TechByte - Config Compliance
Hi folks, my name is Jose Fizzo and I'm a security and risk solutions consultant on the ServiceNow IT Transformation team. Today we're going to talk about configuration compliance: what configuration compliance is, how we got here, and then go through what the actual product looks like.

So what is configuration compliance? Well, configuration compliance is part of our Security Operations offering. It works with secure configuration tools that apply policies to systems, gather that information, and check those policies against those systems to make sure that certain configurations are in place to further secure these systems.

First, let's go into a little bit of history. When I first started out in security, some of the things I was responsible for were figuring out how to configure a system to be more secure. I would go on to Yahoo and search for individual security configurations on Windows systems, whether they be NT or maybe Windows 2000 or maybe Windows 95. That progressed over the years to include things like Unix and Linux, and having configurations in place where I knew I could have a more secure environment. So I would look for things like password parameters, required software, default account settings, firewalls, directory configurations, and so many other areas to make sure that my systems were secure.

Fast forward to today, and what we're looking at is multiple tools that do a great job of managing policies for secure configurations. A lot of these tools are pulling in CIS Benchmark policies, scanning systems to make sure that those system configurations meet those benchmarks, and returning any failures that they identify. We can take that information from those products and manage what's going on very well, understanding how we're failing or how we're successful. But a lot of times what we end up with is a spreadsheet that has a list of all the failures that we have to approach, and what we're typically required to do is email the spreadsheet out to those individuals who are responsible to take this information and go and fix these values. Sometimes we're using text messages to follow up; we're even making phone calls. And hopefully we're getting these spreadsheets back with some type of information that's telling us that this configuration that had failed in the past is now fixed, and we can move on, and we'll see in the next scan that we can identify where we're now successful.

Where we are today is that we're able to build in a workflow to consume information from the third-party vendors, places like Qualys, Rapid7, Tenable, and other areas that will have that information available to us, so that we can integrate those policies, integrate those test results, integrate any test result failures or any controls that are in place, collect that configuration test data, move this in to monitor what's going on and identify where our weaknesses are, automatically generate issues that can be applied and assigned to the people who are responsible for fixing those issues, and then analyze that information and close those policies or create the necessary exceptions, and then continue to monitor that information using dashboards and additional scans to pull that data in. Typically what we're seeing is that this information is coming to me in bulk and I need a better way to manage it, and this is where ServiceNow comes in.

From here we're able to pull in the policies and start evaluating what's going on with each of these policies, and as we click through we can see what information is required of these policies. So we have some information that's delivered to us from our sources where we can take this data, access information about it, and see what type of controls are in place for us to manage, and identify either the criticality or the policy that's associated with this. So we'll have this information available in front of us, at our fingertips.

When we pull in this information, we'll have our test results that come back and give us information about the tests that have been run, and we can see that we have a lot of configuration tests that have run. In some organizations we would see that these could fall into the tens of thousands, even up into the hundreds of thousands, depending on the number of systems across their network. From here we can go through and identify the status of certain functions and gather information about the technologies where these test results apply and what type of information is available about them. So we can see these test results, see what's going on here, and gather this information so that we can move forward.

Sometimes we need to identify where we've actually failed, and what we're looking at here is a view that's telling me that something is not deferred, something is not closed, but the result is failed, so that we can go through and see exactly what's being affected by the specific status of this. This is giving me information on who this is assigned to, what type of information we have available to us, and then the test result groups that are out there enforcing this information, to give me a better view of what's going on. When we start grouping these test results together, we have a simpler way to manage this information, so I can take this from cradle to grave and go through each of these areas to make sure that I'm appropriately handling it.

Now, as an individual, I might say I have all of this data in front of me and I need to assign this to a specific group. So I know which systems are out here; these are all Windows systems that are affected by this group, where I can group all of these test results together and identify what's happening and which groups need to be affected. From this point I can take that information that's typically delivered to me in a spreadsheet and I can start doing things like maybe building out a deferral, because if I patch this system or I fix this configuration, I may put my system in a state where it's no longer going to be able to work. I can also go through and create a change, and with this change I can make an assignment to a specific group to enable them to go out and work on fixing this so that they can remediate it. Once this is done, I can move the status of this from Under Investigation to Awaiting Implementation, and now this assignment can be assigned to the appropriate users. I can make those changes here as necessary, and I can select maybe my hardware group, or maybe I'll identify my CI manager who is going to manage this group, and pass this off to the group that's going to handle this specific system, or route this to the correct individual.

At the end of the day, what I want is to be able to identify where I failed, where I have errors, and where I've passed my configurations, to make sure that my systems have the appropriate password parameters, have their firewalls turned on, and maybe have specific settings that need to be acquired based on CIS Benchmarks, in order to bring us closer to compliance so that we can transition a little bit better to a more secure operating environment.

I'd like to thank you for joining me today. As a challenge, I would like to ask that you find out what your organization is doing to manage the resolution of any failed configurations in your environment, and then on top of that, reach out to your account executive to learn how to take action on your configuration compliance requirements. Thanks for joining, and have a great day.
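The workflow the walkthrough describes (keep only results that failed and are neither deferred nor closed, group them into test result groups by policy and control, route each group to an assignment group by technology, and move the resulting issue from Under Investigation to Awaiting Implementation, with a deferral for systems that cannot take the fix) as an added Python example. This is not ServiceNow code and not code from the video; the scanner export field names, the routing table, the Resolved/Closed states beyond those mentioned, and the sample results are all constructed assumptions.

```python
"""Constructed example: ingest configuration-compliance test results, keep the
actionable failures, group them into test result groups, route them, and open
issues with a small state machine. Not ServiceNow code; field names assumed."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample export. A real scanner (Qualys, Rapid7, Tenable) returns
# many more fields; these are the ones the workflow below needs.
SAMPLE_RESULTS = [
    {"host": "win-app-01", "os": "Windows Server 2019", "policy": "CIS Windows Server 2019",
     "control": "1.1.1", "title": "Enforce password history", "result": "fail", "status": "open"},
    {"host": "win-app-02", "os": "Windows Server 2019", "policy": "CIS Windows Server 2019",
     "control": "1.1.1", "title": "Enforce password history", "result": "fail", "status": "open"},
    {"host": "win-app-02", "os": "Windows Server 2019", "policy": "CIS Windows Server 2019",
     "control": "9.1.1", "title": "Windows Firewall: Domain profile on", "result": "fail", "status": "deferred"},
    {"host": "lnx-db-01", "os": "Ubuntu 22.04", "policy": "CIS Ubuntu 22.04",
     "control": "3.5.1.1", "title": "Ensure ufw is installed", "result": "pass", "status": "open"},
    {"host": "lnx-db-02", "os": "Ubuntu 22.04", "policy": "CIS Ubuntu 22.04",
     "control": "3.5.1.1", "title": "Ensure ufw is installed", "result": "fail", "status": "closed"},
    {"host": "lnx-db-03", "os": "Ubuntu 22.04", "policy": "CIS Ubuntu 22.04",
     "control": "5.3.1", "title": "Ensure password creation requirements are configured",
     "result": "fail", "status": "open"},
]


def actionable_failures(results):
    """The 'not deferred, not closed, result is failed' view from the walkthrough."""
    return [r for r in results
            if r["result"] == "fail" and r["status"] not in ("deferred", "closed")]


def group_test_results(results):
    """One test result group per (policy, control): every host failing the same check."""
    groups = defaultdict(lambda: {"hosts": [], "os": set()})
    for r in results:
        g = groups[(r["policy"], r["control"])]
        g["title"] = r["title"]
        g["hosts"].append(r["host"])
        g["os"].add(r["os"])
    return dict(groups)


# Assumed routing table: OS family -> assignment group. In a CMDB this would come
# from the CI's support group; here it is a constructed lookup.
ROUTING = {"Windows": "Windows Server Team", "Ubuntu": "Linux Platform Team"}


def route(os_names):
    """Pick an assignment group; a mixed-technology group goes to SecOps for triage."""
    families = {name.split()[0] for name in os_names}
    if len(families) != 1:
        return "Security Operations"
    return ROUTING.get(families.pop(), "Security Operations")


# Issue state machine. Under Investigation, Awaiting Implementation and the
# deferral are from the walkthrough; Resolved and Closed are assumed.
TRANSITIONS = {
    "Under Investigation": {"Awaiting Implementation", "Deferred"},
    "Awaiting Implementation": {"Resolved", "Deferred"},
    "Deferred": {"Under Investigation"},
    "Resolved": {"Closed"},
    "Closed": set(),
}


@dataclass
class Issue:
    policy: str
    control: str
    title: str
    hosts: list
    assignment_group: str
    state: str = "Under Investigation"
    justification: str = ""


def open_issues(results):
    """One issue per test result group, sorted by (policy, control) for stable output."""
    issues = []
    grouped = group_test_results(actionable_failures(results))
    for (policy, control), g in sorted(grouped.items()):
        issues.append(Issue(policy, control, g["title"], sorted(g["hosts"]), route(g["os"])))
    return issues


def transition(issue, new_state, justification=""):
    """Enforce the allowed state changes; a deferral must carry a justification."""
    if new_state not in TRANSITIONS[issue.state]:
        raise ValueError(f"{issue.state} -> {new_state} not allowed")
    if new_state == "Deferred" and not justification.strip():
        raise ValueError("deferral requires a justification")
    issue.state = new_state
    issue.justification = justification
    return issue


if __name__ == "__main__":
    for issue in open_issues(SAMPLE_RESULTS):
        print(issue.control, issue.assignment_group, issue.hosts)
```

Running the block opens two issues from six scan records: the deferred firewall finding and the closed ufw finding are excluded by the same filter the video's view applies, and the two Windows hosts failing control 1.1.1 collapse into one issue routed to the Windows group. Feeding a real export in is a matter of mapping the scanner's column names onto `host`, `os`, `policy`, `control`, `result` and `status`.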
https://www.youtube.com/watch?v=UqjeAeGpvDU