• Poornachander Kola

The three musketeers: Vulnerability management, Patch management & ServiceNow

Companies will never be 100% immune to cyberattacks. But by having a realistic view of the basics, start with endpoint vulnerabilities, to build a safer future.

The nature of attacks is persistent and rapidly changing, preparing an adequate defense is like chasing smoke in water. Organizations struggle to take care of their most vulnerable area, the endpoint. Regular software updates and maintaining current versions, compliant security configurations across all systems require significant resources and diligence, and security hygiene sometimes gets sacrificed on the long list of IT priorities with teams.

To help organizations shore up their endpoints, a number of vendors have created software to automatically detect system vulnerabilities. These offerings typically fall under the "vulnerability management" category and provide a necessary first step. Proactively scanning endpoints and pinpointing vulnerabilities for teams alleviates a lot of the resource drain associated with endpoint management. But this is only a step, not a complete solution.

According to recent research that tracked more than 316 million security incidents, it takes companies an average of 38 days to patch a vulnerability. More than a month to fix a problem after it has been identified. This is unacceptable given the potential impact and the amount of money pouring into security today.

Vulnerability Databases

National Vulnerability Database (NVD)

The National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data.The NVD is a good source for open source vulnerability data which has an average 27-day reporting gap. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.

CVE (Common Vulnerabilities and Exposures)

The CVE (Common Vulnerabilities and Exposures) list was designed by MITRE in 1999. The CVE reference system reserves each publicly disclosed security vulnerability a CVE identification number. Those IDs are then provided to researchers, vulnerability disclosers, and information technology vendors.

The NVD is built on and synchronized with the CVE list, so any updates to CVE should eventually appear in the NVD.


For decades, the VulDB specialists have coordinated with large and independent information security communities to compile a searchable database of over 124,000 CVEs. Scores of new entries are added on a regular basis and scored (e.g., low, medium, high) based on the severity of the disclosed exploit.


MITRE is a US government-sponsored organization that manages federally funded research and development centers (FFRDC). Its website emphasizes commercial publications and information related to their FFRDCs such as the National Cybersecurity program. It also maintains one of the biggest and widely referenced CVE databases currently available, searchable by the public.

Patching vs Vulnerability Management

Vulnerability scanning identifies and forms an inventory of all systems connected to a network. This includes printers, switches, firewalls, containers, virtual machines, laptops, desktops, and servers. For each identified device, it also attempts to recognize the software installed on it and the operating system it runs. This also includes other aspects such as user accounts and open ports.

Furthermore, it is a security method used to detect and identify weaknesses in the IT systems. A scan may be done by a business’ IT team or a security service provider as a condition instructed by an authority.Patch management is the process of managing a business’ network of computers by installing and applying, in a timely manner, all missing patches to ensure that these computers are up to date.

Vulnerability scanning is performed to identify threats and vulnerabilities. When identification is done, the remediation path should be pursued and that’s where patching vulnerabilities come in. An organization gets updates and advisory on the patches from the vendors of the vulnerable software or hardware. All vulnerabilities or the affected areas of the network should be patched to remain up-to-date and safe from risks and attacks.

Keeping up with the Challenges

The biggest vulnerability management challenges facing the organizations are,

1. Tracking vulnerability and patch management over time. Organizations find it difficult to manage processes from vulnerability scanning, to trouble ticketing, to change management, to patching, to incident closure. These processes require co-operation between security and IT operations teams.

2. Patching vulnerabilities on time every time. Large enterprises have thousands or even tens of thousands of unpatched vulnerabilities at any point in time.

3. Tracking the cost and effectiveness of their vulnerability management program. With every increasing security budgets and CFOs looking to reduce budgets, they want some reasonable metrics around what they are getting for their money.

4. Keeping up with the volume of vulnerabilities.

ServiceNow for rescue

The ServiceNow Vulnerability Response application imports and automatically groups vulnerable items according to group rules allowing you to remediate vulnerabilities quickly. Vulnerability data is pulled from internal and external sources, such as the National Vulnerability Database (NVD) or third-party integrations.

For example, create conditions to spontaneously group all items with specific vulnerabilities, departments, locations, and any other data related to the vulnerability. Vulnerable items can belong to more than one vulnerability group giving you the elasticity to actively work with one group and monitor another depending organizational requirements

The ServiceNow® Vulnerability Response application helps organization in,

  • Comparing vulnerability data pulled from internal and external sources.

  • Create change requests and security incidents using vulnerability groups to remediate issues and mitigate risk.

We all know that precarious conditions are ahead, which is why it is now time for companies to sustain and even increase their spending on cybersecurity, where the return is seen by that expenditure. Effective control and collaboration within your value chain, while improving business continuity and resilience, reduces risk and overall costs. Those who now make considered financial decisions will be heading through the skid and staying ahead of the curve as they emerge into the new reality and well beyond.

7 views0 comments