View findings for Security Posture Control

  • Release version: Washingtondc
  • Updated September 9, 2024
  • 3 minutes to read

    You can view the findings generated by the evaluation of policies in Security Posture Control in the Security Posture Control Workspace.

    Findings

    You can configure findings to be generated from the execution of policies so that they can be assigned to various teams for remediation or used for reporting. See Activate a policy included with the Security Posture Control application for more information about generating findings directly from your policies.

    Security Posture Control publishes these findings as ‘Test Results’ in the Configuration Compliance module. All administrative controls in the Configuration Compliance application that are related to the assignment, grouping (remediation task generation), remediation targets, and exceptions are supported for findings that are generated by Security Posture Control.

    The labels used for findings:

    Tool coverage
This type represents a security tool coverage gap. This finding type is applicable for policies using ‘Reported by’ and ‘Not reported’ connector relationships.
    Internet exposure
    This type represents internet exposure of a cloud asset. This finding type is applicable for policies using the ‘Has port exposed to internet’ relationship or connection.
    High-risk combination
    This type represents an issue having more than one associated risk factor, for example, assets with critical vulnerabilities and a missing endpoint protection agent.
    Integrated Risk Management (IRM) exception
This type represents an asset with an approved exception from the Governance, Risk, and Compliance (GRC) product. When this exception is indicated, the asset is not included in your findings counts.
    Has vulnerability
    This type represents assets with associated vulnerable items (VITs) that have known vulnerabilities.

    Security posture labels are generated and attached to test results. A label of an appropriate type, 'Tool coverage', for example, is automatically assigned to test results based on the type of policy. Multiple labels are displayed on records for assets that have more than one label.

    By using security posture labels associated with the findings, you can write assignment rules in Configuration Compliance to route these issues to teams for remediation. For example, you can send ‘Tool coverage’ findings to an IT ops team, and ‘Internet exposure’ to an application team.
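The following Python is an added illustration, not ServiceNow code, of the label and routing behaviour described above: how an asset's connector relationships, internet exposure, vulnerable items and GRC exception translate into one or more security posture labels, how an approved IRM exception keeps an asset out of findings counts and remediation routing, and how ordered, label-based assignment rules send each finding to a team. The asset records, the connector name `epp-agent`, the team names and the rule order are all constructed assumptions.

```python
"""Illustrative model of SPC-style finding labels and assignment routing.

Added example, not ServiceNow code. Asset records, connector names,
team names and the rule order are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    cloud: bool
    reported_by: frozenset  # connectors that reported this asset (constructed names)
    internet_exposed: bool  # at least one port reachable from the internet
    vit_severities: tuple   # vulnerable items (VITs) on this asset, by severity
    irm_exception: bool     # approved exception from GRC / IRM


@dataclass(frozen=True)
class Finding:
    asset: str
    label: str
    excepted: bool  # asset carries an approved IRM exception


# Hypothetical endpoint protection connector: not being reported by it is a
# tool coverage gap ('Not reported' relationship).
EPP_CONNECTOR = "epp-agent"

# Constructed inventory covering each label combination discussed on the page.
ASSETS = (
    Asset("web-01", True, frozenset({"aws", EPP_CONNECTOR}), True, ("critical",), False),
    Asset("db-01", True, frozenset({"aws"}), False, ("critical", "medium"), False),
    Asset("legacy-03", False, frozenset({"sccm"}), False, (), True),
    Asset("build-02", False, frozenset({"sccm", EPP_CONNECTOR}), False, (), False),
)


def labels_for(asset: Asset) -> set[str]:
    """Derive the security posture labels an asset would receive."""
    labels: set[str] = set()
    missing_epp = EPP_CONNECTOR not in asset.reported_by
    if missing_epp:
        labels.add("Tool coverage")
    if asset.cloud and asset.internet_exposed:
        labels.add("Internet exposure")
    if asset.vit_severities:
        labels.add("Has vulnerability")
    # More than one risk factor on one asset: critical VIT plus no EPP agent.
    if "critical" in asset.vit_severities and missing_epp:
        labels.add("High-risk combination")
    if asset.irm_exception:
        labels.add("IRM exception")
    return labels


def generate_findings(assets: tuple = ASSETS) -> list[Finding]:
    """One finding (test result) per asset and label; an asset may carry several."""
    return [
        Finding(a.name, label, a.irm_exception)
        for a in assets
        for label in sorted(labels_for(a))
    ]


# Ordered assignment rules keyed on the label; first match wins (constructed teams).
ASSIGNMENT_RULES = (
    ("High-risk combination", "Security Engineering"),
    ("Tool coverage", "IT Ops"),
    ("Internet exposure", "Application Team"),
)
DEFAULT_GROUP = "Vulnerability Management"


def assign(finding: Finding) -> str | None:
    """Return the remediation group for a finding, or None if nothing is routed."""
    if finding.excepted or finding.label == "IRM exception":
        return None  # approved exception: excluded from routing and from counts
    for label, group in ASSIGNMENT_RULES:
        if finding.label == label:
            return group
    return DEFAULT_GROUP


def route(findings: list[Finding]) -> dict[str, list[str]]:
    """Group findings into per-team remediation queues."""
    queues: dict[str, list[str]] = {}
    for f in findings:
        group = assign(f)
        if group is not None:
            queues.setdefault(group, []).append(f"{f.asset}: {f.label}")
    return queues


def finding_counts(findings: list[Finding]) -> dict[str, int]:
    """Per-label counts, excluding assets with an approved IRM exception."""
    counts: dict[str, int] = {}
    for f in findings:
        if not f.excepted:
            counts[f.label] = counts.get(f.label, 0) + 1
    return counts


if __name__ == "__main__":
    fs = generate_findings()
    for group, items in route(fs).items():
        print(f"{group}: {items}")
    print(finding_counts(fs))
```

Note that rule order matters: `db-01` carries three labels, and its 'High-risk combination' finding reaches Security Engineering while its 'Tool coverage' finding still goes to IT Ops, because routing is per finding rather than per asset; `legacy-03` has a tool coverage gap but, being under an approved exception, appears in neither a queue nor the counts.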

    Where to view findings

    You have these options to view the findings generated by the evaluation of policies.

    Roles required: SPC Admin Group or SPC Analyst Group

    • Navigate to Security Posture Control Workspace > Policies and findings > Findings > All.
    • On a policy record, select View findings. The list displays groups of findings that organize them into general categories such as 'High-risk combination', 'Internet exposure', and so on, but these groups are not formal groupings that can be used for remediation. You need to set up remediation and assignment rules in Configuration Compliance for findings.
    • In the Configuration Compliance application, select Test Results and filter the records by Source is ServiceNow SPC.

    The dashboard

    In the Security Posture Control Workspace, the Home (landing page) displays these visualizations:

    Overview
• Assets: Number of assets monitored on premises and in the cloud.
    • Findings by criticality: Number of critical findings out of your total assets.
    • Assets monitored by top 5 sources: Top five Service Graph Connectors reporting on assets.
• Cloud accounts: Number of AWS and Azure cloud accounts being monitored.
    • Open vs closed findings: Comparison of records still in process or awaiting resolution and those that are resolved.
    Key insights
• Endpoint protection agent installed: Number of assets that have, and that do not have, an endpoint protection agent installed.
    • Managed device coverage: Number of managed assets compared to those that are unmanaged.
    • Vulnerability scan coverage: Total number of scanned assets compared to the number that are not scanned for known vulnerabilities by a third-party vulnerability scanner.
• Assets with critical vulnerabilities: Number of assets that have critical vulnerabilities, out of the total number of assets.
    • Vulnerable items by criticality: Total number of vulnerable items broken down by their severity. A known vulnerability that matches an asset in your CMDB results in a vulnerable item.
    • Top 3 policies by findings: Policies that return the most findings (matches) on your assets.

    Key use case coverage

Select a use case and select Help activate or Help improve to view which Service Graph Connectors and policies should be activated for the key use cases.