Tenable for ServiceNow

HOW-TO GUIDE

Copyright © 2016. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc. SecurityCenter Continuous View is a trademark of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.

Introduction

This document describes how to deploy Tenable SecurityCenter™ for integration with ServiceNow Security Operations. Please email any comments and suggestions to [email protected].

As the leader in IT Service Support Management (ITSSM), ServiceNow’s cloud platform and form-based workflow engine enables its customers to overcome the increasing challenges faced within IT service delivery. ServiceNow’s ability to automate the service management process through the use of a single system of record and automated workflow helps IT, operations, and business users increase efficiency and productivity, while lowering costs.

Tenable Network Security has partnered with ServiceNow to allow ServiceNow customers and partners the ability to leverage Tenable™ vulnerability data. Through the use of a custom Java application residing on a ServiceNow MID server, calls are made to SecurityCenter APIs to retrieve specific vulnerability data. The Tenable vulnerability data is then automatically imported into ServiceNow Security Operations allowing for enhanced visibility and context of the vulnerabilities within your organization. The result is a stronger security posture through improved workflows, reporting, and automated action.

Integration Requirements

The following are required in order to integrate SecurityCenter with ServiceNow Security Operations:

- ServiceNow subscription to Security Operations (Premium Option): http://www.servicenow.com/products/security-operations.html
- ServiceNow MID server installed and registered within your ServiceNow instance: http://wiki.servicenow.com/index.php?title=MID_Server_Configuration#gsc.tab=0
- Tenable for Security Operations application: https://store.servicenow.com
- SecurityCenter version 5.x or higher
- SecurityCenter “Security Manager” account dedicated to ServiceNow integration

To confirm your ServiceNow account has access to the ServiceNow Security Operations functions and that you have a valid subscription, log in to the ServiceNow console and verify that there is a “Vulnerability” menu option in the left-hand pane (see screenshot below). If there is no “Vulnerability” menu option, please contact your ServiceNow representative.


Integration Configuration

SecurityCenter Configuration

To create the dedicated “Security Manager” account, log in to SecurityCenter using a previously created administrator account, navigate to “Users”, and select “Users” from the drop-down menu.

Click “+Add” to create a new user.

Enter an account “Username” and “Password” (confirm password). Next, click the “Role” drop-down under the “Membership” section and select “Security Manager”. Click the “Organization” and select the organization the account is a member of. Click “Submit”.

ServiceNow Security Operations Configuration

To begin the ServiceNow configuration, browse to https://store.servicenow.com and search for and install the “Tenable for Security Operations” application.

A Tenable JAR file is installed on your ServiceNow MID server during the installation of the “Tenable for Security Operations” application. To verify the JAR file has been installed, navigate to “MID Server > JAR Files” in your ServiceNow console.

Once the “Tenable for Security Operations” application and Tenable JAR file are installed, navigate to “Tenable” in the left-hand pane of the ServiceNow console to expand the menu options.

Navigate to “Connection Settings” in the left-hand menu and click “New” to add a connection to your SecurityCenter.

Enter the information for each field on the “Connection Settings” screen (see screenshot below). Refer to “Table 1 – Connection Settings Configuration” below for details of each field.

Click the “MID Server” drop-down and select the MID server used to connect to SecurityCenter. The “MID Server Record Size” is set to “500” by default. Depending on your Internet connection, this value may need to be lowered to allow the SecurityCenter data to be transferred to ServiceNow in smaller record sets.

To verify the connection settings to SecurityCenter are correct, click the “Test Connection” button. A notification stating “MID Server contacted Tenable SecurityCenter at (Tenable Address)” will be displayed if the connection is established. If the connection cannot be established it will display a “MID Server Failed to connect host at (Tenable Address)” message.

If the connection is successful, click the “Submit” button (highlighted below).

Table 1 – Connection Settings Configuration

| Connection Settings Options | Description |
|---|---|
| Name | Enter a descriptive name for the SecurityCenter connection |
| Host | IP address or DNS name of the SecurityCenter instance |
| Port | TCP port used to communicate from the MID server to your SecurityCenter instance. The default is port 443 (HTTPS). |
| Username | Username of the administrator account created in SecurityCenter |
| Password | Password of the administrator account created in SecurityCenter |

If the connection fails, please refer to the following troubleshooting tips:

- Confirm you have a working MID server with access to SecurityCenter. MID server configuration is located in the “MID Server > Servers” menu within the ServiceNow console. For additional information on MID server configuration please visit http://wiki.servicenow.com/index.php?title=MID_Server_Configuration#gsc.tab=0.
- Confirm the Tenable user account and password are correct.
- Verify the MID server has access to SecurityCenter by opening a browser on your MID server and attempting to connect to your SecurityCenter instance (https://<SecurityCenter IP>) and log in with the account previously created.

If you have confirmed all of the above and the connection still fails, please refer to the “ServiceNow MID Server Product Documentation” or contact Tenable Support.
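The network-level part of these checks can also be run from a command line on the MID server. The Python script below is an added example, not part of the Tenable guide or the Tenable application; the helper name `diagnose` and the placeholder host `securitycenter.example.com` are assumptions. It reports whether a connection to the configured “Host” and “Port” fails at name resolution, at the TCP connect, at certificate validation, or elsewhere in the TLS handshake.

```python
import socket
import ssl
import sys


def diagnose(host, port=443, timeout=5.0, context=None):
    """Locate where a connection to host:port fails.

    Returns (stage, detail); stage is one of 'dns', 'tcp', 'tls_cert',
    'tls' or 'ok'. `diagnose` is a hypothetical helper written for this
    example, not part of the Tenable application.
    """
    # Stage 1: resolve the "Host" value (a literal IP passes straight through).
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", f"cannot resolve {host}: {exc}"

    # Stage 2: plain TCP connect. A refusal or timeout here points at
    # routing, a firewall, or the wrong "Port" value.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp", f"cannot reach {host}:{port}: {exc}"

    # Stage 3: TLS handshake with certificate and hostname verification.
    # This uses Python's default trust store, which may differ from the
    # trust store of the Java runtime on the MID server (assumption).
    ctx = context or ssl.create_default_context()
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "ok", f"{tls.version()} session with {host}:{port}"
    except ssl.SSLCertVerificationError as exc:
        return "tls_cert", f"certificate not accepted: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return "tls", f"handshake failed: {exc}"
    finally:
        sock.close()  # no-op if wrap_socket already took over the socket


if __name__ == "__main__":
    # Usage: python sc_check.py <SecurityCenter host> [port]
    # The default host is a placeholder, not a real SecurityCenter address.
    target = sys.argv[1] if len(sys.argv) > 1 else "securitycenter.example.com"
    tcp_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    stage, detail = diagnose(target, tcp_port)
    print(f"{stage}: {detail}")
    sys.exit(0 if stage == "ok" else 1)
```

A `tcp` result matches the “MID Server Failed to connect host” case at the network layer, while `tls_cert` means the port is reachable but the certificate presented by SecurityCenter is not trusted by the client running the check.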

Once you have confirmed a successful connection to SecurityCenter, navigate to “Schedule” under the Tenable menu in the left-hand pane. Click “New” to create a scheduled import job.

To configure a scheduled import, enter the information on the “Scheduled” screen (see screenshot below) and click “Submit”. Refer to “Table 2 – Scheduled Import Configuration” below for a description of each field.

Table 2 – Scheduled Import Configuration

| Scheduled Options | Description |
|---|---|
| Name | Enter a descriptive name for the scheduled import job |
| Active | Enable this option to activate the scheduled import |
| Run | Click the drop-down to select the frequency of the import. The options include: Daily, Weekly, Monthly, Periodically, Once, or On Demand |
| Time | Enter the hours, minutes, and seconds the import should begin |
| Imported Hours of Vulnerability Results | Defines the amount of historical data to import. Typically this would be 24 hours. If you have two import jobs per day, this could be set to 12 hours |
| Tenable Security Console | Click the drop-down to select the SecurityCenter instance configured previously in “Connection Settings” |

After a scheduled or manual import has been initiated, navigate to “Transfer Queue” under the Tenable menu in the left-hand pane to view the status of any in-progress or completed import job. Note: This screen does not automatically refresh, so a manual refresh is required to see the up-to-date status of import jobs.

“Properties” under the Tenable menu in the left-hand pane allows the number of days scan queue records are kept before deletion (default 7 days) and the logging verbosity level (default info) to be configured.

These settings should not be adjusted unless directed to by support for troubleshooting purposes.

To view the vulnerability data imported from SecurityCenter, expand “Vulnerable Items” in the left-hand pane under the “Vulnerability” menu. From this menu, select the list of vulnerabilities you would like to view. The options include: “Open Vulnerable Items”, “All Vulnerable Items”, or “Assigned To Me”.

From the vulnerability list, select a “Vulnerable Item” (highlighted below) to view the details of the vulnerability.

Hovering over the information button (highlighted below) will display available information about the vulnerability, including “Source”, “Summary”, “Threat”, and “Solution”.

Selecting the “Configuration Details” tab (highlighted below) displays the system(s) identified with the vulnerability.

From the “Vulnerable Item” screen, the status of an identified vulnerability can be changed by clicking the “State” drop-down and marking it as “New”, “Work In Progress”, “Closed”, “Closed - False Positive”, or “Ignored”. If “Ignored” is chosen, click the “Ignore” tab and enter who the vulnerability was “Ignored by”, the “Ignore expiration” date, and the “Reason to ignore”.

The “Vulnerable Item” can also be assigned to a group and/or user by searching for or entering a name in the “Assignment group” or “Assigned to” fields.

Click “Update” if changes are made to the status and/or if the item is assigned to an individual or group.

If it is determined that a “Vulnerable Item” causes an incident, clicking “Create Security Incident” (highlighted below) creates an incident task.

“Security Incidents” can be assigned to the appropriate individuals or groups, escalated, and managed through to resolution and reporting.

Security incidents can also be automatically generated from pre-established conditions. For more information on creating security incidents please refer to the ServiceNow Incident Management Support Documentation.

If an incident(s) requires a change and/or fix, clicking “Create Problem” (highlighted below) on the “Vulnerable Items” screen will create a problem task that can be tracked and assigned to individuals and/or groups.

Multiple incidents can be attached to a problem task, but an incident cannot be attached to multiple problem tasks.

Once a problem is closed, the status of the attached incidents automatically changes to resolved.

For more information on creating problem tasks, please refer to the ServiceNow Problem Management Support Documentation.

If a change is required to IT infrastructure or operations to correct an issue uncovered by an incident, clicking “Create Change” (highlighted below) on the “Vulnerable Item” screen will create a change request task.

The “Change Request” can be assigned to individuals and/or groups, modified for the appropriate level of risk and impact, and tracked through the approval process. In addition, the “Change plan”, “Backout plan”, and “Test plan” can also be entered on this screen. Clicking on the “Schedule” tab (highlighted below) allows a user to enter the request date, planned start date, and planned end date. Click “Update” to finalize any changes made on the “Change Request” screen.

Incidents can only be attached to one “Change Request”.

For more information on creating problem tasks, please refer to the ServiceNow Change Management Support Documentation.

Clicking “Contact Tenable Support” under the Tenable menu in the left-hand pane will open a direct link to the Tenable Support Portal.

About Tenable Network Security

Tenable Network Security transforms security technology for the business needs of tomorrow through comprehensive solutions that provide continuous visibility and critical context, enabling decisive actions to protect your organization. Tenable eliminates blind spots, prioritizes threats, and reduces exposure and loss. With more than one million users and more than 20,000 enterprise customers worldwide, organizations trust Tenable for proven security innovation. Tenable's customers range from Fortune Global 500 companies, to the U.S. Department of Defense, to mid-sized and small businesses in all sectors, including finance, government, healthcare, higher education, retail, and energy. Transform security with Tenable, the creators of Nessus and leaders in continuous monitoring, by visiting tenable.com.