VR Implementation .pdf
Document Details
Uploaded by BrighterRose509
Tags
Full Transcript
Vulnerability Response (VR) Implementation What is Security Operations? A collection of associated security activities that help to maintain the ongoing security posture of an organization, consisting of the monitoring, maintenance, and man...
Vulnerability Response (VR) Implementation What is Security Operations? A collection of associated security activities that help to maintain the ongoing security posture of an organization, consisting of the monitoring, maintenance, and management of the security aspects of the IT estate, and its people, and its processes. Consists of the collective processes, products, and people that provide security to business data and its safe usage, including network enclaves, applications, websites, databases, data centers, etc. Security is not just about preventative measures – it can also be about: o Detective measures – Understanding signs that a security outbreak has occurred. o Corrective measures – containment procedures to invoke post-breach to limit damage. Consequently good security is about being prepared for organizational breaches: o Which security incident do we tackle first? o What do we know about it ? o What should we do about it? o What can we learning from it? This consists of applications and modules built on the ServiceNow platform. Offering the same proven capabilities that supports thousands of organizations today, working in conjunction with other platform functionality. ServiceNow approaches Security operation from both a proactive and reactive approach. From a reactive perspective, many companies are faced with a ton of phishing attempts as well as malware issues and unauthorized access, ServiceNow security incident response application simplifies the process of identifying critical incidents by applying powerful workflow and automation tools that speed up remediation. Vulnerability management covers the proactive activities: so that they don’t become security incidents ServiceNow Vulnerability Response application manages both infrastructure vulnerabilities as well as application vulnerabilities Configuration compliance is another application in the VR suite that focuses on misconfigured software. Security Operations: Security Incident response: Integrates with 3rd party threat detection systems and Security information and Event Management (SIEM) Prioritizes incidents based on business impact Enriches incidents with threat intelligence Automation and workflows reduce manual tasks Improves collaboration between IT, End users, and security team The ServiceNow Security Operations applications suite integrate with an organization existing security tools like firewalls, endpoint security products, or Security information. Also Event management (SIEM) tools to collect and prioritize security incidents, collating security information from different sources to present a single unified picture of the current state, allowing fast analysis and quick decision-making concerning the appropriate response. Whether it is manual tasks or automated workflows Security Operations: Vulnerability Response: Integrations with National Vulnerability Database (NVD) Integrates with various 3rd party vulnerability scanners Identify infrastructure and application vulnerabilities Seamless integration with other ServiceNow functionality Represents a proactive opportunity by reducing the attack surface through understanding and addressing the most vulnerable components of the infrastructure. This toolset works with existing vulnerability assessment solutions (qualys, rapid 7 and tenable) which provides a second set of eyes, marrying up their results to enrich information about existing vulnerabilities. Security Operations: Threat Intelligence: Integrates and 3rd party threat detection systems and Security information and event management (SIEM) Provides information needed to help prioritizes incidents Enriches incidents with threat intelligence automation and workflows reduce manual tasks Relevant Threat intelligence data can be imported directly into the Security incident Response and Vulnerability response application, enriching information about record incidents – providing the very details that security analysts need to make decisions, reducing their need to perform manual mundane lookups. Why have a Security Incident Response Team (SIRT) Dedicated staff that provide analysis, rapid response, and recovery of security incidents to limit damages and reduce the cost of recovery. What was known as IT Security became Data security, with focus less upon who did it and more about what was being secured, with the understanding that security was everyone’s responsibility. Functional team with appropriate skills, these people are known as Computer Emergency response team (CERT) Computer Security Incident Response team (CSIRT) Security Incident Response team (SIRT) Lack of a dedicated team means skilled security activities become disseminated throughout other organization function which become overlooked during normal business-as-usual work, allowing important security incidents to “slip under the radar” and remain undetected for so long. 1.2 Vulnerability Response: Not many manual tasks anymore except for the analysts. Level 0: manual Operations: Using spreadsheets for tracking and email/calls/texts for comms No centralized system for security response leaving teams crossing their fingers and hoping for the best when there is problem. This leads to limited visibility and long response times, as there are thousands of vulnerabilities with no context for prioritization beyond basic scoring like CVSS>. Level 1: automated Prioritization Live with one scanner integration and importing data for critical or high Critical infrastructure/assets defined (about 75%) Assets owner defined for about half of assets for automated assignment Remediation task rules Prioritization by risk score using vulnerability severity Basic exception handing/deferrals Remediation target rules (SLAs) defined Basic visibility into current status (stand reports) Level 2: Improved Remediation: Importing scans for all infrastructure for medium criticality and above CI matching for nearly all assets CI matching for nearly all assets Risk Scoring with basic asset criticality and exploit availability Automated vulnerability assignment for 95% of vulnerabilities Automated re-scans (where supported) Change request integration Reporting with historical trends Level 3: enterprise Risk Trending Importing scans for all scanned assets, with nearly complete (~95%) re-classification and valid owner information Importing all vulnerabilities Other support scanners added if used Risk score adds advanced asset critically with Discovery and Service Mapping Risk score adds threat intel (future) End-to end- deferral and risk Acceptance Risk metrics rolled up to GRC Defining performance goals and forecasting completing with Performance Analytics You can go up and you want to get to the automation stage. The step to step in the maturity level. Explains the different metrics and phases that are involved. Vulnerability Response is not a one-time occurrence, it is ongoing journey. Safeguarding Business assets You can secure what you don’t know about! What assets does the organization have? How are they related? What purpose does each asset serve? What is the business value of that asset? What is the impact were this asset