
Zero day Vulnerability - Best Practice

sach1
Tera Guru

Hi All,

I am looking for guidance and best practice on how to handle zero-day vulnerabilities in ServiceNow for cases where CVEs are not available.

Came across the below KB article, which talks about creating a new table by extending the OOTB Vulnerability table. Is that the only way?

How to handle Zero Day Vulnerabilities in Vulnerability Module - Support and Troubleshooting

We want to create VITs and remediation tasks for the vulnerabilities for which CVEs are not created.

 

#secops #vulnerability 

#SIR #VR


QM_SSJ4
Tera Contributor

A zero day by definition is a vulnerability that is published prior to the vendor/owner having a patch. In other words, it's a flaw you cannot fix on 'day zero'. While you could create VITs via Exposure Assessment if there is a known CVE published, using the software publisher, product, version option, or even manual upload, you may want to think through the necessity of doing so. Big 3 scanning vendors (Qualys, Tenable, Rapid7) are pretty quick to publish their signatures and most likely would be 24 hours or less. Going through the trouble of creating VITs outside your BAU process might be overkill during this short window. There is also the issue of duplicate tickets once the scanners start feeding you detections as well. You may want to look at beginning a Security or regular Incident process (if the zero day is Critical) for tracking, running targeted scans once the signature is published, and ad hoc imports of the results into ServiceNow for holistic tracking.

In my experience, anything truly Critical usually has a more manual and focused response and we backfill the documentation of VITs while "flying the plane". If a Zero Day is not Critical (not all of them are!), your routine SLAs should not be greatly impacted by a day or two of missing VITs.

In general, I agree that scanning vendors are mostly responsive to providing checks for new vulnerabilities, though we have had cases of weeks for some critical items, but that is rare. I think the greater case for a non-scan-driven VIT process is for software not covered by scan vendors, which we find to be more common as time goes by and malicious actors investigate greater parts of the technology stack.

This is where we often find ourselves "flying the plane" (as you aptly say) and building the documentation as best we can in VR using manual determinations of impacted assets/software. This is frequently just a list attached to a VUL with no VITs in it.

MaxMixali
Kilo Sage

@MaxMixali

 

Stop cutting and pasting #AI_slop!

---

 

Everyone: Please consider joining the efforts to keep AI content out of the community:

https://www.servicenow.com/community/community-resources/servicenow-community-code-of-conduct-for-al...

 

I'm trying to help