ServiceNow Federal Tech Talk - Integrate Vulnerability Response and Continuous Authorization
Moderator: Good afternoon. Thank you for joining us today. Carahsoft Technology would like to welcome you to our ServiceNow Federal Tech Talk, "Best Defense Is a Great Offense: Integrating Vulnerability Response and Continuous Authorization Monitoring with ServiceNow." Before we get started, I would like to quickly go over a few housekeeping items. Please note that all lines have been muted to reduce any kind of background noise during the presentation. If you have any questions throughout the webinar, please use the Q&A feature at the bottom of your screen; we will do our best to answer by the end of the presentation or follow up with you offline. This webinar is being recorded and a copy will be emailed to you. Just to tell you a little bit about Carahsoft: we are a trusted government IT solutions provider supporting public sector organizations across federal, state and local government agencies, including education and healthcare markets. At this time I'd like to hand the floor over to our speakers. Scott, the floor is all yours.

Scott: Thank you. Hello everyone, my name is Scott Havac and I'm an advisory solution consultant for security operations for ServiceNow. Joining me today is my colleague Todd Huber, who's also an advisory solution consultant for our risk management solution portfolio. The topic of today's webinar is automating the RMF process with continuous authorization and monitoring and vulnerability response, and the goal of this webinar is to show you how you can do so to achieve and defend your ATO with ServiceNow. Before we get started, it is possible that we may discuss some capabilities today that are not immediately available in the product, so we want to put up a disclaimer here, a Safe Harbor notice, and just say that if we do happen to get into capabilities that don't currently exist in the products today, you shouldn't make any buying decisions based off of this, and we have no obligation to deliver on anything that we may cover today that's not in the product.

So the use case that we're going to cover today is an important use case for federal agencies, and it's one of our "better together" use cases that we have across our platform of solutions. For us, "better together" means we have multiple solutions that work together to achieve better outcomes than going with point products and trying to do it through manual process, and we'll talk about how we do that today. The three solutions that we'll cover today are our ITOM solution, which is kind of the heart of everything that we do here at ServiceNow; it feeds our CMDB and provides all the information about people, process and technologies within your organization. Then we're going to talk specifically about the IRM portfolio, and our Continuous Authorization and Monitoring solution specifically, and we'll talk about how you can automate your RMF process from end to end. Todd will go through the details of that and walk you through the steps there, and then I will show you how you can do automated testing and tie that into continuous authorization and monitoring with the Vulnerability Response solution, as well as our Configuration Compliance capability that's a part of Vulnerability Response. With that said, I'll go ahead and turn it over to my colleague Todd, who's going to do a quick overview on continuous authorization and monitoring.

Todd: Great, thank you very much, Scott. Appreciate the introduction; looking forward to our discussion here this afternoon. Could you progress to the next slide please? Thank you. So today we'll be talking about Continuous Authorization and Monitoring, or CAM moving forward as the abbreviation. In the graphic we're looking at now, that can be found in the purple column in the middle of the screen. CAM is technically an accelerator, so it leverages data and capabilities from all of the IRM solutions that you see on the screen now, as well as other ServiceNow solutions and any data such as SecOps and any data that's in the ServiceNow CMDB. When it comes to the Risk Management Framework, RMF is risk management itself, so we're going to leverage capabilities from the initial three GRC solutions: Policy and Compliance Management, Risk Management and Audit Management. CAM is going to lean heavily on Policy and Compliance and Audit for implementing the controls, documenting the controls and then using Audit Management for testing the controls. When IRM was initially released, give or take 10 years ago at this point, it was initially called GRC and included those three solutions in the green columns, but since then GRC has expanded into Integrated Risk Management when we added in additional capabilities such as Business Continuity Management, and the capabilities there line up directly with the requirements in the CP, or Contingency Planning, control family in RMF. In addition to that, we also offer Third-Party Risk Management, and the capabilities within that solution line up directly with the new Supply Chain Risk Management control family requirements. And lastly Privacy, which lines up directly with the requirements in the PT control family. In addition to these IRM capabilities, like I said earlier, we're also able to leverage additional data in the CMDB from solutions like SecOps, and access all of that through that modern employee experience through interfaces such as the Service Portal, Employee Center and the new modern UI. Next slide please.