lost or compromised? Who should be monitoring/maintaining this asset? All your assets are managed in the CMDB. Need to make sure all your CI’s are in the CMDB and they are correctly related, and you know exactly what different purpose of each of those are Proper Asset Management and configuration management is essential to effective security. Deviations in normal expected behavior of an individual configuration Item requires the business to understand the wider impact upon the overall infrastructure to correctly categorize and prioritize the response. Lack of an accurate CMDB leads to misunderstanding the “bigger picture” in which the business value of assets and how they all interrelate is unclear: Security teams lack insight into mission-critical business services and applications aligned to underlying infrastructure. Business-critical system components going offline (either scheduled or unplanned) can cost dearly from huge business disruption Lack of asset ownership information hampers investigation and lines of communication SLAs are missed due to misunderstood impact and priority A small fault in seemingly insignificant area may be overlook (for over 200 days) and quickly become a very expensive data breach, with large fines per day the breach remains uncontained (70 days) ; this leads too: Loss of trust and faith internally, retarding moral and eroding productivity Loss of reputation externally, affecting an organization’s ability to continue in business partnership. The CMDB and CI relationships help determine of how vulnerabilities affect the infrastructure. Not only can vulnerabilities be represented visually, but configuration information can be baked directly into the Vulnerability Response process. Terminology Vulnerability: any weakness that allows exploration or an attacker to further reduce security posture. They are the leading cause – 44% of data breaches National Vulnerability Database (NVD) Online repository of vulnerability management data, security checklists, security related software flaws, misconfigurations, product names, and impact metrics List of all the vulnerabilities that are discovered, all the weaknesses that are allowing an exploit to run and attack the network. o Common vulnerability and Exposures: (CVE) ▪ A dictionary of publicly known security vulnerabilities and exposures ▪ Started in 1999 and you can see stuff before that also o Common weakness enumeration (CWE) ▪ A list of software weakness o Common Platform Enumeration (CPE) ▪ A structured naming scheme for IT systems, software and packages ▪ Name systems and machine accordingly amongst the industry. Vulnerability Scanner: Software system designed to perform automated scans/analysis of IT operating, systems software, network devices, and web service against repositories stated above to discover weakness known as vulnerabilities Vulnerability Response vs Application Vulnerability Response Vulnerability Response is, quite simply: The process of identifying, classifying and prioritizing vulnerabilities Deciding upon an appropriate correct response: o Remediation: Fix, change, patch, correct, mend, repair – something that reduces the vulnerability o No remediation: Document the risk to the organization – something that accepts the vulnerability Although vulnerabilities are flaws that affect business assets, this vulnerability must itself be exploited by a threat (such as an email borne work or virus). Similarly, if the cost of remediation outweighs the value of the business value, a secision could be take to justify no remediation and accept the risk (fixing a dripping roof that’s due to be demolished) Vulnerability Response is ineffective if used in isolation, relying not just upon good security operations being present but other processes, and that weaknesses in other processes hampers the effectiveness of Vulnerability Response – and therefor affect the customers overall security posture. It is worth building a series of questions for discussion point concerning this process jigsaw, designed to ascertain organizational readiness for process support outside of vulnerability response: Is there an expectation on team further down the process chain? Are they aware of their responsibilities? Is more training/awareness needed? How would they handle records fed from security-related processes? Infrastructure Vulnerability Response Single system of Record – VIT A single record that captures all collateral related to the infrastructure vulnerability: o Tasks o Attachments o Work Notes o Approvals o Vulnerability Details Record Visibility is restricted to appropriate stakeholders through the means of role-base access controls Vulnerable item record presents an actual occurrence of a vulnerability in the organization, i.e.. An actual affected CI. However, ServiceNow’s Single system of record allows related information to be displayed about that occurrence, allowing progress to be tracked and monitored through the remediation process. Relationships include: Configuration item Vulnerability (sn_vul_entry) Detections Remediation steps Other related tasks Other impacted CIs The vulnerable item table does not extend from the Task table Baseline integrations also include change, problem, and Security incident with ACLs ensuring sensitive information is restricted to those holding certain roles (in the Sn_vul scope) Application Vulnerability Response Single system of record – AVIT A single record that captures collateral related to the application vulnerably based on scanned applications/ Focused on Dynamic application security testing (DAST) data. Vulnerabilities in the behavior of your overall application are identified by a third-party scanner. The application vulnerable item record represents an actual occurrence of a vulnerability of an application. These are generally custom application. These are generally custom applications The application vulnerable item table does not extend form the task table This table is not related to the vulnerable item table Vulnerability response vs Patching Be sure to understand different mindsets a customer might hold, if they are patch management – focus or vulnerability response-focused Vulnerability response focused: Proactive typically grown from a more mature IT/SecOps team, or from business need: Primary focus is on the current state of the environment Tools used: vulnerability scanner (qualys, Rapid 7) Example reports may include: o Vulnerabilities found since the last scan o Vulnerabilities over 30 days old o Vulnerabilities resolved in the last scan o Business-critical vulnerabilities Patch management focus: reactive, typically grown from IT patching/hot fixing practices Primary focus is on patches being available or attempts to apply to existing environments. Tools used: patch deployment tools (Altiris, SCCM) Example reports may include: o Failed patch attempts this week o Installed patches this week. 1.3 Vulnerability Response within the ServiceNow Platform: Scoped application Runs in its own scope to help with security Security Measures: Each application is scoped New application-specific roles Default ACLs restricting access Complications and considerations: Developing within a Scoped app Initial role setup Data security when using global functionality: o Email o Notifications o Workflows Although this encapsulation concept is a great design feature, there are several important considerations when developing within scoped applications: - Verify the