Manage Vulnerable Items with no Configuration Item

Product Success Playbook
A step-by-step guide to analyze and remediate Vulnerability Response data issues

Table of Contents

• Summary
• Goal of this Playbook
• Audience
• Problem Overview
• Executive Summary
• How this playbook can help you achieve business goals
• How this playbook is structured
• Problem Analysis
• Upstream Causes
• Downstream Consequences
• Impact on Your Business
• Engagement Questions
• Remediation Plays
• Summary
• Play 1: Review your data
• Play 2: Analyze your CI records
• Play 3: Fix Play
• Data Governance

Summary

Goal of this Playbook

Understand and remedy the issue of Vulnerable Items (VIs) with a missing CI, which causes unproductive work and reduces the effectiveness of vulnerability remediation.

Details about this playbook

Author: Eric Féron
Date: 12/15/2021
Addresses HSD #: HSD00010224
Applicable ServiceNow Releases: All releases
Time Required: Approximately 1 to 2 hours (contingent on environment)

Audience

Vulnerability Administrator, Vulnerability Analysts, Remediation teams.
ServiceNow Admin, CMDB team.

Problem Overview

As organizations continue to be exposed to fast-growing volumes of vulnerabilities, it is critical for their risk profile that they do not waste resources on unnecessary tasks.
Vulnerable Items with no Configuration Item (CI) serve no purpose: they are noise with no value, they clutter the data landscape, and they distract teams from effective remediation work.

Executive Summary

How this playbook can help you achieve business goals

This playbook recognizes the need to rectify VI records that lose their CI. It will help you fix these incomplete records and find a long-term solution to avoid the issue.
It will ensure that your remediation teams are provided with actionable information; this in turn will contribute to improving the vulnerability profile of your organization.

How this playbook is structured

This playbook contains three plays to help you rectify VIs with no CI.
The 1st play shows you how to locate the VIs table and visualize those with no CI.
The 2nd play provides guidance to remedy the issue when it is found.
Lastly, a governance play offers peace of mind with an automatically scheduled replay.

Problem Analysis

Upstream Causes

CIs mistakenly removed (manually, by script, by an integration...) after the VIs were created during ingestion and matching.

Notes:
• Health Scans are usually run in non-production instances that could contain demo data.
• The age of the CMDB data used to match Discovered Items to CIs to create Vulnerable Items is critical.

Downstream Consequences

Data Consequence
• Missing relationships
• Presence of non-actionable VIs.

Operation Consequence
• Non-actionable tasks are forwarded to remediation teams,
• Remediation is not possible since there is no CI linked to VIs,
• Incomplete information (no CI) leads to inefficient and expensive workarounds while remediating vulnerabilities,
• Frustration, lack of confidence in the VR implementation.

App Consequence
• Dashboards & reports using CI information for vulnerability response analysis will be of limited use

Impact on Your Business

VIs with no CI will negatively impact the effectiveness and efficiency of your Vulnerability Remediation teams, vulnerability teams and audits.

Security MTTR
• Delay in vulnerability identification.
• Slower response to vulnerability remediation.

Audit/Compliance
• Incomplete VI data.

Engagement Questions

Consider the answers to these questions:
• Is there a process in place to review and reconcile VIs with no CI?
• Is there an established relationship between the VR team and the CMDB team?
• Is the CI lifecycle management KB article widely used?
• Are there automated or manual processes that could delete or modify CI records?
• When the CMDB is updated, is the VR team informed?

Remediation Plays

Summary

The list below summarizes each of the remediation plays in the playbook. Details are included later.

Analyze Play
    What this play is about: Shows you how to navigate to list view and see the orphan records
    Required tasks: Create a filter in the Vulnerable Items list to find the VIs with no CI

Fix Play 1
    What this play is about: Close all orphan VIs (with status = Cancel)
    Required tasks: Schedule a "Close cancel" job

Fix Play 2
    What this play is about: Remove the orphan Vulnerable Items
    Required tasks: Run Table Cleaner and schedule future runs to execute automatically

Data Governance
    What this play is about: Repeat the fix regularly
    Required tasks: Establish a process to avoid VIs with no CI.

Play 1 - Analyze your Vulnerable Items Records

What this Play is about

Shows you how to view your Vulnerable Items with no CI in List View.

Required tasks

1. In the navigator, search for Vulnerable Items.
2. Navigate to Vulnerability Response > Vulnerable Items > All.
   (Optional: navigate to 'sn_vul_vulnerable_item.list' if navigation menu items are not available.)
3. Fill in the Condition Builder as shown below:
   Example:
4. Run this condition to get a list of VIs that lack a CI or have a CI reference that is no longer valid.
   (Pro tip: Create a favorite so you can find it easily later.)

Play 2 - Fix Play (option 1)

What this Play is about

Close cancel VIs that do not have a CI associated.

Required tasks

1. Navigate to System Definition > Scheduled Jobs.
2. Search for "Close cancel VIs that do not have a CI associated".
3. Activate the job.
4. Execute.

Play 3 - Fix Play (option 2)

What this Play is about

To keep the VI records clean, we recommend implementing a Table Cleaner entry. This will permanently remove the orphan Vulnerable Items.

Note: When removing records from your system, care should be taken to adhere to your company's data management and retention policies.

Required tasks

1. Navigate to sys_auto_flush.list
2. Click NEW and complete the form as shown (note: make sure that you are in the Vulnerability Response scope).
   Example:
3. When you are satisfied that the fields are completed correctly, save the record or click Submit.
4. Remember that Table Cleaner is an hourly process which you can monitor in the system logs. For more information see the Table Cleaner documentation.
   (Optional: Instead of manually creating this record, you are welcome to import the XML file attached to this playbook. Remember to set the active flag when you have imported this record.)
5. In the filter navigator, type Integration, then navigate to Vulnerability Response > Administration > Integrations.
6. Select your integration(s) and re-run.

Data Governance

What this Play is about

Now that you have canceled or removed the invalid records, both these plays will help keep the VIs table clean.

Required tasks

• Close cancel will ensure that your Vulnerable Items table is kept clean.
• The Table Cleanup (auto-flush) entry will ensure that your Vulnerable Items table is cleaned on an hourly basis.

Congratulations

You have completed this Product Success Playbook.
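
An added example, not part of the original playbook and not ServiceNow code: an offline review of what Play 1's condition would match, run over JSON exports before the cancel job (Play 2) or a Table Cleaner entry (Play 3) acts on the records. It separates VIs with an empty CI field from VIs whose CI reference points to a record that no longer exists, and counts orphans per feed; the field names (number, cmdb_ci, source, sys_id) and the sample rows are assumptions constructed for illustration.

```javascript
// Added example, not ServiceNow code. Field names (number, cmdb_ci, source,
// sys_id) are assumptions about how the two tables were exported to JSON.

// Constructed sample export of Vulnerable Items.
const SAMPLE_VIS = [
  { number: 'VIT0001', cmdb_ci: 'ci-aaa', source: 'scanner-a' },
  { number: 'VIT0002', cmdb_ci: '',       source: 'scanner-a' },
  { number: 'VIT0003', cmdb_ci: 'ci-zzz', source: 'scanner-b' }, // CI was deleted
  { number: 'VIT0004', cmdb_ci: null,     source: 'scanner-b' },
  { number: 'VIT0005', cmdb_ci: 'ci-bbb', source: 'scanner-b' },
];
// Constructed sample export of the CIs that still exist in the CMDB.
const SAMPLE_CIS = [{ sys_id: 'ci-aaa' }, { sys_id: 'ci-bbb' }];

// Sort each VI into: linked, empty CI field, or reference to a missing CI.
function classifyVulnerableItems(vis, cis) {
  const existing = new Set(cis.map((ci) => ci.sys_id));
  const report = { linked: [], emptyCi: [], danglingCi: [] };
  for (const vi of vis) {
    const ref = typeof vi.cmdb_ci === 'string' ? vi.cmdb_ci.trim() : '';
    if (ref === '') report.emptyCi.push(vi.number);
    else if (!existing.has(ref)) report.danglingCi.push(vi.number);
    else report.linked.push(vi.number);
  }
  return report;
}

// Count orphans (empty or dangling) per source, to show which feed they came from.
function orphanCountsBySource(vis, cis) {
  const { emptyCi, danglingCi } = classifyVulnerableItems(vis, cis);
  const orphans = new Set([...emptyCi, ...danglingCi]);
  const counts = {};
  for (const vi of vis) {
    if (orphans.has(vi.number)) counts[vi.source] = (counts[vi.source] || 0) + 1;
  }
  return counts;
}

const report = classifyVulnerableItems(SAMPLE_VIS, SAMPLE_CIS);
console.log(report, orphanCountsBySource(SAMPLE_VIS, SAMPLE_CIS));
```

A sudden rise in the dangling count for one source is a prompt to check for a bulk CI deletion in the CMDB before any records are canceled or removed.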