
Security Operations Release Notes | August 2022

Written by Tommy LaMonte | Sep 8, 2022 3:57:27 PM

The Security Operations (SecOps) suite of applications manages releases through the ServiceNow Store rather than through platform family upgrades. This allows more frequent releases, typically quarterly, of both enhancements and bug fixes. With more frequent updates it can be hard to determine what is and is not important, and whether you should upgrade all of your SecOps applications every time. To simplify the decision making, we've paired ServiceNow's most noteworthy SecOps release notes with in-depth insight ("What it Means for You").

Vulnerability Response Updates (v16.5.4) 

New Update | Duplicate Vulnerable Item Handling

What it Means for You

Using multiple vulnerability scanners is becoming more and more common. Duplicate vulnerable items are a big risk here, as scanners frequently have overlapping results. Having an out-of-the-box method for de-duplicating vulnerable items removes the need for custom solutions and increases the efficiency with which vulnerable items can be resolved. Duplicate Vulnerable Items can be shown on a Remediation Task's Duplicate VIs related list and are stored in a Potential Duplicate Vulnerable Items table. This could be used to prevent assigning a vulnerable item that is potentially a duplicate, so only one of the items gets assigned for remediation.
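To make the de-duplication idea concrete, here is an added example (not ServiceNow's implementation, and not code from the release notes) of the matching logic a vulnerability team typically needs when two scanners report the same finding: normalize the fields that identify "same asset, same vulnerability," keep the earliest item as the primary, and record later matches as potential duplicates pointing at the primary. The record shape, the scanner names and the sample items are constructed assumptions; the CVE ids are placeholders.

```javascript
// Added example (not ServiceNow code): de-duplicate vulnerable items reported by
// more than one scanner. An item is a potential duplicate when it names the same
// asset and the same vulnerability (and port, where known) as an item already seen.

// Normalize the identifying fields so cosmetic differences between scanners
// (case, whitespace, FQDN vs short hostname) do not hide duplicates.
function dedupKey(vi) {
  const host = String(vi.host || '').trim().toLowerCase().split('.')[0];
  const vuln = String(vi.cve || vi.vuln_id || '').trim().toUpperCase();
  const port = vi.port == null ? '' : String(vi.port);
  return `${host}|${vuln}|${port}`;
}

// Returns { primary: [...], duplicates: [...] }. Items are ordered by first_found,
// then by scanner preference; the first item per key becomes the primary and later
// matches are recorded with a pointer to it, so only one item is assigned.
function findDuplicates(items, scannerPreference = []) {
  const rank = (src) => {
    const i = scannerPreference.indexOf(src);
    return i === -1 ? scannerPreference.length : i;
  };
  const sorted = [...items].sort(
    (a, b) => a.first_found.localeCompare(b.first_found) || rank(a.source) - rank(b.source)
  );
  const byKey = new Map();
  const primary = [];
  const duplicates = [];
  for (const vi of sorted) {
    const key = dedupKey(vi);
    if (byKey.has(key)) {
      duplicates.push({ id: vi.id, source: vi.source, duplicate_of: byKey.get(key).id, key });
    } else {
      byKey.set(key, vi);
      primary.push(vi);
    }
  }
  return { primary, duplicates };
}

// Constructed sample: two scanners overlap on one finding (VIT0001 / VIT0002);
// VIT0004 is the same CVE on the same host but a different port, so it is kept.
const SAMPLE_ITEMS = [
  { id: 'VIT0001', source: 'qualys',  host: 'web01.corp.example', cve: 'CVE-0000-0001', port: 8080, first_found: '2022-08-01' },
  { id: 'VIT0002', source: 'tenable', host: 'WEB01',              cve: 'cve-0000-0001', port: 8080, first_found: '2022-08-02' },
  { id: 'VIT0003', source: 'tenable', host: 'db01',               cve: 'CVE-0000-0002', port: null, first_found: '2022-08-02' },
  { id: 'VIT0004', source: 'qualys',  host: 'web01',              cve: 'CVE-0000-0001', port: 443,  first_found: '2022-08-03' },
];

function demoDuplicates() {
  return findDuplicates(SAMPLE_ITEMS, ['qualys', 'tenable']);
}
```

The port is part of the key on purpose: the same CVE on two listening services is two remediation actions, not one. If your scanners disagree on how they report ports, drop it from the key and treat the port list as an attribute of the primary instead.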

New Update | Vulnerability Manual Bulk Import Feature

What it Means for You

Monitoring for and resolving zero-day exploits is an important part of vulnerability management. Previously, ServiceNow was very scanner-integration focused, meaning all your vulnerable items typically came from a scanner integration. This new functionality allows analysts to easily create vulnerable items in bulk for vulnerabilities that may not have been picked up by a scanner yet, and these manually created records are automatically prioritized, assigned, and grouped based on the logic you have already built. Additionally, companies with scanners that are not yet integrated with ServiceNow, or cannot be integrated, can extract data from those scanners and manually import vulnerable items to be managed in ServiceNow. This feature also includes the ability to close stale vulnerable items: if the same data set is imported each time and a vulnerability has not been found for a set number of days, it is closed, the same way the scanner integrations support this.
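The stale-closure behaviour described above is the part teams most often get wrong in home-grown imports, so here is an added example (not ServiceNow's import code) of applying one run of a manual data set to the existing vulnerable items: rows present in the import are created or refreshed, and open items absent from the import whose last sighting is older than a threshold are closed. The record shape, the state names, the threshold and the sample data are constructed assumptions.

```javascript
// Added example (not ServiceNow code): reconcile a manually imported data set
// against existing vulnerable items, closing items not seen for STALE_DAYS.

const STALE_DAYS = 30;                       // assumed threshold; configurable in practice
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Identity of a vulnerable item: asset plus vulnerability id, normalized.
function itemKey(r) {
  return `${String(r.host).trim().toLowerCase()}|${String(r.vuln_id).trim().toUpperCase()}`;
}

// existing: current VIs; imported: rows from the manual import; today: ISO date.
// Returns new arrays rather than mutating the input so the caller can review the diff.
function applyImport(existing, imported, today) {
  const now = new Date(today + 'T00:00:00Z').getTime();
  const seen = new Set(imported.map(itemKey));
  const byKey = new Map(existing.map((vi) => [itemKey(vi), vi]));
  const created = [], refreshed = [], closed = [], untouched = [];

  // Rows in the import: refresh the matching item (reopening it if it had been
  // closed) or create a new manually sourced item.
  for (const row of imported) {
    const vi = byKey.get(itemKey(row));
    if (vi) {
      refreshed.push({ ...vi, last_found: today, state: vi.state === 'closed' ? 'open' : vi.state });
    } else {
      created.push({ id: `NEW-${created.length + 1}`, host: row.host, vuln_id: row.vuln_id,
                     first_found: today, last_found: today, state: 'open', source: 'manual' });
    }
  }

  // Items not in the import: close only open items that have aged past the threshold.
  for (const vi of existing) {
    if (seen.has(itemKey(vi))) continue;
    const ageDays = (now - new Date(vi.last_found + 'T00:00:00Z').getTime()) / MS_PER_DAY;
    if (vi.state !== 'closed' && ageDays > STALE_DAYS) {
      closed.push({ ...vi, state: 'closed', close_reason: `not found for ${Math.floor(ageDays)} days` });
    } else {
      untouched.push(vi);
    }
  }
  return { created, refreshed, closed, untouched };
}

// Constructed sample data. Vulnerability ids are placeholders.
const EXISTING_ITEMS = [
  { id: 'VIT0001', host: 'host1', vuln_id: 'V-0001', first_found: '2022-06-01', last_found: '2022-07-01', state: 'open' },
  { id: 'VIT0002', host: 'host2', vuln_id: 'V-0002', first_found: '2022-08-01', last_found: '2022-08-20', state: 'open' },
  { id: 'VIT0003', host: 'host3', vuln_id: 'V-0003', first_found: '2022-05-01', last_found: '2022-06-01', state: 'closed' },
  { id: 'VIT0004', host: 'host5', vuln_id: 'V-0005', first_found: '2022-07-01', last_found: '2022-07-15', state: 'open' },
];
const IMPORT_ROWS = [
  { host: 'HOST1', vuln_id: 'v-0001' },      // still present: refreshed
  { host: 'host4', vuln_id: 'V-0004' },      // new: created
];

function demoImport(today = '2022-09-01') {
  return applyImport(EXISTING_ITEMS, IMPORT_ROWS, today);
}
```

Two details matter for correctness: the age test is against `last_found`, not `first_found`, and already-closed items are left alone so a historic record does not get a second close event. If an import is partial (one business unit's scanner export, say), stale closure must be scoped to the assets that export covers, or unrelated open items will be closed by mistake.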

New Update | Unassigned Vulnerable Item Handling

What it Means for You

Using an un-assign button for vulnerabilities that a team is not responsible for may be a new concept for some organizations. Rather than emailing around to find who the correct team is, this drives the process through ServiceNow to the vulnerability management team to find the correct group. This ensures that the vulnerability team is aware of these incorrect assignments, rather than manual reassignments happening between teams.

Grouping together unassigned vulnerabilities makes it easy for vulnerability analysts or the correct responsible team to review unassigned vulnerabilities and quickly get them assigned to the correct team.

There is a daily digest of unassigned vulnerabilities that serves 2 key purposes:

  1. It quickly exposes which vulnerabilities do not have a team responsible for them.
  2. Grouping them by assignment rule shows analysts which rules are frequently assigning vulnerabilities incorrectly, and drives them to improve those rules.

New Update | Multiple Deferral/Exception Request Tracking 

What it Means for You

Many customers have asked for this feature and have frequently captured this in a custom field. Now that this is available out-of-the-box customers will be able to report on how many times an exception has been raised for a vulnerable item or remediation task. This enables vulnerability management teams to see if specific VIs or RTs are getting exception requests raised repeatedly. This will help the vulnerability managers flag when a remediation task or vulnerable item is repeatedly being deferred and may need to be investigated or monitored more closely.

Enhanced Item | Visibility Into Integration Status

What it Means for You

Visibility was added into the total chunks generated by Tenable and the total available chunks. Chunks are used to handle imports from paged vulnerability integrations. For example, an integration retrieving 10,000 vulnerability records may be limited to requesting 1,000 at a time, which would result in 10 "chunks." Visibility into the number of chunks being generated and how many are available gives an admin insight into how long an import may take to pull data from the source application into ServiceNow, by estimating how long each chunk takes to process.

Attachments are now visible as they are downloaded and processed. Seeing the source attachment data returned from a scanner can be helpful when troubleshooting what information is coming from a scanner and what format the data is in prior to being transformed in ServiceNow.


Configuration Compliance Updates (v14.3.5)

New Update | Unassigned Test Result Group Handling

What it Means for You

This change will function the same as the new unassign functionality for VR and drive the process of improving assignment through ServiceNow, rather than email. 

New Update | Multiple Deferral/Exception Request tracking

What it Means for You

This change will function the same as the deferral counter feature in VR and allows better reporting on repeated deferrals.  


Integration Updates

New Update | Vulnerability Response Integration with CISA 1.0.0

What it Means for You

This is the first release of this integration and is a great addition to the available Vulnerability integrations. Many customers rely on data from CISA around Known Exploited Vulnerabilities to help prioritize which vulnerable items should be addressed first.  With this new integration, CVEs and Third-Party Vulnerability Entries can easily be updated with data from CISA’s database to identify if it is a known exploited vulnerability as well as the CISA identified due date. 
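As an added example of what the KEV enrichment amounts to (this is not ServiceNow's integration code), the block below indexes a KEV catalog excerpt, stamps local CVE records with the known-exploited flag and the CISA due date, and orders them so overdue KEV entries come first. The feed excerpt is constructed but follows the field names of CISA's public KEV JSON catalog (`vulnerabilities`, `cveID`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`); the CVE ids, CVSS scores and the enrichment field names are placeholders.

```javascript
// Added example (not ServiceNow code): enrich CVE records with CISA KEV data.

// Constructed excerpt in the shape of the public KEV JSON catalog.
const KEV_FEED = {
  title: 'CISA Catalog of Known Exploited Vulnerabilities',
  catalogVersion: '2022.08.31',                 // constructed value
  count: 2,
  vulnerabilities: [
    { cveID: 'CVE-0000-0001', vendorProject: 'ExampleVendor', product: 'ExampleProduct',
      vulnerabilityName: 'Example RCE', dateAdded: '2022-08-01', dueDate: '2022-08-22',
      requiredAction: 'Apply updates per vendor instructions.', knownRansomwareCampaignUse: 'Known' },
    { cveID: 'CVE-0000-0002', vendorProject: 'ExampleVendor', product: 'OtherProduct',
      vulnerabilityName: 'Example auth bypass', dateAdded: '2022-08-15', dueDate: '2022-09-05',
      requiredAction: 'Apply updates per vendor instructions.', knownRansomwareCampaignUse: 'Unknown' },
  ],
};

// Index the catalog by upper-cased CVE id; tolerate entries missing a dueDate.
function indexKev(feed) {
  const idx = new Map();
  for (const v of feed.vulnerabilities || []) {
    if (!v || !v.cveID) continue;
    idx.set(String(v.cveID).toUpperCase(), {
      dateAdded: v.dateAdded || null,
      dueDate: v.dueDate || null,
      ransomware: v.knownRansomwareCampaignUse === 'Known',
    });
  }
  return idx;
}

// Add three enrichment fields to each CVE record; everything else is left as-is.
function enrichCves(cveRecords, kevIndex, today) {
  return cveRecords.map((rec) => {
    const hit = kevIndex.get(String(rec.id).toUpperCase());
    if (!hit) return { ...rec, cisa_kev: false, cisa_due_date: null, cisa_overdue: false };
    const overdue = hit.dueDate !== null && hit.dueDate < today;   // ISO dates compare lexically
    return { ...rec, cisa_kev: true, cisa_due_date: hit.dueDate, cisa_overdue: overdue };
  });
}

// Ordering: KEV entries first, overdue before not-yet-due, then by CVSS score.
function prioritize(enriched) {
  return [...enriched].sort(
    (a, b) => (b.cisa_kev - a.cisa_kev) || (b.cisa_overdue - a.cisa_overdue) || (b.cvss - a.cvss)
  );
}

// Constructed local CVE records (ids are placeholders; one is lower-cased on purpose).
const SAMPLE_CVES = [
  { id: 'CVE-0000-0003', cvss: 9.8 },
  { id: 'cve-0000-0002', cvss: 7.5 },
  { id: 'CVE-0000-0001', cvss: 6.5 },
];

function demoKev(today = '2022-09-01') {
  return prioritize(enrichCves(SAMPLE_CVES, indexKev(KEV_FEED), today));
}
```

Note that the lowest-CVSS record ends up first because it is known exploited and past its due date; that inversion of a pure CVSS ordering is exactly why teams pull the KEV feed in.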

Qualys Integration with Security Operations 12.5.3 

Enhanced Item |  Additional Integration Parameters

What it Means for You

“include_only_confirmed” parameter: Qualys may detect vulnerabilities that may be present but cannot be fully verified; it reports these as ‘potential vulnerabilities’ that it recommends investigating. By default, those are included in the host detections pulled into ServiceNow as Vulnerable Items. This configurable parameter allows customers to limit the host detections to only those that Qualys has definitively confirmed are present on a device.

Query Parameter field: This feature allows simple updates to the filtering of data pulled from Qualys without having to extensively customize the script includes and REST messages that are used to pull data from Qualys. There is a single field on the REST message that can be updated with filters to pull only the desired data, such as excluding vulnerabilities detected against disabled QIDs.

Rapid7 Integration with Security Operations - 13.4.2 

Enhanced Item |  Additional Integration Parameters

What it Means for You

Additional integration query filters using JSON: This feature allows simple updates to the filtering of data pulled from Rapid7 InsightVM without having to extensively modify the script includes and REST messages that are used to pull data from Rapid7. There is a single field on the REST message that can be updated with filters to pull only the desired data.

Vulnerability Response Integration with Tenable 3.3.2

Enhanced Item | Credential-less Rescanning

What it Means for You

Initiate credential-less rescans: Previously, requesting a rescan of an asset required users to select the credential to apply, and they could not rescan if they did not know the proper credentials. With this update users can request an uncredentialed rescan. This has some uses, but it will not return results as detailed as a scan run with the proper credentials.

Enhanced Item |  Additional Integration Parameters

What it Means for You

Additional integration query filters using JSON: This feature allows simple updates to the filtering of data pulled from Tenable without having to extensively modify the script includes and REST messages that are used to pull data from Tenable. There is a single field on the REST message that can be updated with filters to pull only the desired data.

New Update | Patch orchestration 2.0.3 

What it Means for You

Remediation owners can now view preferred patches for configuration items. This is an update to the IT Remediation Workspace that makes it easy for remediation owners to view the appropriate patch for a configuration item.


Security Incident Response Updates (v12.9.2) 

Fixed Item | Security Incident Reopening

What it Means for You

An SIR linked to a Problem or Incident would reopen when the related record was closed. This update ensures that security incidents will not be incorrectly re-opened if a related incident or problem is closed.

Fixed Item | Security Incident Tags Toolbar Placement

What it Means for You

Previously, if the Security Incident Tags toolbar was moved to a different location on the form, its sizing would become distorted. This fix resolves the issue, allowing the placement of the security tags toolbar on a form to be configured.


Major Security Incident Management Updates (v2.1.0)

Enhanced Item | Major Security Incident Task Linkage

What it Means for You

Many improvements were added to MSIM task linking, including updated linking capabilities from workspace, linking to custom task tables and the ability to unlink records. These enhancements will enable better visibility into related records of Major Security Incidents. The expansion to allow all task records to link will ensure even customized use cases can be handled when needed.


Quick Start Tests for Security Incident Response Updates

New Update | Additional Quick Start Tests

The newest SIR update brings several new quick start tests, mainly focused on Post Incident Reviews and Major Security Incidents. These make it quicker to get started with ATF for SIR, since pre-created test cases now cover more of the platform.

  • PIR Assessments OOTB configuration test
  • PIR assessments conditional Configuration tests
  • PIR Run Time Experience
  • SIR: PIR design time setup verification
  • PIR Design Time Experience
  • SIR: Propose Security Incident as Major Security Incident


Threat Intelligence Updates (v13.1.0)

Fixed Item | Updates to Payload Parsing 

The Threat Intelligence updates are mainly fixes for known issues. The update to the MITRE payload parsing allows ingestion of the newest MITRE ATT&CK format without errors. MITRE ATT&CK frequently adds new useful information, so updates in ServiceNow to properly ingest it are important to keep the integration functioning.
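The failure mode behind this fix is a parser that assumes a fixed object set and breaks when the ATT&CK STIX bundle gains new object types or fields. As an added example (not ServiceNow's parser), the block below walks a STIX 2.1 bundle the tolerant way: it extracts techniques from `attack-pattern` objects by their `mitre-attack` external reference, skips revoked or deprecated entries, and records rather than rejects anything it does not understand. The bundle is constructed but uses the real STIX/ATT&CK field names (`type`, `external_references`, `kill_chain_phases`, `x_mitre_platforms`, `x_mitre_deprecated`, `revoked`); the STIX ids, technique ids and URL are placeholders.

```javascript
// Added example (not ServiceNow code): tolerant ingestion of an ATT&CK STIX bundle.

// Constructed bundle. The first object carries a field the parser has never seen,
// the second is revoked, the third is an object type the parser does not handle,
// and the fourth has no mitre-attack external id.
const SAMPLE_BUNDLE = {
  type: 'bundle',
  id: 'bundle--00000000-0000-4000-8000-000000000000',          // placeholder id
  objects: [
    { type: 'attack-pattern', id: 'attack-pattern--00000000-0000-4000-8000-000000000001',
      name: 'Example Technique', description: 'Constructed technique.',
      external_references: [{ source_name: 'mitre-attack', external_id: 'T0000', url: 'https://example.invalid/T0000' }],
      kill_chain_phases: [{ kill_chain_name: 'mitre-attack', phase_name: 'execution' }],
      x_mitre_platforms: ['Windows'], x_mitre_deprecated: false, revoked: false,
      x_mitre_new_field_added_later: { nested: true } },         // unknown field: must not break ingestion
    { type: 'attack-pattern', id: 'attack-pattern--00000000-0000-4000-8000-000000000002',
      name: 'Revoked Technique',
      external_references: [{ source_name: 'mitre-attack', external_id: 'T0001' }], revoked: true },
    { type: 'x-mitre-data-component', id: 'x-mitre-data-component--00000000-0000-4000-8000-000000000003',
      name: 'Object type this parser does not handle' },
    { type: 'attack-pattern', id: 'attack-pattern--00000000-0000-4000-8000-000000000004',
      name: 'No ATT&CK id', external_references: [{ source_name: 'other', external_id: 'X-1' }] },
  ],
};

// The ATT&CK technique id lives in external_references under source_name 'mitre-attack'.
function attackId(obj) {
  for (const ref of obj.external_references || []) {
    if (ref && ref.source_name === 'mitre-attack' && typeof ref.external_id === 'string') return ref.external_id;
  }
  return null;
}

// Returns { techniques, skipped }. Only the bundle envelope is treated as fatal;
// every per-object problem is recorded in `skipped` so one odd entry cannot stop
// the import, and unknown fields on known objects are simply ignored.
function parseTechniques(bundle) {
  if (!bundle || bundle.type !== 'bundle' || !Array.isArray(bundle.objects)) {
    throw new Error('not a STIX bundle');
  }
  const techniques = [];
  const skipped = [];
  for (const obj of bundle.objects) {
    if (!obj || typeof obj !== 'object') { skipped.push({ id: null, reason: 'not an object' }); continue; }
    if (obj.type !== 'attack-pattern') { skipped.push({ id: obj.id, reason: `unhandled type ${obj.type}` }); continue; }
    if (obj.revoked === true || obj.x_mitre_deprecated === true) { skipped.push({ id: obj.id, reason: 'revoked or deprecated' }); continue; }
    const id = attackId(obj);
    if (!id) { skipped.push({ id: obj.id, reason: 'no mitre-attack external id' }); continue; }
    techniques.push({
      attack_id: id,
      name: typeof obj.name === 'string' ? obj.name : '',
      tactics: (obj.kill_chain_phases || [])
        .filter((p) => p && p.kill_chain_name === 'mitre-attack')
        .map((p) => p.phase_name),
      platforms: Array.isArray(obj.x_mitre_platforms) ? obj.x_mitre_platforms : [],
      stix_id: obj.id,
    });
  }
  return { techniques, skipped };
}

function demoAttack() {
  return parseTechniques(SAMPLE_BUNDLE);
}
```

The `skipped` list is worth surfacing in the import log: a sudden jump in "unhandled type" entries after a catalog refresh is the earliest sign that the upstream format has grown and the mapping needs attention, well before anything visibly breaks.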


Next Steps

Interested in more details? Concerned about the potential ramifications to your current environment? Curious about prior release notes? Feel prepared and confident before your next upgrade by talking to a certified ServiceNow expert.