correct scope during development work - Functional records in a scope have an Application field displaying the scope - Update sets can only be merged with others in their scope – commit one scope at a time then check - Some development may require working in multiple scopes, so needs additional attention to the order in which update sets are committed - Scripting is limited to the development of Scoped API - Always invoke classes with a scope prefix, e.g. new global.JSUtils() - A script include can be changed from accessible to all scope to only this scope, but not the other way around. - On evaluation, functions are wrapped in an additional scope-checking function, so style and code hygiene is important - Cross-scope table extensions may not behave as expected and are generally best to avoid - Some base platform functionality must remain in the global scope The plugin, once activated, provides several related artifacts: - Application scopes: Vulnerability (sn_vul) and security Support common (Sn_sec) - Tables ~76 in the vulnerability application scope and 82 in the security support common scope. o Task extensions: remediation Task [sn_vul_vulnerability) o Vulnerability Databases: Vulnerability Entry [sn_vul_entry], Common Weakness Enumeration (sn_vul_cwe), national Vulnerability Database Entry [sn_vul_nvd_entry] and Third-Party Vulnerability entry [sn_vul_third_party_entry] - Script include: 67 scripts includes in the Vulnerability application scoped, used a critical design elements Vulnerability Response Teams and Responsibilities Note that SecOps teams are not necessarily positioned at higher levels than vulnerability response teams – both are required to collaborate to meet their organization’s shared security objectives. Tracking, reporting, and Prioritization o Vulnerability response o Corporate risk and compliance Assignment o Vulnerability Response (Team/group) ▪ Remediate vulnerability Remediation o Network Operations o IT Service Desk Vulnerability escalation Investigations o Security Operations Over 351 properties are also provided upon installation of the plugin which affect the behavior of Vulnerability response System properties can be seen by typing sys_properties.list in the navigation filter. To chancge any property, locate in the presented list and modify its value accordingly. Vulnerability Response Workflows: Associate customized workflows to vulnerabilities, or any configuration detail Workflow facilitates collaboration and a consistent process that all stakeholders can follow and use to track response progress. Vulnerability scans for single or multiple vulnerabilities can be automated using the Vulnerability Response – Scan Vulnerability Workflow included baseline, which creates a scan record for the vulnerability or group of vulnerabilities from which it was invoked. There is also a workflow to run a scan on an individual vulnerable item. Approvals to change the Vulnerable item’s state to a terminal state is controlled using the Vulnerable Item State Approval workflow Interaction with other Platform applications Terms and abbreviations: Security information and event management (SIEM), Security Indicdent response (SIR), Vulnerable item (VIT), Threat intelligence (TI), Governance, Risk, and Compliance (GRC) SIEM o A VIT could trigger SIR for further analysis Threat o A VIT is discovered by TI could enrich the VIT record with further details GRC o Keep track of VR activities to demonstrate compliance A mature CMDB helps organization gain visibility into impacts of SecOPs activities upon operational infrastructure, but there are some other components that can also enrich an organization security obscurity: - Service Mapping can correlate SecOps dynamically with key business services, so network changes never create Security Obscurities - Event Management and Orchestration can gain efficiency and reduce reaction times by automating SecOps activities - Performance Analytics can visualize SecOps data, cross-referenced with existing data collections. - Governance, risk, and compliance: Provides the opportunity to align security events with organizational risk and controls, automatically appraising other business functions of potential impact. Knowledge Check: What are the responsibilities of a remediation owner? = No idea >>>>> What are the three core applications in ServiceNow Security Operations? Vulnerability response (VR), Security Incident Response (SIR), Threat Intelligence (TI) Security Champion is responsible for the acknowledgement and assignment of relevant Application vulnerable items (AVI) True 2.1 Definition of Vulnerabilities and Vulnerable items Questions to Ask: Questions to ask regarding the current process within your organization What tools are currently used for vulnerability scanning? Which tools are to be integrated with Vulnerability response? o Is toolset API documentation available? o Who are the toolset SMEs? o DO tools have API call limits? What additional Vulnerability databases are used? What is the current scan schedule? o How long does each scan take? o How long to complete a company-wide scan? Are vulnerability imports going to be limited? o BY what criteria (e.g: severity, CI Fields) A vulnerable item is some sort of recipe that contains two major ingredients, which are on one side vulnerability and the other side your CI. o Vulnerabilities can come from the NVD, the online repository which contains the weakness to CWE, or this vulnerability can come from an external knowledge base hosted on the vendor side o CI is hosted in your CMDB within ServiceNow, and this CMDB can be populated manually by people, can also be added via the service mapping which is a ServiceNow product, also discovery which is another ServiceNow product, or you can also use some third party integration to populate your CMDB with CI. Once you find vulnerability that affects a CI, it becomes a vulnerable item. o Vulnerability data (CVE and CWE records) can be imported from internal and external sources, such as the NVD, either manually on demand or scheduled for regular updates. This vulnerability data can then be compared to CIs in the CMDB to assess which items in a customer’s infrastructure contain exploit flaws and weakness. Important Terms Include: - The national Vulnerability database (NVD) - Common Weakness Enumeration (CWE) - Common Vulnerabilities and Exposures (CVE) - Configuration Management Data Base (CMDB and Configuration item (CI) The main vulnerability XML feeds provide the common Vulnerabilities and Exposures (CVE) data organized by the four digits of a CVE identifier. One exception is the 2002 feed which included vulnerabilities prior to and including “CVE-2002” NVD data feeds are only updated when modifications to the entries change. Ie. Content of that feed has changed. Ex. The 2004 feeds will be updated only if there is an addition or modification to any vulnerability with a starting CVE identifier of CVE-2004- In addition, the recent feeds are a list of recently published vulnerabilities and the modified feeds are a list of recently published and modified vulnerabilities where “recently” and “modified” are defined as the previous eight days. These feeds are updated every two hours. Common Weakness Enumeration (CWE) is a community-developed list of common software security weaknesses which serves as a common language, a measuring stick for software security tools, and as a baseline for weakness identification, mitigation, and prevention