Security analysts gain insights into how well security tools are deployed and covering their assets based on their asset inventory and imported data from service graph connectors and ServiceNow products such as Hardware Asset Management (HAM) and ITOM Discovery.

Security analysts can also create custom policies and configure insights to monitor the compliance of assets with internal security standards. Vulnerability managers can use insights from Security Posture Control (SPC) to prioritize remediation of vulnerabilities on high-risk assets.

The SPC product is based on Cloud Security Posture Management (CSPM) and Cyber Asset Hygiene Management (CAHM). Security Posture Control consists of two applications that are available by separate subscription from the ServiceNow® Store.

With the SPC product, Info-Sec teams can perform the following tasks:

• View security posture insights for your on-premise and cloud assets. SPC helps your Info-Sec teams identify assets that are missing endpoint protection, unmanaged assets, assets exposed to the internet, and any high-risk combinations involving vulnerabilities.
• Monitor your assets for their compliance with internal security tool configuration standards. For example, ensure that the latest version of an endpoint protection product is being used.
• Automate your remediation workflow for the security posture gaps you find with the ServiceNow Configuration Compliance application.
• Create custom policies and insights based on asset metadata, security tool coverage data, and vulnerability data.
• Gain insight into which threats to your assets are mitigated by available mitigation controls based on how various security tools are configured with Mitigation Controls Monitoring.

How Asset Security Posture Management works

Asset Security Posture Management (ASPM) identifies security tool coverage gaps in assets by using API integrations with various third-party tools (Service Graph Connectors) along with ServiceNow products.

ASPM relies on data populated in your CMDB about your assets. The asset data is imported by various categories of monitoring tools and compared to identify any potential security gaps.

For example, say there is asset data populated in the CMDB that is reported by tools that cover infrastructure monitoring and networking tools. However, this data for those same assets is not populated or reported by endpoint protection tools. If you compare the asset data reported by these different tools you can see that there are assets missing an endpoint protection agent.

Asset Security Posture Management identifies security tool coverage gaps in assets by using API integrations with various tools (Service Graph Connectors) and ServiceNow products. Categories include but are not limited to the following:

• Digital Employee Experience
• Discovery
• Endpoint Management
• IT Asset Management
• Infrastructure Monitoring 
• Networking
• Network Security
• Network Performance Monitoring
• Configuration and Patch Management  
• Endpoint Protection
• Cloud Provider
• Application Performance Monitoring
• Directory Services
• Vulnerability Assessment

The Security Posture Control workflow

Identifying security tool gaps involves the following steps:

1. Set up and activate API connections with any of the tools that you are using in various categories. You can use Service Graph Connectors for products that are available from the ServiceNow Store for the API connections that are required. For more information about the supported service graph connectors, see Service Graph Connectors. Supported service graph connectors are available from the ServiceNow® Store with separate subscriptions.
2. Activate the policies shipped with the Security Posture Control application. The Security Posture Control product finds security tool gaps by performing the following tasks:
   1. Identifies the list of all unique assets populated by various Service Graph Connectors in the CMDB.
   2. Identifies assets that are not reported by specific categories from this asset pool, for example, Endpoint Protection. Assets are identified based on the active policy that is being evaluated.
   3. Assets identified as not reported by specific categories are reported as ‘Findings’ or ‘Test Results’ in the Configuration Compliance application.
3. Automatically assign ‘Findings’ to different teams for remediation with the Configuration Compliance application.

High-risk combinations

With Asset Security Posture Management, you can also identify assets that have high-risk combinations. An example of a high-risk combination might show assets that are missing security tools, have critical vulnerabilities, and are exposed to the internet.

Some of the policies shipped with the Security Posture Control application look for these high-risk combinations of critical vulnerabilities and security tool coverage gaps. However, for these combination policies to work, you must have the Vulnerability Response application and at least one vulnerability scanner integration product such as Qualys, Rapid7, or the Tenable Vulnerability Integration application installed. These applications are available with separate subscriptions from the ServiceNow Store.

Mitigation Controls Monitoring

From within in the Security Posture Control (SPC) Workspace, gain insight into which threats to your assets are mitigated by available mitigation controls based on how various security tools are configured. See Mitigation Controls Monitoring for more information.