Vulnerability Solution Management

  • Release version: Australia
  • Updated: March 12, 2026
  • Reading time: 39 minutes
  • Automatically correlate the vulnerabilities in your environment with the solutions that could remediate them. Identify the remediation actions that apply to your vulnerabilities and prioritize them by the greatest reduction in vulnerability risk.

    Security and IT teams often spend a significant amount of time researching vulnerability findings to identify the most effective treatments for their environment. Given the volume and complexity of vulnerabilities in large organizations, translating vulnerability findings into remediation tasks is a manual, tedious, and error-prone process.

    With Vulnerability Solution Management, you can automatically correlate your vulnerability findings with the solutions that remediate them. Identify the software patches, configuration updates, and other controls that have the highest impact for your organization without the manual overhead.

    Vulnerability Solution Management requirements

    Vulnerability Solution Management is a feature available within the Vulnerability Response application. Vulnerability Solution Management requires a separate subscription.

    For more information about getting entitlements for applications from the ServiceNow Store, see Get entitlement for a Security Operations product or application. See Install the Solution Management for Vulnerability Response application for more information about installing the application after you have downloaded it onto your instance.

    After it’s installed, Vulnerability Solution Management provides you access to the Microsoft Security Response Center and the Red Hat solution data from within Vulnerability Response.

    Note:

    You can configure both solution applications from within the Setup Assistant. See Configure installed solution integrations for Vulnerability Solution Management using Setup Assistant.

    See Microsoft Security Response Center Solution Integration and Red Hat Solution Integration for more information on the imported solutions.

    Available versions

    For the most current version of Vulnerability Solution Management, verify you have the most current version of Vulnerability Response installed.

    Release version of Vulnerability Solution Management | Compatible versions of Vulnerability Response | Release Notes
    Vulnerability Solution Management v10.3 | Vulnerability Response v18.0

    For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes.

    About solutions and supersedence

    A superseding update is a complete replacement of a previous release or releases. For example, a hot fix update may be superseded by a Service Pack. Solutions are related to vulnerabilities. Solutions can also relate to other solutions in a supersedence chain. Because solutions are cumulative, a solution also addresses the vulnerabilities covered by the solutions that precede it. Vulnerability Solution Management automatically associates vulnerabilities from preceding solutions with superseding solutions. If an older vulnerability is found, any higher superseding solution can address it, but the highest supersedence solution is preferred, as it's the most cumulative.

    Potential versus Preferred Solutions

    A potential solution is one that could address a vulnerability. Vulnerabilities often have many potential solutions. A preferred solution is the single solution targeted for remediating a vulnerability or vulnerable item (VI). It communicates intention, and enables more detailed deployment metrics.

    Preferred Solutions

    Vulnerability Solution Management automatically sets the most effective solution (Preferred Solution) for the detected vulnerability based on highest supersedence when only one highest supersedence solution exists. If more than one highest supersedence exists for the vulnerability, no value is set. In Vulnerability Response, a Preferred Solution is the Microsoft Security Response Center or Red Hat solution with the highest supersedence derived from the solutions associated with the vulnerability.

    Preferred Solution values can be set on the vulnerable item or the vulnerability. When set directly on the vulnerability, all vulnerable items associated with the vulnerability inherit that solution. Change the Preferred Solution values for multiple vulnerable items using the bulk edit feature. When bulk edited, only the Preferred Solution on the vulnerable item is updated, because setting the Preferred Solution at the vulnerability entry level would set the Preferred Solution for all new VIs going forward. Bulk editing only applies to current vulnerable items.
    Note:
    If multiple highest supersedence solutions exist for a vulnerability, Preferred Solution values at the vulnerability level are cleared, as that solution depends on the affected asset. When multiple highest supersedence solutions exist for a vulnerability, set a Preferred Solution on the vulnerable item. You can set a different solution using the Lookup list on the Vulnerable Item form.

    All preferred solutions for the vulnerable items in a remediation task are in a related list on the Remediation Task record.

    Not all solution imports result in full data refreshes. The supersedence process is updated when:
    • A vulnerable item is created.
    • Data has changed on an active VI.
      Note:
      Starting with v22.0 of Vulnerability Response, the solutions aren’t queued in the above two cases.
    • A new mapping is created for a third-party entry with the CVE.
    • New solution data was released since the last import, or an existing solution was updated.
    Starting with v24.0.6 of Vulnerability Response, you can ingest solutions from scanners in addition to vendor solutions. The remediation data from scanners such as Tenable, Qualys, and Microsoft TVM is leveraged to create the solutions. These scanner solutions are imported using the following integrations:
    • Tenable.sc Plugin Integration
    • Tenable.io Plugin Integration
    • Qualys Knowledge Base (Backfill)
    • Microsoft TVM Machine Vulnerabilities Integration (Full Import)
    • Microsoft TVM Machine Vulnerabilities Integration (Delta Import)
    When the vulnerability integrations run, a payload of remediation information is created before processing third-party entries. For Tenable and Qualys, the remediation data is received at the vulnerability or third-party entry level. Conversely, for Microsoft TVM, solutions are created at the detection level, enabling a direct population of preferred solutions on the vulnerable items without the need for further processing. These solutions are created based on this remediation information and processed as needed. On processing, the preferred solution is populated on the vulnerabilities and rolled down to the vulnerable items. The preferred solution is populated in the following order:
    • Manual selection: If you select a solution manually, it isn’t overridden.
    • Vendor solutions (Microsoft, Red Hat, CVRF, and CSAF imports): If you don’t select a solution manually, the vendor solution is selected automatically.
    • Latest solutions (if enabled): If there are multiple higher-superseding solutions available for a vulnerability, then the preferred solution field remains empty. In such cases, if you enable the property sn_vul.latest_solutions, the latest higher supersedence vendor solution is populated as the preferred solution.
    • Scanner Bulletin solutions (if enabled): If you don’t select a solution manually or vendor solutions are unavailable, the Preferred solution field is populated with the scanner solutions provided there's a single scanner solution. You must enable the property sn_vul.populate_scanner_solutions to populate the scanner solutions.
    Figure 1. Solutions from multiple sources
    This example illustrates the selection of a solution if multiple solutions are available from different sources. In this case, there are two solutions for a vulnerability: one from a vendor and another from a scanner. Because the solution VS0116107 is received from a vendor (Red Hat), which has higher preference, it is selected as the preferred solution.
    Figure 2. Solutions from same vendor
    This example illustrates the selection of a solution if multiple solutions are available from the same vendor (Red Hat in this case). If the sn_vul.latest_solutions property is enabled and no other vendor solutions are available for a specific vulnerability, these solutions are processed, populating preferred solutions on the vulnerabilities and subsequently on vulnerable items. If you enable the property sn_vul.latest_solutions, the latest solution is selected as the preferred solution.
    Figure 3. Solutions from same scanner
    This example illustrates the selection of a solution if only one scanner solution is available from the scanners. If the sn_vul.populate_scanner_solutions property is enabled, the solutions are processed, populating the preferred solutions on the vulnerabilities and subsequently on the vulnerable items. If there are multiple scanner solutions, the Preferred solution field is left empty due to ambiguity.
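
The selection order above, combined with the supersedence rule from "About solutions and supersedence", can be modeled as follows. This is an added illustration in plain JavaScript, not ServiceNow code: the record fields (`id`, `source`, `supersedes`, `published`, `manualSolution`), the `reason` labels and the sample catalog are assumptions constructed for the example; only the two property names come from the page.

```javascript
// Constructed sample catalog (not real solution records).
// SOL-3 supersedes SOL-2, which supersedes SOL-1; SOL-4 and SOL-5 are unrelated.
const CATALOG = [
  { id: 'SOL-1', source: 'vendor', supersedes: [], published: '2025-01-14' },
  { id: 'SOL-2', source: 'vendor', supersedes: ['SOL-1'], published: '2025-02-11' },
  { id: 'SOL-3', source: 'vendor', supersedes: ['SOL-2'], published: '2025-03-11' },
  { id: 'SOL-4', source: 'vendor', supersedes: [], published: '2025-02-01' },
  { id: 'SOL-5', source: 'vendor', supersedes: [], published: '2025-04-01' },
  { id: 'SOL-9', source: 'scanner', supersedes: [], published: '2025-03-20' },
];

// Return the candidates that no other candidate supersedes, directly or
// through a chain. The chain is walked through the whole catalog so that an
// intermediate solution missing from the candidates does not break it.
function highestSupersedence(candidates, catalog) {
  const byId = new Map(catalog.map((s) => [s.id, s]));
  const superseded = new Set();
  const stack = candidates.flatMap((s) => s.supersedes);
  while (stack.length > 0) {
    const id = stack.pop();
    if (superseded.has(id)) continue; // already visited; also stops on cycles
    superseded.add(id);
    const older = byId.get(id);
    if (older) stack.push(...older.supersedes);
  }
  return candidates.filter((s) => !superseded.has(s.id));
}

// Apply the documented order: manual, vendor, latest (if enabled),
// scanner (if enabled and exactly one scanner solution exists).
function selectPreferred(vuln, catalog, props) {
  if (vuln.manualSolution) return { id: vuln.manualSolution, reason: 'manual' };

  const linked = catalog.filter((s) => vuln.solutions.includes(s.id));
  const vendorTop = highestSupersedence(
    linked.filter((s) => s.source === 'vendor'), catalog);

  if (vendorTop.length === 1) return { id: vendorTop[0].id, reason: 'vendor' };
  if (vendorTop.length > 1) {
    // Several highest-supersedence solutions: empty unless the property is on.
    // Modeled here as a boolean that selects by date published.
    if (!props['sn_vul.latest_solutions']) return { id: null, reason: 'ambiguous' };
    const latest = vendorTop.reduce((a, b) => (b.published > a.published ? b : a));
    return { id: latest.id, reason: 'latest' };
  }

  const scanner = linked.filter((s) => s.source === 'scanner');
  if (props['sn_vul.populate_scanner_solutions'] && scanner.length === 1) {
    return { id: scanner[0].id, reason: 'scanner' };
  }
  return { id: null, reason: 'none' };
}

// Vendor chain beats the scanner solution and resolves to the chain head.
console.log(selectPreferred({ solutions: ['SOL-1', 'SOL-3', 'SOL-9'] }, CATALOG, {}));
```
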

    Enhancing solution management and performance optimization

    Solutions are received from various integrations, including Microsoft and Red Hat. The former provides monthly updates and establishes a chain of dependencies to track the preferred solution for vulnerabilities. Other integrations don’t follow this update format, so no chain of dependencies needs to be established for them. Previously, the processing logic built a graph to maintain precedence and identify the highest superseding solutions, which were then suggested as the preferred solution for the vulnerabilities. Because constructing the graph is time-consuming, the other integrations are excluded from this process. To improve performance, starting from v22.0 of Vulnerability Response, the method utility.processNonGraphSolutions() is called in the Process Vulnerability Solutions Metrics Queue scheduled job. This method handles solutions from integrations other than Microsoft.

    Secondly, the solutions are queued up from various sources using the scheduled job Process Vulnerability Solutions Metrics Queue. This scheduled job involves rolling up solutions from NVD entries to third-party entries, populating preferred solutions on vulnerabilities and updating the remediation status metrics on the solutions. In the following scenarios, only the remediation status metrics must be updated:
    • When the preferred solution changes on the vulnerabilities
    • When the VITs are created or deleted
    • When a VIT import is completed
    Though the solutions are queued up to update only the remediation status metrics, they still attempt to roll up solutions from NVD entries to third-party entries and populate the preferred solutions. To optimize this process, the column Update status is introduced in the Vulnerability Solution table. When the remediation status metrics on solutions must be updated without requiring the roll-up or population of preferred solutions, the solutions are no longer queued. Instead, the Update status column is directly updated as true. This approach enables handling cases where only the remediation status metrics must be updated, resulting in time and resource savings. In the scheduled job, once the processing of the queued solutions is completed, solutions that are marked with an Update status as true are identified. The job then iterates through these solutions, calculating the counts and updating the remediation status metrics accordingly. This step plays a significant role in improving the performance of the scheduled job, as the number of solutions that must be queued is reduced.

    To view remediation status metrics, navigate to the Vulnerability Solution [sn_vul_solution] table and select a vulnerability solution. Then, select the Remediation Status tab. The tab provides the following fields:
    Table 1. Remediation Status metrics
    Field | Description
    Preferred Solution Targets - Remediation status for VIs for which this is the preferred solution
    Vulnerable items | Number of active (non-closed) vulnerable items for which this solution is preferred for remediation. This count excludes deferred vulnerable items.
    Remaining CIs | Number of CIs associated with one or more active vulnerable items for which this solution is preferred for remediation. This count excludes deferred vulnerable items.
    Total VIs | Number of active and closed vulnerable items for which this solution is preferred for remediation. This count excludes deferred vulnerable items.
    Total CIs | Number of CIs associated with one or more active and closed vulnerable items for which this solution is preferred for remediation. This count excludes deferred vulnerable items.
    % VIs remediated | Percent complete for vulnerable item (VI) remediation. Applies to VIs for which this solution is preferred. This count excludes deferred vulnerable items.
    % CIs remediated | Percent complete for CI remediation. Applies to VIs for which this solution is preferred. This count excludes deferred vulnerable items.
    Preferred Solution Targets (Includes Deferred) - Remediation status for VIs, including deferred, for which this is the preferred solution
    Vulnerable items | Number of active (non-closed) vulnerable items for which this solution is preferred for remediation.
    Remaining CIs | Number of CIs associated with one or more active vulnerable items for which this solution is preferred for remediation. This count excludes deferred vulnerable items.
    Total VIs | Number of active and closed vulnerable items for which this solution is preferred for remediation.
    Total CIs | Number of CIs associated with one or more active and closed vulnerable items for which this solution is preferred for remediation.
    % VIs remediated | Percent complete for vulnerable item (VI) remediation. Applies to VIs for which this solution is preferred.
    % CIs remediated | Percent complete for CI remediation. Applies to VIs for which this solution is preferred.
    Potential Solution Targets - Remediation status for all VIs with a vulnerability related to this solution
    Vulnerable items | Number of active (non-closed) vulnerable items for which this solution is a potential solution for remediation. This count excludes deferred vulnerable items.
    Remaining CIs | Number of CIs associated with one or more active vulnerable items for which this solution is a potential solution for remediation. This count excludes deferred vulnerable items.
    Potential Solution Targets (Includes Deferred) - Remediation status for all VIs, including deferred, with a vulnerability related to this solution
    Vulnerable items | Number of active (non-closed) vulnerable items for which this solution is a potential solution for remediation.
    Remaining CIs | Number of CIs associated with one or more active vulnerable items for which this solution is a potential solution for remediation.
    Thirdly, the availability of a preferred solution for vulnerabilities and VITs must be ensured to remediate the vulnerabilities. However, in situations where multiple higher superseding solutions exist for a vulnerability, a preferred solution isn’t populated due to ambiguity. To address this scenario, an approach is implemented that involves running the processing logic and populating the preferred solution when it’s available. In cases where there’s only one higher superseding solution, it’s populated as the preferred solution. When multiple higher superseding solutions are present, the preferred solution field remains empty. However, the aim is to populate the highest superseding solution, which is published as the latest, as the preferred solution. To achieve this, a system property sn_vul.latest_solutions is introduced. By default, this property is set to false. If you want to enable the capability of populating the latest solutions as the preferred solution when no preferred solution is available, then you can enable this property. Once enabled, the Solution type column is updated in the vulnerability table with the following options:
    • Preferred: When the preferred solution is populated
    • Latest: When no preferred solution is available, the latest solution from the set of highest superseding solutions is selected based on the date published value. The field to be selected as the latest solution can be customized using the sn_vul.latest_solutions system property. By default, the value is set to "date published," but it can be changed to "last modified" to select the solution based on the last modified column in the solutions.
    • Manual: When the preferred solution type is updated manually. The precedence for this type of solution is the highest.

    In certain scenarios, the preferred solution on a vulnerable item (VIT) may differ from the preferred solution on the corresponding vulnerability. This occurs when the preferred solution is manually updated on a VIT and not on the vulnerability. In such cases the Solution type field is hidden on the VIT.

    What Vulnerability Solution Management does

    • Automatically associates new vulnerable items (VITs) and remediation tasks with solutions during Microsoft Security Response Center Solution Integration and Red Hat Solution Integration import.

      MSRC solutions are associated with the latest bulletin the solution appears in.

    • Automatically associates vulnerable items and remediation tasks with solutions when vulnerability records are associated manually with solutions.
      Note:
      Vulnerable items manually reassigned to another solution aren’t automatically updated with solution changes at the vulnerability level.
    • MSRC: Creates supersedence chains during import that you can view in the solution's related list.
    • Indicates whether a solution is a highest-supersedence solution or not.
    • Lists the Solution Risk score associated with each solution to provide you with the biggest opportunities for risk reduction.
    • Maintains Remediation Status for solutions on third party Vulnerability Entries, Remediation Tasks, and Vulnerability Solution records so you can track remediation progress.

      It contains:
      • Vulnerable item counts by percent remediated, for those VIs with Preferred Solutions, with and without those VIs in the Deferred state.
      • Configuration Item (CI) counts by percent remediated, for those VIs with Preferred Solutions, with and without those VIs in the Deferred state.
      • Vulnerable item counts by percent remediated, for those VIs with Potential Solutions, with and without those VIs in the Deferred state.
      • Configuration Item counts by percent remediated, for those VIs with Preferred Solutions, with and without those VIs in the Deferred state.

    What you can do with Vulnerability Solution Management

    • Create, update, view, or delete solutions associated with vulnerabilities, so that you can track vulnerability solutions that aren’t covered by third-party solution content. Solution Integration with the Rapid7 Data warehouse is not supported.
    • Associate third-party vulnerabilities and NVD entries with a solution record.
    • Remove and reassociate vulnerable items and remediation tasks with a solution.
    • View the Preferred Solution applicable to a given vulnerability on the vulnerability and vulnerable item forms.
    • View a Preferred Solutions related list on remediation task forms that lists all the solutions that have been preferred by at least one active VI within that group.
    • View the Remediation Status details on a solution that show the risk reduction associated with deploying the Preferred Solution on vulnerability, vulnerable item, remediation tasks, and solution forms.
    • View vulnerabilities applicable to a given solution on the solution form.
    • MSRC: View the superseding solutions for a given solution on a vulnerability, to find the latest update to deploy, or an earlier, more focused, efficient update.
    • View lists of solutions sorted for different characteristics.
      • All: Solutions sorted by Date published and Number.
      • MSRC: Highest Supersedence: Solutions with active, non-deferred vulnerable items. Sorted by Highest supersedence, Date published, and Number.
      • With Vulnerable Items: Solutions with active, non-deferred vulnerable items. Sorted by Highest supersedence or Preferred, Risk Score, and Number. If deployed, the top entries in the list provide the largest risk reduction for the assets in your environment.

    Solution record Risk score and Risk rating

    Note:
    The Solution record Risk score and Risk rating are distinct from those fields used for vulnerabilities, vulnerable items, and remediation tasks.

    The Solution record Risk score is a weighted calculation based on the vulnerable item Risk score and a count of active vulnerable items with this solution as their Potential Solution. The solution Risk score provides an estimation of the reduction in risk that the solution is expected to accomplish.

    The solution record Risk score is calculated as follows:
    • It starts by taking 85% of the highest or maximum Risk score of an active vulnerable item with that potential solution.
    • The solution record Risk score then tabulates the total number of vulnerable items with that potential solution. For each range of the number of vulnerable items, it adds some points and arrives at a total.
      • 0–9 vulnerable items adds no points
      • 10–99 vulnerable items adds 5 points
      • 100–999 vulnerable items adds 10 points
      • 1000 and beyond vulnerable items adds 15 points

      For example, for a vulnerable item Risk score of 80, the Solution record Risk score would start at 68. If there were 200 active total vulnerable items with that potential solution, then the final Solution Risk score would be 78.

    The Solution record Risk rating separates the Solution record Risk score into ranges from Critical to None. Solution Risk rating rates the risk reduction for the vulnerable items that this solution remediates.

    Up to VR v16.1, risk ratings separated the resulting Solution Risk score into the following ranges:
    • 1 — Critical (90+ Solution Risk score)
    • 2 — High (70-89 Solution record Risk score)
    • 3 — Medium (30-69 Solution record Risk score)
    • 4 — Low (1-29 Solution record Risk score)
    • 5 — None (0 Solution record Risk score)
    Starting from VR v16.1, risk ratings separate the resulting Solution Risk score into the following ranges for Solution Management:
    • 1 — Critical (90+ Solution Risk score)
    • 2 — High (70-89 Solution record Risk score)
    • 3 — Medium (40-69 Solution record Risk score)
    • 4 — Low (1-39 Solution record Risk score)
    • 5 — None (0 Solution record Risk score)
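
The score and rating rules above can be applied across a set of vulnerable items to rank solutions by expected risk reduction. This is an added illustration in plain JavaScript, not ServiceNow code: the VI fields (`riskScore`, `state`, `potentialSolutions`), the `legacyRanges` switch and the sample data are assumptions constructed for the example, and the score is left unrounded because the page does not state a rounding rule.

```javascript
// Points added for the number of active VIs sharing the potential solution.
function countBonus(activeViCount) {
  if (activeViCount >= 1000) return 15;
  if (activeViCount >= 100) return 10;
  if (activeViCount >= 10) return 5;
  return 0;
}

// 85% of the highest active VI Risk score, plus the count bonus.
function solutionRiskScore(maxViRiskScore, activeViCount) {
  return (maxViRiskScore * 85) / 100 + countBonus(activeViCount);
}

// legacyRanges = true applies the older ranges (Medium starts at 30);
// the default applies the newer ranges (Medium starts at 40).
function solutionRiskRating(score, legacyRanges = false) {
  const mediumFloor = legacyRanges ? 30 : 40;
  if (score >= 90) return 'Critical';
  if (score >= 70) return 'High';
  if (score >= mediumFloor) return 'Medium';
  if (score > 0) return 'Low';
  return 'None';
}

// Group active (non-closed) VIs by potential solution, score each solution,
// and sort so the largest expected risk reduction comes first.
function rankSolutions(vulnerableItems, legacyRanges = false) {
  const stats = new Map();
  for (const vi of vulnerableItems) {
    if (vi.state === 'closed') continue;
    for (const sol of vi.potentialSolutions) {
      const s = stats.get(sol) || { max: 0, count: 0 };
      s.max = Math.max(s.max, vi.riskScore);
      s.count += 1;
      stats.set(sol, s);
    }
  }
  return [...stats]
    .map(([solution, s]) => {
      const score = solutionRiskScore(s.max, s.count);
      return { solution, activeVis: s.count, score,
               rating: solutionRiskRating(score, legacyRanges) };
    })
    .sort((a, b) => b.score - a.score);
}

// Constructed sample: build n VIs that share one potential solution.
const makeVis = (n, solution, riskOf, state = 'open') =>
  Array.from({ length: n }, (_, i) => ({
    riskScore: riskOf(i), state, potentialSolutions: [solution],
  }));

const SAMPLE_VIS = [
  ...makeVis(200, 'SOL-A', (i) => (i === 0 ? 80 : 50)), // the page's 80 / 200 case
  ...makeVis(3, 'SOL-B', () => 95),                     // few items, high risk
  ...makeVis(12, 'SOL-C', () => 40),                    // lands at 39
  ...makeVis(1, 'SOL-C', () => 100, 'closed'),          // closed, so ignored
];

console.log(rankSolutions(SAMPLE_VIS));
```
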

    Use Cases

    View the deployment progress of a current patch cycle using the highest-supersedence module, sorted by date.

    View highest value solutions using the With Vulnerable Items module, sorted by risk score.

    Solution lists communicate key solution details, risk scores, and deployment metrics. Use Risk score and active VI counts for prioritization. See which solutions in the current patch cycle aren’t progressing, possibly an indication of a missed deployment prerequisite.
    Note:
    Add % VIs remediated (percent_nd_pref_vis_remediated) from the Personalize List Columns menu for remediation progress on the Vulnerability Solutions form.