Importance of CMDB after VR implementation

Martin Dewit
Kilo Sage

I have recently read up on a lot of documents and videos on proper VR configuration prior to production deployment. A lot of it had to do with a properly configured and established CMDB. Well, my organization set up VR before even starting to mature our CMDB. We have many discrepancies with our Qualys VR data and matching with our CMDB. We have brought up to the CMDB team the importance for VR. I see it like this: we have so much good data from Qualys (IP, DNS, Hostname, Vulnerabilities, etc.) and it seems the CMDB team prefers their own methods of discovery. Their discovery is still in beginning stages, so we either try to persuade them to use existing good data from Qualys, or we sit and wait until their discovery is finished and deployed across the enterprise.

How can we get CMDB team buy-in post production deployment on using existing Qualys/VR data to mature the CMDB (as a result improving both databases, VR and CMDB)?


Adam Horwitz
ServiceNow Employee

Hi Martin,

Here are a few things to keep in mind:

  1. You're probably not scanning 100% of the enterprise. Only production systems? Only servers? Are you scanning VoIP Phones and printers? All of these are sources of vulnerabilities that can be exploited in an environment. I rarely hear a customer tell me they're scanning everything for vulnerabilities but Discovery, well, the goal there should be to find 100% of the devices.
  2. You can certainly make use of the information provided by your scanners. You could even create a security incident (if you have Security Incident Response) if the scanner reports a device that's in a secure network segment where an unknown device should never be found.
  3. The CMDB team likely has a well defined process for managing CMDB records. How new records are added, who verifies the information, which services it supports (ITOM Visibility can do this - vulnerability scanners cannot), commission/de-commission process, etc.

The bottom line is that it's a team effort, not security vs. CMDB (or IT operations). ServiceNow gives you the flexibility to leverage data you have already collected to execute whatever business process you define. The data exists in different tables and you could write a script to perform some sort of cross-check, before or after the Discovery project has been completed and then on-going (daily?).

At the end of the day, vulnerability management is a company business problem, not an IT or security problem. We are simply the people, tools and processes that detect and remediate for the broader business needs that depend on our outcomes.

Hope this helps.

--Hollywood 

Stephen Laseau
Kilo Guru

SecOps has a dependency on a mature CMDB. We recommend to our customers the need to mature the CMDB as much as possible before implementing VR. This includes:

- Proper network scanning (i.e. Discovery)

- Defining ownership, environment (prod, dev...), exposure (internet facing)...

In your situation, I would impress the following on the CMDB team:

- Vulnerability scanners ALWAYS find assets that are not in the CMDB.  This can be thousands or even tens of thousands.  Therefore, it is bad practice for that team to ignore the CIs discovered by a VR scanner.

- Let them know you want to work with them to define an appropriate triage process to make that task as efficient as possible.  For example, is there a reliable naming convention for desktops or servers?  If so, you can create scripts to automatically reclassify systems in the unmatched table.

- Ensure they focus not just on getting the systems into the CMDB, but embellishing them with appropriate data such as ownership (there can be multiple types), environment, exposure...

- If you are using tags effectively in Qualys, let them know you can effectively supplement data in the CMDB based on the Qualys data.

- Explain that all SecOps data (VITs and Sec Incidents) are valuable to the CMDB.  All of these records are linked to a CI and can help IT in many ways.
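The cross-check between scanner and CMDB data that Adam mentions, together with the naming-convention triage of unmatched systems Stephen describes, written out as an added example. This is not code from either poster, from ServiceNow or from Qualys. It assumes a made-up naming convention (srv-, ws-/lt-, prn- and vp- prefixes, with a -prd/-tst/-dev suffix on servers), constructed host and CI records, and an example secure segment; in an instance the two input arrays would be filled from GlideRecord queries against your VR and CMDB tables, and a proposed class would be applied through the team's agreed reclassification process rather than by writing straight to the CI.

```javascript
// Added example, not ServiceNow or Qualys code: cross-check scanner-reported
// hosts against CMDB records and propose a class for the hosts the CMDB
// lacks. Runs stand-alone in Node on the constructed sample data below.
// No product table or field names are assumed; the arrays stand in for
// whatever GlideRecord queries you would run in an instance.

// Hypothetical naming convention (assumed for this example). First matching
// rule wins. Class names are standard CMDB classes; confirm them against
// your own class hierarchy before reclassifying anything.
const NAMING_RULES = [
  { pattern: /^srv-/i,     ciClass: 'cmdb_ci_server' },
  { pattern: /^(ws|lt)-/i, ciClass: 'cmdb_ci_computer' },
  { pattern: /^prn-/i,     ciClass: 'cmdb_ci_printer' },
  { pattern: /^vp-/i,      ciClass: 'cmdb_ci_ip_phone' },
];
// Assumed environment suffix on server names, e.g. srv-web01-prd.
const ENV_SUFFIX = { prd: 'Production', tst: 'Test', dev: 'Development' };

// Lower-case short hostname: "SRV-WEB01-PRD.corp.example" -> "srv-web01-prd".
function shortName(fqdn) {
  return String(fqdn || '').trim().toLowerCase().split('.')[0];
}

// Propose a class and environment from the name alone; null when the name
// follows no known convention, so that record stays in manual triage.
function classifyByName(hostname) {
  const name = shortName(hostname);
  const rule = NAMING_RULES.find((r) => r.pattern.test(name));
  if (!rule) return null;
  const suffix = name.split('-').pop();
  return { ciClass: rule.ciClass, environment: ENV_SUFFIX[suffix] || 'Unknown' };
}

// IPv4 helpers for the "unknown device in a secure segment" check.
function ipToInt(ip) {
  const p = String(ip || '').split('.').map(Number);
  if (p.length !== 4 || p.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const a = ipToInt(ip), b = ipToInt(base);
  if (a === null || b === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// Match scanner hosts to CIs by IP first, then by short name. Returns the
// matches, the hosts the CMDB lacks (with a proposed class), the CIs the
// scanner never reported (a scan-coverage gap, not a CMDB gap), and alerts
// for unknown hosts inside segments where nothing unknown should exist.
function crossCheck(scannerHosts, cmdbCis, secureSegments = []) {
  const byIp = new Map();
  const byName = new Map();
  for (const ci of cmdbCis) {
    if (ci.ip_address) byIp.set(ci.ip_address.trim(), ci);
    if (ci.name) byName.set(shortName(ci.name), ci);
  }
  const seen = new Set();
  const out = { matched: [], unmatched: [], notScanned: [], alerts: [] };
  for (const host of scannerHosts) {
    const name = host.dns || host.hostname;
    const ci = byIp.get(host.ip) || byName.get(shortName(name));
    if (ci) {
      seen.add(ci.sys_id);
      out.matched.push({ ip: host.ip, ci: ci.sys_id, matchedBy: byIp.has(host.ip) ? 'ip' : 'name' });
      continue;
    }
    out.unmatched.push({ ip: host.ip, name: shortName(name), proposal: classifyByName(name) });
    if (secureSegments.some((cidr) => inCidr(host.ip, cidr))) {
      out.alerts.push({ ip: host.ip, reason: 'unknown host in secure segment' });
    }
  }
  out.notScanned = cmdbCis.filter((ci) => !seen.has(ci.sys_id)).map((ci) => ci.sys_id);
  return out;
}

// Constructed sample data; not real hosts or CIs.
const SAMPLE_SCANNER_HOSTS = [
  { ip: '10.1.1.10', dns: 'srv-web01-prd.corp.example', hostname: 'SRV-WEB01-PRD' },
  { ip: '10.1.1.11', dns: 'srv-db01-prd.corp.example', hostname: 'SRV-DB01-PRD' },
  { ip: '10.2.5.42', dns: 'lt-jdoe01.corp.example', hostname: 'LT-JDOE01' },
  { ip: '10.3.3.3', dns: 'prn-lobby2.corp.example', hostname: 'PRN-LOBBY2' },
  { ip: '10.9.0.7', dns: '', hostname: '' },
];
const SAMPLE_CMDB_CIS = [
  { sys_id: 'ci-0001', name: 'srv-web01-prd', ip_address: '10.1.1.10', sys_class_name: 'cmdb_ci_server' },
  { sys_id: 'ci-0002', name: 'SRV-DB01-PRD.corp.example', ip_address: '10.1.1.99', sys_class_name: 'cmdb_ci_server' },
  { sys_id: 'ci-0003', name: 'srv-app02-prd', ip_address: '10.1.1.12', sys_class_name: 'cmdb_ci_server' },
];
const SECURE_SEGMENTS = ['10.9.0.0/24'];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(crossCheck(SAMPLE_SCANNER_HOSTS, SAMPLE_CMDB_CIS, SECURE_SEGMENTS), null, 2));
}
```

On the sample data the second server matches by name even though its CMDB IP is stale, the laptop and printer get a proposed class from their prefixes, the nameless host in the secure segment produces an alert rather than a class, and ci-0003 shows up as a CI the scanner never reported, which is the "are you really scanning 100%" question rather than a CMDB problem.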


This is a very interesting point in your reply, as I had put this in as a feature request: "If so, you can create scripts to automatically reclassify systems in the unmatched table". The whole ingestion of scanner-discovered items and reclassification is still very Discovery-centric. When you push the reclassify button, for example, all of the information provided by the scanner is removed, to be added in manually.

Do you have any example scripts?

"Vulnerability scanners ALWAYS find assets that are not in the CMDB. This can be thousands or even tens of thousands. Therefore, it is bad practice for that team to ignore the CIs discovered by a VR scanner." - May I know what is the best way to ignore VR data so that it does not update the CMDB?