So on the last slide we identified the IRM capabilities and the different solutions that we offer. This slide ties those to the actual use cases in the federal environment. Across the top of the screen we see the individual solutions that are offered, and below those the different use cases that we address, such as OMB A-123 and internal and external audits. Today we'll be talking about what's on the bottom half of the screen, in the lower left box: Continuous Authorization and Monitoring. We're not going to get into the other solutions, although we did mention they are integrated with CAM, so whenever data is needed from those tables to help document controls or monitor for control compliance, that is all available on the same platform. CAM itself is a full end-to-end RMF solution, all the way from boundary creation and maintenance to package creation, taking an authorization package through all seven RMF steps, accomplishing all 56 RMF tasks along the way, stopping off at step four for the assessment, where we leverage the capabilities in Audit Management, and then getting the ATO and eventually progressing to the point of continuous monitoring, where our focus is today. Next slide please, Scott.

When ServiceNow first took a look at the Risk Management Framework, we saw a lot of workflows, which is beneficial with ServiceNow being a workflow platform software solution provider, and we're able to leverage workflows and automation within the platform to accomplish the entire RMF process and leverage all of the capabilities within the platform, such as the CMDB, Performance Analytics for reporting, and the ability to tailor reports to the individual audiences that the different agencies have to report up to. We also provide all of the controls for both Rev 4 and Rev 5 out of the box, as well as the assessment procedures for Rev 5. All of the control mapping is performed out of the box, and we also provide full control inheritance, including full inheritance, hybrid inheritance and offering up control providers, as well as monitoring POA&Ms for continuous monitoring and all the artifact generation that needs to take place to put together the ATO package. There are enhancements on the roadmap, especially in the next release, which is coming up in August, and this is one of the forward-looking statements Scott mentioned earlier: there are additional reports on the roadmap to be released for the Security Assessment Report and the POA&M report, and eventually the capability to generate not only the templates but also the reports themselves in Word files as opposed to PDFs in the HTML template builder; that is also on the roadmap. Next slide please, Scott.

So here's how we identify how we're able to pull all of that information into one single platform. Traditionally, when organizations take on the RMF use case, they're using point solutions which are designed specifically to create boundaries and packages but don't necessarily have the ability to integrate with third-party tools, pull in that additional information, or have configurable workflows to help drive these complex processes through to fruition. That's where ServiceNow excels, being that CAM is installed on the ServiceNow platform and has access to all that data, especially in terms of continuous monitoring. That's very powerful: not having to go to separate teams or different tools and request different reports. Having all that data in one specific place has been very beneficial for our customers. Next slide please.

Here we have some anonymized, sanitized data from some business value analyses that we have performed with customers that have implemented CAM. The federal customer base is left off of this, but these are some of the metrics that we have captured. I'm not going to go through each and every one of those, but needless to say, the workflows and the automation that we leverage in CAM have helped our customers get to the ATO much faster and enabled them to perform continuous monitoring capabilities they would not have been able to perform otherwise. With that, I'm going to pass it back to Scott.

Scott: Thank you. Okay, so as Todd mentioned, there's a tremendous amount of efficiency gains that one can achieve when you automate the control testing and the vulnerability management process, along with the continuous authorization and monitoring activities. When we initially encounter customers for the first time, we typically find them in a state as you see on the screen here. They've pretty much done a decent job of automating the scanner running and generating the output. The output is then typically going to be a CSV that's put into a spreadsheet, and that's where the manual effort really starts, and that's where most folks experience quite a bit of inefficiency with the process, because everything from here on out is manual. That starts with adding context to your vulnerabilities from your assets, and then managing the process once you do that around assigning a risk value, assigning it to individuals to remediate, giving them mechanisms to manage the remediation process whichever direction that takes them in, and ultimately closing out the tickets. What we typically find is, through these inefficiencies, that the mean time to respond or mean time to remediate vulnerabilities is measured in weeks or even months in many cases.

So what we've built in ServiceNow is an end-to-end automated solution that allows you to manage the entire process. It starts with integrating your vulnerability scanner, which if you're in the federal government is most likely going to be ACAS, which is based off of Tenable, but it could be Qualys, could be Rapid7, could be other types of scanning solutions; we'll talk about those here in just a few minutes. Then you're going to basically leverage the automation in the platform, starting with the CMDB, to assign risk, and that risk can be based on things like: it's part of a FISMA boundary that you're tracking, it could be a critical function within the mission of the organization, it could have an exploit available versus not, which can obviously raise the priority. And then we also give you, and I'll show you this, some out-of-the-box content from NVD and CWE and CVEs and such to manage this. Once you do that automatic prioritization and enrichment, you're going to want to assign those vulnerabilities; that's step four, and we offer AI and predictive intelligence to help you with that. Step three is actually you're going to group the vulnerabilities and then assign them, and then you're going to begin the workflow process, and this is where you transition to the remediation effort. The remediation effort is ultimately either going to address the vulnerability or the configuration issue; that may involve creating a change request, it could involve pushing out a patch if a patch is available and you've set up the integration with BigFix, Tanium or SCCM, or it could require an exception and ultimately a POA&M, and that's what we're going to show today, all three of those steps there, and that would cover five, six and then seven. Then ultimately the scanner can come back and you can launch a rescan from ServiceNow and verify that the vulnerability is resolved, and then we give you a mechanism to report on that, and again, doing all of this automated in an end-to-end process, so that after you implement ServiceNow you now have a fully automated end-to-end state and you're measuring your mean time to respond in a matter of hours or days as opposed to weeks or months.