efforts. Common Weakness Enumeration (CWE) is a community-developed list of common software security weaknesses which serves as a common language, measuring stick for software security tools, and as a baseline for weakness identification, mitigation, and prevention efforts. When common Vulnerabilities and exposures CVE-ID records are downloaded from the national vulnerability Database (NVD) they could be compared to software in a customer’s network as identified by their Software Asset discovery model. - When a CVE-ID matches a recorded software or configuration items (CIs), a vulnerable item (VIT) is created. Information in the CVE-ID record is used to decide whether to escalate the Vulnerable item (VIT) for remediation. A Vulnerable item (VIT) is the Vulnerability as it relates to a specific Configuration Item (CI), so a VIT cannot exist without a specific configuration item (CI) CVE-ID: the CVE name(s) associated with the vulnerability. CVE (Common vulnerabilities and exposures) is a list of common names for publicly known vulnerabilities and exposures. When a common vulnerabilities and Exposures (CVE-ID) matches vulnerable software or CIs on a network, a Vulnerable item (VI) is created. - Detections are distinct occurrences of vulnerabilities as reported by the scanners of third-party integrations - Vulnerability Response allows the Remedition of Vulnerabilities according to a customer’s security processes. IT is possible to work with Vulnerable items (Vis) directly or from remediation tasks records Hosted in a table called sn_vul_vulnerability details, o Doesn’t extend from the task table o You can see the remediation target. You can see detection, the recap of your CI which is vulnerable and some details about it Remediation Tasks are used to help analysts prioritize vulnerable items and analyze them in bulk The criteria by which groups are formed is calculated so that you do not have manually assign these groups. Using remediation tasks, the analyst can monitor progress and drive the remediation process more efficiently. Remediation Tasks are created as follows: - Automatically using remediation task rules - Manually using one of three options, to add vulnerable items to the task o Add vulnerable items to the task as needed o Use a Condition filter that automatically adds vulnerable items to the remediation task o Use a Filter group that automatically adds vulnerable items to the remediation task. Is a collection of vulnerable item that match a certain type of criteria that you can design? Extends from the task table. So, you create SLA against this remediation task table and all the records in there. Remediation Task – Vulnerable item Roll ups These are various values that are kept on a Remediation Task These are the scripts includes and scheduled jobs that keep all the data in sync. 2.2 Application Vulnerability Response Application vulnerabilities are vulnerabilities on custom software applications scanned throughout the application’s development lifecycle. - It’s very often that a team works together to create, manage, and oversee the management of application vulnerabilities. Three are strategic roles, as well as operational roles, among the team members. In most organizations, you may participate in more than one role and often share roles with others. Application Vulnerability response use 3 user groups containing granular roles: app-Sec manager, Application Security Champion, and Developer. Here we have the application security manager, application security champion, and have the developer that are all working together in order to go through the process of the application vulnerability scanning. When an application is developed you need to go through a lifecycle like the one of top here. From Code to operate Code needs to be tested as early as possible to help lower expenses later. When vulnerability testing occurs later in the lifecycle, issues can be more expensive to resolve. There are several different types of security testing and there are various third-party tools that support each testing type. ServiceNow’s application vulnerability Response application initially focuses on DAST. DAST tools is a program which communication with a web application through the web front-end in order to identify, potential security vulnerabilities in the web application and architectural weaknesses. It performs what we call a black-box test. And unlike static application security testing tool, the dynamic one does not have access to the source code and therefor detect vulnerabilities by actually performing attacks. The application vulnerability response, features imports application vulnerable items which are called AVI’s, and according to some rules allows you to remediate those application vulnerabilities. Similar to the infrastructure vulnerability response, the AVR matches vulnerabilities with items in your environment to create application vulnerable item record. Currently, ServiceNow has a single integration with Veracode to support this feature o The vulnerabilities in Veracode are based on the weakness, the CWEs versus the CVEs. The CWEs are the potential software flaws in the application. When Veracode passes the data into ServiceNow, ServiceNow uses CI Lookup rules and identifies the Scanned Application and/or Application Release. That information is populated on the record. Similar to infrastructure vulnerability response, AVR some of the triage can be automated The resolution of the vulnerability will be managed and recorded in Veracode. Those updates will be pushed to ServiceNow to update the Application vulnerable item table Except for the Assignment group, Assigned to fields and notes, all other fields in the AVI are read only. Scanned application: are populated from the integrated scanner – such as Veracode. After they are populated, additional configuration is needed. The scanned application table {sn_vul_app_scanned_application] is a CMDB table. It extends from application [cmsb_ci_appi] Scanned applications often correspond to Mapped Application Services in the CMDB, and these dependencies can be valuable source of information for assignment and risk scoring. To update a Scanned Application, navigate to Application Vulnerability Response > administration > applications. ServiceNow doesn’t expect you to modify this schema, however, you can use it in order to troubleshoot things Use this if your organization doesn’t use Veracode for the DAST testing. Then you may use this to build your own integration The input flow on my screen is what is used in the baseline integration and might be helpful if you want to develop your custom integration for application vulnerability scanning. 