Triage vulnerabilities automatically
Summary of Triage vulnerabilities automatically
Efficiently reviewing and triaging new vulnerabilities is critical for effective remediation. This process automates the transformation of imported vulnerabilities into actionable remediation tasks, incorporating automated vulnerable item (VI) assignment, risk calculation, remediation targets, and grouping of VIs. It facilitates prioritization, orchestration, and validation of remediation activities, helping ServiceNow customers streamline vulnerability management and improve security posture.
Key Features
- Automated Vulnerable Item Assignment: Assign VIs automatically based on configured rules, reducing manual effort and ensuring appropriate ownership.
- Risk Calculation and Prioritization: Use risk scores to prioritize vulnerabilities, guiding remediation efforts effectively.
- Remediation Target Rules: Define and validate remediation targets, enabling focused and relevant remediation activities.
- Vulnerable Item Grouping: Group VIs into remediation tasks automatically based on rules; manual grouping is supported for unmatched items.
- Integration with CMDB: Reconcile assets not found in the CMDB, ensuring accurate vulnerability context.
- Validation with Scans: Confirm remediation completion through validation scans, ensuring vulnerabilities are resolved.
- Support for Security Incident Response: When enabled, create security incident records directly from remediation tasks for vulnerabilities that constitute security incidents.
Practical Steps for ServiceNow Customers
- Log in to your Vulnerability Response instance and validate that CI Lookup and Assignment rules function correctly.
- Review and adjust remediation target rules as needed to align with organizational remediation goals.
- Address ungrouped vulnerable items by revising grouping rules, rescanning, or manually creating remediation tasks.
- Modify risk scores on vulnerable items using the provided calculators to reflect current threat assessments.
- Close outdated vulnerable items that are no longer detected to maintain a clean and accurate vulnerability inventory.
- Research and determine remediation priorities based on risk, affected systems, and patch availability.
- Initiate Change Requests and assign remediation tasks to the appropriate teams, typically IT Operations, to execute remediation.
- Move remediation groups to the “Under Investigation” state after submitting change requests to track progress.
Why This Matters
By automating the triage of vulnerabilities, ServiceNow customers can reduce manual overhead, enhance accuracy in vulnerability prioritization, and accelerate remediation workflows. This leads to faster mitigation of security risks, improved alignment between vulnerability management and operational teams, and better overall security hygiene.
Reviewing and triaging new vulnerabilities is necessary to ensure successful remediation. Transform vulnerability imports into remediation tasks with automated vulnerable item (VI) assignment, risk calculation, remediation targets, and VI grouping.
Starting with imported vulnerabilities, reconcile the assets not found in the CMDB, prioritize the results, translate that to remediation activities that are automatically assigned, orchestrate the remediation process, and confirm completion with a validation scan.
New vulnerable items are usually sorted into remediation tasks upon import, based on remediation tasks rules. Sometimes, vulnerable items cannot be grouped or do not contain a recognized configuration item.
- Log in to your Vulnerability Response instance.
- Validate that your rules (CI Lookup, Assignment) for vulnerable items are working as expected. For information on revising CI Lookup Rules, see CI lookup rules for identifying configuration items from Vulnerability Response third-party vulnerability integrations. For information on Assignment rules, see Vulnerability Response assignment rules overview.
Note: Due to the large volume of data in imports, take care with automated vulnerable item assignment.
- Validate that your remediation targets are correct. See Vulnerability Response remediation target rules for information on how remediation target rules work and how to revise them.
- View ungrouped vulnerable items.
- Looking at the ungrouped vulnerable items, consider revising your group rules and performing a rescan. See Create or edit Vulnerability Response remediation task rules for more information.
- Manually group the vulnerable items. See Manually create a remediation task in Vulnerability Response for more information.
- Revise risk scores for the vulnerable items in your remediation tasks. See Vulnerability Response calculators and vulnerability calculator rules for more information.
- Close older vulnerable items not recently detected by your third-party integrations. See Automatic closing of vulnerable items and detections for more information.
- View and reclassify unmatched configuration items.
- Research what needs to be done for remediation.
This step can include:
- Determine what to deal with now and what you can defer. This determination is often based on risk score, affected systems, and patches with change windows.
Note: Remediation target rules belong to vulnerable items. These rules run when the vulnerable item is imported and were created previously in the Setup Assistant.
- Refresh vulnerable items, if necessary, and view their remediation target status. See View the remediation target status of a Vulnerability Response vulnerable item.
- Create a Change Request and assign the remediation task to an assignment group (IT Operations) for remediation.
Note: If the vulnerability constitutes a security incident and the Security Incident Response plugin (com.snc.security_incident) is activated, you can create security incident records from the remediation tasks instead.
- After submitting one or more change requests, move the group state to Under Investigation.
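A model of the triage flow these steps describe, as an added example that is not ServiceNow's code or API: assignment rules keyed on CI name, a stand-in risk calculator, remediation targets by severity, grouping into one remediation task per assignment group and vulnerability, and automatic closing of items not recently detected. The rule contents, field names, risk formula, day thresholds and sample items are all assumptions constructed for the illustration.

```javascript
// Added illustration, not ServiceNow's code or API: a model of the triage
// pipeline described above, run over constructed vulnerable items (VIs).
// Rule tables, field names, the risk formula and day thresholds are assumptions.
const DAY_MS = 86400000;
const STALE_DAYS = 60;                      // auto-close VIs not detected for this long
const TARGET_DAYS = { Critical: 7, High: 30, Medium: 90, Low: 180 };
const ASSIGNMENT_RULES = [                  // CI lookup -> assignment group
  { match: (vi) => /^web-/.test(vi.ci), group: "Web Platform" },
  { match: (vi) => /^db-/.test(vi.ci), group: "Database Ops" },
];

function riskScore(vi) {                    // assumed calculator: CVSS weighted by exposure
  return Math.min(100, Math.round(vi.cvss * 10 * (vi.internetFacing ? 1.5 : 1)));
}
function severity(score) {
  return score >= 90 ? "Critical" : score >= 70 ? "High" : score >= 40 ? "Medium" : "Low";
}

// Returns remediation tasks (one per assignment group and vulnerability),
// VIs left for manual grouping, and VIs closed as no longer detected.
function triage(items, now) {
  const tasks = new Map(), ungrouped = [], closed = [];
  for (const vi of items) {
    if (now - vi.lastFound > STALE_DAYS * DAY_MS) { closed.push(vi.id); continue; }
    const rule = ASSIGNMENT_RULES.find((r) => r.match(vi));
    if (!rule) { ungrouped.push(vi.id); continue; }   // unmatched CI: no rule applies
    const risk = riskScore(vi), sev = severity(risk);
    const key = `${rule.group}|${vi.vuln}`;
    if (!tasks.has(key)) tasks.set(key, { group: rule.group, vuln: vi.vuln, state: "Open", items: [] });
    tasks.get(key).items.push({ id: vi.id, risk, severity: sev,
      targetDate: new Date(now + TARGET_DAYS[sev] * DAY_MS).toISOString().slice(0, 10) });
  }
  return { tasks: [...tasks.values()], ungrouped, closed };
}

// Constructed import sample; "VULN-A"/"VULN-B" are placeholder vulnerability ids.
const NOW = Date.UTC(2024, 0, 1);
const SAMPLE_ITEMS = [
  { id: "VIT1", ci: "web-01", vuln: "VULN-A", cvss: 9.8, internetFacing: true, lastFound: NOW - 1 * DAY_MS },
  { id: "VIT2", ci: "web-02", vuln: "VULN-A", cvss: 9.8, internetFacing: false, lastFound: NOW - 2 * DAY_MS },
  { id: "VIT3", ci: "db-01", vuln: "VULN-B", cvss: 5.3, internetFacing: false, lastFound: NOW - 3 * DAY_MS },
  { id: "VIT4", ci: "", vuln: "VULN-A", cvss: 9.8, internetFacing: true, lastFound: NOW - 1 * DAY_MS },
  { id: "VIT5", ci: "web-03", vuln: "VULN-B", cvss: 5.3, internetFacing: false, lastFound: NOW - 61 * DAY_MS },
];
function runSample() { return triage(SAMPLE_ITEMS, NOW); }
console.log(JSON.stringify(runSample(), null, 2));
```

VIT4 has no recognized CI and so lands in the ungrouped list for manual handling, and VIT5 is closed because its last detection is older than the stale threshold.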