So with that said, I will go ahead... oh, actually, one more slide, on Configuration Compliance. So in our world, vulnerability scanning looks for issues within the system; Configuration Compliance is looking for configuration issues within the system. So in this case we would use authentication and/or agents, and do that through integration with third-party scanners, to be able to essentially audit systems for things like, on the right, open ports, services, weak passwords and other configuration items, and then map those to the various compliance standards that you care about, which is often going to be 800-53, 800-171 and the DISA STIGs. So we have the ability to map to that. With that said, I'm going to go ahead now and turn it over to my colleague Todd, who's going to demonstrate continuous authorization and monitoring.

Todd: Thank you, Scott. So the flow our conversation is going to follow here today is: we will start out at an authorization boundary and see how we can create the boundary, which is essential for continuous monitoring here in CAM, and then jump into an authorization package that is in step six, in the Monitor state, and look at how we can perform continuous monitoring with different data throughout the CMDB. Then we will get into continuous monitoring indicators and see how we can monitor those controls for compliance autonomously, and look at some reports at the end for how we can quantify all this data.

Starting out here in the authorization boundary, we define boundaries three ways here in CAM: with attributes, diagrams and system elements. The attributes can be found in the top third of the screen here, the diagrams are uploaded into the middle part of the screen, and then the system elements can be found at the bottom. Like all ServiceNow solutions, CAM is data that's in the CMDB, so it's records that are data in the tables, and if we want to pull additional fields into these forms to support tracking for metrics, data calls and reporting, we can definitely do that. It's as easy as adding columns into the table that the form is being pulled from, capturing that data, and then you can use that data for reporting purposes. The bottom third of the screen here, where the system elements are, can be populated two ways, and we understand that customers are in various stages of their CMDB maturity; some are getting up and running, others are in a more mature state with their CMDB. CAM can support either way, regardless of CMDB maturity. The more data that's in the CMDB, the more powerful CAM is, but if you're still getting up and running and populating tables, you can do an initial manual upload of what the boundary looks like, and then when you get to the point where the CMDB is mature enough to automate the process with boundary filters, that can be done. But it can definitely support the manual upload of data if needed.

In addition to the manual way to populate the system element list, we also use boundary filters. We have one example here and I'm going to open that up to show the process. The boundary filters are basically scheduled jobs; out of the box they run every 24 hours, and they will look for data in the CMDB based on a certain filter condition and pull those system elements into the authorization boundary, or remove them if necessary. This boundary filter right here is pointed back to our Windows Server boundary that we just came from. We want to pull in Windows servers from a specific table here, so we have identified the table as the cmdb_ci_win_server table, where the data resides that we want to filter on. For the filter condition, when we select the table, this filter condition dropdown contains all of the columns that are in the table that we selected, so we can get very granular with how we filter down on the information. In this case we've selected Name; for the operator we've selected "does not contain", and "load" is the value here. So every 24 hours when this boundary filter runs, it's going to look through the Windows Server table for any system elements that do not have a name that contains "load", and it will dynamically bring those system elements into the boundary. There are other options that you can perform here: if you want to pull in data that's in a subnet, you can select IP address, use "between" as your operator, put the bottom and top ranges of that subnet in the criteria fields, and then pull in that type of information. So you're only limited by the data that you have in the tables as to how you can filter down and pull in those specific system elements.

The inverse of that process of bringing the system elements in is to remove them. When the scheduled job runs, if there are system elements that were brought into the boundary from a filter that were not identified the subsequent time the filter ran, then that system element would be removed from the boundary. Excuse me. We see that as beneficial for two reasons. One is compliance, because your documentation will always be up to date within a 24-hour period of time; you'll have an accurate boundary list, so your hardware inventory for your CM controls will be accurate within 24 hours. Security is the other benefit that we see, because when we get to the point of running continuous monitoring indicators against the boundary, they're going to be run against an accurate boundary list. Again, as long as you have the mature CMDB and you're able to leverage this automation based on the data that's in your specific environment, then you'll be able to automate this process and leverage that to the full capability.