2.3 Qualys integrations and Store Preview Items on the app store may be built by – and supported by – the vendor that created the app. If the integration app was developed by the vendor, then support should be provided by the vendor. Qualys is a popular scanner used by many organizations. They have partnered with ServiceNow to offer seamless integration with the platform CMDB to keep it updated in real-time with assets and attributes discovered by Qualys. When the Qualys scanner detects vulnerabilities, that data is imported to Vulnerability Response for tracking, prioritization, and resolution. Customers using the Qualys Cloud Platform to detect vulnerabilities can integrate it which Vulnerability Response. When the third-party Qualys scanner detects vulnerability data, and that data is imported to vulnerability Response for tracking, prioritization, and resolution. - After the qualys Cloud Platform plugin is activated, various settings need to be configured to make data retrieval more flexible and scalable. - Qualys has schedule jobs that query and load Qualys scan in the ServiceNow instance. - Qualys Plugin for the ServiceNow configuration management Database (CMDB) system - Qualys plugin for the ServiceNow CMDB synchronizes Qualys IT Asset Discovery and classification with the ServiceNow CMDB system. QID: The unique Qualys ID number assigned to a vulnerability. Note the use of QID numbers for Vulnerability definition The QID information imported from Qualys is put in the third-parry Vulnerability entries {sn_vul_third_party_entry] table. The third – party vulnerability entries table is extended from the Vulnerability table, and the third-party table contains fields that are not in the vulnerability table. When the Veracode plugin is installed, there is a configuration record and 3 integration records populated in the instance. Only one of the integration records is active. This is the one that will populate the Scanned Applications table in ServiceNow. This should be run first. Then the organization needs to update the department, business unit and supported by fields on this table. These fields were discussed on a previous slide. After those updates have been made and any triage rules have been generated, then the other two integrations can be activated and run. The other two integrations will populate ServiceNow with Vulnerabilities found by Veracode. During the creation of AVIT records, the data on the scanned applications and the triage rules will be leveraged. That is why those steps need to occur before the vulnerable item integration and the scan summary integration can be run. 2.4 Scanner Integration Qualys integration Asset management – Default Behavior The qualys host detection integration queries hosts from qualys and runs a qualys host transform to insert and update corresponding CIs into the ServiceNow CMDB. The transforms target the CMDB Ci base class of the CMDB ad primary populates the class name, CI name, DNS name, fully qualified domain name and the IP address. The vulnerability management plugin also adds and populates a qualys ID, a qualys host ID, and create a filed called created by qualys to the CMDB_CI. o The transform will update a CI with the value provided by qualys that it switches and located by a search sequence. o The search and the population logic used by the transform is located within the script include entitles qualys util and qualys simple CI transform. When data is imported from a third-parry integration, Vulnerability response automatically uses host data to search for matches in the Configuration Management Database (CMDB). It does this using CI lookup rules. These rules are used to identify configuration items (CIs) and add them to the vulnerable item record to aid in remediation. You can also create configuration items in the Configuration management database using the IRE for identification and reconciliation engine API. By using this IRE API to create your CI’s, you can prevent duplicate CIS from being created and you can reconcile CI attributes by allowing only authoritative data source to write to the CMDB When an integration, such as qualys is installed the default CI Lookup Rules will be populated on the CI Lookup Rule table. The CI Lookup rules module contains rules that define what fields have matching data in the configuration management database( CMDB) The rules provided with the baseline are provided as examples of data that can be compared to find a match Organizations need to fine tune these rules to increase the likelihood that an incoming scan record will be matched with an existing CI. To ignore some configuration items (CI) classes, for example Load Balancer {cmdb_CI_lb], when running CI lookup Rules, set the IgnoreCIClass [sn_sec_cmn.ignoreCIClass] system property. When incoming scans do not find a CI match, then an entry is made in the discovered items table. These unmatched entries need to be resolved. 2.5 Software Exposure. Exposure Assessment is a module in the Vulnerability Scanning section of the Vulnerability Response application. This module works in conjunction with ServiceNow’s Software Asset Management Application. SAM foundation or SAM pro must be implemented. Vulnerable Item records are created for each of the identified items on the Exposure Assessment record. These are all grouped into a single remediation Task Vulnerable items in the task can be separated into other tasks if desired. VRI module 2: Knowledge Check Detections are distinct occurrences of vulnerabilities as reported by the scanners of third-party integrations. True What are the components of application vulnerability response? Extends from the vulnerable item table Business rules are separate from Vulnerable Item Business Rules. What are the properties of a Vulnerable item? Does not extend from Task. 3.0 Tools to manage Vulnerability 3.1 Vulnerable items – Automated Triage. Questions to Ask: Current Processes What are the rules for vulnerability assignment? o Which groups(s) are responsible for triage and prioritization of vulnerabilities? o Which group(s) are responsible for which Vulnerability Remediation? What is the authoritative source for your CMDB if not ServiceNow? What fields influence the severity of the Vulnerability upon a CI? How is business impact factored into calculations? Some point to raise with customers What data need to be seen for vulnerabilities or vulnerable items? o E.g. Results, threat, proof, solution, etc. will these fields need to be added? Is there a requirement to enter VITs manually o Are there any other specific fields needs for manual entry? o What happens to VITs associated with previously unknown CIs o What is the process for reconciliation of these CIs o Is a structure needed to assist this reconciliation (modules, reports, etc) Is there a requirement to add the vulnerable item related list to any particular CI types? Organizations are encouraged to automatically assign remediation tasks to the functional group managing it using specific condition or values in the Vulnerable Item record. The assignment rules will set the Assignment group on the vulnerable item record it is first created in ServiceNow. Baseline, assignments could be done using one of 3 options provided: Assignment group – select a user group from the lookup table Assignment group field – select a user group filed from the drop-down menu Script- create or edit a script Assignment rules: Where you can configure how you want to configure your assignment based on multiple criteria that you can choose from to assign your vulnerable item or your remediation task. You can choose how you want to remediated based on the assignment group, support group, and approval group. Configuration Steps: Make sure all plugins are activated: Vulnerability response – version 12.1 or higher Predictive intelligence Vulnerability assignment recommendation Update the predictive intelligence classification record for Vulnerability Response: Navigate to Predictive intelligence > Classification > Solution definitions and open the record Vulnerable Item assignment. Update the conditions to identify the good data to “train” the system For more information on Predictive intelligence, check out Now learning One updated, click the