‎01-29-2020 09:10 AM
Hello, I am looking for some recommendations on how to deal with the issue below that we are facing.
We are using the Rapid7 DW Module. As per our configuration, assets (CIs) in ServiceNow get decommissioned after a certain number of days, but since Nexpose doesn't know these have been decommissioned in SN, SN doesn't close the vulnerabilities for those assets. Basically, the auto-close of the vulnerabilities doesn't happen in SN. If we manually close these VIs, Nexpose will open them again.
What would you recommend doing in such a scenario?

‎01-30-2020 10:01 AM
Hey there,
Specifically for the Rapid7 SecOps integration, there is a built-in stale record process that you can investigate using.
Think of the scenario where a CI in the CMDB is showing as `Retired` or `Decommissioned`, but that asset / host for that CI is technically still active on the network and R7 is detecting vulnerabilities on that asset.
You can use the stale record process that comes with the R7 app in ServiceNow - this is referred to as the "Close by age" feature. When you configure this, ServiceNow will periodically comb through the Vulnerable Items and if it finds a record where the [Last found] date is greater than what you've configured the "Close by age" to, it will set the state of the Vulnerable Item to Closed.
This way, if an asset truly is retired or no longer on the network - you have a method to close out stale Vulnerable Items. You then rely on your scanner managing the States of Vulnerable Items, and the "stale record process" for closing out "aged" Vulnerable Items based on [Last found] date.
If you really feel there is a disconnect between CIs in the CMDB with a "Retired State" and vulnerability detections (Vulnerable Items) on those CIs -> you can start creating reports on that. You can gauge over time how many Vulnerable Items are Active but tied to a CI with a "retired" status... Once you gauge this picture, then you can use that information to make strategic decisions on how to actually handle this scenario (and whether you even need to take action on that).
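
The triage described in the answer above, as an added example that is not part of the original post and is not ServiceNow or Rapid7 code: a plain JavaScript model that separates Vulnerable Items a "Close by age" threshold would close from items on retired CIs that the scanner still detects. The record shape, field names and sample data are constructed for illustration.

```javascript
// Added illustration: a stand-alone model, not ServiceNow or Rapid7 code.
// Field names (ciStatus, lastFound, ...) are hypothetical.
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample Vulnerable Items.
const SAMPLE_ITEMS = [
  { id: 'VIT-A', ci: 'srv-old-01', ciStatus: 'Retired',     state: 'Open',   lastFound: '2019-10-01' },
  { id: 'VIT-B', ci: 'srv-old-02', ciStatus: 'Retired',     state: 'Open',   lastFound: '2020-01-28' },
  { id: 'VIT-C', ci: 'srv-app-07', ciStatus: 'Operational', state: 'Open',   lastFound: '2020-01-29' },
  { id: 'VIT-D', ci: 'srv-app-08', ciStatus: 'Operational', state: 'Open',   lastFound: '2019-09-15' },
  { id: 'VIT-E', ci: 'srv-old-03', ciStatus: 'Retired',     state: 'Closed', lastFound: '2019-08-01' },
];

// Whole days since the scanner last reported the finding.
function ageInDays(item, now) {
  const lastFound = Date.parse(item.lastFound + 'T00:00:00Z');
  return Math.floor((now.getTime() - lastFound) / DAY_MS);
}

// Split items into three buckets:
//  closeByAge              - not seen for longer than the threshold; safe to age out
//  retiredButStillDetected - CMDB says retired, scanner still sees the host recently;
//                            closing these by hand is what the scanner import undoes
//  unchanged               - already closed, or recent findings on live CIs
function triage(items, now, closeByAgeDays) {
  const result = { closeByAge: [], retiredButStillDetected: [], unchanged: [] };
  for (const item of items) {
    if (item.state === 'Closed') {
      result.unchanged.push(item.id);
    } else if (ageInDays(item, now) > closeByAgeDays) {
      result.closeByAge.push(item.id);
    } else if (item.ciStatus === 'Retired') {
      result.retiredButStillDetected.push(item.id);
    } else {
      result.unchanged.push(item.id);
    }
  }
  return result;
}

const NOW = new Date('2020-01-30T00:00:00Z'); // constructed "current" date
console.log(triage(SAMPLE_ITEMS, NOW, 60));
```

The `retiredButStillDetected` bucket is the one worth reporting on: it lists CIs whose CMDB status and scan results disagree.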

‎01-29-2020 12:04 PM
Hi,
First of all, Rapid 7 is doing the right thing. Even though the systems got decommissioned, they are still on the network and still have active vulnerabilities. These assets are still exposed to risks.
The objective is to manage the exposure during the transition period, and use the tool to adequately monitor risks and manage them properly.
Rather than closing those Vulnerable Items in ServiceNow, one can group the decommissioned Configuration Items together and continue monitoring vulnerability exposure. Consider using existing Vulnerability Response processes to manage the exposure (i.e. require risk assessment and exception approval).
If you really want to go ahead and close Vulnerable Items, you could use the Vulnerability Calculator to set the VIT state to Closed.
‎01-30-2020 06:20 AM
Hi Jing, thanks for the response. So in our case, the assets that are decommissioned are not active on the network anymore. How would you deal with such a case then?
