ServiceNow Vulnerability Response: Vulnerability Groups (Version 10.0)
Hello, my name is Tommy Lamont. I'm a senior technical consultant with Serna Solutions. Today we're going to be taking a look at ServiceNow's Vulnerability Response application and walk through a feature called vulnerability groups.

On average, companies lose about 12 days coordinating patching per vulnerability. ServiceNow's vulnerability grouping functionality can drastically reduce that time by automating the grouping, assignment, and prioritization of vulnerabilities.

The foundation of the Vulnerability Response application in ServiceNow are vulnerable items. A vulnerable item is a combination of a vulnerability definition and a configuration item; this represents the actual occurrence of a vulnerability in your environment. It's common for companies to have hundreds of thousands, if not millions, of vulnerable items. This is too much data to process in an effective and quick manner. This is where vulnerability groups come into play. Using data from the vulnerability scanner, vulnerability definitions, and the ServiceNow platform, we can automatically group, prioritize, and assign these vulnerable items into manageable chunks of work that are called vulnerability groups.

I will now show you a brief demo of what vulnerability groups look like and how we can quickly and easily configure them in ServiceNow. The demo will be shown in an Orlando instance of ServiceNow with Vulnerability Response version 10.2 installed, while the topic does apply to older releases as well.

What we're looking at now is the list of vulnerability groups that are in this instance. As you can see we have a number of these, but we also have a lot of useful information we can use from this list. For example, we have the number of vulnerable items, as I mentioned before, in each group. We also have a risk score. Now this is very useful, too. Going back to the point of prioritization, we can customize these calculations based on a variety of data we have available to us to score these vulnerability groups, and that really helps us figure out which ones we should be working first.

I'm gonna go ahead and open up this one here. Now this is a critical vulnerability with known exploits. This was created automatically using a vulnerability group rule; I will show you how those can be created in just a minute here. To first go through the vulnerability group form: we have a unique number for it, a risk rating, a risk score, and the number of vulnerable items. We also have a remediation target. What that does is allow us to create rules that tell us when the vulnerability should be resolved. In this case you can see the target was missed, so that gives us the ability to easily report on what vulnerabilities we're resolving within our target range and which ones we have missed. We also have a state field so we can work this vulnerability group through the various states of the lifecycle, the next one being Under Investigation. We have our assignment group; this was automatically assigned to the Windows Server patch team. And then we have an Assigned To field to assign it to an individual.

Down below here in these tabs we can see a little bit more information about the progress of the vulnerability group. We can see the number of vulnerable items in the group and the percent we have remediated. The reason for the Excludes Deferred and Includes Deferred fields here is that it is possible to defer the resolution of some vulnerabilities. This could be for a number of reasons, like backwards compatibility, or as simple as waiting for a change window. This allows us to see that breakdown, though, of how we're doing resolving this group. Moving over to the next tab we see our group configuration. This just gives you a quick preview of how this group was configured, so in this case we can see we used a group rule. You can also create groups manually if you have identified anything that you need to group together yourself that you did not previously have a rule set up for. Continuing on, we have our notes section here, and we can add either customer-visible notes or internal work notes as we are working through the vulnerability here.

Scrolling down the page we can see a list of all the vulnerable items that were included in this vulnerability group, so we can see the vulnerable item number, the configuration item that's associated, and the CVE ID.

We have a couple other actions we can take on the vulnerability group while we're in the process of investigating or resolving it. We can create a security incident, so if you determine the vulnerability has been executed in your environment you can easily create an incident directly in your ServiceNow Security Incident Response application. We can initiate a crisis workflow, which allows you, if you have a high-priority vulnerability group, maybe a new vulnerability that was just out there in the wild that's being exploited, to set up a crisis workflow to quickly notify teams and stakeholders that need to be involved in the process to resolve it. We can move through the investigation process. We can easily create a change request from the vulnerability group directly. We can also split the group out if for some reason we determine half of these need to be resolved by one group and the other half by a different group, or maybe we want to defer some and remediate others immediately; we have that capability using the Split Group feature.

Now that we've taken a look at the vulnerability group form, I'm going to move over to show you what it takes to build one of these vulnerability groups and how we can automate that process to quickly get these grouped, prioritized, and assigned out to the teams we need to resolve the vulnerabilities. This is an example I created in a couple minutes to show how easily you can create a vulnerability group rule to automatically group your vulnerable items. The condition I set here is based on the configuration item class that's associated with the vulnerable item, so we have the Windows Server class. This will look at all the vulnerable items that are for Windows servers. We're then going to look at the vulnerability associated with that vulnerable item and group by that, so all Windows servers that have the same vulnerability will be grouped into one group, and for each vulnerability that exists we will have an additional group. Now that's going to cut down a vulnerable item or vulnerability that your scanner may pull in for every Windows server, greatly reduce that, and group those into more easily workable and resolvable vulnerability groups. We then automatically assign this using our Assigned By Vulnerability Groups field here, and we'll assign that directly to our Windows Server patch team. So as soon as these come in they will be created and grouped and assigned out to the correct team to resolve them as quickly as possible.

Over here we'll take a look at a vulnerability group that results from that rule. As we can see we have all the data we showed earlier in the other vulnerability group. We have our short description automatically populated, telling us these are Windows Server vulnerabilities and what vulnerability it is associated with, and we then have our group automatically assigned to our Windows Server patch team.

As I have shown here today, vulnerability group rules are a huge benefit to your organization by taking the overload of data from a vulnerability scanner and automatically grouping, prioritizing, and assigning out the groups. This greatly reduces the average of 12 days to coordinate patching by getting the work immediately assigned to the correct team and allowing them to easily and quickly remediate these. Thank you for listening, and please don't hesitate to comment below or reach out to us with any questions or for assistance improving your company's security and getting maximum value out of ServiceNow.
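The rule walked through in the demo (filter vulnerable items on the Windows Server CI class, group by vulnerability, assign the group to the Windows Server patch team) can be simulated outside the platform to see what the grouping actually buys you. The block below is an added illustration written for this page; it is not ServiceNow's code or its scripting API. The vulnerable-item records and dates are constructed sample data with placeholder CVE values, and the field names, the group-number format, the risk-score formula, and the reading of "Excludes Deferred" versus "Includes Deferred" as two denominators are assumptions made for the example, not ServiceNow's definitions.

```javascript
// Added illustration of what a vulnerability group rule does (example code, not ServiceNow's
// own implementation or API). Field names, the group-number format, the risk-score formula and
// the deferred-percentage reading are hypothetical choices made for this example.

// Constructed sample of vulnerable items: one row per (vulnerability, configuration item) pair.
// CVE values are deliberately placeholders.
const VULNERABLE_ITEMS = [
  { id: "VIT0001", ci: "WIN-APP-01", ciClass: "Windows Server", vulnerability: "VULN-A", cve: "CVE-0000-EXAMPLE1", severity: 5, knownExploit: true,  state: "open",   deferred: false },
  { id: "VIT0002", ci: "WIN-APP-02", ciClass: "Windows Server", vulnerability: "VULN-A", cve: "CVE-0000-EXAMPLE1", severity: 5, knownExploit: true,  state: "closed", deferred: false },
  { id: "VIT0003", ci: "WIN-DB-01",  ciClass: "Windows Server", vulnerability: "VULN-A", cve: "CVE-0000-EXAMPLE1", severity: 5, knownExploit: true,  state: "open",   deferred: true  },
  { id: "VIT0004", ci: "WIN-APP-01", ciClass: "Windows Server", vulnerability: "VULN-B", cve: "CVE-0000-EXAMPLE2", severity: 3, knownExploit: false, state: "open",   deferred: false },
  { id: "VIT0005", ci: "LNX-WEB-01", ciClass: "Linux Server",   vulnerability: "VULN-A", cve: "CVE-0000-EXAMPLE1", severity: 5, knownExploit: true,  state: "open",   deferred: false },
];

// The rule from the demo: filter on CI class, group by vulnerability, assign to the patch team.
const WINDOWS_SERVER_RULE = {
  name: "Windows Server by vulnerability",
  condition: (vi) => vi.ciClass === "Windows Server",
  groupBy: (vi) => vi.vulnerability,
  assignmentGroup: "Windows Server patch team",
  remediationTargetDays: 30,
};

// Hypothetical risk score (0-100): the worst severity dominates, a known exploit adds a fixed
// bump, and group size adds a little so larger groups sort first among otherwise equal ones.
function riskScore(items) {
  const maxSeverity = Math.max(...items.map((vi) => vi.severity));
  const exploited = items.some((vi) => vi.knownExploit);
  return Math.min(100, maxSeverity * 15 + (exploited ? 20 : 0) + Math.min(items.length, 5));
}

// Percent remediated. "Excludes deferred" drops deferred items from the denominator, so a team
// is not penalised for work it has consciously parked until a change window; "includes deferred"
// keeps them in and shows true coverage. (This reading of the two fields is an assumption.)
function percentRemediated(items, { excludeDeferred }) {
  const pool = excludeDeferred ? items.filter((vi) => !vi.deferred) : items;
  if (pool.length === 0) return 100;
  const closed = pool.filter((vi) => vi.state === "closed").length;
  return Math.round((100 * closed) / pool.length);
}

// Apply one rule: bucket the matching vulnerable items, then build one group record per bucket.
function applyGroupRule(rule, items, createdOn, today) {
  const buckets = new Map();
  for (const vi of items.filter(rule.condition)) {
    const key = rule.groupBy(vi);
    if (!buckets.has(key)) buckets.set(key, []);
    buckets.get(key).push(vi);
  }
  const target = new Date(createdOn.getTime() + rule.remediationTargetDays * 86400000);
  let seq = 0;
  const groups = [...buckets.entries()].map(([vulnerability, members]) => {
    seq += 1;
    const open = members.filter((vi) => vi.state !== "closed").length;
    return {
      number: "VUL" + String(seq).padStart(7, "0"), // hypothetical numbering
      shortDescription: `${members[0].ciClass} vulnerabilities: ${vulnerability}`,
      vulnerability,
      assignmentGroup: rule.assignmentGroup,
      vulnerableItems: members.map((vi) => vi.id),
      count: members.length,
      riskScore: riskScore(members),
      remediatedExcludingDeferred: percentRemediated(members, { excludeDeferred: true }),
      remediatedIncludingDeferred: percentRemediated(members, { excludeDeferred: false }),
      remediationTarget: target.toISOString().slice(0, 10),
      targetMissed: open > 0 && today > target,
    };
  });
  // Highest risk first, so the list opens on what the team should work on next.
  return groups.sort((a, b) => b.riskScore - a.riskScore);
}

// Constructed dates: groups created 1 Jan, reviewed 15 Feb, i.e. past the 30-day target.
const CREATED_ON = new Date("2020-01-01T00:00:00Z");
const TODAY = new Date("2020-02-15T00:00:00Z");
const GROUPS = applyGroupRule(WINDOWS_SERVER_RULE, VULNERABLE_ITEMS, CREATED_ON, TODAY);

for (const g of GROUPS) console.log(JSON.stringify(g));
```

Five vulnerable items collapse into two groups: the Linux item is left untouched by the Windows rule, the three Windows Server occurrences of VULN-A become one unit of work for the patch team with the exploit-bearing group scoring highest, and the deferred item shows up as the gap between the two remediation percentages rather than as a hidden failure. A real rule set would add one rule per CI class or team, which is exactly what keeps the per-team backlog readable.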
https://www.youtube.com/watch?v=VoTCzt2VX8o