Once we have the boundary defined, then we'll be able to create an authorization package and take that through the RMF process, get the ATO, and get to the point of continuous monitoring, which is where we are in this package right here. The chevrons across the top of the screen indicate that we are in the Monitor step, and we are continuously monitoring these controls to maintain our compliance. The middle of the screen here, the Risk Summary tab, contains a lot of information that could have an impact on your ATO, again depending on the data that's in your specific CMDB. Out of the box we provide fields for these four data points: change requests, IT incidents, security incidents and vulnerable items, all of which could have an impact on your ATO. In addition to a hard count, we're also pulling in the average risk score of the different records that are identified in this tab. In addition to the high-level data, we also have access, based on least privilege and role-based access in the individual environments, but the out-of-the-box capability is to be able to show these individual records as well. So the ISSO, or whoever is working the package, doesn't have to email another team, contact another team through messaging or chat, or request a report, because CAM is part of the ServiceNow platform and it's accessing this data that's on the platform. All of those in-between steps and the manual workflows are eliminated, and you can have quick and easy access to the records, again if permissions permit, including what we're talking about here today, which are these vulnerable items. You can click into these different records and see all the work that's being done on the SecOps side, keep track of the workflows, and make sure that the vulnerabilities will be patched prior to slipping on whatever the patching policy is and requiring a POA&M to be opened up.

So this is a top-level look at the different data points that could have an impact on the ATO, but this doesn't delve specifically into continuous monitoring of controls. For that we use indicators. We have two examples of indicators that we're going to look through today. One is a manual indicator, and that's for any time somebody actually has to put their eyes on the screen and put their hands on the keyboard, and the other is a basic indicator, which looks at data in the ServiceNow CMDB and automates that monitoring process. For a manual indicator we've selected the AU-6 control right here, or the AU-6 control objective. This is the control objective template that controls are generated from when authorization packages are created, and I like to call that out specifically here because this is an area where you can have transparency between all of your different ATO components. So all the data that's contained in your policy, plans and procedures, which normally ISSOs and assessors would have to go look in those documents to get if they didn't know it by heart, you have an opportunity in CAM here to customize your control language. So all of those organizationally defined parameters, anything that you find in the brackets, so here we're talking about the frequency, or the organizationally defined inappropriate or unusual activity, or potential impact, all of those organizationally defined parameters can be included here at your objective template level, which will propagate down to all the controls when they're generated. That alleviates your team from having to go hunt and search for that information.

We have two indicator templates configured here to monitor this control, for both AU-6a as well as AU-6c. For (a) we need to review and analyze system audit records, and then for (c) we have to adjust the audit review based on the findings and the work that's being done. We'll take a look at the template for AU-6a and see how this is configured. So in our organizationally defined parameter here, we have defined that this review needs to take place every quarter, so we have captured that in the indicator template text right here; every time the indicator is generated, it's going to include this text. We can also schedule out when this indicator is going to run; here we've selected quarterly, and we also have daily, weekly, monthly and other collection frequency thresholds, and then we can define when the next run is going to take place. So this takes the guesswork, or the Outlook calendar events, out of the equation when it comes to tracking these controls. The system is doing the job of generating the record, kicking off the workflow, and sending out the notifications to the appropriate control owners or their technical POCs that come in and perform the review. The business end of this: whoever's logged in, Susan Orwell, is the control owner that's being monitored for this control right here. They would be able to access the record, upload a screenshot, upload a file, mark the record as complete, and use that actual hard or soft copy as a record that you can use to substantiate that the work is being performed during the next assessment.

The next example of an indicator that we'll look at is a basic indicator, and this is going to look at data that's in the ServiceNow CMDB. For this we've selected an indicator that's going to scan for active vulnerable critical items older than 15 days, or mediums that are older than five days, or mediums that are older than 15 days. We have scoped this indicator back to RMF Application 6, which is the RMF package that we were at earlier, so this is monitoring the RA-5 control, or the Vulnerability Monitoring and Scanning control, of that package. In the middle of the screen, the configuration area: this is a basic indicator, so it's an automated process that's going to look at data in the ServiceNow CMDB. We have pointed this to the Vulnerable Item table, where the vulnerability data resides that is being worked in the SecOps solution that Scott's going to talk about here shortly, and these are the supporting data fields that the indicator will look through when it parses the data in this table. The basic criteria here: we have a couple of different conditions that need to be met. For the first one, is the state of the vulnerability in some state of being open, is it older than 5 days, and does it have a risk rating of critical? Or is the vulnerability in some state of being open, is it greater than 15 days, and is it medium? Indicators are very flexible; you can have multiple indicators per control. So for RA-5, for example, an indicator can be set up for lows that's only going to look at low findings older than 365 days, moderates older than 180, high findings over 30 days, and critical over 15. So you can have multiple indicators monitoring the same control performing separate actions, or you can roll those into a single indicator if that works better for your organization, and schedule out when this indicator is going to run. For vulnerability scanning, most agencies are scanning every 72 hours for CDM anyway, so we can set this one for daily. The Results tab is going to contain the record of the most recent time that the indicator ran and the time prior to that. Every time the indicator runs there will be a record of it, a historical record, here in the related list at the bottom of the screen, and that's also data that you can use for reports. So if you want to track your indicator performance for continuous monitoring over a certain period of time, those are data points in the CMDB that reports can be created for.

