Patch orchestration with Vulnerability Response

  • Release version: Xanadu
  • Updated August 1, 2024

    You can manage patches and patch deployments for critical vulnerabilities for large groups of your assets with Patch orchestration with Vulnerability Response. Vulnerability Response Patch Orchestration and the patch orchestration integrations are available on the ServiceNow® Store.

    Understanding patch orchestration with Vulnerability Response

    Patch orchestration with Vulnerability Response uses data from scheduled imports from third-party solution integrations, patch vendors, and vulnerability scanners. This data is correlated in the Vulnerability Response application. This organization of data permits you to complete the steps of the vulnerability remediation cycle. Start with identifying vulnerabilities, then apply patches and updates, and finally close vulnerable items using third-party scanner data all from within your ServiceNow AI Platform® instance.

[Figure: Patch orchestration overview, showing the stages install, configure, import data, view, and use.]

    Patch orchestration with Vulnerability Response is supported in both the classic environment and the Vulnerability Response workspaces.

    For information about patch orchestration in the workspaces, see Patch orchestration with the Vulnerability Response Workspaces.

    With patch orchestration in Vulnerability Response, vulnerability managers and analysts and IT remediation specialists can perform the following remediation tasks:
    • See more context and information about the types of patches and vendors that make up their solutions (patches).
    • View and monitor vulnerability and solution data, as well as vulnerability remediation progress from records in the Vulnerability Response Workspaces or in the classic environment.
    • Deploy patches supported by third-party solution vendors for their Windows, CentOS, macOS, Oracle, and other assets at regular, scheduled intervals. You can schedule patches during off-hours to avoid conflicts with users during business hours.
    • Using imported detection data provided by third-party scanners, identify assets that have vulnerabilities and are not patched or are not successfully updated by scheduled patches.
    • Initiate and schedule available patches for assets that require updates from Patch Update, remediation task, and discovered item records in the Vulnerability Response application.
    • Monitor patch deployments with an optional approval process for patch requests submitted by your remediation specialists.

    Key terms

    Configuration item (CI)
    CIs are the existing assets that are listed in your Configuration Management Database (CMDB).
    Vulnerable item (VI)
    An imported vulnerability that matches an existing asset in your CMDB. Vulnerable items (VITs) are grouped into remediation tasks, or lists, according to certain criteria that specify remediation actions for VIs.
    Instance
    Refers to a distinct account of a solution vendor application. For example, each user account can be an instance in the HCL BigFix application. This term also refers to a unique, secure web address for a ServiceNow AI Platform® instance.
    Solution
    There are two types of solutions in the context of this integration, potential and preferred. A potential solution is one that might address a vulnerability. Vulnerabilities often have many potential solutions. A preferred solution matches the most effective solution for a specific, detected vulnerability.
    Patch
    Software updates that fix vulnerabilities. Patch vendors use their own names for patches; for example, in the HCL BigFix application, patches are called Fixlets.
    Preferred patch
    Preferred patches are software updates that are intended to fix specific vulnerabilities. Patches, once deployed, map to the vulnerable items that are related to specific vulnerabilities and fix them.
    Deployment
    Deployment for the purposes of this integration refers to when you apply, initiate, or schedule a patch to a machine.

    In the ServiceNow AI Platform, deployment can also refer to an integration that supports multiple sources. Each separate instance of an integration is referred to as a deployment of that integration, so a deployment identifies one of the integrations and products across your environment. For example, you might have multiple deployments of a third-party scanner or of a solution vendor integration in your environment.

    Available versions of applications and dependencies required for the patch orchestration integration

    Roles required

    Users need roles that are specific to the patch orchestration integration you are using to view data and schedule patches from the Vulnerability Response application. See the configuration information for the supported integrations you are using listed below for more information.

    A submission and approval process for patch requests is included with the applications. By default, the system property [sn_vul_patch_orch.patch_approval_required] in the Vulnerability Response Patch Orchestration application is activated in your ServiceNow AI Platform instance.

    This system property is activated so that when patch deployments are scheduled, they are submitted for review and approval to users assigned to the Level 1 - Patch update approval group. If you want users with the sn_vul_patch_orch.configure_patch role to schedule patches without approval, you can deactivate the [sn_vul_patch_orch.patch_approval_required] property. You might prefer to leave approvals activated so that scheduled patches do not conflict with normal working hours. If you deactivate the approval system property, any user with the sn_vul_patch_orch.configure_patch role can schedule and deploy patches without review and approval.

    For more information, and how to deactivate this system property, see the configuration topic for your supported integration.

    Schedule patches from Vulnerability Response records

    Remediation specialists can schedule patch updates to resolve vulnerable items and monitor remediation progress all from records in the Vulnerability Response application.

    You can schedule patches from the following records:

    • Patch Update
    • Remediation task
    • Discovered item

    Records that roll up active VI counts in Vulnerability Response

    To avoid potential performance issues with rolling up all the patches to all the vulnerabilities, the scheduled job that picks up changes only modifies the active VI count. These count changes and related data are rolled up to the following records in the Vulnerability Response application:

    • VIT (vulnerable item)
    • RT (remediation task)
    • Vulnerability solution
    • Patch Update
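The roll-up above only applies active VI count changes instead of recounting every patch against every vulnerability. The following is an added example, not ServiceNow code, that models that incremental approach on constructed data: a full recount establishes the baseline, then only changed VIs (created, closed, reopened, or moved to another remediation task) adjust the counts on their parent RT, solution, and Patch Update records. Record identifiers and the `state` values are assumptions for illustration.

```javascript
// Constructed sample vulnerable items (VIs). Each VI points to one remediation
// task (rt), one vulnerability solution, and at most one Patch Update.
// A VI whose state is "open" is counted as active.
const vulnerableItems = [
  { id: "VIT001", state: "open",   rt: "RT1", solution: "SOL-A", patchUpdate: "PU-10" },
  { id: "VIT002", state: "open",   rt: "RT1", solution: "SOL-A", patchUpdate: "PU-10" },
  { id: "VIT003", state: "closed", rt: "RT1", solution: "SOL-B", patchUpdate: "PU-11" },
  { id: "VIT004", state: "open",   rt: "RT2", solution: "SOL-B", patchUpdate: null },
];

const PARENT_TYPES = ["rt", "solution", "patchUpdate"];

function isActive(vi) {
  return vi !== null && vi !== undefined && vi.state === "open";
}

// Adjust the active VI count on every parent record of one VI by delta.
function bump(counts, vi, delta) {
  for (const type of PARENT_TYPES) {
    const parentId = vi[type];
    if (!parentId) continue;             // e.g. no preferred patch mapped yet
    counts[type][parentId] = (counts[type][parentId] || 0) + delta;
  }
}

// Full recount: the expensive baseline that the scheduled job avoids repeating.
function fullRollup(vis) {
  const counts = { rt: {}, solution: {}, patchUpdate: {} };
  for (const vi of vis) {
    if (isActive(vi)) bump(counts, vi, +1);
  }
  return counts;
}

// Incremental roll-up: each change carries the VI as it was before and after.
// Subtracting the old contribution and adding the new one handles creation
// (before = null), deletion (after = null), state changes, and re-parenting.
function applyChanges(counts, changes) {
  for (const { before, after } of changes) {
    if (isActive(before)) bump(counts, before, -1);
    if (isActive(after)) bump(counts, after, +1);
  }
  return counts;
}

// Read the rolled-up count for one parent record; unknown records have 0.
function activeCount(counts, type, parentId) {
  return counts[type][parentId] || 0;
}
```

Comparing `applyChanges` output against a fresh `fullRollup` of the updated VI list is a cheap consistency check when validating a roll-up job.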

    For more information about viewing patch data and patch data roll up to records, and viewing patches without solutions, see the following topics.

    Bulk edit vulnerable items with patches

    You can bulk edit vulnerable items that have patches from the classic environment. For more information about how bulk editing works, see Edit vulnerable items in bulk in Vulnerability Response. The bulk edit applies the preferred patches to all the VIs selected. This edit option only works if preferred patches are mapped to all the VIs selected.

    Patch Orchestration Data Model Enhancements

    The Patch Management Data Model plugin is a standalone, free plugin that encapsulates the data model currently used in the VR Patch Orchestration application. This includes key tables such as Collection, Patch Update, Patch Deployment, and others.

    This plugin decouples the patch-related data model from the VR module, making it independent and reusable across other ServiceNow applications. VR Patch Orchestration now depends on this plugin.

    Key Enhancements:
    • Tables in the existing patch orchestration plugin, such as the collection device, patch update, and patch deployment tables, will be moved to the new data model plugin.
    • New tables will be created for these elements in the new plugin. The data from the old tables will be migrated to the new tables. Migration scripts and scheduled jobs will handle this process automatically. The old tables and references will be deprecated.