Critical elements of implementing Vulnerability Response in ServiceNow
ServiceNow was built as a platform. We can see this heritage in all products running on the platform: all of them are highly configurable to adjust to any customer's needs. This sounds amazing, doesn't it? In reality, it is a lethal feature of any software.
I have seen many implementations of Vulnerability Response where a customer transforms his XLS approach into a £0.5M product with very similar functionality and outcome. The implementation partner just did what it was told, and the actual value of the investment disappeared in the wrong implementation.
As a customer, it's crucial to adopt a strategic approach to your vulnerability management process and fully leverage the purchased solution. Let's delve into the critical elements that can make your investment truly worthwhile.
CI lookup rules
Every vulnerability is related to a particular CI (asset). To leverage the knowledge about assets stored in the ServiceNow CMDB, you must adequately match them with the assets reported by your vulnerability scanner. CI lookup rules help you do that. Do not expect miracles: the level of success depends on the quality of the CMDB, and if that quality is poor, you will need to work closely with the CMDB team to improve it and help them use your scanner data to do so. Unmatched CIs are an excellent source for the CMDB team to create new CIs or match them with existing ones.
Assignment rules
Every vulnerability (Vulnerable Item) needs an owner. The owner is not someone from the vulnerability analyst team but the person or team responsible for fixing it.
Risk Score
Use Risk Score!!! Yes, you have a nice score from your scanner, but the ServiceNow risk score gives you another layer of flexibility. It can include knowledge about the asset or information from vulnerability intelligence systems, or anything else you believe is important for prioritisation in your organisation specifically.
Remediation Task (Grouping rules)
You should never address vulnerabilities one by one. I assume you have millions of vulnerabilities loaded into the ServiceNow module, so you have to take them in batches. How the vulnerabilities need to be grouped depends mostly on how patch management and patch deployment work. Ask your IT Operations team how they need to receive the remediation tasks. You create these tasks for them!
Do I need all vulnerabilities in ServiceNow?
This is a good question. I say yes, but I would leave out the informational level. Even if you do not want to take any action on low-priority vulnerabilities, you still want to see how they get fixed, because the regular patch deployment process will fix them. Never defer vulnerabilities indefinitely; I hope nobody in cybersecurity would advise such an idea. Suppose a vulnerability has zero effect, or is even a false positive. In that case, you can customise your risk scoring to suppress such a vulnerability, or mark it as a false positive in your vulnerability scanner. You should never ignore any vulnerability. Yes, there can be reasons why you need to postpone a fix.
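To make the Risk Score, Remediation Task grouping and suppression points above concrete, here is an added Python model of that logic. It is not ServiceNow code or schema: the field names, weights and sample vulnerable items are constructed assumptions for the illustration.

```python
from collections import defaultdict

# Constructed sample: vulnerable items after CI lookup, enriched with CMDB
# attributes and vulnerability-intelligence flags. CVE ids are placeholders.
VULNERABLE_ITEMS = [
    {"id": "VIT001", "cve": "CVE-EXAMPLE-1", "ci": "web-01", "scanner_score": 7.5,
     "ci_criticality": "high", "internet_facing": True, "exploited": True,
     "patch": "KB-A", "group": "Web Ops", "suppressed": False},
    {"id": "VIT002", "cve": "CVE-EXAMPLE-2", "ci": "web-02", "scanner_score": 7.5,
     "ci_criticality": "high", "internet_facing": True, "exploited": True,
     "patch": "KB-A", "group": "Web Ops", "suppressed": False},
    {"id": "VIT003", "cve": "CVE-EXAMPLE-3", "ci": "db-01", "scanner_score": 9.8,
     "ci_criticality": "low", "internet_facing": False, "exploited": False,
     "patch": "KB-B", "group": "DB Ops", "suppressed": False},
    {"id": "VIT004", "cve": "CVE-EXAMPLE-4", "ci": "test-01", "scanner_score": 5.0,
     "ci_criticality": "low", "internet_facing": False, "exploited": False,
     "patch": "KB-C", "group": "DB Ops", "suppressed": True},  # confirmed zero impact
]

CRITICALITY_WEIGHT = {"high": 15, "medium": 8, "low": 0}  # assumed weights

def risk_score(vi):
    """Organisation-specific risk score: the scanner score is only the base;
    asset context and intel move the item up, suppression drives it to 0."""
    if vi["suppressed"]:
        return 0  # still tracked, never deleted: a patch cycle will close it
    score = vi["scanner_score"] * 10           # CVSS-style 0-10 -> 0-100 base
    score += CRITICALITY_WEIGHT[vi["ci_criticality"]]
    score += 10 if vi["internet_facing"] else 0
    score += 20 if vi["exploited"] else 0       # known exploitation from intel
    return min(int(score), 100)

def remediation_tasks(items):
    """Grouping rule: one task per (assignment group, patch), ranked by the
    highest risk score in the batch, so IT Ops receives patch-sized units."""
    batches = defaultdict(list)
    for vi in items:
        batches[(vi["group"], vi["patch"])].append(vi)
    tasks = [{"group": g, "patch": p, "items": [v["id"] for v in vis],
              "risk": max(risk_score(v) for v in vis)}
             for (g, p), vis in batches.items()]
    return sorted(tasks, key=lambda t: t["risk"], reverse=True)

if __name__ == "__main__":
    for task in remediation_tasks(VULNERABLE_ITEMS):
        print(task)
```

Note how the CVSS 9.8 finding on a low-criticality internal host ranks below the 7.5 findings on exploited, internet-facing web servers, and how the suppressed item stays in the queue at risk 0 rather than disappearing.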
Finally, the recently created workspace gives you many insights into your vulnerabilities, and new dashboards can be created based on your organisation's needs.
If you need to know more, let me know.