So for this particular indicator, where we're looking at vulnerability scanning data, we see that it failed the most recent time. To see the impact that that failed indicator had, we have to go to the actual control that's being monitored. Here we can see that the status of this control is non-compliant, and the reason for that, when we scroll down to the bottom of the screen, we see the connective tissue back to the indicator that we just came from: our active vulnerable critical or medium findings. We see in the far right column here that Last Result Passed is false; that was the driver for making the control non-compliant, as well as opening up a POA&M, or an issue, and assigning that back to the control owner to get the control back into a compliant state. We'll open up one of those issues right now. This one is currently in the Respond step of the workflow; the workflow is across the top of the screen in the chevrons. More connective tissue back to the indicator: here we're looking at the POA&M, and this is showing the issue source is indicator failure. We definitely do not want our customers to work for the Department of Redundancy Department, so there are enough smarts behind the automation in CAM that we're not going to open up multiple POA&Ms per control. If there is an existing POA&M for a control, we will update the issue source if there's a control test or an indicator failure or an attestation self-reported non-compliance, so the system will know enough not to open up redundant POA&Ms for individual controls. The issue record in CAM is where the corrective action plan will be captured, and the response will also be selected here. The response will determine which type of tasks will be generated for the POA&M closure, whether they're remediation tasks or acceptance tasks; they can be tracked down at the bottom of the screen in the related lists. We still have the concept of milestones, which are separate from tasks: tasks track the actual work that needs to be done, and milestones can track those dates that we need to close and pass through. So if implementing ServiceNow is going to close a POA&M finding, then you can still have your procurement, contract award, kickoff meeting for implementation, wrap-up meeting for implementation; you can still have those milestones, but we're going to drive the POA&M through to closure through the tasks.

So we'll do a quick recap now on that process, just to show how we drove that process home. Back at the indicator that we were just looking at, again that's monitoring that vulnerability data that resides in this Vulnerable Item table, so all of the work that's done on the SecOps side of getting those vulnerabilities in, normalizing them, getting them in a state that they could be remediated, all that work is being done on the business end within SecOps, and we're monitoring the data that's in that table for compliance. Whenever that data exceeds the thresholds that we put in for our basic criteria, that indicator will fail, the automation will kick in, mark the control non-compliant, open up a POA&M and assign that back to the control owner. We're able to track all these POA&Ms and different remediation actions through the dashboards and reports that we provide. In the current interface, this is what the reports look like, and again this is a forward-looking statement. Well, this is what the report page looks like; we got logged out, I apologize. The release versions of our instances log out pretty quick, so it looks like I lost my login. But we are transitioning over to the new UI, Workspaces, in the upcoming release in August, and that will enable CAM to take advantage of all the new reporting capabilities, fewer clicks, cleaner interface, and we're looking forward to that.

So that is the POA&M process. Quick recap for everything that we discussed: we started out with the authorization boundary, showed how we create the boundary and are able to monitor the boundary with boundary filters to keep the boundary up to date and keep the system element list accurate, so when we do get to the point of Monitor in an RMF package, we're able to pull in all the data related to those system elements, including change requests, IT incidents, security incidents and of course vulnerable items, get those risk scores, have access to the individual records themselves, and then monitor the different controls with continuous monitoring indicators to ensure that they remain in a compliant state. With that, I'm going to stop my screen share and pass it back to Scott for the remainder of the SecOps presentation. Thank you.