activate and train button Update the vulnerability assignment recommendation record. Navigate to Vulnerability response > Administration > Assignment recommendation. Check the enable assignment recommendations box and save the form To automate or not to automate: Automated VIT assignment should be handles with care due to the nature of VIT generation This requires extensive testing before moving from DEV or Test to Prod. o Recommended to automate to make sure that your assignment is being made in almost real time for you to save a lot of time. Obviously, al this automatic assignment requires some extensive testing before you deploy this into production Testing Notes: Setup and test assignment and notifications rules, no matter what the environment (dev, test, etc.) Work with the teams that will be assigned work before that work is assigned, ensuring they are aware of their responsibilities. Best practices dictates that assignment should always be managed at the RT level and the assignment group and Assign to fields be removed from the VIT record or at the very least made read only. Vulnerability prioritization – Severity Method Vendors typically set severity based on the CVSS score CVSS-based prioritization is flawed. What are Threat actors targeting? Threat actors frequently pay attention to the scoring of a vulnerability and regularly exploit lower-ranked vulnerabilities CVSS score: What is included What is not included? Using the CVSS score for prioritization of vulnerable items in your environment is a good start but may not consider the bigger picture. Remember, the CVSS score does not take into consideration the company’s business priority, and thus mis prioritize vulnerabilities. Vulnerability response severity mapping transforms third-party severity fields to recognizable fields in Vulnerability Response. Since each third-party scanner has their own terms to describe severity. ServiceNow normalizes these different terms using the Normalized Severity Maps module Customer could adjust these values as needed buy its not necessary/recommended Risk score calculation is dynamic. Using the default risk rule calculator, the risk score and risk ating takes into account many of the variables mentioned on the previous slide. Each organization could then adjust the default risk rule weights. Vulnerability severity considers the normalized CVSS score The next 3 parametes are around the exploit – has it occurred, what skill level is required and what is the vector Business ciritically ties the rating back into your organization’s service ratings CI expousre considers whether the device is a stand alone or has internet access. Vulnerability calculators can be built to prioritize and rate the impact of vulnerable items based on any criteria by using condition filters. Whether it is the business impact of the vulnerabilty, the class of the configuration item (CI), or the age of the vulnerable item, you can create additional vulnerability calculators to set other fields on vulnerable items. Each calculator contains a list of calculator rules, with a condition determining when to apply it. When the calculator is run, the condition for each calculator rule is evaluated in order, and the first matching calculator is used. Notifications: Baseline, there are serveral notifications for vulnerabilities and vulnerable items As with all use of noticiations, discretion is the better part of valor Recommend to use the notification via the platfomr rather than using the emails. Be aware of overburdening approvers with emails to the point they ignore them. You can create your own notificaitons rule based on a lot of things that can happen inside the instance, such as getting a new vulnerable item which is created, a new remediation target rule which will be soon arriving to a time when you need to remidiate. Remediation Target Rules. Set for Vulnerable Items Remediation target rules define the expected timeframe for remediating a vulnerable item, mcuh like SLAs provide a timeframe for remediating the vulnerability itself. EX, if an asset contains PCI data (credit card data) then the vulnerability on that item needs to be fixed within 30 days according to PCI DSS. Vulnerability managers can create remediatin target rules by defining: The remediation target The reminder target A reminder and notifications recipietns – Who should be notified when the vulnerable items (VI) are past the reminder of remediation target date and have not been remediated. Very useful when you have to remediate your vulnerable item when you basically are tied to an external regulatory such as a PCI DSS where you have to scan every 3 months and make sure that you are compliant. Closing Vulnerable items: Vulnerable items can be resolved manually. They will be closed by the scanner Treat closing vulnerability items the same way incidents are closed – report remediated vulnerabilities but ultimately the scanner confirms/denies the final result Compare subsequent scans to verify closure Set up Auto-close parameters to hangle stale detections When the rules are created from the modules in the Application Vulnerability Response section, then they will automatically be set to work for AVIT records. Rules that are created from the modules in the Vulnerability Response section will be automatically set to work with the VIT records. To ensure that vulnerable items are processed correctly, you can define a Service Level Agreement (SLA) for Vulnerability Response remediation tasks. The SLA definitions in this list are a subset of the platform SLA list, specific to Vulnerability Response. By default. There are no pre-configured SLAs for vulnerability. To configure SLAs, navigate to Service Level management > SLA > SLA Definitions 3.2 Vulnerability Grouping using Remediation Tasks Grouping Strategies – Manual and automated?? Different manual methods: Grouping manually Grouping by Condition Using Filter Groups Consider: Grouping is dependent on customer response(S) Keep responses/processes and reporting in mind when determining grouping strategies Groupings are malleable Grouping vulnerable items has many advantages. You can remediate vulnerable items in bulk by using tasks. You create tasks containing specific vulnerabilities (the default rule), or you can organize by department or assignment group, or even create monitoring tasks comprised of other tasks. Vulnerable items can belong to more than one remediation task giving you the flexibility to actively collaborate with one tasks and monitor another. It all depends on your organization needs. It is recommended that an organization takes advantage of Remediation Task Rule before using manual methods. You can remediate your vulnerable item in a bulk using task, using those remediation tasks. You can create a tasks that is containing a specific vulnerability, and that will be the default rule. Or you can organize it by department or assignment groups Vulnerability Grouping Strategy: Remediation Task Rules Step 1: o Identify which vulnerable items to include in the task o Using condition builder Step 2: o Determine how to group them – based on what fields – select key value Step 3: o Determine the assignment group for the remediation task When considering Remediation Tasks, you first option should always be Remediation Task Rules. The output of workshops should include a set of grouping strategies that can be used to configure the automated process. Before Remediation Task Rules are