Could Your Team Achieve Ideal State Vulnerability Management?


For several years now, Information Security visionaries have been recommending Vulnerability Management (VM) as a key component of a modern security practice. There are a number of great VM tools out there to automate scanning, compare results against the National Vulnerability Database (NVD), and identify which devices (servers, networking devices, user laptops, etc.) need to be reconfigured or patched to reduce their attack surface.

However, organizations still struggle to get traction remediating vulnerabilities, namely due to the sheer volume (think hundreds of thousands of items). Security personnel have to categorize and prioritize these, then identify the support team to manage the most critical systems, who then conduct a back-and-forth conversation about what’s needed and when it will get done. It’s an overwhelming task, often resulting in frustration for everyone and unnecessary exposure for the company. Luckily, there is a better way.


The First Step is Defining What “Good” Looks Like

Ideal state Vulnerability Management looks like this:

  • Your chosen vulnerability scanner (Rapid7, Qualys, Tenable, etc.) scans and finds a vulnerable item in your environment. The vulnerability is linked to an NVD record for information and a severity rating.
  • The vulnerability scanner automatically links the discovered item to a device in your CMDB, so you know what application or service this vulnerable device is part of and who supports it.
  • A work ticket is opened and automatically assigned to the CORRECT support team.
  • The support team investigates and selects one of three paths:
    1. Accept the item, and schedule a change to patch or repair the configuration
    2. Report the item as a “false positive”
    3. Apply for an exception if for some reason they cannot repair the vulnerability
  • Exceptions and false positives go through the appropriate review and approval processes.
  • The vulnerability is closed, in as little time as possible.
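The workflow above, reduced to its routing and state logic as an added Python illustration (not code from this post or from any scanner or ServiceNow product): findings are joined to a CMDB record, assigned to that record's support group with a priority derived from CVSS and environment, and then walked through the accept / false-positive / exception paths. The findings, the CMDB extract, the environment weighting, the group names and the state names are all constructed assumptions.

```python
from dataclasses import dataclass
# Constructed sample input: scanner findings (placeholder CVE ids) and a hand-built CMDB extract.
FINDINGS = [
    {"host": "web01", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"host": "lab07", "cve": "CVE-0000-0002", "cvss": 5.3},
    {"host": "ghost9", "cve": "CVE-0000-0003", "cvss": 7.5},  # no CMDB record
]
CMDB = {
    "web01": {"app": "Customer Portal", "env": "production", "support_group": "Web Platform"},
    "lab07": {"app": "QA Sandbox", "env": "non-prod", "support_group": "QA Infra"},
}
ENV_PENALTY = {"production": 0, "non-prod": 1}  # assumed weighting; unknown env = non-prod

def priority(cvss, env):
    """1 (highest) to 4 from the CVSS base score, demoted one step outside production."""
    base = 1 if cvss >= 9.0 else 2 if cvss >= 7.0 else 3 if cvss >= 4.0 else 4
    return min(4, base + ENV_PENALTY.get(env, 1))

@dataclass
class Ticket:
    host: str
    cve: str
    assignment_group: str
    priority: int
    state: str = "open"
    approved_by: str = ""

def open_ticket(finding):
    """Join a finding to its CMDB item and assign the ticket to that item's support group."""
    ci = CMDB.get(finding["host"])
    if ci is None:  # unmatched host: route to the VM admin to reconcile, never guess an owner
        return Ticket(finding["host"], finding["cve"], "Vulnerability Admin", priority(finding["cvss"], "unknown"))
    return Ticket(finding["host"], finding["cve"], ci["support_group"], priority(finding["cvss"], ci["env"]))

TRANSITIONS = {  # the three support-team paths, plus review/approval for the last two
    ("open", "accept"): "scheduled", ("scheduled", "remediated"): "closed",
    ("open", "false_positive"): "pending_review", ("open", "exception"): "pending_review",
    ("pending_review", "approve"): "closed", ("pending_review", "reject"): "open",
}

def transition(ticket, action, approver=None):  # one workflow step; review closure needs an approver
    new_state = TRANSITIONS.get((ticket.state, action))
    if new_state is None:
        raise ValueError(f"'{action}' not allowed from state '{ticket.state}'")
    if action == "approve":
        if not approver: raise ValueError("exception / false-positive closure needs a named approver")
        ticket.approved_by = approver
    ticket.state = new_state
    return ticket
```

A host the scanner sees but the CMDB does not know is the case that usually stalls the back-and-forth, so it is routed to the vulnerability administrator for CMDB reconciliation rather than to a guessed owner.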


What Makes This Ideal?
  • Vulnerable items are automatically assigned to the right team, eliminating any back-and-forth
  • Priorities become clear (critical systems, production, non-prod, etc.)
  • IT Management has access to the full state of vulnerabilities: where they are, who’s responsible, and how long they’ve been pending
  • The Vulnerability Administrator can focus on optimizing their tool, rather than trying to find the right people to fix “that server that is 6 patches behind!”


The Move into Vulnerability Response

Rather than adding another security tool that the CIO and executive leadership can’t understand, you’ve elevated the conversation to how InfoSec is delivering real value—answering questions like “Why do our developers spend so much time patching?”, “Can we harden server images / avoid common software flaws?”, “Isn’t it time to migrate that old legacy system?” and so on.

This moves us beyond “Vulnerability Management” into “Vulnerability RESPONSE”. This is true visibility into your security operations, and makes the InfoSec team truly a part of IT!

ServiceNow allows you to achieve this ideal state of Vulnerability Response. The integration with ServiceNow leverages your investment in CMDB and Service Mapping, allowing fast closure of security weaknesses with full transparency and auditability.

Better security, with more clarity and less wasted time? Now that’s ideal.




Greg Handrick

Security Capability Leader, AERITAE