Manage Vulnerable Items with no Assignment Group

Product Success Playbook

Manage Vulnerability Items with no Assignment Group
A step-by-step guide to analyze and remediate Vulnerability Response data issues

Table of Contents
- Summary
- Goal of this Playbook
- Audience
- Problem Overview
- Executive Summary
- How this playbook can help you achieve business goals
- How this playbook is structured
- Problem Analysis
- Upstream Causes
- Downstream Consequences
- Impact on Your Business
- Engagement Questions
- Remediation Plays
- Summary
- Play 1: Review your data
- Play 2: Analyze your CI records
- Play 3: Fix Play
- Data Governance

Summary

Goal of this Playbook
Understand and remedy the issue of Vulnerable Items (VIs) with a missing Assignment Group (AG), which causes vulnerabilities to remain unaddressed and impacts the effectiveness of vulnerability remediation.

Details about this playbook
Author: Eric Féron
Date: 12/16/2021
Addresses HSD #: HSD00010226
Applicable ServiceNow Releases: All releases
Time Required: Approximately 1 to 2 hours (contingent on environment)

Audience
Vulnerability Administrator, Vulnerability Analysts, Remediation teams.
ServiceNow Admin, CMDB team.

Problem Overview
As organizations continue to be exposed to fast-growing volumes of vulnerabilities, it is critical for their risk profile that Vulnerable Items be assigned to Remediation teams so they can be addressed.
Vulnerable Items (VIs) with no Assignment Group remain untreated, leaving the organization exposed.

Executive Summary

How this playbook can help you achieve business goals
This playbook recognizes the need to rectify VI records that are not qualified with an AG. It will help you fix these incomplete records and find a long-term solution to avoid the issue.
It will ensure that vulnerabilities are forwarded to remediation teams for action; this in turn will contribute to improving the vulnerability profile of your organization.

How this playbook is structured
This playbook contains four plays to help you rectify VIs with no AG.
- The 1st play shows you how to locate the VIs table and visualize those not qualified with an AG.
- The 2nd and 3rd plays provide guidance to remedy the issue depending on its upstream cause.
- Lastly, a governance play offers peace of mind with an automatically scheduled replay.

Problem Analysis

Upstream Causes
There are three reasons why a VI could be unmatched to an AG:
1. Assignment Rules were configured with no default rule: if the VI is not matched with any rule, it remains unmatched.
2. A Scripted Assignment Rule does not have a default value: VIs are associated to a rule, but one (or more) scripted rule(s) is missing the default value.
3. Assignment was successful, but the AG was deleted afterwards: VIs are associated to rules, but one (or more) Remediation Team field has become empty.

Note: Two or more of these causes can coexist. It is recommended to investigate and fix them in the order they are displayed here.

Downstream Consequences

Data Consequence
- Missing relationships,
- Presence of non-actionable VIs.

Operation Consequence
- Remediation teams are unaware of actions to be taken to deal with vulnerabilities.
- Lack of remediation: deterioration of the vulnerability profile of the organization.
- Remediation teams will be assigned large volumes of work when the problem is fixed.

App Consequence
- Dashboards & reports using the assignment group information for vulnerability response analysis will be of limited use.

Impact on Your Business
VIs with no AG will leave your organization exposed and will negatively impact the effectiveness and efficiency of your Vulnerability Remediation teams, Vulnerability teams and audits.
- Security MTTR: Slower response to vulnerability remediation.
- Audit/Compliance: Incomplete VI data.

Engagement Questions
Consider the answers to these questions:
- Is there a process in place to review and reconcile VIs with no AG?
- Is there an established relationship between the VR team and the CMDB team?
- Is the CI lifecycle management KB article widely used?
- Are there automated or manual processes that could delete or modify AG records?
- When the CMDB is updated, is the VR team informed?

Remediation Plays

Summary
The table below lists and summarizes each of the remediation plays in the playbook. Details are included later.

| Play Name | What this play is about | Required tasks |
| Analyze Play 1 | Finding the VIs with no Assignment Group | Obtain the table showing the VIs with no assignments |
| Analyze Play 2 | Narrow the root cause | Filter list |
| Fix Play 1 | Remedy the lack of a default assignment rule | Create a default rule and rerun the system |
| Fix Play 2 | Diagnose and remedy a scripted assignment rule missing a default value | Filter VIs and add default value to script where needed |
| Fix Play 3 | Remedy the deletion of a remediation team | Engage with the Platform team, create a new rule, rerun the system. |
| Data Governance | Finding a long-term solution to prevent the issue from reoccurring | Engage with the Platform team to establish a process |

Play 1 - Analyze your records - Show the VIs with no assignment group

What this Play is about
Shows you how to view your Vulnerable Items with no assignments.

Required tasks
- Display the list of VIs:
  - Option 1:
    - In the navigator, search for "Vulnerable Items",
    - Navigate to Vulnerability Response > Vulnerable Items > All,
  - Option 2 (workaround recommended for organizations with large volumes of VIs):
    - In the navigator, search for "Vulnerable Items",
    - Navigate to Vulnerability Response > Vulnerable Items > Critical and High Risk,
  - Option 3 (workaround when navigation menu items are not available):
    - Navigate to 'sn_vul_vulnerable_item.list'
- Fill in the Condition Builder as shown below:
- Run the filter
- The list of VIs with no assignment group will then show.

Play 2 - Analyze your records - Find the cause for the missing assignment group

What this Play is about
To help you find the reason why assignment groups are missing.
Note: More than one reason can exist at any time.

Required tasks
With the filter conditions configured as described in Play 1:
- Ensure the "Assignment Groups" and "Assignment Rules" fields are displayed,
- If the field "Assignment Rules" is empty, the default assignment rule is missing (cause 1),
- If the field "Assignment Rules" is not empty, the cause of the problem is either an incomplete scripted rule (cause 2) or a deleted remediation group (cause 3).
- The two can only be told apart after fixing for cause 2 (see Fix plays below).
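
The Play 2 test can also be applied to an exported copy of the filtered list rather than by eye. The script below is an added example, not ServiceNow code and not part of the original playbook; the CSV column labels ("Number", "Assignment group", "Assignment rule") and the sample rows are constructed assumptions to adapt to your own export.

```python
import csv
import io
from collections import Counter

# Constructed sample of an exported Vulnerable Items list.
# Column labels are assumptions; match them to the headers of your export.
SAMPLE_EXPORT = """Number,Assignment group,Assignment rule
VIT0001001,,
VIT0001002,,Network devices (script)
VIT0001003,,Network devices (script)
VIT0001004,,Windows servers
VIT0001005,Linux Ops,Linux servers
"""


def triage(export_text, group_col="Assignment group", rule_col="Assignment rule"):
    """Split unassigned VIs using the Play 2 test on the Assignment Rules field."""
    no_rule = []         # cause 1: no rule matched, so the default rule is missing
    by_rule = Counter()  # cause 2 or 3: a rule matched but left the group empty
    for row in csv.DictReader(io.StringIO(export_text)):
        if (row.get(group_col) or "").strip():
            continue     # already has an assignment group, out of scope here
        rule = (row.get(rule_col) or "").strip()
        if rule:
            by_rule[rule] += 1
        else:
            no_rule.append(row["Number"])
    return {"cause_1": no_rule, "cause_2_or_3": by_rule}


def report(result):
    """Summarize the counts and list the rules to open first, busiest first."""
    lines = [f"Cause 1 (no default rule): {len(result['cause_1'])} VIs"]
    for rule, count in result["cause_2_or_3"].most_common():
        lines.append(f"Cause 2 or 3, review rule '{rule}': {count} VIs")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_EXPORT))))
```

The per-rule counts show which assignment rules to inspect for a missing default value; rules that still leave VIs unassigned after that fix point to a deleted group (cause 3).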

Play 3 - Fix Play - When the default Assignment Rule is absent

What this Play is about
To assign groups to past and future VIs with no assignment group, when the cause is the lack of a default assignment rule.
There are two separate and complementary actions to be taken:
- One to fix future VIs
- One to fix existing VIs
It is recommended to execute both actions, starting with the fix for future VIs.

Required tasks
- Create a new Assignment Rule, the "default" rule, to catch all VIs that do not get assigned by other rules. It can be called, for example, "Fallback",
- For "Assign using" select "User Group" (CANNOT be "User Group field" or "Script"),
- Select the "User Group" you need as per your VR strategy,
- Enter an order number for this rule that ensures it will be the last rule to run.
- Click "Apply changes"

Note: For more information on how to create an assignment rule, see "Create or edit Vulnerability Response assignment rules".

The system will then:
- Ensure that all future VIs get assigned to an Assignment Group,
- Assign all existing VIs where "State" is "Open" as per the default rule you just created (unless other rule changes have been made at the same time; it is recommended not to make other rule changes at the same time).
- Note: If the existing VIs that were newly assigned as per the default rule you just created were already part of a Vulnerability Group, they need to be reprocessed through the Vulnerability Groups. This is an advanced action that requires specialist action. Please contact Support or your Partner.

Play 4 - Fix Play - When scripted rules are missing a default value

What this Play is about
This will help you select and fix only the VIs with no assignment group that are associated to a scripted rule.

Required tasks
With the filter conditions configured as described in Play 2:
- Complete the conditions as shown below:
- Run the filter
- Open the scripted assignment rule
- Complete the scripted rule with the default value

Note: For more information on how to create an assignment rule, see "Create or edit Vulnerability Response assignment rules".

Play 5 - Fix Play - When a remediation team (a.k.a. assignment group) has been deleted

What this Play is about
To assign groups to past and future VIs with no assignment group, when the cause is the deletion of a Remediation team.

Required tasks
- Apply fix plays 4 and 5 to clear all VIs without an assignment group as a result of a missing default rule or an incomplete scripted rule.
- For the VIs still missing an assignment group:
  - Engage with the Platform team to obtain the name of a new group(s),
  - Update the appropriate assignment rules with the names of the new group(s) where needed, or create a new rule to assign the VIs with no assignment group to a new assignment group
  - Run the system again. All VIs will now have an assignment group.
- Establish a process

Note: For more information on how to create an assignment rule, see "Create or edit Vulnerability Response assignment rules".

Data Governance

What this Play is about
To help you ensure that assignment team changes in the CMDB no longer impact the assignment of VIs.

Required tasks
- Engage with the Platform team.
- Explain the issue created by the deletion of an assignment group and its impact.
- Establish a process in collaboration with the Platform and CMDB teams to avoid future issues.

Congratulations
You have completed this Product Success Playbook.