Wiz is excited to announce its new integration with ServiceNow Vulnerability Response (VR), creating a combined vulnerability management workflow that eliminates blind spots and prioritizes risks.
Analysis Summary
# Best Practices: Cloud Vulnerability Management and Remediation Workflow
## Overview
These practices focus on establishing an efficient, end-to-end vulnerability management workflow, particularly for cloud environments, by ensuring full visibility, implementing risk-based prioritization, and seamlessly integrating detection tools with existing remediation systems (like ServiceNow Vulnerability Response).
## Key Recommendations
### Immediate Actions
1. **Deploy Agentless Asset Discovery:** Immediately deploy an agentless scanning solution (like Wiz) to gain comprehensive visibility across all cloud resources (VMs, containers, serverless functions) without impacting business operations.
2. **Establish Core Integration:** Integrate the vulnerability detection tool (Wiz) with the primary ticketing and workflow system (ServiceNow VR) to begin centralizing findings.
3. **Verify CMDB Synchronization:** Ensure that asset data discovered by the scanner is correctly matched and synced with the existing Configuration Management Database (CMDB) records within the remediation platform.
### Short-term Improvements (1-3 months)
1. **Implement Toxic Combination Prioritization:** Configure the prioritization engine to surface vulnerabilities that represent "toxic combinations" of risk factors (e.g., a high-severity vulnerability on an internet-exposed host that also possesses high permissions or exposed secrets).
2. **Automate Data Ingestion:** Fully automate the ingestion of vulnerability data, remediation recommendations, severity scores (CVE/Exploitability), and asset context directly from the scanner into the remediation platform's Vulnerability Items (VI).
3. **Define Initial Remediation Workflows:** Establish initial automated workflows within the remediation platform to assign VIs based on asset ownership or risk score, routing them to appropriate IT/Security teams.
### Long-term Strategy (3+ months)
1. **Mature Risk-Based Triage:** Shift from relying solely on CVE severity to a context-aware prioritization model that incorporates all known risk factors (exposure, permissions, secrets) to ensure security resources focus on exploitable risks first.
2. **Achieve End-to-End Automation:** Optimize the end-to-end workflow, maximizing automation capabilities within the workflow platform (Now Platform) to streamline ticket creation, status updates, verification, and closure, minimizing manual handoffs.
3. **Conduct Regular Coverage Audits:** Periodically review asset coverage reports to ensure the agentless scanning solution maintains visibility across all new and existing cloud resources to eliminate security holes arising from shadow IT or new deployments.
## Implementation Guidance
### For Small Organizations
- Focus initially on integrating the scanner with the ticketing system for *visibility* and basic assignment.
- Prioritize patching based on known internet exposure immediately, as resources are limited.
- Leverage the built-in remediation advice provided by the scanner directly within the ticket.
### For Medium Organizations
- Dedicate resources to ensure accurate CMDB matching for accurate assignment and SLA tracking.
- Implement defined workflows for the top 10 most common "toxic combinations" discovered.
- Establish baseline performance metrics for Mean Time to Remediate (MTTR) based on prioritized data.
### For Large Enterprises
- Implement comprehensive role-based access controls (RBAC) within the workflow platform for vulnerability assignment and ticket management.
- Build custom dashboards and reports that give executive leadership visibility into prioritized risk reduction over time.
- Integrate vulnerability data findings with broader security analytics or threat intelligence systems for advanced context.
## Configuration Examples
*The source does not give explicit configuration; the principle is a data synchronization workflow between the two platforms:*
**Source (Wiz):** Exports/Pushes data fields including `Vulnerability_ID`, `CVE_Score`, `Exploitability_Score`, `Cloud_Asset_ID`, `Internet_Exposure_Flag`, `Secret_Exposure_Flag`, `Remediation_Steps`.
**Destination (ServiceNow VR):** Maps these fields to create/update `Vulnerability Item` records and uses `Cloud_Asset_ID` to link to the correct entry in the `CMDB`.
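The following is an added example, not code from Wiz or ServiceNow, that shows the two ideas above working together: findings shaped like the exported fields listed under **Source** are scored with the toxic-combination rule (internet exposure plus exploitable severity, high privileges or exposed secrets) instead of raw CVE severity, then mapped onto Vulnerability Item records and linked to a CMDB entry by `Cloud_Asset_ID`. The `High_Privilege_Flag` field, the CMDB columns, the VI keys, the score thresholds and the `vuln-triage` fallback group are assumptions made for the example; the findings and CMDB rows are constructed.

```python
"""Toy Wiz -> ServiceNow VR synchronization (added example, not vendor code).

Input: findings with the field names the page lists for the Wiz export.
Output: Vulnerability Item (VI) dictionaries with a context-aware priority,
a CMDB link, and an assignment group, ordered so P1 items come first.
High_Privilege_Flag, the CMDB layout, the VI keys and the thresholds are
assumptions for this example.
"""

# Constructed findings in the shape the page lists for the Wiz export.
WIZ_FINDINGS = [
    {"Vulnerability_ID": "wiz-0001", "CVE_Score": 9.8, "Exploitability_Score": 3.9,
     "Cloud_Asset_ID": "i-0abc", "Internet_Exposure_Flag": True,
     "Secret_Exposure_Flag": True, "High_Privilege_Flag": False,
     "Remediation_Steps": "Upgrade openssl to the patched package."},
    {"Vulnerability_ID": "wiz-0002", "CVE_Score": 9.8, "Exploitability_Score": 3.9,
     "Cloud_Asset_ID": "i-0def", "Internet_Exposure_Flag": False,
     "Secret_Exposure_Flag": False, "High_Privilege_Flag": False,
     "Remediation_Steps": "Upgrade openssl to the patched package."},
    {"Vulnerability_ID": "wiz-0003", "CVE_Score": 5.3, "Exploitability_Score": 2.8,
     "Cloud_Asset_ID": "pod-77", "Internet_Exposure_Flag": True,
     "Secret_Exposure_Flag": False, "High_Privilege_Flag": True,
     "Remediation_Steps": "Rebuild the image from the patched base image."},
    {"Vulnerability_ID": "wiz-0004", "CVE_Score": 7.5, "Exploitability_Score": 3.9,
     "Cloud_Asset_ID": "fn-unknown", "Internet_Exposure_Flag": True,
     "Secret_Exposure_Flag": False, "High_Privilege_Flag": False,
     "Remediation_Steps": "Bump the runtime version."},
]

# Constructed CMDB: Cloud_Asset_ID -> (sys_id, owning assignment group).
CMDB = {
    "i-0abc": ("sys_a1", "platform-linux"),
    "i-0def": ("sys_b2", "platform-linux"),
    "pod-77": ("sys_c3", "k8s-sre"),
}

TRIAGE_QUEUE = "vuln-triage"  # assumed fallback group when no CMDB match exists


def toxic_priority(f: dict) -> str:
    """Context-aware priority instead of raw CVE severity.

    A finding is a toxic combination when the asset is internet exposed AND
    either the CVE is severe and exploitable, or the asset carries high
    privileges or exposed secrets. Thresholds are assumptions for the example.
    """
    exposed = f["Internet_Exposure_Flag"]
    blast_radius = f["Secret_Exposure_Flag"] or f["High_Privilege_Flag"]
    severe = f["CVE_Score"] >= 7.0 and f["Exploitability_Score"] >= 3.0
    if exposed and (severe or blast_radius):
        return "P1"          # toxic combination: fix first
    if severe or blast_radius:
        return "P2"          # serious, but not reachable from the internet
    if f["CVE_Score"] >= 7.0:
        return "P3"          # high CVSS, low exploitability, no context risk
    return "P4"


def to_vulnerability_item(f: dict) -> dict:
    """Map one Wiz finding onto a VI record and link it to the CMDB entry."""
    sys_id, group = CMDB.get(f["Cloud_Asset_ID"], (None, TRIAGE_QUEUE))
    return {
        "vulnerability": f["Vulnerability_ID"],
        "cmdb_ci": sys_id,                  # None means the CMDB match failed
        "assignment_group": group,
        "priority": toxic_priority(f),
        "cve_score": f["CVE_Score"],
        "exploitability": f["Exploitability_Score"],
        "remediation": f["Remediation_Steps"],
        "needs_cmdb_review": sys_id is None,  # surfaces the sync-gap pitfall
    }


def sync(findings: list) -> list:
    """Produce VIs ordered so the remediation platform sees P1 first."""
    items = [to_vulnerability_item(f) for f in findings]
    return sorted(items, key=lambda vi: vi["priority"])


if __name__ == "__main__":
    for vi in sync(WIZ_FINDINGS):
        print(vi["priority"], vi["vulnerability"], vi["assignment_group"],
              vi["cmdb_ci"], "REVIEW" if vi["needs_cmdb_review"] else "")
```

Note that `wiz-0001` and `wiz-0002` carry the same CVSS 9.8 score, yet only the internet-exposed one with an exposed secret lands in P1; the unmatched `fn-unknown` asset is routed to the triage queue with `needs_cmdb_review` set rather than silently dropped, which is the check the CMDB synchronization step above is meant to enforce.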
## Compliance Alignment
- **NIST CSF:** Identify (ID.RA Risk Assessment), Protect (PR.IP Vulnerability Management), Detect (DE.CM Content Monitoring), Respond (RS.RP Incident Response Planning).
- **ISO 27001/27002:** A.12.6.1 (Management of technical vulnerabilities).
## Common Pitfalls to Avoid
- **Ignoring Context:** Prioritizing solely on raw CVE scores without factoring in asset context (e.g., internet exposure, sensitive data involvement).
- **Siloed Remediation:** Failing to integrate detection findings with IT operations leaves vulnerabilities sitting in a security-tool backlog instead of entering the IT repair pipeline.
- **Agent Dependency:** Relying exclusively on security agents, as they can suffer from coverage gaps in dynamic cloud/container environments.
## Resources
- **Vulnerability Detection Platform:** Wiz (for agentless cloud scanning and context gathering).
- **Workflow/Remediation Platform:** ServiceNow Vulnerability Response (VR).
- **Integration Component:** Wiz Integration for Security Operations app (available on the ServiceNow store).