
Inside the Barrel

Bye-Bye Breaches: 5 Keys to a Successful Vulnerability Response Program with ServiceNow and Cask


Many recent data breaches and hacks (Equifax, Sony, the Broadcom Wi-Fi chip) occurred because a known vulnerability was exploited. These weren’t zero-days or recently discovered vulnerabilities, but ones that were months, and sometimes years, old. Of course, once the breach occurs, we hear that it could have been prevented had the company patched the vulnerability. But by then it’s too late and millions of people have been affected.

Sometimes, it isn’t quite as simple as applying a patch. There can be many factors at play: the vulnerability doesn’t seem to be a major threat, IT was too busy, the device couldn’t be located, or the issue was overlooked by everyone involved.

Attackers know that companies simply can’t mitigate or remediate every vulnerability, so they continue to search out and exploit them. When they’re successful, they gain access to highly sensitive information and can have devastating effects on a company.

So, what can a company do to avoid becoming the next big data breach? Here’s where the keys to vulnerability response success come into play.

Key 1: Asset Discovery with ServiceNow

One option for asset discovery is to use a vulnerability or network scanner. This may work in the beginning, but it doesn’t provide all the information needed to establish a full asset discovery program. The ServiceNow Configuration Management Database (CMDB) can fill in these gaps. It’s a series of tables containing all the assets and business services the company controls, along with their configurations. Configuration items such as computers and other network devices, software licenses, and business services are all represented. Even better, the CMDB automatically integrates with every application and feature built on the ServiceNow platform, which makes it rich in functionality and value.

Now you can get all the assets on your network in one manageable place, making it easier to prioritize and assess if any have fallen through the cracks.

Figure 1 below shows an example of a Configuration Item (CI) in ServiceNow. ServiceNow gathers some very important information about an asset, such as its name, tag, location, model, who it is assigned to, its specifications, its status, and which group supports it.


Figure 1: Demo information of a Configuration Item from the CMDB

Because the CMDB information is automatically integrated with the vulnerability application, the group assigned to a vulnerability can see exactly which asset needs the patch and the details of that asset. This can result in a faster resolution because the remediation group no longer needs to research which asset is affected and where it’s located.

Key 2: Centralized Vulnerability Database with ServiceNow

The next key to a successful vulnerability response program is a centralized database where all vulnerabilities are stored. When the vulnerability scanner (Qualys, Nexpose, Nessus, etc.) runs a new scan, the scan data is imported into the ServiceNow Vulnerable Items module. Because vulnerability data, both old and new, is stored here, you don’t have to go back to each individual scan to assess what it found.

Figure 2 below shows a demo of vulnerable items in ServiceNow. The list view can be customized to show valuable information for each vulnerability. Here, the view has been customized to show the short description, the configuration item, the priority, the group assigned to the vulnerability, the state of the vulnerability, the Common Vulnerabilities and Exposures (CVE) identifier for the vulnerability, and when the vulnerability was first and last found. Right away we can monitor the vulnerabilities and the remediation progress.


Figure 2: Demo information of vulnerabilities found in the vulnerable items module

When a vulnerability is imported into ServiceNow, it can be automatically assigned to an assignment group based on the configuration item. Once this happens, ServiceNow can notify the group automatically or on their next login. Security no longer needs to email IT a long list of vulnerabilities to remediate.

Nor does Security need to email the assignment group for status updates. With ServiceNow, Security can monitor the progress of each vulnerability: they can see whether the assignment group has applied the patch, whether an exception has been requested, or whether nothing has been done at all. If the patch hasn’t been applied within a given number of days, ServiceNow can send automatic notifications directly to the assignment group.
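As an added example (not part of this post, and not Cask’s or ServiceNow’s code), the plain JavaScript below sketches the import step described under Key 2: findings from successive scanner runs are merged into one vulnerable-item store keyed by configuration item and CVE, first-found and last-found dates are maintained, items a later scan no longer reports are closed, and each new item is assigned to its CI’s support group from a CMDB extract. It runs under Node.js without ServiceNow’s Glide APIs; the CI names, group names, CVE ids, dates and the `supportGroup` field are all constructed placeholders.

```javascript
// Added example (not Cask's or ServiceNow's code): merge the findings of
// successive scanner runs into one vulnerable-item store keyed by
// (configuration item, CVE), keep first-found/last-found dates, and assign
// each new item to the CI's support group from a CMDB extract. Plain Node.js;
// ServiceNow's Glide APIs are not used. CI names, group names, CVE ids and
// dates are all constructed placeholders.

// Constructed CMDB extract: CI name -> support group (field name assumed).
const CMDB = {
  "web-prod-01": { supportGroup: "Web Platform" },
  "db-prod-01": { supportGroup: "Database Ops" },
};

// Constructed output of two scanner runs, reduced to the fields this example
// needs. scannedCis lists every CI the run covered, so that a CI missing from
// a run's findings can be told apart from a CI that simply was not scanned.
const SCAN_RUNS = [
  {
    scanDate: "2019-05-01",
    scannedCis: ["web-prod-01", "db-prod-01"],
    findings: [
      { ci: "web-prod-01", cve: "CVE-0000-0001", cvss: 9.8 },
      { ci: "db-prod-01", cve: "CVE-0000-0002", cvss: 5.3 },
    ],
  },
  {
    scanDate: "2019-05-08",
    scannedCis: ["web-prod-01", "db-prod-01"],
    findings: [
      { ci: "web-prod-01", cve: "CVE-0000-0001", cvss: 9.8 }, // still present
      { ci: "web-prod-01", cve: "CVE-0000-0003", cvss: 7.5 }, // new this run
      // db-prod-01 / CVE-0000-0002 is no longer reported: it was patched
    ],
  },
];

// Folds each run into the store in scan order and returns the store.
function importScans(cmdb, runs, store = new Map()) {
  for (const run of runs) {
    const reported = new Set();
    for (const f of run.findings) {
      const key = `${f.ci}|${f.cve}`;
      reported.add(key);
      const item = store.get(key);
      if (item) {
        // Known item: only the last-found date (and a possible reopen) change
        item.lastFound = run.scanDate;
        if (item.state === "Closed") item.state = "Open"; // regressed after a fix
      } else {
        const ci = cmdb[f.ci];
        store.set(key, {
          ci: f.ci,
          cve: f.cve,
          cvss: f.cvss,
          firstFound: run.scanDate,
          lastFound: run.scanDate,
          state: "Open",
          // A CI absent from the CMDB is a discovery gap; flag it instead of guessing a group
          assignmentGroup: ci ? ci.supportGroup : "Unassigned: CI not in CMDB",
        });
      }
    }
    // Close open items on CIs this run scanned but no longer reports
    const scanned = new Set(run.scannedCis);
    for (const [key, item] of store) {
      if (item.state === "Open" && scanned.has(item.ci) && !reported.has(key)) {
        item.state = "Closed";
      }
    }
  }
  return store;
}

// Items still open, oldest first, for the remediation queue
function openItems(store) {
  return [...store.values()]
    .filter((i) => i.state === "Open")
    .sort((a, b) => a.firstFound.localeCompare(b.firstFound));
}
```

The `scannedCis` list matters more than it looks: without it, a CI that was skipped by a partial scan would have all of its open items closed as if they had been remediated, and the “first found” date would reset the next time it was scanned.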

Key 3: Prioritization within ServiceNow

When a vulnerability is imported into ServiceNow, its priority can be calculated automatically based on the CVE score, the number of assets affected, the asset owner, and the asset’s department. When the same vulnerability is on two servers, one that holds customer information and another that serves the intranet, the vulnerability on the server with customer data is given the higher priority. The remediator no longer needs to look at each server to determine its importance. Priority can be set up automatically in ServiceNow, and the assignment group can easily see which CI vulnerabilities to remediate first.

Figure 3 below shows demo data listing all assets that have a specific vulnerability. This information can be useful in determining which to remediate first.


Figure 3: Demo information of all configuration items that have a specific vulnerability

Key 4: Active Notifications and Due Dates with ServiceNow

One of the hardest things about vulnerabilities assigned by email is keeping track of due dates and notifications. ServiceNow takes care of this by automatically assigning SLAs or due dates to a vulnerability based on its score, severity, criticality, or any other measurable attribute. If the assignment group does not remediate the vulnerability before the due date, notifications can be sent to the appropriate parties. Accountability becomes easier because the SLA measures how long it takes to remediate a vulnerability. In addition, active dashboards and reports can show the number of overdue SLAs, so the company can see which teams are having a hard time remediating vulnerabilities and make the changes needed to ensure their success.

Key 5: Active Threat Intelligence with ServiceNow

The last key is active threat intelligence. Without ServiceNow, threat intelligence is gathered via email or from websites. This is a good place to start, but correlating that information with current vulnerabilities and configuration items can be challenging. With the Threat Intelligence application, all those emails and feeds can be integrated into ServiceNow, and teams can see which active threats are targeting which vulnerabilities. This allows emergency patching assignments to be set up: instead of waiting for the vulnerability scanner to alert them to a flaw, teams can take a proactive approach and remediate more efficiently.
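The following added example (plain JavaScript, not part of this post and not Cask’s or ServiceNow’s own calculation) pulls Keys 3, 4 and 5 together: each vulnerable item gets a priority derived from its CVSS score adjusted for asset context (customer-data systems rank above intranet systems, widespread CVEs get a small bump), an SLA due date follows from that priority, a threat-intel feed of actively exploited CVEs overrides the scanner’s view with an emergency window, and a dashboard-style roll-up counts overdue items per department. The weights, bands, SLA windows, CI attributes, CVE ids and dates are all constructed assumptions, and ServiceNow’s Glide APIs are not used.

```javascript
// Added example (not Cask's or ServiceNow's code): risk-based priority, SLA
// due date and overdue reporting for vulnerable items, with an emergency
// override when a threat feed reports the CVE as actively exploited. Plain
// Node.js, no Glide APIs. The weights, bands, SLA windows, CI attributes and
// CVE ids are constructed assumptions, not ServiceNow's built-in calculation.

// Constructed CI attributes from the CMDB: department and whether the CI holds customer data.
const CI_ATTRS = {
  "web-prod-01": { department: "E-Commerce", customerData: true },
  "intranet-01": { department: "Internal IT", customerData: false },
  "db-prod-01": { department: "E-Commerce", customerData: true },
};

// Constructed vulnerable items as a scanner import would leave them (placeholder CVE ids).
const ITEMS = [
  { ci: "web-prod-01", cve: "CVE-0000-0001", cvss: 9.8, firstFound: "2019-05-01", state: "Open" },
  { ci: "intranet-01", cve: "CVE-0000-0001", cvss: 9.8, firstFound: "2019-05-01", state: "Open" },
  { ci: "db-prod-01", cve: "CVE-0000-0002", cvss: 5.3, firstFound: "2019-05-01", state: "Open" },
];

// Constructed threat-intel feed: CVEs currently reported as actively exploited.
const ACTIVE_THREATS = new Set(["CVE-0000-0002"]);

// Assumed SLA policy: remediation window in days by priority, plus an emergency window.
const SLA_DAYS = { 1: 7, 2: 30, 3: 60, 4: 90 };
const EMERGENCY_DAYS = 2;

// ISO date + n days, computed in UTC so local time zones cannot shift the due date.
function addDays(isoDate, days) {
  const [y, m, d] = isoDate.split("-").map(Number);
  return new Date(Date.UTC(y, m - 1, d + days)).toISOString().slice(0, 10);
}

// Priority 1 (highest) to 4 from the CVSS score adjusted for asset context:
// customer-data systems move up, other systems move down, widespread CVEs get a small bump.
function assess(item, items, ciAttrs, activeThreats) {
  // A CI with no CMDB attributes is treated as sensitive until someone says otherwise
  const attrs = ciAttrs[item.ci] || { department: "Unknown", customerData: true };
  const affected = items.filter((i) => i.cve === item.cve).length;
  const risk = item.cvss + (attrs.customerData ? 2 : -2) + Math.min(2, 0.5 * (affected - 1));
  const emergency = activeThreats.has(item.cve);
  let priority = risk >= 9 ? 1 : risk >= 7 ? 2 : risk >= 4 ? 3 : 4;
  if (emergency) priority = 1; // active exploitation trumps the scanner's score
  const dueDate = addDays(item.firstFound, emergency ? EMERGENCY_DAYS : SLA_DAYS[priority]);
  return { ...item, department: attrs.department, affected, risk, priority, emergency, dueDate };
}

// Assess every item and order the remediation queue: priority first, then risk
function assessAll(items, ciAttrs, activeThreats) {
  return items
    .map((i) => assess(i, items, ciAttrs, activeThreats))
    .sort((a, b) => a.priority - b.priority || b.risk - a.risk);
}

// Dashboard roll-up: open items past their due date, per department, as of a given date
function overdueByDepartment(assessed, asOf) {
  const counts = {};
  for (const a of assessed) {
    const late = a.state !== "Closed" && asOf > a.dueDate; // ISO date strings compare chronologically
    counts[a.department] = (counts[a.department] || 0) + (late ? 1 : 0);
  }
  return counts;
}
```

With the constructed data, the same CVSS 9.8 vulnerability lands as priority 1 with a 7-day SLA on the customer-data web server but priority 2 with a 30-day SLA on the intranet server, while the medium-severity database finding becomes an emergency with a 2-day window because the feed reports it as actively exploited. The `risk` value is kept on each result so a reviewer can see why an item ranked where it did.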

How Cask Can Help

Because we’re a certified ServiceNow partner, the members of our Security team are experts at implementing ServiceNow Vulnerability Response and Threat Intelligence and at properly configuring the CMDB. By building workflows and reports, we make sure you get a product tailored to your environment and processes.

ServiceNow is great right out of the box, but having us customize it to your company’s specific needs can be the difference between having a reactive security approach and a proactive one.

Whether you need help with ServiceNow or just want to improve your current vulnerability response program, the security experts at Cask can help. Contact us at http://www.caskllc.com/contact/

Written by Brett DeHoag, Security and Risk Advisor

Brett DeHoag is a Security and Risk Advisor for Cask