticality. Without a VPR score, the risk score would be <=30. |
| Can we dot walk to the detections table? | No |
| Are there future plans to add vulnerability published date in the drop down of the Target From (date)? | Not currently. Would you be willing to submit your use case in our idea portal, to be upvoted by other customers: https://support.servicenow.com/ideas?id=ideas_list&sysparm_module_id=enhancement_requests |
| How customizable are the Remediation target notifications? If it's not recommended to use SLAs, what is the recommendation to notify assignees of upcoming vulnerabilities coming due? | Remediators are encouraged to look at the "volume" of Remediation Tasks approaching Remediation Targets from their Remediation Workspace. Notifications could be burdensome for this use case. |
| How does the calculator work with zero day MS patching, e.g. Outlook we had yesterday? | Risk calculators are set up with fields available in the platform. If your organization is providing a field that has zero day noted (checkbox?) and the risk calculator has that field defined in a rule, it could impact the risk score. |
| What is the impact to performance of evaluating 100,000+ vulnerabilities through risk rules? If we needed to re-apply rules to existing VITs, what needs to be considered? | Timing of the scheduled job is critical for rerunning all. If using the Reapply UI Action, the job queues as a background job and you can increase the threads to allow more processes to be used on the job. If not using the Reapply UI Action, confirm the schedule of the job will not impact other jobs scheduled during that extended time for update. |
| What is VPR? | VPR - Vulnerability Priority Rating. This is a Tenable-supplied rating. |
| When are you planning to have a Deferral extension feature? | We don't currently have plans for a Deferral extension feature, but would be interested in your use case described in the Idea Portal. Usually we have customers tell the opposite story, trying to crack down on abuse of the deferral feature. |
| Are these calculators also available for Application and Container vulnerability? | Yes, Vulnerability Calculators are available for Application and Container vulnerability. |
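As an added illustration of the EPSS answer above (example code, not part of the original post or a ServiceNow-shipped integration): the FIRST.org EPSS API returns one JSON record per CVE, and this script shapes such a response into updates for the three custom fields the answer suggests (`epss`, `epss_percentile`, `epss_date`) on the Vulnerability Entry table, while validating each record and reporting CVEs the feed has not scored so they are left untouched rather than zeroed. The CVE identifiers, the response object and the field names are constructed assumptions; the actual HTTP call and GlideRecord update are omitted.

```javascript
// Constructed sample response in the shape of https://api.first.org/epss/
// (query ?cve=CVE-A,CVE-B). CVE ids and values are made up for illustration.
var SAMPLE_RESPONSE = {
  "status": "OK", "status-code": 200, "version": "1.0", "access": "public",
  "total": 2, "offset": 0, "limit": 100,
  "data": [
    { "cve": "CVE-2023-00001", "epss": "0.97565", "percentile": "0.99987", "date": "2023-03-15" },
    { "cve": "CVE-2023-00002", "epss": "0.00043", "percentile": "0.08412", "date": "2023-03-15" }
  ]
};

// Parse one API record. Returns null for a malformed record so a bad value
// is never written into a field that feeds the risk calculator.
function parseEpssRecord(rec) {
  if (!rec || !/^CVE-\d{4}-\d{4,}$/.test(rec.cve || "")) return null;
  var epss = Number(rec.epss);          // API returns numbers as strings
  var pct = Number(rec.percentile);
  var isoDate = /^\d{4}-\d{2}-\d{2}$/.test(rec.date || "");
  if (!(epss >= 0 && epss <= 1) || !(pct >= 0 && pct <= 1) || !isoDate) return null;
  // Keys mirror the assumed custom fields on the Vulnerability Entry table.
  return { cve: rec.cve, epss: epss, epss_percentile: pct, epss_date: rec.date };
}

// Build per-CVE field updates for the CVEs we queried. CVEs absent from the
// response (not yet scored by FIRST) are returned in "missing" instead of
// being written as 0, which would wrongly lower their computed risk.
function buildEpssUpdates(requestedCves, response) {
  var byCve = {};
  if (response && response.status === "OK" && Array.isArray(response.data)) {
    response.data.forEach(function (rec) {
      var parsed = parseEpssRecord(rec);
      if (parsed) byCve[parsed.cve] = parsed;
    });
  }
  var updates = {};
  var missing = [];
  requestedCves.forEach(function (cve) {
    if (byCve[cve]) {
      updates[cve] = { epss: byCve[cve].epss, epss_percentile: byCve[cve].epss_percentile,
                       epss_date: byCve[cve].epss_date };
    } else {
      missing.push(cve);
    }
  });
  return { updates: updates, missing: missing };
}

// Stand-alone run: one requested CVE is deliberately absent from the sample.
var result = buildEpssUpdates(["CVE-2023-00001", "CVE-2023-00002", "CVE-2023-00003"], SAMPLE_RESPONSE);
console.log(JSON.stringify(result, null, 2));
```

In a ServiceNow implementation the `updates` map would drive a GlideRecord update of the custom fields, and `missing` would be logged rather than written.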

04-14-2023 12:30 PM
Make sure you do not miss the Q2 webinars: https://www.servicenow.com/community/secops-forum/vulnerability-response-recommended-practices-webin...
03-21-2023 07:15 AM
Hi Eric, thanks for this. The table within a frame format makes it difficult to consume this, as we have to constantly scroll to the bottom of the list to move left to right, then back up the list to the question we were trying to read. Any other way to post this information that works better?