TechTalk - Build a rock solid digital foundation (CMDB) with ITOM Visibility -Deep Dive
Hello everyone, my name is Steve Emerson and I'm an Advisory Solution Architect with ServiceNow's IT transformation team. Today I'm going to show you how you can drive great service experiences by gaining visibility across your entire estate with ease, using ServiceNow's ITOM Visibility solutions.

Before I talk about ITOM Visibility, I wanted to take a step back and talk about how ServiceNow can help you deliver digital change with a single platform for IT. We do this by creating great experiences for IT (whichever discipline of IT you see there in the top row), employees and customers, by connecting everyone with your technology ecosystem. That technology ecosystem could be a combination of on-premise solutions that are managed in a more waterfall methodology, such as your ERP systems, your electronic medical record system or your claims management system, or it could be more modern cloud-based systems that are managed in a more agile approach, things like online shopping, student registration or customer service. Every organization needs to be able to manage the software that supports all those systems, so today effectively everyone is really a software factory: you need to be able to plan, build, operate and then eventually put those things into service and make sure that they're operating correctly.

We do this by using one platform for all IT workflows, which has one architecture. That means all of the ServiceNow solutions that sit on top of ServiceNow leverage a set of underlying capabilities that are common: things like workflow, integrations, machine learning, a great web and mobile UI experience, as well as developer tools. And one data model, which is the Service Graph, or CMDB. It's that central repository of configuration data that's going to drive value across all the solutions.

Talking about the CMDB: it's your organization's digital foundation, and it's also ServiceNow's foundation. It's the central repository of configuration data that's going to drive value for all the solutions you see around this wheel here, and much more. So I'll talk about a few different scenarios before we get into the actual feature set of ITOM Visibility.

When you think about a CMDB, its value really increases when it becomes service aware, which means that you're applying business context to all of the configuration items that exist in your environment. So you understand how an operational event impacts the business: how does an event that happened on this specific server align with a business application that people are using? How do I prioritize my response when everything is coming in as critical? From an IT service management perspective, when you're planning changes, you can more easily understand the downstream dependencies of that change, but also how it impacts the business, so that you can ultimately increase efficiency and reduce risk when planning changes. From a DevOps perspective, we need to be able to ensure governance and traceability of the CI/CD process; if you're tracking every deployment that happens against configuration items, you're able to more easily see the full life cycle, which is going to add a lot of value. Cloud: we talked about cloud on the last slide. How do you gain visibility of those cloud resources so that you can align all that spend to a business initiative? And then asset management as well: how do we gain visibility of all that software that's sitting out in your environment so that you can more easily compare what you own versus what's in use?

Now, ITOM Visibility includes a set of solutions beyond just Discovery and Service Mapping.

Discovery: think of it as what goes out there and scans your network, finds everything and populates it into the CMDB. It'll not only populate the configuration items in there, but it'll also populate attributes. It'll pull in software information, running processes and TCP connections, and it'll ultimately build a dependency map to show you which systems rely upon each other, and that's done in an agentless fashion.

Service Mapping is what applies business context to your CMDB. When you think about the importance of that, it's really paramount, and we'll talk about all the different ways that we do that.

Firewall Audits and Reporting solves a major problem that exists today: how do we make sure that we don't have orphan firewall policies sitting out there, and how do we also make sure that we don't have policies that are misconfigured, if we're not doing attestations on a regular basis? So we help you gain visibility into your entire firewall estate, but also streamline the auditing process.

Certificate Inventory and Management: a major problem exists across our customer base with expiring certificates. When a certificate expires it could cause an outage, and it can cause a security breach. So ServiceNow goes out there and scans your entire network to find all the certificates, pulls in the expiration dates and automates the creation of tasks so that they can be renewed well ahead of their expiration.

Service Graph Connectors: how do we complete the visibility picture? ServiceNow Discovery is really geared toward infrastructure operations and the cloud. When you think about your endpoints, how do we get the data from the endpoints into the CMDB so that you can see things like what software is on there? How do I enrich my CMDB from data sources that I've already invested in? These Service Graph Connectors are a set of certified integrations for the CMDB that ServiceNow and our technology partners have decided on as a path forward to make sure that the data gets into the CMDB accurately.

And then, when you have all those different data sources between Discovery and Service Graph Connectors, you need a multi-source engine in the CMDB that can decipher all that data, to make sure that you're not getting duplicate data and to make sure that only authoritative sources can write the data to the correct attributes. But also, wouldn't it be great if we had all that data stored somewhere in a staging table that we could reference at any time? Instead of one data source being the golden source, I want this other data source to be the source, and instead of waiting until the next discovery, ServiceNow will automatically make that change for you once you say that that's valid.

So that, in a nutshell, is the ITOM Visibility feature set. At this point we're going to dive into the ServiceNow instance and get into a demo.

The first feature we're going to cover is Discovery. Discovery enables you to gain visibility of your entire operational estate regardless of where the components are: they could be on-prem, in a hybrid cloud, hyper-converged infrastructure, public cloud or serverless computing. Discovery is an agentless technology that scans your networks to find devices and adds them to the CMDB.

When it comes to cloud, you need visibility into all resources so that you can have complete traceability and governance of those resources. Visibility will also help you more easily control cloud spend. ServiceNow natively supports AWS, Azure, Google Cloud, IBM Cloud and VMware from a Discovery perspective. Here we see our new Cloud Resources dashboard, which shows us trends and resources across all clouds; you can download this dashboard from the ServiceNow Store. Cloud resources are constantly being spun up, changed or spun down, and it's critical to have visibility into all those changes, so ServiceNow Cloud Discovery supports real-time updates as cloud resources change, with support for AWS Config, Azure Alerts, GCP Stackdriver and VMware events.

If we look at our Azure tab, we can see the counts of the different types of Azure resources being discovered, from virtual machines to disks to load balancers to availability zones, etc. If we look at our AWS tab we see the same thing, but in the AWS nomenclature: we see the number of EC2 instances, storage volumes, load balancers and so forth. Clicking on any of these dashboard widgets will take us down into a specific list of resources. For example, this pie chart down here shows us our EC2 instances by state: the ones that are on, the ones that are off, paused, scheduled and terminated. Let's say I only want to look at the resources that are on. I click that piece of the pie and I see a list of all cloud resources that are currently running.

We're going to look at an instance here that happens to be my instance, running as a VM instance in AWS. Here we see that this is a virtual machine instance and it's got some metadata aligned to it: the name of the instance, the state, number of CPUs, disks and so forth. If we scroll down to the bottom and look at tags, ServiceNow also discovers the tags that are applied to those resources in the clouds themselves. This specific resource has five different tags assigned to it. That's important because tags are really the de facto standard for aligning your cloud resources with applications, environments, ownership and so on, so that you can more easily map these resources back to an initiative.

Now, a CI's value is enhanced by its relationships. What do we mean by that? If we take a look at the relationships for this virtual machine instance, on the cloud discovery portion we see all of the cloud metadata: we see the storage volume, we see what image it was built from, which data center it's in, which storage it uses, which network it's on, as well as all of the other information down below. We also see the virtual server that sits on top of it; this is the actual Windows Server virtual machine, which we're going to be doing a deep-dive discovery on secondarily. And then we see the relationships up the chain.

So let's run the layout from the virtual server. This is your traditional Windows server. ServiceNow Discovery builds relationships between the host and its components, such as the server and the disks; application to host, so for example here we see that we have an Agent Client Collector application, a Tomcat application and a PRTG application installed on top of this Windows server; and also application to application. We're also able to understand if there is a related service that has been mapped; we'll come back to Service Mapping in just a few moments.

So far we've seen the information we collect for the virtual machine instance, and we've seen the relationships that have automatically been built. Let's take a look at the details we collect for deep-dive discovery. Here is a Windows server that has been discovered with the agentless technology: we gave it credentials and it's gone out and interrogated this server and populated the CMDB with the server and its attributes. We see, for example, the serial number, the model, who it's assigned to, the OS domain it's a part of, the operating system and so forth, the amount of RAM, CPU. If we go down to the bottom we see that it has pulled in software installations, which are useful for software asset management and application portfolio management use cases. We see that it has discovered running processes, which are useful for creating application CIs but also for building those relationships we just showed you. We see that it has also pulled in TCP connections, which are also useful for building those relationships. And lastly we see that it's pulled in configuration files: ServiceNow can store the content of configuration files in the CMDB, which can be used to run a comparison between versions for troubleshooting purposes.

Let's go back to the dependency map again and take a look at the additional information that we have available to us. This Details tab gives us additional information about what is happening across all of the different components in this dependency map, so we see things like IT operational alerts, changes, incidents, problems, vulnerable items and so forth. If we look at the Related Services tab, we see that there are two services that this CI is a part of: Customer Service and Windows Server. If we look at the Vulnerable Items tab, we see that we have a vulnerable item that requires a patch installation, and typically when you need a patch, we need a change. So we can see here that there is a change created to deploy the patch. Let's take a look at that change, shall we?

Change planners, CAB members or anyone involved in the process for a change can all benefit from Discovery by having the dependency map at their fingertips, and the list of impacted CIs is automatically included in the change based on CI relationships. Here's that dependency map that they can click on, and here's the list of the impacted services and CIs that are part of it. Look familiar? This level of visibility really enables everyone involved with the change management process to increase efficiency with planning, reduce risk by making data-driven approval decisions, and more easily determine who needs to be notified of the change. But of course, in addition to change management, Discovery drives value across just about any IT workflow, customer workflow or employee workflow.

We just saw the power of ServiceNow Discovery and how it helps you gain visibility across your entire estate. Now we're going to talk about Service Mapping, and we're going to do this from the perspective of an IT operations use case. Service Mapping enables business context for your operational components. In the example we just saw, we determined that making a change to a specific Windows server impacted the Customer Service application; that was made possible by Service Mapping.

What you're looking at here is the Operator Workspace for ITOM Health, which is a single pane of glass for visualizing the health of your operational estate. In order to get to this single pane of glass, ServiceNow has ingested events, metrics and logs from your existing sources and from ServiceNow monitoring agents. ServiceNow then binds events, metric anomalies and log anomalies to a CI in the CMDB. After binding, ServiceNow uses multiple methods to correlate all this operational noise down to the most actionable set of alerts to work on. When you have your services mapped, ServiceNow is then able to leverage relationship data in the CMDB to align operational alerts with the business. So instead of having a health dashboard filled with a bunch of devices, you now have a health dashboard where you can visualize the health of your services from a business perspective, and this enables you to prioritize response based on the business criticality of the impacted services.

Here we see the Order Status service is showing a critical severity state, so let's dive in and take a look. The first thing we're going to do is go into the service map. This was mapped automatically using Service Mapping: we point ServiceNow at a URL and it builds the map by reading configuration files for each of the components. Looking at this map from the Operator Workspace, we immediately see which one of the components is showing a critical severity, which is this Oracle database on this Windows server. If we highlight the Oracle database on the Windows server, we see some alerts over here. Let's go into this group of alerts. This alert contains everything an IT operator needs to troubleshoot and remediate the outage at their fingertips. We see this is a group of alerts where five alerts have been correlated down to just this one, and we see that the primary issue is a low disk space issue. We see there are five CIs in the group and there are two impacted services, Order Status and Windows Server, and while there are five CIs related to this group of alerts, this alert is bound specifically to v-winx42-2, which is a Windows server.

Looking at the Impacted Services tab a little more deeply, we see that Order Status is a mapped application service and Windows Server is a dynamic CI group. We already saw the Order Status service map earlier, which is an application service mapped with Service Mapping. A dynamic CI group is a collection of CIs created from a filter; in this example we have created a dynamic CI group containing all of the Windows servers.

Here we see that there are two probable root causes for this alert. ServiceNow automatically calculates the probable root cause, which can be a change or another alert. One of the changes happens to be an unauthorized configuration change that was detected. Earlier we talked about how ServiceNow Discovery can track configuration files. When ServiceNow detects a change in an application service that did not have an associated change request, it will automatically create an emergency change that captures what was changed, and this is exactly what occurred in this example: here we see the value that was changed. Going back to the service map, the operator can actually compare two points in time to understand exactly what was changed and perform a comparison. If we look at the advanced map, the operator can click on the specific change to see the details. Here we did a comparison between these two points in time, one and two; we look at the comparison view and we see exactly what was changed: there was a change to this Oracle database on this Windows server. If we click on here, which is a tracked configuration file, we can look at the two configuration files and see exactly what was changed. We saw it documented in the change request, but here is the proof: on the left-hand side we see the old configuration file, and the new one, and we see that somebody turned on SQL tracing, which would definitely lead to the disk space filling up.

Now let's go back and take a look at the second probable root cause for the alert, which is a DevOps change. We see there was an automated change to deploy code to production for the Order Status service. Looking further, this deployment was successful, but the operator determines that the unauthorized change was the leading culprit for the outage. By incorporating change management and the CMDB into the CI/CD pipeline, you enable complete traceability for your DevOps changes. So here's that successful change.

Let's go back to our alert. The final thing the operator checks are knowledge results: ServiceNow surfaces the most relevant knowledge base articles using natural language processing. The operator sees that the recommended action for low disk space is to extend the disk partition. So instead of manually extending the partition, the operator can choose an option to expand the disk space, and that is an automated remediation which will execute the process on the server itself and log a change request against the CI. This ensures the governance of the change and traceability for future reference.

There are two automated ways to map services using Service Mapping: the top-down surgical method and the tag-based method. What you just saw was an example of a top-down surgical map, and now we're going to look at a tag-based approach. I'm going to bring up a service map that was created from tags. As organizations move to the cloud, they are using tags to align resources with applications, environment, ownership, etc., and, as I mentioned earlier, Discovery discovers tags across cloud and virtualized environments. Tag-based service mapping enables you to establish business context very quickly, and these maps can be leveraged by ServiceNow solutions to make data-driven decisions, for example change management, operations management, security operations and so on.

To build these maps, we create a set of tag categories, which is essentially one-to-many things that represent the same thing; an example would be environment or application. We then create tag-based service families that contain a set of tag categories, and essentially ServiceNow will automatically create service candidates for you to select for mapping. Once the services are mapped, they will be available for use across the platform just like the top-down maps I showed you earlier. In this example, this is a service that was created with tag-based mapping: the application name was Recommendation and the environment was Prod. Here we have all of the resources: for example we have a Tomcat, we have a Linux server and we have a VM instance that sits underneath that. When you have all these resources in the cloud sharing the same tag information, we can tie all that together very easily into a tag-based service map.

We just saw how Service Mapping enables business context for your operational components in two automated ways. Having that service-aware CMDB enables you to increase efficiency and reduce risk when planning changes, it helps you prioritize response to operational issues, and it really drives value for just about every ServiceNow solution.

Okay, moving on to Certificate Inventory and Management. This feature was introduced in our Orlando release and has seen tremendous excitement from our customers. One of the biggest challenges that exists today is keeping track of certificate expirations. On average, expired certificates occur at least four times per year within an organization, oftentimes causing outages and security breaches. The Equifax breach that resulted in hefty financial penalties was the result of an expired certificate that went unnoticed for 76 days. ServiceNow's Certificate Inventory and Management solution enables you to prevent outages from expired certificates by enabling visibility into certificates across the entire estate and automating the creation of renewal tasks for upcoming expirations.

During your discovery scans, ServiceNow will discover your certificates along with their expiration dates and add them to the CMDB. Certificates can be discovered directly from servers and from customer-owned certificate authorities; as of December 2020, ServiceNow can discover your DigiCert, Entrust, Sectigo and GoDaddy certificate authorities. As part of Discovery, ServiceNow automatically builds dependency relationships, and if Service Mapping is used you will be able to see business context for your certificates. In addition to discovering certificates on your network, you can also discover URLs, which is helpful for your public-facing websites.

Let's look at our certificate management dashboard. This is a single pane of glass for tracking certificate renewal tasks and your certificate inventory. For example, here I see I have 57 tasks due for expired certificates, and I've got a lot of certificates expiring in January; lots expire in December, for example, but I can see how many are expiring over time by using this graph below. On the inventory side of the house, we can see all of the unique certificates that exist in the environment, how many we're tracking with priority one tasks, which I'll explain in a moment, as well as, again, our upcoming expirations.

Going back to our open certificate tasks, let's take a look at one of those tasks. A priority one task is essentially, if you think about incident management, a priority one: it's one of the most important certificates we have, so we need to create tasks with more urgency, if you will. So let's take a look at this one. We see which certificate it's aligned with, we see who it is assigned to, and we see the state: approval has been requested. Let's take a look at the certificate itself. We see who the issuer was, we see when it was valid from and when it's valid to, and, as we talked about earlier, here's where you can say, for this certificate, do I want to create priority one tasks, or do I want to create priority three tasks, which are not as critical, or do I not want to create any renewal tasks; maybe you bought this certificate for a one-time use. We also have the ability to view the dependency map to see the relationships that were automatically created. By clicking here I can go to the dependency map screen, and I see that this certificate is installed on this HAProxy server, and when I look up the chain I see there is a mapped application service called Rewards Processing. So now we understand that if we don't renew the certificate in time, the Rewards Processing service will have an outage and could be at risk of a security breach.

In addition to providing you with visibility into expirations and tracking renewal tasks, ServiceNow also provides standard catalog items for your service catalog to renew or request new certificates. Let's take a look at a renewal request. This form contains standard fields for requesting a certificate renewal; however, you can configure it to meet the needs of your organization. Essentially the recipient of this request will then process the certificate renewal. So here we have what the unique certificate is, and here's where you would put your signing request, the half that you would get from the website or the web server, and then once you fill this whole thing out you'd submit it.

We also have the ability to tie in with the incident management process. Essentially, when a certificate expires, the urgency to renew it becomes great, because now it becomes an incident rather than a request to renew it. So we can tie in automatically to the incident process so that you can have incidents created; here we see a bunch of incidents created for expired certificates. And if you're running Event Management, we can also tie this into Event Management to create alerts, so that the NOC or the network operations team can start to address those as well.

We just saw how ServiceNow's Certificate Inventory and Management solution enables you to prevent outages from expired certificates by enabling visibility into certificates across the entire estate and automating the creation of renewal tasks for upcoming expirations.

The second and last feature that we're going to be discussing is Firewall Audits and Reporting. This feature was introduced in our Paris release and solves a major challenge being faced by organizations today due to the huge number of orphan and misconfigured firewall policies sitting out there. For example, the Capital One data breach that resulted in hefty financial penalties was the result of a misconfigured firewall that enabled a hacker to steal the information of millions of users. ServiceNow's Firewall Audits and Reporting solution enables you to improve your security posture by enabling visibility into firewall security policies across the entire estate, identifying orphan policies, automating the audit process and automating firewall policy change request creation.

During your discovery scans, ServiceNow will discover your firewall managers, firewall devices and firewall policies and add them to the CMDB. As of December 2020, ServiceNow Firewall Audits and Reporting supports Palo Alto. As part of Discovery, ServiceNow automatically builds dependency relationships, and if Service Mapping is used you can see the business context of your firewall estate.

Let's start with our firewall dashboard. This dashboard is a single pane of glass for tracking firewall rule requests, firewall audits and your firewall estate inventory. Let's start with the Requests and Audits tab. Here we see the number of open rule request tasks: ServiceNow enables you to manage the firewall rule request process on a single platform with governance. We also see the number of outstanding audit responses that need to be responded to: ServiceNow enables you to initiate, automate and manage the firewall auditing process. And here we see the rule request history as well as the audit response history. Let's go to our Firewall Insights tab. On this tab we see our total security policies that exist on the firewall manager, and we see the number of unassigned policies; these are the policies that need to be assigned, because unassigned policies are not able to be attested to. We see any new policies we've discovered in the last 30 days, and we also get visibility into our firewall devices.

So let's talk about the firewall rule request process. Like Certificate Inventory and Management, we provide out of the box a service catalog item that can be added to your service catalog, which is a standard form that can also be tailored to your organization. It's a standard form: source address, destination address, what protocol; we have different options here for traffic direction, and you can tag if this is a compliance item, if this rule is to support HIPAA or PCI data, or if it's in the DMZ. Once you submit this, a new firewall rule request gets created. Let's look at one of the previously opened and closed ones. The top section of the form is what we just completed, and we see that it was sent to this assignment group, Firewall Rockstars, and it was approved, and we also see that it has automatically created a change request.
So let's take a look at that change request. Again, it carries over the information from the firewall rule request that was submitted, and once this change request gets to the Implement phase, somebody would go off and implement the firewall rule, and on the firewall manager you can tag it with this change number, so that on the firewall policy side we can see what change it was implemented under. Then when Discovery runs again it will pick up the new policy. So that is the firewall rule request process and how we ensure governance with the change request.

Next, let's take a look at how we help you identify unassigned policies and assign them. It's critical to have security policies assigned so that they can be attested to; whenever policies aren't assigned, they're not attested to on a regular basis and they can become a security risk. Back on our Firewall Insights dashboard, we see we have 89 unassigned policies, and we can click here to show the records. Let's say I'm in the Americas and I only want to see firewall policies that are in the Americas. Here we see that there are four unassigned policies in the Americas location. You could easily double-click here and enter a name, and ServiceNow also provides you with the ability to multi-select and update multiple rows that way. We also provide a way to do it through this Unassigned Policies widget, and essentially you can bulk upload here as well.

Now let's take a look at how ServiceNow can initiate and automate the firewall auditing process. I'm going to go to my firewall managers; I see we have one firewall manager, and I'll open up our Panorama firewall. We see some basic information about the Panorama firewall manager. You also see that we can click the Relationships tab, which I will do later on, but with the click of one button we can initiate the audit request process. Here all we have to do is fill out a couple of fields: the audit request approver, the firewall administrator, what audit period you want to do this in (let's pick Q2 2021) and who this is going to be assigned to, Firewall Rockstars. So we can submit this firewall auditing request, and once that request is submitted it must be approved. Let's open up that request we just created, and if we scroll down to the bottom we will see that there is an approval requested. I'm going to go ahead and approve this as the firewall administrator, and now we see that it is approved. What's going to happen next is a set of tasks are going to be created for the policy owners to execute. I'm going to go ahead and reload this form, and here we are: we see the tasks that were created. But the first thing I wanted to point out is that there are 89 policies, as we saw earlier, that are excluded. These are the unassigned policies, so these cannot be attested to; these are the ones we need to make sure we have an assigned owner for.

Let's take a look at the firewall audit response tasks. Essentially there are three people that are considered policy owners on this firewall manager. I'm going to open up this task for Best Marcel. If we scroll down we can see all the security policies that are assigned to Best, and what Best needs to do is make a decision on each policy: do we move forward with it, essentially do we retain it without changes, do we retain it with changes, or do we delete it? Best has access to look at the security policy to make a more informed decision. Here is the actual security policy, and Best can also look at the dependency map for the policy to see how this might impact the business. Here she sees the dependency map; I'm going to go ahead and increase the levels here a little bit more so we can see this map and all the other relationships downstream. It's kind of hard to see, but on this map there are several services that are related, and we can see it down here. So we can see that this security policy maps back to several services. This level of visibility is going to enable security policy owners to make better decisions on what the appropriate action should be with the policy.

We just saw how ServiceNow's Firewall Audits and Reporting solution enables you to improve your security posture by enabling visibility into firewall security policies across the entire estate, how we can help you identify orphan security policies, how we can automate the audit process and automate the firewall policy change request creation as part of the rule request, and finally we saw how we can see the impact of a security policy on the business.

The final feature I'm going to cover is Service Graph Connectors. To gain complete visibility into your environment, you may want to import from your existing third-party data sources. With multiple potential data sources, it is critical that you ensure data from these sources is ingested correctly, to prevent your CMDB data from becoming corrupt and untrustworthy. ServiceNow and our technology partners are creating certified integrations called Service Graph Connectors that follow a common method for ingesting data into the CMDB. This method ensures that data lands in the correct tables, that it prevents duplicates, and that it defines the authoritative data sources for each attribute to prevent overriding of data. A common use case for these connectors is software asset management: you can leverage these connectors to import your endpoint software installations from your inventory tools into ServiceNow. At the time of this recording, in early December 2020, there are 14 connectors available, and we'll be rolling out more connectors over time. So as you can see here, if I type in "service graph" in my application navigator, I see that I have four
connectors installed on my instance i have solarwinds intune microsoft sccm and service graph connector for extra help now each of these connectors has a defined setup wizard that walk you through the exact steps to set these up and once you've configured your data sources you can then go back and update the data sources here or change the import schedules here so it's all really relatively simple to configure and maintain going forward now once you configure the connectors and begin importing data you'll be able to visualize the status of your imports on a single dashboard which is what you see here and i can filter this dashboard to look at different import dates or if i want to only look at a certain connector so let's look at the one for sccm for example i can see the data for secm right so once again this data is you're essentially completing the visibility picture with these service graph connectors by either enriching your cmdb with this data or populating your cmdb with with data from things like endpoint devices where you may not be you know already discovering so we just saw how service graph connectors can complete the visibility picture by ensuring that the data from third-party tools is ingested correctly to prevent your cmdb data from becoming corrupt and untrustworthy this brings our itim visibility demo to a close we just saw how all of these features work together to gain visibility across your entire estate by using the itom visibility suite to automate population of your cmdb you will build a solid digital foundation and drive great service experiences for your organization thank you for watching and have a great day
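The policy-ownership and audit workflow narrated above (unassigned policies are excluded from attestation, each owner gets a task for the audit period, and each policy gets a retain / retain with changes / delete decision), as an added Python model. This is example code written for this page, not ServiceNow's implementation; the field names, the sample policies, the owner and change-number values, and the final untracked-policy check (flagging a discovered policy that carries no change number) are assumptions.

```python
"""Toy model of the firewall-policy governance steps narrated in the demo:
unassigned-policy detection, per-owner audit tasks, attestation decisions.
Added example; not ServiceNow code. Field names, sample data and the
change-number check are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Optional

# The three decisions a policy owner can make on an audit task.
RETAIN = "retain"
RETAIN_WITH_CHANGES = "retain_with_changes"
DELETE = "delete"
DECISIONS = {RETAIN, RETAIN_WITH_CHANGES, DELETE}


@dataclass
class Policy:
    policy_id: str
    firewall_manager: str
    location: str
    owner: Optional[str] = None          # None == unassigned, cannot be attested
    change_number: Optional[str] = None  # change the rule was implemented under


@dataclass
class AuditTask:
    owner: str
    period: str
    policy_ids: list
    decisions: dict = field(default_factory=dict)


# Constructed sample data (not taken from the demo instance).
SAMPLE_POLICIES = [
    Policy("pol-1", "panorama-01", "Americas", owner="best.marcel",
           change_number="CHG-PLACEHOLDER-1"),
    Policy("pol-2", "panorama-01", "Americas", owner="best.marcel"),
    Policy("pol-3", "panorama-01", "Americas"),
    Policy("pol-4", "panorama-01", "EMEA", owner="ops.lead",
           change_number="CHG-PLACEHOLDER-2"),
    Policy("pol-5", "panorama-01", "EMEA"),
]


def unassigned_policies(policies, location=None):
    """Ids of policies with no owner, optionally filtered by location."""
    return [p.policy_id for p in policies
            if p.owner is None and (location is None or p.location == location)]


def assign_owner(policies, policy_ids, owner):
    """Bulk-assign an owner (the multi-select / bulk upload step); returns count."""
    wanted = set(policy_ids)
    count = 0
    for p in policies:
        if p.policy_id in wanted:
            p.owner = owner
            count += 1
    return count


def create_audit_tasks(policies, period):
    """One AuditTask per owner; unassigned policies are excluded from the audit."""
    by_owner = {}
    excluded = []
    for p in policies:
        if p.owner is None:
            excluded.append(p.policy_id)
        else:
            by_owner.setdefault(p.owner, []).append(p.policy_id)
    tasks = [AuditTask(owner, period, ids) for owner, ids in sorted(by_owner.items())]
    return tasks, excluded


def record_decision(task, policy_id, decision):
    """Store an owner's decision; rejects unknown policies and decisions."""
    if policy_id not in task.policy_ids:
        raise ValueError(f"{policy_id} is not on {task.owner}'s task")
    if decision not in DECISIONS:
        raise ValueError(f"invalid decision {decision!r}")
    task.decisions[policy_id] = decision


def task_complete(task):
    """True once every policy on the task has a recorded decision."""
    return all(pid in task.decisions for pid in task.policy_ids)


def untracked_policies(policies):
    """Policies with no change number tagged on the firewall manager: a
    governance gap to review (assumed check, not a feature shown in the demo)."""
    return [p.policy_id for p in policies if p.change_number is None]
```

Running the audit on the sample data yields two tasks (one per owner) and two excluded policies; `untracked_policies` is the kind of follow-up check that makes the change-number tagging described earlier actionable, since a rule with no change behind it has bypassed the governance path.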
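The ingestion method described for Service Graph Connectors (land the record in the correct table, prevent duplicates, and let only the authoritative source set each attribute), as an added Python illustration. It is not ServiceNow's Identification and Reconciliation Engine and not any connector's code; the source names, the per-attribute authority order, the identification rule and the sample records are constructed for this example, and only the two table names are real ServiceNow tables.

```python
"""Toy reconciliation for multi-source CMDB ingestion: identify the CI, route
it to the right table, drop duplicates, and let the authoritative source win
per attribute. Added example, not ServiceNow's reconciliation logic; source
names, authority order and sample records are constructed."""

# Authoritative source order per attribute (first wins). Assumed for the example.
AUTHORITY = {
    "os_version": ["discovery", "sccm_inventory"],
    "owner": ["asset_registry", "sccm_inventory"],
    "last_seen": ["sccm_inventory", "discovery"],
}
DEFAULT_AUTHORITY = ["discovery", "sccm_inventory", "asset_registry"]

TABLE_FOR_CLASS = {  # real ServiceNow table names; the routing rule itself is ours
    "computer": "cmdb_ci_computer",
    "software_install": "cmdb_sam_sw_install",
}


def identify(record):
    """Identification rule: serial number if present, else lowercase hostname.
    A software install is keyed by (host key, package name)."""
    if record["class"] == "software_install":
        return (identify(record["host"]), record["package"].lower())
    serial = record.get("serial_number")
    if serial:
        return ("serial", serial.strip().upper())
    return ("hostname", record["hostname"].strip().lower())


def rank(attribute, source):
    """Lower rank == more authoritative for this attribute; unknown sources last."""
    order = AUTHORITY.get(attribute, DEFAULT_AUTHORITY)
    return order.index(source) if source in order else len(order)


def ingest(cmdb, record):
    """Merge one record into cmdb (dict keyed by (table, identity)).
    Returns 'insert', 'update' or 'ignored'."""
    table = TABLE_FOR_CLASS[record["class"]]
    key = (table, identify(record))
    attrs = {k: v for k, v in record.items() if k not in ("class", "source", "host")}
    ci = cmdb.get(key)
    if ci is None:  # first sighting: create the CI and remember who set what
        cmdb[key] = {"attrs": attrs, "source_of": {a: record["source"] for a in attrs}}
        return "insert"
    changed = False
    for a, v in attrs.items():
        current_src = ci["source_of"].get(a)
        # Only a source at least as authoritative as the current one may overwrite.
        if current_src is None or rank(a, record["source"]) <= rank(a, current_src):
            if ci["attrs"].get(a) != v:
                changed = True
            ci["attrs"][a] = v
            ci["source_of"][a] = record["source"]
    return "update" if changed else "ignored"


def load(records):
    """Ingest a batch; returns the cmdb and the per-record outcome list."""
    cmdb = {}
    outcomes = [ingest(cmdb, r) for r in records]
    return cmdb, outcomes


# Constructed sample: the same laptop reported by two sources, plus one install.
SAMPLE_RECORDS = [
    {"class": "computer", "source": "sccm_inventory", "serial_number": "ABC123",
     "hostname": "LAPTOP-01", "os_version": "10.0.19041", "last_seen": "2020-12-01"},
    {"class": "computer", "source": "discovery", "serial_number": "abc123",
     "hostname": "laptop-01", "os_version": "10.0.19042", "last_seen": "2020-11-20"},
    {"class": "software_install", "source": "sccm_inventory", "package": "7-Zip",
     "host": {"class": "computer", "serial_number": "ABC123", "hostname": "LAPTOP-01"}},
]
```

On the sample batch the second record is recognised as the same computer (serial match after normalisation) and becomes an update rather than a duplicate: Discovery is allowed to overwrite `os_version`, but `last_seen` keeps the SCCM value because SCCM is authoritative for it. Re-ingesting the first record afterwards is a no-op, which is the behaviour that keeps a less authoritative source from clobbering good data on every scheduled import.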
https://www.youtube.com/watch?v=lO0qv_7NR_Q