Product Success Playbook

Handle VIs not meeting Remediation Target Date

A step-by-step guide to analyze and remediate Vulnerability Response data issues

Table of Contents

- Summary
- Goal of this Playbook
- Audience
- Problem Overview
- Executive Summary
- How this playbook can help you achieve business goals
- How this playbook is structured
- Problem Analysis
- Upstream Causes
- Downstream Consequences
- Impact on Your Business
- Engagement Questions
- Remediation Plays
- Summary
- Play 1: Review your data
- Play 2: Fix Play
- Play 3: Fix Play
- Data Governance

Summary

Goal of this Playbook

Reacting too slowly to a critical vulnerability item can have drastic consequences. This playbook helps you find active Vulnerable Items (VIs) that are overdue (past their remediation target date) and take steps to prevent this.

Details about this playbook

Author: Bibu Elias Punnachalil
Reviewer: Siva Reddy Mallu
Date: 01/09/2023
Addresses HSD #: HSD0011743
Applicable ServiceNow Releases: All Releases
Prerequisites:
Time Required: Approximately 1 to 8 hours (depending on your environment)

Audience

- Vulnerability Administrator
- Vulnerability Analysts
- Remediation teams
- ServiceNow Admin
- CMDB team

Problem Overview

As organizations continue to be exposed to fast-growing volumes of vulnerabilities, it is critical for their vulnerability profile that vulnerabilities be remedied quickly and efficiently. Missing remediation targets means delays in addressing vulnerabilities, which puts the organization at risk.

Executive Summary

How this playbook can help you achieve business goals

This playbook supports the requirement to rectify vulnerable item records within the established, agreed service level durations. It will help you identify the remediation tasks whose resolution has been delayed and ensure that remediation teams act on them within the target durations. It will also help you determine a long-term solution to avoid future delays in resolving remediation tasks.
This will in turn contribute to improving the vulnerability profile of your organization.

How this playbook is structured

This Playbook will guide you through 4 plays.

- Play 1 (a review data play) helps you review remediation tasks which missed the remediation target date
- Play 2 (a remediation play) provides information on automations and alerts for handling remediation tasks on time
- Play 3 (a remediation play) provides the remediation steps required to fix issues which might result in the creation of VIs without a remediation target
- Play 4 (a data governance play) lists the guidelines and processes for ongoing monitoring of remediation tasks being handled on time

Problem Analysis

Upstream Causes

- Vulnerability Manager Workspace and IT Remediation Workspace are not effectively utilized
- Remediation target rules were modified but the rules were not reapplied
- Watch topics and remediation efforts are not created or are used ineffectively
- Remediation task SLAs are not defined
- Vulnerability assignment rules are not set up optimally
- Rules (remediation target rules, CI Matching rules, Assignment rules, Risk Rating rules or Auto exception rules) are not well defined

Downstream Consequences

Data Consequence
- Vulnerable item records with missed target dates

Operation Consequence
- Users lose trust in the effectiveness of the vulnerability response team
- Critical vulnerabilities may be addressed late, exposing the organization to risks

App Consequence
- Dashboards and reports using the remediation target and status information for vulnerability response analysis will be of limited use

Impact on Your Business

VIs with a missed remediation target date will leave your organization exposed.

Security MTTR: Slower response to vulnerability remediation.

Engagement Questions

Consider the answers to these questions:

- Is there a process in place to review and reconcile VIs with a missed remediation target date?
- Are the remediation target rules reviewed regularly?
- Is there an established relationship between the VR team and the CMDB team?
Remediation Plays

Summary

The table below lists and summarizes each of the remediation plays in the playbook. Details are included later.

| Play Name | What this play is about | Required tasks |
|---|---|---|
| Review your data | Find the VIs with missed remediation target date | List the VIs with the filter on remediation target |
| Fix Play | Update remediation target with a default value | Create a default remediation target rule and run the job to update target |
| Fix Play | Review existing remediation target rules | Check the scheduled job, review existing remediation target rules |
| Data Governance | Monitor and maintain vulnerable items without remediation target | Follow the instructions provided in this playbook |

Play 1 - Review your data

What this Play is about

Shows how to view Vulnerability Items with no remediation target.

Required tasks

1. Display the list of VIs.
   - Option 1: In the navigator, search for "Vulnerable Items", then navigate to Vulnerability Response > Vulnerable Items > All
   - Option 2 (workaround when navigation menu items are not available): Navigate to 'sn_vul_vulnerable_item.list'
2. Fill in the condition builder as below:

   state=3^ttr_status=past_due^closed_atONLast 3 months@javascript:gs.beginningOfLast3Months()@javascript:gs.endOfLast3Months()

3. Run the filter. This will list all the VIs where the target was missed.
4. Group by the Assignment group.

Play 2 – Fix Play – Reapply remediation target rules

What this Play is about

Reapply remediation target rules.
This may be done in the cases below:

- Target (days) is changed
- Notify is changed
- Condition is changed
- 'Active' flag is modified
- Rule is deleted
- New rules are added to the list

Required tasks

1. Navigate to Vulnerability Response > Remediation target rules
2. Click the "Apply Changes" button at the top of the list view

Play 3 - Fix Play – Utilize VR workspaces

What this Play is about

Use Vulnerability Manager Workspace and IT Remediation Workspace.

Required tasks

- Use the Vulnerability Manager Workspace to monitor vulnerabilities, plan remediation efforts, create new remediation tasks, and share remediation progress with senior leadership. The Vulnerability Analyst may use the Vulnerability Manager Workspace to monitor vulnerabilities and make decisions about when to initiate remediation processes. To access Vulnerability Manager, navigate to Vulnerability Response > Vulnerability Manager Workspace
- The Remediation Owner can use the IT Remediation Workspace to view prioritized remediation work and take action on remediation tasks to fix vulnerabilities. To access IT Remediation Workspace, navigate to Vulnerability Response > IT Remediation Workspace

Play 3 - Fix Play – Create watch topics and remediation efforts

What this Play is about

A Watch Topic (WT) allows a Vulnerability Analyst or Manager to monitor a subset of Vulnerabilities in your organization that match certain criteria. Watch Topics can be created at any time and are also used to create a Remediation Effort. The steps below describe how to create a watch topic.

Required tasks

1. Navigate to Vulnerability Response > Vulnerability Manager Workspace
2. Click the Create Watch Topic button at the bottom to display the Create watch topic form
3. The form to create a Watch Topic is displayed. For more detail, refer to docs

Starting with v16.1, you have the option to filter VIs using a Common Vulnerabilities and Exposures (CVE) entry. Click Preview to see all the vulnerable items that match your conditions.
Prior to V16.1

Fill in the required details and submit the form.

A Remediation Effort (RE) is a collection of Remediation Tasks and Vulnerable Items to be resolved over a certain time. Remediation Efforts are created when the Vulnerable Items in a Watch Topic are ready to be fixed. Creating a Remediation Effort gives you a task-management layer across Remediation Tasks for all owners, so that you can assign work, track progress, and manage remediation activities.

Required tasks

1. Navigate to Vulnerability Response > Vulnerability Manager Workspace
2. The button to create a remediation effort is available at the top right corner. Click the button
3. Fill in the details on each page and then click Submit to create the remediation effort. For more details, refer to docs

Data Governance

What this Play is about

Monitor and maintain the VI remediation target data.

Required tasks

- Regularly execute Play 1 to review whether any VI records without a remediation target exist after the "Evaluate remediation targets" scheduled jobs have run
- Set up a process to regularly review and update the rules to ensure they are still relevant and effective

Congratulations

You have completed this Product Success Playbook.
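
Added example (not part of the original playbook): the Play 1 filter and its "group by Assignment group" step expressed as a ServiceNow Aggregate API request, so the regular review asked for under Data Governance can be scripted. The host name, the `assignment_group` field name and the sample response are assumptions constructed for illustration; the encoded query is copied from Play 1.

```python
"""Play 1 filter as an Aggregate API call, grouped by assignment group."""
import json
from urllib.parse import urlencode

# Encoded query copied verbatim from Play 1 of the playbook.
PLAY1_QUERY = (
    "state=3^ttr_status=past_due^closed_atONLast 3 months"
    "@javascript:gs.beginningOfLast3Months()"
    "@javascript:gs.endOfLast3Months()"
)
TABLE = "sn_vul_vulnerable_item"  # table name from Play 1, Option 2


def build_stats_url(instance, group_by="assignment_group"):
    """Return the URL that counts matching VIs per group.

    `instance` is a placeholder host; `assignment_group` as the
    group-by field name is an assumption, not taken from the page.
    """
    params = {
        "sysparm_query": PLAY1_QUERY,
        "sysparm_count": "true",
        "sysparm_group_by": group_by,
        "sysparm_display_value": "true",
    }
    return f"https://{instance}/api/now/stats/{TABLE}?{urlencode(params)}"


def overdue_by_group(response_body):
    """Parse a grouped-count response into [(group, count)], worst first."""
    rows = []
    for entry in json.loads(response_body).get("result", []):
        fields = entry.get("groupby_fields", [])
        group = (fields[0]["value"] if fields else "") or "(unassigned)"
        rows.append((group, int(entry["stats"]["count"])))
    return sorted(rows, key=lambda row: (-row[1], row[0]))


# Constructed sample response (not real data) in the grouped-count shape.
SAMPLE_RESPONSE = json.dumps({"result": [
    {"stats": {"count": "4"},
     "groupby_fields": [{"field": "assignment_group", "value": "Windows Server Team"}]},
    {"stats": {"count": "2"},
     "groupby_fields": [{"field": "assignment_group", "value": ""}]},
    {"stats": {"count": "7"},
     "groupby_fields": [{"field": "assignment_group", "value": "Linux Platform"}]},
]})

if __name__ == "__main__":
    print(build_stats_url("example.service-now.com"))
    for group, count in overdue_by_group(SAMPLE_RESPONSE):
        print(f"{count:4d}  {group}")
```

A group that keeps appearing at the top of this list, or a growing "(unassigned)" count, points back to the assignment rule and remediation target rule causes listed under Upstream Causes.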