You can’t fix what you can’t see.
The Challenge.
In today’s threat landscape, unpatched vulnerabilities pose a significant threat to an organisation. So, promptly addressing security vulnerabilities by enacting a remediation process is crucial to maintaining a secure IT environment.
One thing that has not changed is the growth in the number and velocity of threats, often amplified by a workforce that continues to work remotely after the COVID pandemic, creating a much larger surface area to protect.
No organisation, not even the best, ever manages to completely get rid of every security issue. The most effective organisations are those that focus their efforts on fixing those issues that they consider critical, addressing them in order of priority.
Team collaboration
In a larger organisation, the Security team typically have the responsibility of finding and prioritising security issues. The responsibilities of the broader IT Team, although distinct, will be interconnected, working with the security team to protect and manage the network infrastructure, i.e. fixing security and other issues. This IT Team generally use a ticketing system (ITSM) to define and prioritise regular maintenance, user support, troubleshooting issues, etc.
In summary, the IT Team focuses on the day-to-day management and functionality of the organisation’s tech infrastructure, while the security team concentrates on safeguarding that infrastructure from potential threats and ensuring compliance with security policies and regulations.
The collaboration between these two teams is essential for maintaining a strong and resilient cybersecurity posture within the organisation. In most organisations, the most effective way for the security team to communicate what needs to be done by the IT Team, is to create tickets.
Recommended reading: Brinqa Risk Based Vulnerability Management for Enterprise Organisations.
First, let’s understand the problem.
It is tempting to jump straight from vulnerability discovery to ticket creation, but in working with our customers we have identified six stages, listed below, that make up a complete ticket creation process.
These six steps are critical regardless of the tools used to find the vulnerabilities or to create the tickets.
Step 1 – Prioritise
Prioritise the vulnerabilities using some form of “business risk” (something better than CVSS).
Step 2 – Filter to focus on top priorities
Creating tickets for all security issues isn’t viable or politically sensible, so you are going to want to apply a filter based on the priority you have from Step 1.
You also want to filter for issues for which you know a fix is available. As a security team, you care about all issues, but the remediation teams (on the other end of the ticket) only care about things that they can action.
Step 3 – Aggregate vulnerabilities together based on how the remediation teams want them
If you have worked out the top 1,000 vulnerabilities that you want remediated, you could create 1,000 tickets, one per vulnerability. This doesn’t represent the work needed by the remediation team.
If, within those 1,000 vulnerabilities, there were a number of patch Tuesday issues with Windows, then it may only be 250 patches that need to be applied.
It is also common to have different teams doing different things that want tickets differently. Windows workstations may want to be aggregated one way, Windows servers another, Linux another and Java another.
Step 4 – Allocate the ticket to the right person
Who to allocate a ticket to is often more complex than it initially seems. It is very common for different technology teams (Windows, Linux, Cisco, etc.) to be organised in different ways and have different work allocation rules.
You will probably want to reference a CMDB and several other internal data sources to determine the correct owner.
Step 5 – Agree a fix SLA
An SLA needs to be agreed upon between the security team, who create the tickets, and the teams who will fix them. Something like “Anything above a priority 9.5 needs to be fixed within 5 working days, 8.0-9.5 is 10 days …”.
Step 6 – Verify remediation
Verify that remediation has actually occurred. When the team remediates the issue, they flag the ticket as “remediated not validated”. This would cause a rescan of the asset. If the problem has gone away, then the ticket is moved to “remediated”. If the problem still exists (say the server has not been rebooted), then the ticket is moved back a step for further work.
This is actually very complex where a single ticket represents several vulnerabilities and/or several patches. Imagine the situation where one ticket represents 100 vulnerabilities from a Windows Patch Tuesday event. If only part of that update is applied, then some of the vulnerabilities are remediated and others are not, so the ticket cannot simply be closed on the remediation team's say-so.
Once all of this is automated, you can focus on ensuring that people are doing what they should, i.e. remediating issues within the agreed SLA.
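The six steps above, worked through as a small pipeline. This is an added illustration, not Brinqa's, Tenable's or ServiceNow's code; the findings, the CMDB mapping, the aggregation rules and the "constructed" team names are all made up for the example, and the SLA bands are the ones quoted in Step 5. Note how Step 6 keeps a multi-finding ticket open when the rescan shows only part of the patch landed.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample findings, one row per asset/vulnerability pair. "risk" is the
# business-risk score supplied by the prioritisation tool (Step 1 input), not raw CVSS.
FINDINGS = [
    {"id": "F1", "asset": "win-srv-01", "platform": "windows-server", "patch": "KB-A", "risk": 9.7, "fix": True},
    {"id": "F2", "asset": "win-srv-01", "platform": "windows-server", "patch": "KB-A", "risk": 8.4, "fix": True},
    {"id": "F3", "asset": "win-ws-07", "platform": "windows-workstation", "patch": "KB-A", "risk": 9.1, "fix": True},
    {"id": "F4", "asset": "lnx-db-02", "platform": "linux", "patch": "openssl-3.0.x", "risk": 9.6, "fix": True},
    {"id": "F5", "asset": "lnx-db-02", "platform": "linux", "patch": None, "risk": 9.9, "fix": False},
    {"id": "F6", "asset": "win-ws-07", "platform": "windows-workstation", "patch": "KB-B", "risk": 6.2, "fix": True},
]
CMDB = {"win-srv-01": "wintel-servers", "win-ws-07": "desktop-support", "lnx-db-02": "unix-dba"}  # constructed
OPENED = date(2024, 6, 3)  # a Monday, so the working-day SLA arithmetic is easy to follow

def prioritise(findings):  # Step 1: highest business risk first
    return sorted(findings, key=lambda f: f["risk"], reverse=True)

def filter_actionable(findings, threshold=8.0):  # Step 2: above the bar AND a fix exists
    return [f for f in findings if f["risk"] >= threshold and f["fix"]]

def aggregate(findings):  # Step 3: group the way each remediation team actually works
    groups = defaultdict(list)
    for f in findings:
        # workstations: one fleet-wide ticket per patch; servers and others: per asset per patch
        scope = "fleet" if f["platform"] == "windows-workstation" else f["asset"]
        groups[(f["platform"], f["patch"], scope)].append(f)
    return groups

def working_days_after(start, n):  # Step 5 helper: count forward, skipping weekends
    while n > 0:
        start += timedelta(days=1)
        if start.weekday() < 5:
            n -= 1
    return start

def build_tickets(findings=FINDINGS, opened=OPENED):
    tickets = []
    for (platform, patch, scope), grp in aggregate(filter_actionable(prioritise(findings))).items():
        worst = max(f["risk"] for f in grp)                     # ticket inherits its worst finding
        owner = CMDB.get(grp[0]["asset"], "unassigned-triage")  # Step 4: CMDB lookup with fallback
        days = 5 if worst > 9.5 else 10                         # Step 5: >9.5 -> 5 days, 8.0-9.5 -> 10
        tickets.append({"platform": platform, "patch": patch, "scope": scope, "owner": owner,
                        "risk": worst, "findings": {f["id"] for f in grp},
                        "due": working_days_after(opened, days), "state": "open"})
    return tickets

def verify(ticket, still_open_after_rescan):  # Step 6: close only when every finding is gone
    ticket["outstanding"] = ticket["findings"] & still_open_after_rescan
    ticket["state"] = "remediated" if not ticket["outstanding"] else "open"  # partial patch goes back
    return ticket
```

With the sample data this yields three tickets from four actionable findings (F5 has no fix, F6 is below the bar); the two KB-A findings on win-srv-01 collapse into one ticket, and a rescan that still sees F2 sends that ticket back to "open" with F2 listed as outstanding.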
Recommended reading: 8 best practice steps for effective Vulnerability Lifecycle Management.
The Solutions
There are four broad ways of building a system that delivers some or all of the six capabilities discussed above:
- Build something in-house.
- Use ServiceNow’s Security Operations or Vulnerability Response modules.
- Use Tenable’s “Service Graph Connector for Tenable for Assets”.
- Use a 3rd party solution.
Each one has its own positives and negatives.
In-House build
- You can build any functionality that you want.
- Has a very high TCO and a long delay before it delivers value.
ServiceNow’s module
- Needs to be purchased
- Flexible
- It doesn’t deliver many of the six items out of the box, but with configuration it can.
- Most ServiceNow development teams have a lot on already and, therefore, a long lead time for new requirements.
Tenable’s Module
- Just syncs “findings” data into ServiceNow and creates tickets on a one-for-one basis.
- Misses many of the other six points.
- Does automatic ticket closure. This is easy because one finding = one ticket, as there is no aggregation.
- Check out our Tenable products.
Use a 3rd Party Tool
- We would recommend Brinqa for this.
- It delivers on all six points.
- It is very configurable without writing code.
- It integrates with 150+ other security tools that you may have: https://www.brinqa.com/connectors/
- It delivers reporting across all of your cybersecurity tools.
Recommended reading: Assess your security Posture with our Security Maturity Model.
Next steps
In order to remain one step ahead of attackers, it’s important to audit your security posture regularly, especially if you have seen a surge in attacks in your industry.
It’s better that you know your weak spots before a hacker does. If you want help to understand how to address your vulnerabilities, book a free consultation.