Vulnerability groups

Chuck S1
Tera Contributor

Does anyone have a recommendation and/or best practices on how to group, categorize or define Vulnerability groups received from Rapid7? I am trying to reduce the number of groups and auto assign vulnerability items as they are received in ServiceNow.


1 ACCEPTED SOLUTION

Chris McDevitt
ServiceNow Employee

Chuck,

"... I am trying to reduce the number of groups and auto assign vulnerability items as they are received in ServiceNow...."

I would recommend that you do not focus on reducing the number of groups. I recommend concentrating on accurately assigning the vulnerability groups to the correct teams for remediation.

The first thing you need to consider is "Assignment Rules (AR)." ARs run and decide which assignment group to set on the Vulnerability Item (VIT). Think about how you want to assign the VITs and then make sure you have a "default" rule that catches things that do not match your parameters. The rules run in order, lowest to highest, and the first match stops the run.

Moving on to Vulnerability Grouping Rules (VGR). First, take a look at "Group by". You have five keys to play with (really four, because you always want to keep the first key as Vulnerability): three basic and two advanced keys. Typically, I see people wanting to group vulnerabilities that are most impactful to the organization. For example, the next keys could be: priority, active threat, external-facing asset, PCI, etc. (you will dot-walk from the VIT to these other items).

Once that is done, you need to consider filtering ('Limit vulnerable items') on the same VGR. For example, you may want a positive and negative filter: '~items that contain PCI' and then '~items that DO NOT contain PCI'.

The goal is to get a very focused VG to the team who can take action AND know which VG to act on first.


Go ahead and smash that correct or helpful button!


-Chris

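As an added illustration of the two mechanisms Chris describes (this is not ServiceNow code and not part of the original post; it uses no ServiceNow API), here is a stand-alone JavaScript model: ordered Assignment Rules where the first match stops and a catch-all default exists, and Grouping Rules built from up to five "Group by" keys with the first key fixed as the vulnerability and a "Limit vulnerable items" filter used as a positive/negative pair. The VIT field names, team names, rule orders and sample items are all constructed for the example.

```javascript
// Added example: a stand-alone model of ServiceNow-style Assignment Rules and
// Vulnerability Grouping Rules. It uses no ServiceNow API; field names, team
// names, rule orders and sample items are constructed for illustration.

// Constructed sample vulnerability items (VITs), as a scanner import might produce.
const sampleVits = [
  { id: 'VIT0001', vulnerability: 'VULN-A', priority: 1, activeThreat: true,  externalFacing: true,  pci: true,  os: 'windows' },
  { id: 'VIT0002', vulnerability: 'VULN-A', priority: 1, activeThreat: true,  externalFacing: false, pci: false, os: 'linux' },
  { id: 'VIT0003', vulnerability: 'VULN-B', priority: 3, activeThreat: false, externalFacing: true,  pci: true,  os: 'linux' },
  { id: 'VIT0004', vulnerability: 'VULN-C', priority: 4, activeThreat: false, externalFacing: false, pci: false, os: 'network' },
];

// Assignment Rules: evaluated in ascending order, first match stops, and the
// highest-order rule is a catch-all so nothing is left unassigned.
const assignmentRules = [
  { order: 100,  name: 'PCI scope',         group: 'PCI Remediation',      match: v => v.pci },
  { order: 200,  name: 'Windows hosts',     group: 'Windows Server Team',  match: v => v.os === 'windows' },
  { order: 300,  name: 'Linux hosts',       group: 'Linux Server Team',    match: v => v.os === 'linux' },
  { order: 1000, name: 'Default catch-all', group: 'Vulnerability Triage', match: () => true },
];

function assignGroup(vit, rules) {
  const ordered = [...rules].sort((a, b) => a.order - b.order);
  for (const rule of ordered) {
    if (rule.match(vit)) return { group: rule.group, rule: rule.name };
  }
  // Only reachable when no default rule exists: a misconfiguration worth flagging.
  return { group: null, rule: null };
}

// Grouping Rules: up to five "Group by" keys (first is always the vulnerability)
// plus a "Limit vulnerable items" filter. The PCI rule and its negated twin are
// the positive/negative filter pair described in the thread.
const groupingRules = [
  { name: 'PCI items by priority',              keys: ['vulnerability', 'priority'],                   limit: v => v.pci },
  { name: 'Non-PCI items by priority/exposure', keys: ['vulnerability', 'priority', 'externalFacing'], limit: v => !v.pci },
];

function validateGroupingRule(rule) {
  if (rule.keys.length < 1 || rule.keys.length > 5) {
    throw new Error(`${rule.name}: between 1 and 5 group-by keys expected`);
  }
  if (rule.keys[0] !== 'vulnerability') {
    throw new Error(`${rule.name}: first group-by key must be the vulnerability`);
  }
}

// Build vulnerability groups (VGs): each VIT is assigned first, then grouped by the
// rule's keys. Folding the assigned team into the group key is a choice made in
// this example so that every VG lands with exactly one remediation team.
function buildVulnerabilityGroups(vits, aRules, gRules) {
  const groups = new Map();
  for (const rule of gRules) {
    validateGroupingRule(rule);
    for (const vit of vits.filter(rule.limit)) {
      const { group: team } = assignGroup(vit, aRules);
      const key = rule.keys.map(k => `${k}=${vit[k]}`).join('|');
      const vgKey = `${rule.name}::${team}::${key}`;
      if (!groups.has(vgKey)) {
        groups.set(vgKey, { rule: rule.name, assignmentGroup: team, key, items: [] });
      }
      groups.get(vgKey).items.push(vit.id);
    }
  }
  return [...groups.values()];
}

function findGroupForItem(vgs, itemId) {
  return vgs.find(vg => vg.items.includes(itemId)) || null;
}

// Stand-alone run: print the resulting groups and their owning teams.
for (const vg of buildVulnerabilityGroups(sampleVits, assignmentRules, groupingRules)) {
  console.log(`${vg.assignmentGroup.padEnd(22)} ${vg.rule}: ${vg.key} -> ${vg.items.join(', ')}`);
}
```

Running it produces four groups, each already attached to one team: the PCI items go to PCI remediation even when a later Windows or Linux rule would also match (first match stops), and the network device that matches nothing specific falls to the default triage group rather than being left unassigned.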

7 REPLIES

Thx. Great response. I agree, my goal is to assign the groups in a manner that the teams can really work these VITs.


Eric Feron
Moderator

Excellent advice here.

I particularly like the approach that favors building the right Groups for assignment to the correct remediation teams.

We will soon have a tutorial on Vulnerability Groups. It will be announced here (Subscribe to that thread to get an alert).