What’s new for SecOps in the ServiceNow Utah release?

Vulnerability Response Edition

As the number of vulnerabilities in our systems increases every day, fixing them as efficiently as possible is a must for everyone. The new changes in the ServiceNow Utah release will help remediation owners and, this time around, mainly managers to navigate around their respective workspaces where they get more visibility and more data than ever before. So, if you use the Vulnerability Response workspace, then the latest release of Vulnerability Response v. 18.0 is made just for you!

Vulnerability workspaces

As of the latest version 18.0, IT Remediation Workspace and Vulnerability Manager Workspace now support the entire spectrum of Vulnerability Response applications in addition to the Infrastructure Vulnerability Response. Now you can remediate the Application VR, Container VR, and Configuration Compliance directly from your workspaces as well.

Vulnerability Manager Workspace allows you to create and view Watch Topics, Remediation Efforts, and Remediation Tasks for application and container vulnerabilities and configuration test results. Additionally, you also have the Remediation Tasks for:

• Vulnerability Response,
• Application Vulnerability Response,
• Container Vulnerability Response,
• Configuration Compliance

in a single list. Transferring them to a new Remediation Effort for a watched topic is easier than ever without losing your history.

Vulnerability Manager Workspace has now access to all the Libraries:

• Common Vulnerability and Exposures (CVEs)
• Third-Party Entries (TPEs)
• Common Weakness Enumeration (CWEs)
• App Vulnerabilities, Policies, and Tests

They are all available for you from the comfort of your Vulnerability Manager Workspace.

You can provide additional information for your False Positives and Exceptions by answering a questionnaire in the Mark as False Positive and Request Exception forms for VITs, AVITs, CVITs, and Remediation Tasks in the Vulnerability Manager Workspace. Even if you have switched to GRC Policy Exception or plan to do so, you can still do it for VITs and AVITs.

So if you are tired of opening the backend to manage your AVITs, CVITs, and Configuration issues, do not stand idly by and upgrade your Vulnerability Response application and manage them all much faster, easier, and all in one place!

News in vulnerability exception process

There are a couple of updates outside of the workspaces but the most interesting one is that the deferral date remains saved. So an actual scenario would be if a Deferred VIT is closed and reopened by a scanner before the Until day is reached. Now, instead of having the VIT in the Open state, it is reverted to the Deferred state, as the Exception is still in place. If you get a lot of such cases in your environment, your remediation teams will no longer have to re-defer vulnerable items that were supposed to be deferred in the first place and your reports will be more accurate. To enable this functionality, set the value of the System Property sn_vul.auto_defer_vit_in_active_exception_window to true.

Improve your integrations

The last update is not a part of the release per se but downloadable from a KB article KB1271280 already available on the NowSupport portal. Committing the update sets gives you the ability to use a well-known Setup Assistant user interface to configure any custom integration for your ServiceNow instance with detailed step-by-step instructions, descriptions, and screenshots. Now, building a custom integration is easier and faster than ever. Go ahead and get yourself the Integration Assistant now. 

Security Incident Response

There are not many new features in the SIR, but they are quite big if you are a SIR user. Especially the first one, where ServiceNow introduces the new workspace for Security Incidents. It brings more options to operate and handle the incidents than the current settings as it combines the look and functions of the new workspaces and the old UI created directly for Security Incidents. This should create a more convenient place for all SIR users, no matter if you are used to the new workspace from a different module, the old view or just the classic security incident form. Another feature could be really helpful for you if you use the Microsoft ecosystem and want to use MS tools for DLP integration with ServiceNow. So, let’s dive into it in more detail!

Security Incident Response Workspace

As mentioned before, the main feature of the SIR Utah release is the new Workspace. It brings an alternative not only for the classic view form but also for the ‘New UI’ view designed for security incidents and it aligns the view with the other already presented workspaces.

The workspace contains 5 features:

1. Overview (landing page)
2. Upcoming section
3. Quick Links
4. List view
5. Multi-tab interface

The Overview shows you a quick view of security incidents presented by graphs, lists (list view) or even previews of the incidents (grid view). It allows you to do some of the basic actions with the incidents like assigning, exporting, creating new Incidents or even deleting if needed. The Upcoming shows upcoming tasks, e.g. tasks that are due on the same day or the next day, Quick links can be used to add custom easy references.

The List view represents the menu in a way the navigation bar does, showing only those categories that are important for the SIR. After selection, it shows their list view. As you are probably used to, the list view can be used to manipulate the records and can be personalised with the option to create custom quick filters. The form of the record itself shows similar items as in the ‘New UI’ view but in a modern coat with more tabs to switch on. An important part of the record that is of course not missing is the support of Runbooks.

Data Loss Prevention Incident Response with Microsoft

The second big feature comes with DLP IR with Microsoft which will most likely become very useful for companies that have the Data Loss Prevention module (or are thinking about using it) and use Microsoft tools. With this framework, you can import DLP incidents from multiple sources, w.g. from the Microsoft Purview apps (like MS Teams, Exchange Online, etc.). You can have multiple profiles for different accounts and set the automatic creation of the incidents. Of course, there is, as with almost every integration to ServiceNow, an option for how you want to map the data from the Microsoft DLP IR events to DLP IR incident fields. It also brings an option to integrate with cloud storage, so you can store the matching content of the Microsoft DLP events there or delete them when they are removed from ServiceNow.

—-

Do you have any additional questions? Do not hesitate and reach out to our team!