on 05-01-2020 08:03 AM
This article is for questions and answers for K20 Lab 3019 Improve Security with Vulnerability Management. This lab is being presented multiple times throughout the live K20 event May 5 - 7, 2020. During the live event, post your questions in the comments of this article, and one of our lab gurus will be happy to answer them.

Enter your Questions as a Comment and one of our gurus will answer.
Student Instance Reservation URL for Thursday May 7th: http://clabs.link/lab3019-131
Is there a link for a Lab guide to follow along?

Also, when you register for your lab instance - links to the guidebook and this community are provided.
Where is the link to register for the lab instance?

Student Instance Reservation URL for Thursday May 7th: http://clabs.link/lab3019-131

Student Instance Reservation URL: https://clabs.link/lab3019-686

In case you missed it:
Student Instance admin password: lab3019-619#K20
Student Instance Reservation URL: https://clabs.link/lab3019-131
Lab Guide: https://developer.servicenow.com/connect.do#!/event/knowledge2020/LAB3019
Question: Imagining I am a Vulnerability Admin and I want to ensure that 'admin' user or any user with 'admin' role should NOT access my Vulnerability area. What would I need to do?
SIR I know there is a Lockout Admin action
Good question, and it's exactly the same way, with VR having its own locked out set of access controls. It's separate to itself, so SIR application admins cannot necessarily see vulnerability details either.
Unfortunately that Lockout is not there in VR; I just checked in the lab instance. Are we talking about customizing it?

Thanks for the question Sankalp.
Short answer is that the vulnerability response module is a scoped application but is not "scoped admin"...So there is RBAC to keep 99% of users in their proper lanes, but admin is not one of those users/roles. VR does not have the same lockout admin capability as SIR.
Definitely something that could be worked out. Just need to spend some time noodling the use case. Also, please consider an alternative, instead of keeping them from looking, log and tattle when they do 🙂
Thank you Lab Gurus for helping me out with the assignment rule confusion 🙂 appreciate it

You're right E.D....you definitely CAN do it same as SIR.
Customers should be very cautious though...the scoped admin for VR is not enabled by default and can break some OOB features if enabled.
Doesn't mean it can't be worked around...but should be carefully planned for and tested in a DEV environment.

Don't hesitate to post questions on Vulnerability Response or the lab. Someone will be monitoring and will get back to you as soon as possible.
Mahalo

no problem - as we discussed the lab sets up an assignment rule to auto assign on a Vul Group record. The Assignment rule within the Vul Response app in the admin section is specifically for Vul Item records.

Can you give me a rough estimate of cost for this module?
If your patching cycle was monthly, would creating the groups be a task that the vuln admin should conduct monthly?

I can certainly connect you with someone who can. Give me a few minutes.

That would certainly be a solid approach. One of the things to keep in mind would be if vulnerable items were patched.
what I did was automate it using the grouping rules so that a security analyst did not need to spend time doing it

Just sent you an email and copied your "cost" contact.
Thank you for attending the lab today.
I guess the cycle on how this would work hasn't been clicking with me. Would this work or is there a more efficient way? Example:
1. Vuln Admin/Security team creates a group in January for all Windows Updates. Assignment rule assigns that to the Windows team.
2. Windows team creates a change request, patches all servers during the Jan maintenance cycle.
3. After, the scans should show those vulns as remediated/patched.
4. February comes, and the cycle begins again.
Did you create new groups with each cycle, or use the same group over and over?
we used the same groups over and over, HOWEVER, we were regularly reviewing the groups and making changes or additions or deletions as appropriate...the idea was that the grouping rules in the application would group the vulnerable items for us, thus saving us time and effort...then all we had to do was QA it
For the Wednesday May 6, 2020 Session:
Student Instance admin password: lab3019-908#K20
Student Instance Reservation URL: https://clabs.link/lab3019-541

I see nothing wrong with that approach.
It can be monthly, event driven (new vulnerabilities) or as a confirmation (after a patching cycle).
The key is to look at the value you are getting for the effort. The value is reducing risk. If risk remains, add additional cycles. If you get to the point where you are going through cycles knowing full well there is no risk, it's time to review the process.
Mahalo
You

Is it recommended to load the vulnerable items via flat file / email?
Via this approach, I see that the step for CI lookup rules / CI matching rules will get skipped.
Favorites in my instance is empty
You could do that, but you'd be better off using the standard out of the box integration with your vulnerability scanner so that ServiceNow is ingesting data from the scanner. You could also use the third party or API integrations. You can load via flat file, but I would recommend against it.
can you please log out and log back in and see if that fixes it?

Can you confirm that you are logged in as admin? Worst case you could request a new instance. Once we go into breakouts you'll be able to share your screen and one of the gurus will be able to help.
We'll be here to help in depth after overview.
Yes I am logged in as admin - I have logged off and back on but they are still empty
Vulnerability item id and group id (VUL***) are pre-defined for particular CVE in Service Management?
Hi, if you follow the lab guide, you don't truly need the favorites, so if you are comfortable doing that, you can proceed as is, otherwise when we get to the breakout rooms, let the Guru in your room know and they can help you
I agree we may load Pen test results via data import or via API, but how to close those VULs?
VULs from scanners will be closed once remediated. But how to deal with the vulnerabilities from pen test on closure part?

I can think about Performance being another concern for loading flat files / email. In case there are 1000's of vulnerabilities in a short span of time

I agree you could get through the lab without favorites, however, I am concerned there may be more wrong.
Would you mind requesting a new instance?
yes, I agree with Scott; getting a new instance would be best; should only take a few minutes and let us or your breakout room Guru know if you need help
VULs (VITs) from scanners will be closed once remediated. But how to deal with the vulnerabilities from the pen test on the closure part?
You could configure a similar workflow in Flow Designer that would handle them in the same manner; the only difference might be whether or not you are doing a re-scan.
Hi, you could configure a similar workflow in Flow Designer that would handle them in the same manner; the only difference might be whether or not you are doing a re-scan.
Hello, just checking to make sure you are all set now