Scott: Thank you, Todd. Okay, now we will show you how Vulnerability Response and Configuration Compliance support the continuous monitoring activities that Todd covered by leveraging automation. We'll quickly start out with step one, which is how you tie your scanning technology into ServiceNow and do the initial configuration. To facilitate that, we give you a setup assistant that allows you to quickly install the application and define your users and groups. It is a scoped application, so you do have the ability to limit who has access to this data, apart from everybody else in the platform. The next step would then be to do the configuration of the scanner, and we provide you an easy wizard to walk through entering your configuration. We do support scanning both when it's done in the cloud and when the scanning is deployed on site; we do that via MID Server. And then lastly the setup that we talked about, starting in step two. So really the first thing it's going to do is the risk calculation, so we'll take a look at that really fast. We have the ability to leverage the CMDB and other contextual information in the platform to set up the risk calculator, and if my environment will cooperate here, we'll take a look at this. You can see here that it's as simple as having your different fields that you're monitoring, so whether your CI is exposed to the internet, your EPSS score, the criticality; really any metadata in the risk or CMDB process could be leveraged here in the criteria builder to define this, and then weights. It's on a scale of 0 to 100; it's a very simple way to set up your risk score. You can also do this in a fairly sophisticated way using scripting as well. After you do that, then you might want to immediately assign all those vulnerabilities. So as vulnerabilities come in, you have an individual record in a table that's going to be one vulnerability on one system, but that's not an easy way to remediate vulnerabilities. You do still need to individually assign all those vulnerabilities, and that's step one here. Step two is then to group those vulnerabilities into like categories so that they can be managed in bulk and not have to be managed individually, and that's what the remediation task rules do. And then lastly, the remediation target rules are going to define, based on criteria in business context, when these vulnerabilities need to be remediated. That would basically take you through the integration, the prioritization, the assignment and then the grouping.