deployed in a production environment, implementers should: Check the design of the groupings Determine if the workshop captured and defined appropriate groupings Allows implementers to verify the effectiveness of these groupings to meet the customer’s requirements Grouping options The default options are the fields on the Vulnerable Item Table However, grouping can be done base on the fields of the CI identified on the Vulnerable Item or fields on the vulnerability (aka, CVE, QID, etc.) Assignment options: Options available in the assignment area depend upon choices in the Group by section. o If no group is identified in the group by section, then the option “group by field” is not available o If “-none” is select, then the remediation task will be created without an assignment group. o The third option is to assign the Remediation Task to a specific user group Creating a remediation task manually is done when you want to group vulnerable items by something other than the Remediation Task Rules Criteria. This approach is likely the way to go for a customer with relatively low maturity level Role Required: sn_vul.admin The condition builder constructs a condition statement with a series of contextually generated fields. If you decide to group your vulnerable item in a remediation task, you can also use here the condition builder that is using the three things that exist in a condition builder, which is the field, the operator, and the a value to work with this operation (short description, etc.) Field: a choice list based on the table and user access rights. Use dot-walking to access fields on related tables Operator: a choice list based on the field type. For example, in the incident table, the greater than operator does not apply to the active field, but it does apply to the priority field Value: a text entry field or a choice list, depending on field type. For example, in the incident table, the Active Field offers a choice list with the values true, false, and empty, while the short description field offers a text entry field. Vulnerability Group Strategy: by Filter Group Filter Groups can also contain previously-define filter groups themselves. Shown here is a example of how a filter group is selected to define the Remediation Task. Are an easy way to set up filters to be reused across various Security Operations functionalities including remediation tasks Security operation > Groups > Filter groups Filter must be based on VIT Table 3.3 Solution Management: Resolving vulnerabilities within an organization requires participation from two distinct team, the security team which identifies the problem and research possible solutions, and the IT team which maintains CIs. In many organizations these teams work independently of each other possibly adding time to the remediation window The vulnerability Solution Management give companies access to Microsoft Security Response Center solution data which investigates reports of security vulnerabilities affecting Microsoft products and services and provides information to help manage security risks. Vulnerability Solution Management correlates your vulnerability exposure with solutions to show the most impactful remediation activities for your organization and monitor their completion. Provides automated correlation of Microsoft solutions with vulnerabilities. It identified the top solutions by their risk reduction and solution supersede (which one to use). It tracks deployment progress against due dates and are tied to vulnerability remediation targets (SLAs). IT also provides reporting metrics to VR dashboards to easily view progress. Comprehensive deployment metrics for remediation tasks and vulnerability entries are included in Vulnerability Solution management under remediation status in vulnerabilities, vulnerable items Easily idneitfy which remediation tasks or vulnerability is slowing remediation progress Drill down into how the vulnerability is identified, or what aspects assets may be causing the remediation issue. Automatically correlates the vulnerabilities in your environment with the Microsoft Security Response center and Red hat solutions that could remediate them. Identify the remediation actions that apply to your vulnerabilities and prioritize them by the greatest reduction in vulnerability risk There is no charge for either of these solution sets. Vulnerability solution management is available within the Vulnerability response application by separate subscriptions Knowledge Check: What ate the options available on Assignment group filed on an assignment rule Configuration item: Approval Group Configuration item: assignment group Configuration item: Support group What is not a vulnerability grouping strategy? What all plugins need to be installed for assignment recommendations? 4.1 Handling Vulnerability Exceptions Questions to ask: Why would VITs be exempt from remediation? o What criteria, cost, risk factors, etc. What does the current exception process look like? o Who decides, authorizes, etc. o What are the Risk Accepted and/or Remediation Exception processes? o Are there considerations for “False Positives” in this process? Who/what needs to know about exceptions? o Appraisal/ notification methods What SLAs related to Vulnerabilities currently exist? o What targets are sets, and why? o If none currently exist, consider discussing them during an early workshop. What qualifies as a False/positive Does the customer have the ServiceNow GRC Application installed. A false positive is a condition wherein the scanner reports that a vulnerability exists in the systems but in reality, there is no vulnerability. There can be multiple reasons like incorrect classification improver logic algorithm in the scanner. The remediation owner can mark vulnerable items (Vis) or Remediation Tasks (RTs) as false positives. One a VI or RT is marked as a false positive, the states is updated to close and substrate is change to false positive. The substance is the in the filed labeled reason, then technical name of the field is substate The following actions can be performed: Reopen Delete Update the date in the Until field. This date is then used as the expiry date for the false positive. Bulk edit can be performed with the bulk Edit UI action button at the top of the vulnerable items list view. Exception Processing Alternatives: Vulnerability Response only Two-level approval workflow This is the default process Existing vulnerable item state approval workflow has been updated Exception Rules VR + GRC (governance, risk, and compliance) Requires the implementation of GRC: policy and Compliance Integrates wit the GRC policy to the vulnerable item exception Leverage the compliance approval process flow Use the GRC policy exception management capability within the Vulnerability Response application to eliminate manual reporting. When your organization cannot comply with a published vulnerability management or security policy, standard, or guideline, you can request an exception. Exception management entails requesting, reviewing, approving, or rejecting exceptions to a vulnerable item (VI) or remediation task (RT) that cannot be remediated according to the policy. Risk acceptance is when you acknowledge and agree to the consequences of not remediating vulnerability. Remediation is when you resolve a vulnerability and mitigate its risk. So Vulnerabilities might not have an existing patch, fix, or solution. Request exceptions using the