Vulnerability Crisis Management
Summary of Vulnerability Crisis Management
Vulnerability Crisis Management (VCM) provides a comprehensive workflow within ServiceNow to create, track, and manage critical vulnerability events. It enables customers to assess vulnerabilities, calculate risks, identify impacted configuration items, and coordinate a rapid, cross-team response to threats. VCM integrates vulnerability data with Software Asset Management, Software Bill of Materials (SBOM), scanner reports, and the Configuration Management Database (CMDB) to streamline exposure analysis and remediation efforts.
Key Features
- Vulnerability Assessment Records: Create detailed records capturing threat intelligence, vulnerability characteristics, and affected products to enable impact and exposure analysis.
- Risk Scoring and Assessment: Perform structured risk assessments using initial and updated intelligence to prioritize response efforts based on potential exploitation impact.
- Exposure Analysis: Automatically identify impacted Configuration Items (CIs) and applications by correlating vulnerability data with Software Asset Management, SBOM inventory, scanner data, and CMDB entries. Additional items can be added manually.
- Vulnerable Items Creation: Generate vulnerable item records for uncovered exposure results, with configurable risk scoring to adjust priorities.
- Major Security Incident Integration: Promote or link vulnerability assessments to Major Security Incidents to coordinate remediation activities, engage teams, create tasks, track status, and collaborate effectively using incident management features.
- Software Asset Management and SBOM Logic: Utilize data from Software Asset Management and SBOM to identify affected software installations and components, populate affected configuration items, and create associated vulnerable items or application vulnerable items.
- Access and Licensing: Starting with v1.0.1, VCM is available as a separate subscription via the ServiceNow Store and accessed through the Vulnerability Assessment workspace for entitled customers.
Practical Benefits for ServiceNow Customers
ServiceNow customers using VCM can expect a streamlined, data-driven process for managing vulnerability crises. By integrating multiple data sources and automating the identification of vulnerable assets, VCM helps prioritize and accelerate incident response workflows. The ability to escalate vulnerabilities into major security incidents ensures coordinated remediation and clear communication across teams. Regular status reporting maintains transparency throughout vulnerability events, supporting informed decision-making and reducing organizational risk exposure.
Create and track critical vulnerability events through the Vulnerability Crisis Management (VCM) workflow. Create vulnerability assessment records, record key attributes of the vulnerability to calculate risk, perform assessment to identify exposure level, and engage stakeholders for a coordinated and swift response to vulnerabilities.
Managing vulnerability crisis events
- Efficiently identify vulnerable configuration items by correlating critical vulnerabilities with software installation inventory from Software Asset Management and Software Bill of Materials (SBOM) inventory, scanner-reported vulnerabilities, and Configuration Management Database (CMDB).
- Convert assessment results into vulnerable items for remediation.
- Initiate a major security incident to ensure a swift and coordinated response to the threat.
- Engage and collaborate with teams across the organization, facilitating a unified response to vulnerabilities.
- Provide regular status reports to cross-functional stakeholders and involved teams to maintain transparency and communication throughout the crisis.
Vulnerability Crisis Management using the Vulnerability Assessment Workspace
After the record for a vulnerability of interest has been created, a risk assessment is performed. This assessment comprises structured risk scoring, reviewing the record, and the observations of the analyst performing the task. The initial risk score for a vulnerability of interest is calculated using the attributes available at the time of event creation. The risk score for the assessment may change as additional intelligence becomes available. Use the risk score to determine the potential impact of exploitation and establish response priorities.
After the assessment for a vulnerability of interest has been created and the vulnerability has been determined to present risk to the organization's infrastructure, you can analyze the threat further by updating the risk assessment with an in-depth exposure assessment that uses the software installation inventory from Software Asset Management, Software Bill of Materials (SBOM) inventory, scanner-reported vulnerabilities, and the Configuration Management Database (CMDB). Impacted Configuration Items and Applications are automatically identified through the assessment. Additional impacted items can be added manually.
Once the assessment is completed, Vulnerable Items or Application Vulnerable Items can be created for the exposure results that do not already have an associated vulnerable item. The risk score calculator for vulnerable items can be used or configured to adjust the risk score of vulnerable items linked to vulnerability assessment records. The Vulnerability Assessment record can be assigned an exposure level and an event priority. Based on the event priority, the Vulnerability Event Manager can choose to propose, promote, or link the vulnerability assessment to a Major Security Incident.
Use Major Security Incident Management to track and manage remediation activity, link ongoing security incidents, create ad-hoc tasks, engage affected teams, send status reports and collaborate using collaboration integrations available in Major Security Incident Management.
ServiceNow® Software Asset Management and Software Bill of Materials (SBOM) assessment-processing logic
For Software Asset Management data, the CPEs that come from NVD for the CVE are fetched, and then the discovery models are fetched using string-matching logic. After the discovery models are fetched, a scan for related installations is run, the related configuration items are fetched, and the Affected Configuration Item table is populated. You can provide further details such as Publisher, Product, Version, and Edition. Based on these, all the matching discovery models and the software installations for the record are fetched. Subsequently, the related configuration items are fetched and the Affected Configuration Item table is repopulated.
For SBOM, the software associated with the CVE is fetched from the related (m2m) table between CVE and Software. After the software details are pulled in, the related SBOM components are identified by matching the product and version of the SBOM component to the product and version of the identified software. After the associated components are found, the entities related to the components are fetched. The product model from the entities and the related CI (if found) are fetched, and the configuration item is saved in the Affected Configuration Item table. If the configuration item has no vulnerable items, you can use it to create the vulnerable item. If a configuration item is not found, the product model is saved in the Affected Software Model table and can be used to create application vulnerable items.
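The two correlation paths described above, sketched over in-memory records as an added example; this is not ServiceNow code. The record shapes, field names, sample data and the matching rule (case-insensitive equality after folding spaces, underscores and hyphens) are all assumptions made for illustration.

```javascript
// Added illustration: record shapes, field names and data are constructed,
// not ServiceNow tables or APIs. The matching rule in norm() is an assumption.
const norm = s => String(s).toLowerCase().replace(/[\s_-]+/g, ' ').trim();

// CPE 2.3 formatted string: cpe:2.3:part:vendor:product:version:...
function parseCpe(cpe) {
  const f = cpe.split(/(?<!\\):/); // do not split on an escaped "\:"
  if (f.length < 6 || f[0] !== 'cpe' || f[1] !== '2.3') throw new Error('bad CPE: ' + cpe);
  return { publisher: f[3], product: f[4], version: f[5] };
}

// SAM path: CPEs -> discovery models (string match) -> installations -> CIs.
function samAffectedCis(cpes, discoveryModels, installs) {
  const wanted = cpes.map(parseCpe);
  const ids = new Set(discoveryModels.filter(m => wanted.some(w =>
    norm(m.publisher) === norm(w.publisher) && norm(m.product) === norm(w.product) &&
    (w.version === '*' || norm(m.version) === norm(w.version)))).map(m => m.id));
  return [...new Set(installs.filter(i => ids.has(i.model)).map(i => i.ci))].sort();
}

// SBOM path: CVE -> software (m2m) -> components by product+version -> entities.
function sbomExposure(cve, cveSoftware, components, entities) {
  const sw = cveSoftware.filter(r => r.cve === cve);
  const hit = new Set(components.filter(c => sw.some(s => norm(s.product) === norm(c.product) &&
    norm(s.version) === norm(c.version))).map(c => c.entity));
  const out = { affectedCis: [], affectedSoftwareModels: [] };
  for (const e of entities.filter(e => hit.has(e.id))) {
    if (e.ci) out.affectedCis.push(e.ci);                 // CI found for the entity
    else out.affectedSoftwareModels.push(e.productModel); // no CI: keep product model
  }
  return out;
}

const CVE = 'CVE-0000-00000'; // placeholder identifier
const cpes = ['cpe:2.3:a:examplecorp:example_lib:2.4.1:*:*:*:*:*:*:*'];
const discoveryModels = [
  { id: 'dm1', publisher: 'ExampleCorp', product: 'Example Lib', version: '2.4.1' },
  { id: 'dm2', publisher: 'ExampleCorp', product: 'Example Lib', version: '2.5.0' }];
const installs = [{ model: 'dm1', ci: 'web-01' }, { model: 'dm1', ci: 'web-02' }, { model: 'dm2', ci: 'db-01' }];
const cveSoftware = [{ cve: CVE, product: 'example-lib', version: '2.4.1' }];
const components = [
  { product: 'Example_Lib', version: '2.4.1', entity: 'e1' },
  { product: 'example-lib', version: '2.4.1', entity: 'e2' },
  { product: 'example-lib', version: '2.5.0', entity: 'e3' }];
const entities = [
  { id: 'e1', productModel: 'Billing App', ci: 'app-billing' },
  { id: 'e2', productModel: 'Reports App', ci: null },
  { id: 'e3', productModel: 'Portal App', ci: 'app-portal' }];
console.log(samAffectedCis(cpes, discoveryModels, installs), sbomExposure(CVE, cveSoftware, components, entities));
```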
For more information on using the Vulnerability Crisis Management workflow, see Using the Vulnerability Assessment workspace.