As ransomware continues to be a persistent threat to all industry verticals, ServiceNow® has the capabilities to help customers minimize their attack surface to avoid exploitation and quickly respond to a ransomware breach if needed.
In many organizations, manual processes slow vulnerability management teams down because there are too many vulnerabilities to deal with and not enough business context to know which systems to patch first. Attackers do not need to wait for the dreaded zero-day: known, already-published vulnerabilities are enough. In a ransomware attack successfully executed by the DarkSide RaaS group in May 2021 that targeted national infrastructure, DarkSide exploited two existing vulnerabilities: CVE-2021-20016 was used in the initial attack to gain access, and CVE-2020-1472 was used to elevate to privileged access. These vulnerabilities were published as “Critical” by the National Vulnerability Database (NVD) in February 2021 and August 2020 respectively.
By making vulnerability management more automated and risk-driven, ServiceNow can help create efficiency and focus to reduce the presence of vulnerabilities. ServiceNow Vulnerability Response helps customers streamline vulnerability remediation tasks through automated prioritization, assignment, grouping, and advanced analytics. It connects to existing tools and structured data ingested via out-of-the-box (OOB), pre-built integrations with many of the major vulnerability scan vendors, including Tenable, Qualys, Rapid7, and others (see store.servicenow.com to download). Having this structured data from the scanner gives organizations the ability to automate remediation processes using risk multipliers beyond the basic CVSS score, such as exploitability, date published, attack vector, and more. Combining these risk multipliers with information about the system in the ServiceNow CMDB, including business criticality, whether or not the system processes regulated PCI or PII data, external accessibility (Internet-facing hosts), and more, allows Vulnerability Response to score risk in a flexible way that matches your organizational environment, context, and posture. The product’s workflows transform each vulnerability into a task for remediation, auto-prioritize the tasks based on these scores, automatically assign them for more efficient remediation, and, when possible, provide the solution based on the vendor’s recommendations.
With ServiceNow’s ability to use data from the vulnerability scanner alongside native CMDB data, the remediation tasks for each of the vulnerabilities used by DarkSide could have hit a critical priority status well before a breach. Pre-defined, no-code automation could have automatically prioritized, assigned, and grouped all vulnerabilities with the following criteria:
Both of the vulnerabilities used by DarkSide met these criteria. These vulnerabilities, and vulnerabilities like them, can be expedited and correctly assigned to authorized IT owners for immediate remediation using ServiceNow when customer-defined risk criteria are clearly stated and acted upon.
Furthermore, standard ServiceNow functionality allows the vulnerability management team to automate other activities as well. Remediation targets (also called SLAs, or “service level agreements”) can be automatically linked to each vulnerability, and the vulnerability manager can track remediation success along the way. Notifications can also go out when vulnerabilities are not remediated on time. Finally, out-of-the-box reporting and dashboarding provide visibility and insight into the health of the vulnerability management program, which is critical in reducing the attack surface, from an enterprise perspective all the way down to a single vulnerability on a single host.
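To make the risk-driven prioritization described above concrete, here is a small worked example. It is added for illustration and is not ServiceNow's code or its scoring formula; the weights, multipliers, priority thresholds, CVSS values, dates and asset records are all constructed assumptions that mirror the factors the text names (CVSS base score, exploitability, publication date, attack vector, and CMDB context such as business criticality, regulated data and Internet exposure). The two DarkSide CVEs from the text are used as sample records alongside a placeholder low-risk finding.

```python
"""Illustrative risk-based vulnerability prioritization (added example).

Not ServiceNow's implementation: every multiplier, threshold and sample
value below is a constructed assumption chosen to show how scanner data
and CMDB context can be combined into one remediation priority.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Vulnerability:
    cve: str
    cvss: float             # NVD base score, 0-10 (sample values constructed)
    exploit_available: bool  # exploitability signal from the scanner feed
    published: date          # date published by NVD (approximate, constructed)
    network_vector: bool     # CVSS attack vector = Network


@dataclass
class Asset:
    name: str
    business_criticality: int  # CMDB attribute: 1 (low) .. 3 (high)
    regulated_data: bool       # processes PCI or PII data
    internet_facing: bool      # externally accessible host


@dataclass
class Finding:
    vuln: Vulnerability
    asset: Asset


def risk_score(f: Finding, today: date) -> float:
    """Start from CVSS and apply risk multipliers plus asset context."""
    score = f.vuln.cvss * 10.0            # baseline: CVSS scaled to 0..100
    # Risk multipliers beyond CVSS (assumed values)
    if f.vuln.exploit_available:
        score *= 1.25
    if f.vuln.network_vector:
        score *= 1.10
    if (today - f.vuln.published).days > 90:   # long-published, widely known
        score *= 1.10
    # CMDB context about the affected system (assumed values)
    score *= {1: 0.8, 2: 1.0, 3: 1.2}[f.asset.business_criticality]
    if f.asset.regulated_data:
        score *= 1.15
    if f.asset.internet_facing:
        score *= 1.25
    return round(score, 1)


def priority(score: float) -> str:
    """Map a score to a remediation priority (thresholds are assumptions)."""
    if score >= 150:
        return "Critical"
    if score >= 100:
        return "High"
    if score >= 50:
        return "Moderate"
    return "Low"


def prioritize(findings, today: date):
    """Return (cve, asset, score, priority) tuples, highest risk first."""
    scored = sorted(((risk_score(f, today), f) for f in findings),
                    key=lambda pair: pair[0], reverse=True)
    return [(f.vuln.cve, f.asset.name, s, priority(s)) for s, f in scored]


def sample_findings():
    """Constructed sample data; CVSS values and dates are approximations."""
    sonicwall = Vulnerability("CVE-2021-20016", 9.8, True, date(2021, 2, 1), True)
    zerologon = Vulnerability("CVE-2020-1472", 10.0, True, date(2020, 8, 1), True)
    low = Vulnerability("CVE-XXXX-XXXXX (placeholder)", 5.3, False, date(2021, 4, 20), True)
    return [
        Finding(low, Asset("test-vm-07", 1, False, False)),
        Finding(sonicwall, Asset("vpn-gateway-01", 3, False, True)),
        Finding(zerologon, Asset("dc-01", 3, True, False)),
    ]


if __name__ == "__main__":
    for row in prioritize(sample_findings(), date(2021, 5, 7)):
        print(row)
```

Run as a script, it prints the three findings in descending risk order; both DarkSide CVEs land in the Critical band because exploitability, age and asset context compound on top of an already-critical CVSS score, while the placeholder finding on a low-criticality test VM stays Low even though its attack vector is Network.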
Vulnerabilities aren’t the only area where ServiceNow can help. Using the recent national infrastructure breach as an example, the attackers implemented multiple types of attacks to infiltrate the system, including brute force password attacks, phishing emails, and, once the initial malware payload was deployed, hosts beaconing out to command-and-control infrastructure prior to the hard drives being encrypted. ServiceNow® Security Incident Response allows customers to quickly respond to these types of security events in a few steps:
For example, a high maturity customer implemented a multilevel ransomware runbook with orchestration using ServiceNow Security Incident Response with the following:
All of these activities and security incidents are tracked as structured data within the ServiceNow platform. This allows for advanced trending and analytics, providing visibility into the health of the customer’s SOC program.
Finally, it is also important to note that each step of a ransomware attack from initial reconnaissance all the way through to data encryption and exfiltration can be mapped to the MITRE ATT&CK Enterprise Framework. Threat hunters can use the integration between MITRE ATT&CK and ServiceNow Security Incident Response to detect if their organization is under attack, where a bad actor is in the network, and what the appropriate response should be in order to break the attack chain. In addition, a heat map shows where there are coverage gaps that are most relevant and most high impact to address.
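The coverage-gap idea in the MITRE ATT&CK paragraph can be shown with a small worked example. This is an added illustration, not the ServiceNow integration or its heat map: the attack chain is the sequence of stages the text names for the DarkSide breach (exploiting a public-facing vulnerability, phishing, brute force, privilege escalation, C2 beaconing, encryption), mapped to the ATT&CK Enterprise technique IDs that correspond to those stages, and the detection inventory is a constructed assumption standing in for an organization's own rules.

```python
"""Illustrative ATT&CK coverage-gap check (added example).

Not ServiceNow code. The chain below maps the stages named in the text to
ATT&CK Enterprise technique IDs; the detection inventory is constructed.
"""
from collections import Counter

# Attack chain for the breach described in the text, in kill-chain order.
ATTACK_CHAIN = [
    ("Initial Access",        "T1190", "Exploit Public-Facing Application"),
    ("Initial Access",        "T1566", "Phishing"),
    ("Credential Access",     "T1110", "Brute Force"),
    ("Privilege Escalation",  "T1068", "Exploitation for Privilege Escalation"),
    ("Command and Control",   "T1071", "Application Layer Protocol"),
    ("Impact",                "T1486", "Data Encrypted for Impact"),
]

# Constructed detection inventory: rule name -> techniques it covers.
DETECTIONS = {
    "mail-gateway-phish-quarantine":  {"T1566"},
    "failed-logon-burst":             {"T1110"},
    "dns-beacon-periodicity":         {"T1071"},
    "proxy-known-c2-domains":         {"T1071"},
}


def heat_map(detections=DETECTIONS, chain=ATTACK_CHAIN):
    """Number of detections covering each technique in the chain (0 = gap)."""
    counts = Counter(t for techs in detections.values() for t in techs)
    return {tid: counts.get(tid, 0) for _, tid, _ in chain}


def coverage_gaps(detections=DETECTIONS, chain=ATTACK_CHAIN):
    """Techniques in the chain with no detection, earliest stage first.

    Earlier stages come first because breaking the chain there denies the
    attacker everything that follows.
    """
    covered = heat_map(detections, chain)
    return [(tactic, tid, name) for tactic, tid, name in chain if covered[tid] == 0]


def uncovered_tactics(detections=DETECTIONS, chain=ATTACK_CHAIN):
    """Tactics where *every* technique in the chain is uncovered."""
    gaps = {tid for _, tid, _ in coverage_gaps(detections, chain)}
    by_tactic = {}
    for tactic, tid, _ in chain:
        by_tactic.setdefault(tactic, []).append(tid in gaps)
    return [t for t, flags in by_tactic.items() if all(flags)]


if __name__ == "__main__":
    for tid, n in heat_map().items():
        print(f"{tid}: {n} detection(s)")
    for tactic, tid, name in coverage_gaps():
        print(f"GAP  {tactic:22} {tid}  {name}")
    print("tactics with no coverage at all:", uncovered_tactics())
```

With the constructed inventory the gaps are the exploitation of the public-facing application, the privilege-escalation exploit, and the encryption step; Initial Access is still partly covered through phishing detection, while Privilege Escalation and Impact have no coverage at all, which is the kind of finding a heat map surfaces for remediation.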
Ransomware has been around for a while. Its public success as a disruptor, not just a cash source, means it will get more dangerous: a recent Sophos survey found that the number of ransomware incidents had fallen slightly, but the cost and impact had risen dramatically. What’s more, organizations are realizing that no one is beneath the bad actors’ notice. When CISOs and other executives take a good, hard look at the state of their cybersecurity response, they may realize there are far more gaps than they imagined. Manual processes, swivel-chair incident management, and the inability to see and prioritize the truly critical vulnerabilities and security incidents slow response to a crawl. They provide plenty of time for exploitation and exfiltration. And they make it next to impossible to proactively manage the organization’s attack surface.
When organizations use automated tools and processes to enhance their security and vulnerability response, they gain visibility into how they can efficiently reduce their risk and the ability to execute the tasks quickly and comprehensively.
Learn more at servicenow.com/securityoperations
You can also view the ServiceNow infographic "What is Your Exposure to Ransomware" here