policy exception integration with Policy and Compliance management provides the following benefits: Perform assessments to gather additional information about the requests Request exceptions based on a specific policy or control objective. This action shows the effects on compliance when an exception is approved Configure approvals to be triggered automatically based on the risk rating, policy, or control objective associated with the policy exception. By default, Vulnerability response is set to process exceptions using only the Vulnerability response two level process. This can be changed in the vulnerability response application from the Vulnerability response > administration > exception management module. IF the GRC policy and compliance application is installed, then the option manages exceptions using GRC will be available. This record also allows the customer to set the default duration for an exception Exception Rules: Configure o Set Dates o Set conditions o Set Approval groups Approval – Workflow driver New remediation task is created Notifications are sent Exception rules are only valid with non-GRC Vulnerability response 4.2 Vulnerability Response and Change management Since fixing vulnerabilities before they could be exploited is one of the main objectives in vulnerability response, timely change management is essential. Create a change request As an IT remediation owner, create a change request (CHG) directly from a remediation task (RT) for all the vulnerable items in the task. Create a change request with pre-populated information that includes the preferred solution to expedite your investigation for vulnerabilities that require manual intervention. You can create a change request as a remediation owner directly from a remediation task for all or part of the vulnerable item that are in that task. Change scope o All active vulnerable items o All active vulnerable items based on conditions Type of change o Emergency o Normal o Standard Add CIs to change o Also control state change Editable preview If a decisions is made to create a change request from a subset of the vulnerable items in a remediation task, then those items will be moved to a new remediation task The new task will have the same name as the original Remediation task. A note is made in the activity log of both remediation tasks that vulnerable items have been moved. Hyperlinks to the tasks are included in the activity log. You can split your remediation tasks that has multiple vulnerable items in there. Once again, when you split your remediation task , you will be presented with the condition builder, to specify the criteria on which you want to split these remediation task. Sets RT state based on the collective state of all change requests that are related to Remediation Task When multiple change requests are associated to a remediation task, the logic will use the change request in the earliest state to determine the Remediation Task state. Flow design lets process owners use natural language to automate approvals, tasks, notifications, and record operations without coding. Goes from top to bottom, using one end trigger and one or multiple action. You can also create sub flows. And you can connect to existing workflow if its also necessary here. Section 4 Knowledge Check: When multiple change requests are associated with a Remediation task, the logic will use the change request in the earliest change to determine the remediation Task State. True What are the best practices when designing flows? Connect to existing workflows if necessary Discuss with customers internal processes primed for automation Select all that apply for false-positive processing. 5.0 Vulnerability Response Data Visualization: 5.1 Data Visualization Requirements Questions to consider: What reports are currently used? o Who uses them, and for what reasons? o How do they obtain these reports? o Can a sample set be provided? What new reports will people want ot see? o What does this information tell them? 5.2 Baseline Components: Vulnerability response overview dashboard (vulnerability Management) Provides an executive view into vulnerabilities and vulnerable items, helping the vulnerability admin pinpoint area of concern quicky. When the Performance Analytics – Content Pack – Vulnerability Response plugin is activated, users with certain roles can view data of interest to the chief information Security officer (CISO), Vulnerability managers and analysts. Monitoring vulnerability remediation involved viewing trends, managing risk, and monitoring assignment groups. You can review high risk issues, assignment group workloads, deferrals and, reoccurring vulnerabilities. This is a partial list of baseline reports that come out of the system. If you want a complete list of the reports in your instance that are in the vulnerability Response scope, then take the following steps: In the app Nav enter sys_metadata.list Then filter the results by o Application I is I Vulnerability Response o Class I is I Report 5.3 Supplemental Options Performance Analytics Can provide analysis to enable timely decision making. IT also provides insight into leading indictors that influence the health of a process. Adds trending information to processes. This allows you to act on performance degradation, resulting in improved performance across all processes. Performance analytics provide insights into the performance of your process, you can take action on any change in performance throughout the month, rather than reporting on missed objectives at the end of the month. Reporting: Provides an analysis of what has happened o EX) how many vulnerable items were closed last week. o Operational reporting measures lagging indicators. (output from a process) Service Now Performance Analytics supports performance management to ensure Service Objectives are consistently met by providing actionable insight in the performance of the organization. Performance management is a process by which organizations align their resources, systems, and employees to strategic objectives and priorities. Indicators, also known as metrics, business metrics, or KPIs are statistics that businesses track to measure current conditions and to forecast business trends. In general, not just performance analytics, there are also two types of indicators, There are the leading indicators, that are focusing on the input that is required to achieve an objective, and the lagging indicator, which measure the output of the activities Leading indicators are harder to measure than lagging indicators, which is why most reports only show lagging information. The strength of leading indicators is that they are easier to influence than lagging indicators. This is how the standard PA plugin uses roles and what the application looks like. Note that Vulnerability Analytics, not the full PA suite, comes with the license, so they will not be getting the full depth and breadth of PA. Performance Analytics fills the gap between operational, real time information and month SLA type reporting. Key to performance Analytics is the fact that it will tell you in advance, so you can adjust your actions to accomplish a desired outcome. Section 5 Knowledge Check : One is wrong What are the baseline dashboards in Vulnerability Response? Vulnerablitiy Remediation Vulnerability Management (PA) Analysts do not need reports that displays clear priorities False Managers need aggregations for priority and workload False