Now we're going to pivot to go through the workflow, and as we go through the workflow we're going to demonstrate this from two different personas. The first persona we're going to use is the vulnerability manager, the person that's managing the entire effort and working with the risk team on making sure things are getting accomplished, and then we'll also pivot and show you what it looks like from those that are responsible for doing the actual remediation. Before we do that, though, we'll quickly touch on the fact that out of the box, to support the enrichment, the prioritization, the risk scoring and assignment, we give you the NVD database feed, and we have an example here where I've taken that feed and filtered it for CISA, which is another feed that we take in, so that we have the ability to say, okay, show me all the vulnerabilities with a vulnerability score of 10, which is the most critical, and where CISA has sent out an announcement saying that an exploit exists. So that's what you see here, and this might be a good example of either vulnerabilities that you want to track using a watch topic, which I'll cover here in a minute, or a higher priority in terms of a risk score that you might want to assign because of it having such a critical issue that has a working exploit. So again, we provide this out of the box, and we'll also touch on some additional content that we give you along the way here. Okay, now we're going to pivot into what's
called the vulnerability manager workspace this is where the person performing the management of vulnerability process uh is going to live and work um and you can see here you get an initial dashboard um one of the first things I want to call out is the fact that there are different types of vulnerabilities that we can track and manage in vulnerability response we talked about two of them the first is uh host vulnerabilities which are infrastructure vulnerabilities coming from typically a scanner like tenable acast um also it may involve configuration test scan results coming from uh acas and that's what you have over here um but there's other types of vulnerabilities that we can bring in we can bring application vulnerabilities and they may come from Das scanners SAS scanners is scanners it could come from penetration testing results or SCA scanning and then lastly container or cloudbased vulnerabilities um in your assets that are specific to the cloud there are specific scanners out there that focus on that and we have the ability to bring those in um now we'll pivot to watch topics so watch topics in our vacular are a way for you to have a focused effort on your vulnerability Management program so you know vulnerabilities come in you know they can be run-of-the-mill day-to-day things that are fixed through an easy patch from Microsoft maybe not a critical issue those are things you just want to automate get out get remediated as much as you can and get out of the way but then you have those critical vulnerabilities and a great example of this are your critical vulnerabilities in your fsma boundary um and that might be something that you might want to track here and you can see we've created a watch topic for that um creating a watch topic generally is very simple uh for example here's a watch topic we created for log 4J that focused on that and and you can simply do that here you can either say I want to do this on an ongoing effort so as new vulnerabilities 
come in they get put into the watch topic get automatically added to the remediation effort or doing it as of a point in time and it's as simple as just kind of clicking through the screen um deci deciding whether you want to transfer these from another remediation effort and then saying create um and then that will go ahead and create that while that's happening we'll take a look at a few other things here let's go ahead and pivot to the uh the critical overdue vul so as as Todd mentioned you know you create your fsma boundary you create your indicators um you start your vulnerability scanning now you want to kind of connect that back to the indicators and this allows you to then track and manage in this case vulnerabilities that are overdue that are going to result in indicator failures and poam um and it set set up based off of the criteria that you defined as we kind of drill into that you can see that you know you have o overview details here's the remediation task that go as part of that but as we kind of go back and look at the watch topic itself you can see that you know it's very powerful you can see the distinct CIS that are part of this watch topic that are overdue how many are internet facing versus not what different class in the cmdb they are how many unique vulnerabilities they have which ones have exploits U and then a list of the vulnerable items here okay and as we further drill into the remediation effort here you can see that this gets into if you're managing the process you may possibly be involved in the workflow to do remediation and we give you that ability within the manager so notice up here you have some buttons with some process and I'll show this here from the it remediation uh manager or remediation individual standpoint but note that they are available to the person managing the process um as long as well as the ability to then kind of trap what's going on with those remed remediation efforts so slas preferred Solutions any changes 
and ultimately solutions that are available to address the issue um similarly we also have the ability to do this for uh configuration issues uh and an example the watch topic here for config configuration issues within the fsma boundary and the what I'll demonstrate with vulnerabilities works exactly the same with configuration issues the same process the only difference is that the configuration results go into a different table um and they have a different you know record start here CTR as opposed to vit but essentially the flow works the same way and the process works the same way um and as we look at these you can see that this is where you can see a visual tie through irm into those control framework citations policy statements and such so for this given test you can see that um these are the citations that it maps to um and then these are the policies internally that it maps to and you can see that it maps to our internal 853 rev 4 for Windows policy these are all the results on individual systems where they failed that particular test uh triggering triggering an indicator failure and then lastly these are the policy statements that it maps to from a GRC perspective that have been defined so um again this is the the vulnerability manager view now let's pivot to somebody doing remediation and take a look at what that looks like so we have a specific workspace called the it remediation workspace and you'll notice here that you have the ability to one see for uh vulnerability tasks that are assigned to you how many have preferred patches and what are those patches here so if you've done the integration with patch management you have the ability to then marry those patches with those vulnerabilities and it manages things like supersedence within a patch when a patch is the best option it replaces another patch we have the ability to kind of manage that hierarchy um within uh vulnerability response um and then also preferred Solutions this is some other content 
that we give you so out of the box we give you essentially a uh feed of both Microsoft and red hat and we can take feeds from other tools around solutions for different issues so again this helps with the patching and in determining what is the appropriate way to remediate this vulnerability the most efficient way to remediate it and between the patches and the preferred Solutions we give you the ability to do that okay so let's take a look at the workflow real quick um so again this vulnerability has been assigned to an individual it has these particular vits it's a group of vulnerabilities they were grouped for some particular reason and then these are the the different workflow options so the first one you might want to do is well I'm going to go ahead and remediate this manually and it won't take me very long so I'm going to go ahead and create a change request uh to document that I'm going to do that and when you'll notice here this is a a first area where you see some huge efficiency gains this is often a separate system for most folks so the ability to automatically take some of the information from this um vulnerable task and then populate this change request makes it really easy to go ahead and kick off the change request documenting your plan to to fix this issue the uh the next issue or the next thing you might want to do is schedule a patch if it's a infrastructure V and a patch exist and it's the right uh way to solve the issue you can automatically then schedule that patch and push it out and you can see here you can pick pick the patch um and then go ahead and uh anyway the demo environment's acting a little crazy tier today but you'd be able to pick the patch select the computer and go ahead and schedule that um and then the last part of the process and this is where it ties back to irm in the poem is maybe for whatever reason you can't immediately resolve the issue maybe it's because the vulnerability doesn't exist or the patch the the remediation 
