Vulnerability Crisis Management

  • Release version: Australia
  • Updated: March 12, 2026
  • Time required: 10 minutes
  • Create and track critical vulnerability events through the Vulnerability Crisis Management (VCM) workflow. Create vulnerability assessment records, record key attributes of the vulnerability to calculate risk, perform assessment to identify exposure level, and engage stakeholders for a coordinated and swift response to vulnerabilities.

    Managing vulnerability crisis events

    Vulnerability Crisis Management is a complete workflow to handle vulnerability crisis events with the following capabilities.
    • Efficiently identify vulnerable configuration items by correlating critical vulnerabilities with software installation inventory from Software Asset Management and Software Bill of Materials (SBOM) inventory, scanner-reported vulnerabilities, and Configuration Management Database (CMDB).
    • Convert assessment results into vulnerable items for remediation.
    • Initiate a major security incident to ensure a swift and coordinated response to the threat.
    • Engage and collaborate with teams across the organization, facilitating a unified response to vulnerabilities.
    • Provide regular status reports to cross-functional stakeholders and involved teams to maintain transparency and communication throughout the crisis.

    Vulnerability Crisis Management using the Vulnerability Assessment Workspace

    Note:
    Starting with v1.0.1 of Vulnerability Crisis Management, the application is available as a separate subscription in the store. You can access Vulnerability Crisis Management from the Vulnerability Assessment workspace only if you have fine-grained entitlement or have installed the application from the store. Previously, Vulnerability Crisis Management was included with the Vulnerability Emergency Response plugin. Starting with v3.2.2, the Vulnerability Emergency Response plugin has been renamed to Vulnerability Exposure Assessment.

    On identifying a vulnerability of interest, the vulnerability event manager creates a vulnerability assessment record with information on the threat intelligence source, vulnerability characteristics, and affected products. This information is used for further impact and exposure analysis.

    After the record for a vulnerability of interest has been created, a risk assessment is performed. This assessment comprises structured risk scoring, reviewing the record, and the observations of the analyst performing the task. The initial risk score for a vulnerability of interest is calculated using the attributes available at the time of event creation. The risk score for the assessment may change as additional intelligence becomes available. Use the risk score to determine the potential impact of exploitation and establish response priorities.

    After the assessment for a vulnerability of interest has been created and determined to present risk to the organization's infrastructure, you can analyze the threat further by updating the risk assessment with an in-depth exposure assessment with the software installation inventory from Software Asset Management, Software Bill of Materials (SBOM) inventory, scanner-reported vulnerabilities, and Configuration Management Database (CMDB). Impacted Configuration Items and Applications are automatically identified through assessment. Additional impacted items can be added manually.

    Once the assessment is completed, Vulnerable Items or Application Vulnerable Items can be created for the exposure results that do not already have an associated vulnerable item. The risk score calculator for vulnerable items can be used or configured to adjust the risk score for vulnerable items linked to vulnerability assessment records. The Vulnerability Assessment record can be assigned an exposure level and an event priority. Based on the event priority, the Vulnerability Event Manager can choose to propose, promote, or link the vulnerability assessment to a Major Security Incident.

    Use Major Security Incident Management to track and manage remediation activity, link ongoing security incidents, create ad-hoc tasks, engage affected teams, send status reports and collaborate using collaboration integrations available in Major Security Incident Management.

    ServiceNow® Software Asset Management and Software Bill of Materials (SBOM) assessment processing logic

    Using the Software Asset Management data, the CPEs coming from NVD for the CVE are fetched, and then the discovery models are fetched using string-matching logic. After fetching the discovery models, a scan for related installations is run, the related configuration items are fetched, and the Affected Configuration Item table is populated. You can provide further details such as Publisher, Product, Version, and Edition. Based on these, all the matching discovery models and the software installations for the record are fetched. Subsequently, the related configuration items are fetched and the Affected Configuration Item table is repopulated.
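
    The Software Asset Management path above, sketched over in-memory records. This is an added example, not ServiceNow code: the field names, the sample data, and the matching rule (normalized, case-insensitive equality, with a `*` CPE version matching any discovered version) are assumptions, since the page does not specify the product's string-matching logic.

```javascript
// Added illustration: constructed data, hypothetical field names.
// CPE 2.3 formatted string: cpe:2.3:part:vendor:product:version:update:...
// (escaped ':' inside a field is not handled in this sketch)
function parseCpe(cpe) {
  const f = cpe.split(":");
  if (f.length < 6 || f[0] !== "cpe" || f[1] !== "2.3") return null;
  return { vendor: f[3], product: f[4], version: f[5] };
}

// Assumed normalization: lowercase; spaces, underscores and hyphens are equivalent.
const norm = (s) => String(s).toLowerCase().replace(/[\s_-]+/g, "_");

// Assumed matching rule between a discovery model and a parsed CPE.
function modelMatches(model, cpe) {
  return norm(model.publisher) === norm(cpe.vendor) &&
    norm(model.product) === norm(cpe.product) &&
    (cpe.version === "*" || norm(model.version) === norm(cpe.version));
}

// CPEs -> discovery models -> software installations -> configuration items.
function affectedCisFromSam(cpes, models, installs) {
  const parsed = cpes.map(parseCpe).filter(Boolean); // drop malformed CPEs
  const hitModels = new Set(
    models.filter((m) => parsed.some((c) => modelMatches(m, c))).map((m) => m.id));
  const cis = installs.filter((i) => hitModels.has(i.modelId)).map((i) => i.ci);
  return [...new Set(cis)].sort(); // one row per CI, even with duplicate installs
}

// Constructed sample data
const cpes = ["cpe:2.3:a:example_vendor:file_transfer:4.2.0:*:*:*:*:*:*:*", "not-a-cpe"];
const models = [
  { id: "dm1", publisher: "Example Vendor", product: "File Transfer", version: "4.2.0" },
  { id: "dm2", publisher: "Example Vendor", product: "File Transfer", version: "4.3.1" },
  { id: "dm3", publisher: "Other Corp", product: "File Transfer", version: "4.2.0" },
];
const installs = [
  { modelId: "dm1", ci: "srv-app-01" },
  { modelId: "dm1", ci: "srv-app-02" },
  { modelId: "dm2", ci: "srv-app-03" },
  { modelId: "dm1", ci: "srv-app-01" }, // duplicate install record
];
console.log(affectedCisFromSam(cpes, models, installs));
```

    A same-named product from a different publisher (dm3) and a different version (dm2) are both excluded, which is why supplying Publisher, Product, Version, and Edition narrows the affected set.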

    For SBOM, the associated software for the CVE from the related (m2m) table (between CVE and Software) is fetched. After pulling in the software details, the related SBOM components are identified by matching the product and version from the SBOM component to the product and version of the software identified.

    After the associated components are found, the entities related to the components are fetched. The product model from the entities and the related CI (if found) are fetched and the configuration item is saved in the Affected Configuration Item table. If the configuration item has no vulnerable items, you can use it to create the vulnerable item. If a configuration item is not found, the product model is saved in the Affected Software Model table and can be used to create application vulnerable items.
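
    The SBOM path described in the two paragraphs above, including the fallback when no configuration item is found, sketched over in-memory records. This is an added example, not ServiceNow code: the record shapes, field names, CVE placeholder, and sample data are all constructed for illustration.

```javascript
// Added illustration: constructed data, hypothetical field names.
function assessSbom(cve, cveSoftware, components, entities, ciByModel) {
  // 1. Software linked to the CVE through the many-to-many relation.
  const software = cveSoftware.filter((r) => r.cve === cve);
  // 2. SBOM components whose product and version equal a linked software's.
  const hits = components.filter((c) =>
    software.some((s) => s.product === c.product && s.version === c.version));
  const hitIds = new Set(hits.map((c) => c.id));
  const affectedCis = new Set();
  const affectedSoftwareModels = new Set();
  // 3. Entities that use those components -> product model -> CI, if one exists.
  for (const e of entities) {
    if (!e.componentIds.some((id) => hitIds.has(id))) continue;
    const ci = ciByModel[e.productModel];
    if (ci) affectedCis.add(ci);                      // Affected Configuration Item
    else affectedSoftwareModels.add(e.productModel);  // Affected Software Model
  }
  return {
    affectedCis: [...affectedCis].sort(),
    affectedSoftwareModels: [...affectedSoftwareModels].sort(),
  };
}

// Constructed sample data; the CVE id is a placeholder.
const CVE = "CVE-0000-00000";
const cveSoftware = [{ cve: CVE, product: "libexample", version: "1.4.2" }];
const components = [
  { id: "c1", product: "libexample", version: "1.4.2" },
  { id: "c2", product: "libexample", version: "1.5.0" }, // not a vulnerable version
  { id: "c3", product: "libexample", version: "1.4.2" },
];
const entities = [
  { name: "billing-api", componentIds: ["c1"], productModel: "pm-billing" },
  { name: "portal", componentIds: ["c2"], productModel: "pm-portal" },
  { name: "batch-runner", componentIds: ["c3"], productModel: "pm-batch" },
];
const ciByModel = { "pm-billing": "app-billing-prod", "pm-portal": "app-portal-prod" };

console.log(assessSbom(CVE, cveSoftware, components, entities, ciByModel));
```

    Here pm-batch has no related CI, so it is reported as an affected software model rather than dropped, mirroring the route to application vulnerable items.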

    For more information on using the Vulnerability Crisis Management workflow, see Using the Vulnerability Assessment workspace.