option doesn't exist the vendor is still working on it or you can't apply it for some reason maybe it'll impact the system's you know availability or operations so in that case you know you need to submit an exception or deferral and that's going to trigger a poem and that's where you do that right here so you go request exception um you can document the reason in this case you know maybe the the fix isn't available uh maybe we need to do this for a few months and revisit this um and you know then maybe you know you need to tie in some notes to explain what's going on so again this is where it would tie back into irm into the poem into the indicator PN and note that hey there's a plan for for managing this exception here and here's what the plan is um there's some additional workflow that's also available there's a workflow to split the task there's a workflow to say Hey you know this was incorrectly assigned to me um you know we have the ability to D duplicate vs and you can show those so so as well as marking things out as a false positive so the last thing I want to touch on is then the ability to kind of measure the overall program and again out of the box we give you this overview dashboard here in the vulnerability manager workspace and has some really nice widgets already pre-created to kind of quickly see at a glance how you're doing with your vulnerabilities and your configuration test results we also give you a number of different dashboards um and you can see here we have things like a maybe a compliance dashboard that shows you configuration compliance specifically uh unified vulnerability response ceso one specifically for application vulnerabilities so again a lot of ways to kind of out of the box measure and manage the effectiveness of the vulnerability um response program and and how you're doing with configuration compliance as it relates to managing your um you know your uh indicators and you know measuring that for your fsmo boundaries so with 
that said that kind of concludes our demo for today and I'll kick it back to the moderator and I think we'll going to open it up for questions thank you we do have quite a few questions uh first one coming from pretty early on in the presentation does this cover ATU as well Todd do you could we get a that acronym spelled out I'm I'm not familiar with ATU I'm not familiar with it either if you could drop in the chat what ATU stands for we can go ahead and get that answered but I'll go ahead and move on to the next one just while we're waiting um does this accommodate oscal ocal yep I'll get that one so yes uh yeah we do support oscal and we have a uh a road map of expanding into additional models as we go on we can currently export the SSP and as the uh as the different releases progress we're also going to add in the ability to uh Import and Export the uh the SSP the control catalog and the poems and then continue to add in the additional uh models as we go forth we can uh if you'd like to reach out to us we can uh we can schedule a uh road map session if you would like okay and in the chat ATU stands for authority to use for our government customer okay so the uh the options on the the atto verbage that's a a drop down and you can have any of the uh any of the different terminology authority to connect IAT IAT uh at o at with conditions all of those uh all of those options are available and however you want to you can if you need to configure workflows to accommodate different uh review and approvals for the for the ultimate atto approval then that can be configured in flow designer as well so you can you can capture the different the the different atto statuses that that that's configurable and and you can accommodate whatever the different review and approval gates are for okay and next question do servants now have acas API interface agreement with c5isr I I know what that is I don't know the answer to that question I actually personally don't support the Army 
um but I know that we we do a lot with the Army but we'll have to take that one and and get back to you on that I'm I'm not I don't want to answer incorrectly and I'm for that I'm not specifically certain if we have the agreement in place or not okay um will there be an enhancement to add ACLS to those related tables uh VR incident change security incidents Etc to only display records to a cam stakeholder that is named on a package currently the ootb grants read all access to those tables via the service now irm continuous off reader role but we don't want system owners SL ssos to have access to all vulnerabilities just the one that relate to their just the ones that relate to their system yes the uh the ACLS are configurable we we do have customers that have greatly restricted access to some of the roles to to show very limited amounts of data and enhanced other roles to to accommodate other other capabilities so yes you can you can modify ACLS to uh to to to restrict the access that's granted okay um within a single authorization boundary if multiple if multiple vulnerable items for the same vulnerability exceed the acceptable remediation time frame how is that information tracked in grouped yeah that's one I think that we demonstrated as part of vulnerability response but essentially you know through the criteria Builder you you want to essentially set up a criteria that captures that scenario uh go ahead and groups those you might want to create a watch topic to track those and manage those um and you know assign appropriate time frame um based off of uh of that in and you trigger escalation maybe through notification but um yeah that's that's kind of core functionality within how VR manages through the watch topics the focused effort uh for specific vulnerabilities that meet a specific criteria does the application support assess only so the assess only packages they are on the road map at this point they are uh they're not in the current offering that we have 
it is configurable to modify the workflow to just end the package after the assess step and forego that that that final ATO authorization for G St 5 but that's that would require configuration and but that is on the road map to be added in in future can we Implement service now on premise or do we have to use the cloud model if we have to use the cloud model what is the difference between commercial and gov Cloud I noticed that one agency uses a commercial Cloud instead of gov cloud so what are the benefits to use the gov Cloud thank you well service now can definitely be deployed on site as opposed to in the cloud that there we have customers that have uh classified environments and more more sensitive areas where they require on Prem deployments we definitely support that as uh as far as the the uh the differences between gov cloud and the commercial Cloud I would uh I I I would refer you to our field security team for that they'll be able to provide a more uh a more detailed answer and response given an indicator template is associated to a control objective is there an approval process before an indicator temp template can be published resulting in the creation of n number of indicators for n number of control records the concern being a significant amount of work Andor resources could be committed by the publishing of one indicator template uh yes the uh I I could see how the indicator explosion could happen there for creating the indicator there is not really a review and approval workflow for creating those that's a workflow that could be put together in flow designer to uh require that review and approval gate prior to U deployment okay and we've got one last one uh you mentioned getting a best remediation feed from Microsoft and red hat we get that currently from scanner is there a way to see them side by side uh yes absolutely um the the Microsoft and red hat feeds go into a common table for Solutions and we can also take um information from the scanners 
themselves solution information and put it all together so that um you probably didn't see it in the quick demo that I did but in the solution content um you you can have content from a scanner and from other sources that you you may subscribe to or want to kind of feed into that and then see that all kind of side by side um with a given vulnerability um you know when you're going to make remediation decision so it's definitely possible to do that okay do we have any more questions it looks like that may have been our last one so I can go ahead and close us out thank you everyone I'd like to thank all of our participants as well as our speakers for being with us today we hope the information you received this webinar has been helpful if you have any further questions or you would like to request more information please feel free to reach out thank you again and have a great day everyone
https://www.youtube.com/watch?v=JgLqtam7mFQ