Copyright © 2016. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc.
SecurityCenter Continuous View is a trademark of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.
Tenable for ServiceNow
HOW-TO GUIDE
Introduction
This document describes how to deploy Tenable SecurityCenter™ for integration with ServiceNow Security Operations.
Please email any comments and suggestions to [email protected].
As the leader in IT Service Support Management (ITSSM), ServiceNow’s cloud platform and form-based workflow engine
enables its customers to overcome the increasing challenges faced within IT service delivery. ServiceNow’s ability to
automate the service management process through the use of a single system of record and automated workflow helps IT,
operations, and business users increase efficiency and productivity, while lowering costs.
Tenable Network Security has partnered with ServiceNow to allow ServiceNow customers and partners the ability to
leverage Tenable™ vulnerability data. Through the use of a custom Java application residing on a ServiceNow MID server,
calls are made to SecurityCenter APIs to retrieve specific vulnerability data. The Tenable vulnerability data is then
automatically imported into ServiceNow Security Operations allowing for enhanced visibility and context of the
vulnerabilities within your organization. The result is a stronger security posture through improved workflows, reporting,
and automated action.
Integration Requirements
The following are required in order to integrate SecurityCenter with ServiceNow Security Operations:
- ServiceNow subscription to Security Operations (Premium Option): http://www.servicenow.com/products/security-operations.html
- ServiceNow MID server installed and registered within your ServiceNow instance: http://wiki.servicenow.com/index.php?title=MID_Server_Configuration#gsc.tab=0
- Tenable for Security Operations application: https://store.servicenow.com
- SecurityCenter version 5.x or higher
- SecurityCenter “Security Manager” account dedicated to ServiceNow integration
To confirm your ServiceNow account has access to the ServiceNow Security Operations functions and that you
have a valid subscription, log in to the ServiceNow console and verify that there is a “Vulnerability” menu option in
the left-hand pane (see screenshot below). If there is no “Vulnerability” menu option, please contact your
ServiceNow representative.
Integration Configuration
SecurityCenter Configuration
To create the dedicated “Security Manager” account, log in to SecurityCenter using a previously created administrator
account, navigate to “Users”, and select “Users” from the drop-down menu.
Click “+Add” to create a new user.
Enter an account “Username” and “Password” (confirm password). Next, click the “Role” drop-down under the “Membership”
section and select “Security Manager”. Click “Organization” and select the organization the account is a member of. Click
“Submit”.
ServiceNow Security Operations Configuration
To begin the ServiceNow configuration, browse to https://store.servicenow.com and search for and install the “Tenable for
Security Operations” application.
A Tenable JAR file is installed on your ServiceNow MID server during the installation of the “Tenable for Security
Operations” application. To verify the JAR file has been installed, navigate to “MID Server > JAR Files” in your
ServiceNow console.
Once the “Tenable for Security Operations” application and Tenable JAR file are installed, navigate to “Tenable” in the
left-hand pane of the ServiceNow console to expand the menu options.
Navigate to “Connection Settings” in the left-hand menu and click “New” to add a connection to your SecurityCenter.
Enter the information for each field on the “Connection Settings” screen (see screenshot below). Refer to “Table 1 –
Connection Settings Configuration” below for details of each field.
Click the “MID Server” drop-down and select the MID server used to connect to SecurityCenter. The “MID Server Record
Size” is set to “500” by default. Depending on your Internet connection, this value may need to be lowered to allow the
SecurityCenter data to be transferred to ServiceNow in smaller record sets.
To verify the connection settings to SecurityCenter are correct, click the “Test Connection” button. A notification
stating “MID Server contacted Tenable SecurityCenter at (Tenable Address)” will be displayed if the connection is
established. If the connection cannot be established it will display a “MID Server Failed to connect host at
(Tenable Address)” message.
If the connection is successful, click the “Submit” button (highlighted below).
Table 1 – Connection Settings Configuration

| Connection Settings Options | Description |
| --- | --- |
| Name | Enter a descriptive name for the SecurityCenter connection |
| Host | IP address or DNS name of the SecurityCenter instance |
| Port | TCP port used to communicate from the MID server to your SecurityCenter instance. The default is port 443 (HTTPS). |
| Username | Username of the administrator account created in SecurityCenter |
| Password | Password of the administrator account created in SecurityCenter |
If the connection fails, please refer to the following troubleshooting tips:
- Confirm you have a working MID server with access to SecurityCenter. MID server configuration is located in the “MID Server > Servers” menu within the ServiceNow console. For additional information on MID server configuration, please visit http://wiki.servicenow.com/index.php?title=MID_Server_Configuration#gsc.tab=0.
- Confirm the Tenable user account and password are correct.
- Verify the MID server has access to SecurityCenter by opening a browser on your MID server, connecting to your SecurityCenter instance (https://<SecurityCenter IP>), and logging in with the account previously created.
If you have confirmed all of the above and the connection still fails, please refer to the “ServiceNow MID Server Product
Documentation” or contact Tenable Support.
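The browser check in the troubleshooting tips above can also be scripted on the MID server. The following is an added example, not part of the Tenable guide or the Tenable application: it reports whether a connection to the Host and Port from Table 1 fails at name resolution, at TCP connect, or at the TLS handshake. The function name, the hint wording, and the use of Python's default trust store are assumptions of this example.

```python
import socket
import ssl
import sys

# Hints per failure stage; wording is this example's, mapped to the guide's tips.
HINTS = {
    "dns": "Host name does not resolve from this MID server; check the Host field.",
    "tcp": "No TCP connection; check the Port field and the network path to SecurityCenter.",
    "tls": "TCP works but HTTPS does not; check the certificate and that the port serves HTTPS.",
    "ok": "Transport is fine; confirm the Tenable user account and password.",
}


def check_securitycenter(host, port=443, timeout=5.0, context=None):
    """Return (stage, detail); stage is 'dns', 'tcp', 'tls' or 'ok'."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror as exc:      # name resolution failed
        return "dns", str(exc)
    except OSError as exc:              # refused, unreachable or timed out
        return "tcp", str(exc)
    # The default context verifies the certificate chain and the host name.
    ctx = context or ssl.create_default_context()
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "ok", tls.version()
    except (ssl.SSLError, OSError) as exc:
        return "tls", str(exc)
    finally:
        raw.close()


if __name__ == "__main__":
    # Usage: python check_sc.py <SecurityCenter host> [port]
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    stage, detail = check_securitycenter(target, target_port)
    print(f"{stage}: {detail}\n{HINTS[stage]}")
    sys.exit(0 if stage == "ok" else 1)
```

A result of "ok" only shows that HTTPS transport works from the MID server host; the login itself still has to be confirmed with the “Test Connection” button.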
Once you have confirmed a successful connection to SecurityCenter, navigate to “Schedule” under the Tenable menu in the
left-hand pane. Click “New” to create a scheduled import job.
To configure a scheduled import, enter the information on the “Scheduled” screen (see screenshot below) and click “Submit”.
Refer to “Table 2 – Scheduled Import Configuration” below for a description of each field.
Table 2 – Scheduled Import Configuration

| Scheduled Options | Description |
| --- | --- |
| Name | Enter a descriptive name for the scheduled import job |
| Active | Enable this option to activate the scheduled import |
| Run | Click the drop-down to select the frequency of the import. The options include: Daily, Weekly, Monthly, Periodically, Once, or On Demand |
| Time | Enter the hours, minutes, and seconds the import should begin |
| Imported Hours of Vulnerability Results | Defines the amount of historical data to import. Typically this would be 24 hours. If you have two import jobs per day, this could be set to 12 hours |
| Tenable Security Console | Click the drop-down to select the SecurityCenter instance configured previously in “Connection Settings” |
After a scheduled or manual import has been initiated, navigate to “Transfer Queue” under the Tenable menu in the left-hand
pane to view the status of any in-progress or completed import job. Note: This screen does not automatically refresh, so a
manual refresh is required to see the up-to-date status of import jobs.
The “Properties” option under the Tenable menu in the left-hand pane configures the number of days scan queue records are
kept before deletion (default 7 days) and the logging verbosity level (default info).
These settings should not be adjusted unless directed to by support for troubleshooting purposes.
To view the vulnerability data imported from SecurityCenter, expand “Vulnerable Items” in the left-hand pane under the
“Vulnerability” menu. From this menu, select the list of vulnerabilities you would like to view. The options include: “Open
Vulnerable Items”, “All Vulnerable Items”, or “Assigned To Me”.
From the vulnerability list, select a “Vulnerable Item” (highlighted below) to view the details of the vulnerability.
Hovering over the information button (highlighted below) will display available information about the vulnerability, including
“Source”, “Summary”, “Threat”, and “Solution”.
Selecting the “Configuration Details” tab (highlighted below) displays the system(s) identified with the vulnerability.
From the “Vulnerable Item” screen, the status of an identified vulnerability can be changed by clicking the “State” drop-down
and marking it as “New”, “Work In Progress”, “Closed”, “Closed - False Positive”, or “Ignored”. If “Ignored” is chosen, click the
“Ignore” tab and enter who the vulnerability was “Ignored by”, the “Ignore expiration” date, and the “Reason to ignore”.
The “Vulnerable Item” can also be assigned to a group and/or user by searching for or entering a name in the “Assignment
group” or “Assigned to” fields.
Click “Update” if changes are made to the status and/or if the item is assigned to an individual or group.
If it is determined that a “Vulnerable Item” causes an incident, clicking “Create Security Incident” (highlighted below) creates
an incident task.
“Security Incidents” can be assigned to the appropriate individuals or groups, escalated, and managed through to resolution
and reporting.
Security incidents can also be automatically generated from pre-established conditions. For more information on
creating security incidents please refer to the ServiceNow Incident Management Support Documentation.
If an incident(s) requires a change and/or fix, clicking “Create Problem” (highlighted below) on the “Vulnerable Items” screen
will create a problem task that can be tracked and assigned to individuals and/or groups.
Multiple incidents can be attached to a problem task, but an incident cannot be attached to multiple problem
tasks.
Once a problem is closed, the status of the attached incidents automatically changes to resolved.
For more information on creating problem tasks, please refer to the ServiceNow Problem Management Support
Documentation.
If a change is required to IT infrastructure or operations to correct an issue uncovered by an incident, clicking “Create
Change” (highlighted below) on the “Vulnerable Item” screen will create a change request task.
The “Change Request” can be assigned to individuals and/or groups, modified for the appropriate level of risk and impact,
and tracked through the approval process. In addition, the “Change plan”, “Backout plan”, and “Test plan” can also be entered on
this screen. Clicking on the “Schedule” tab (highlighted below) allows a user to enter the request date, planned start date, and
planned end date. Click “Update” to finalize any changes made on the “Change Request” screen.
Incidents can only be attached to one “Change Request”.
For more information on creating change requests, please refer to the ServiceNow Change Management Support
Documentation.
Clicking “Contact Tenable Support” under the Tenable menu in the left-hand pane will open a direct link to the
Tenable Support Portal.
About Tenable Network Security
Tenable Network Security transforms security technology for the business needs of tomorrow through comprehensive
solutions that provide continuous visibility and critical context, enabling decisive actions to protect your organization.
Tenable eliminates blind spots, prioritizes threats, and reduces exposure and loss. With more than one million users and
more than 20,000 enterprise customers worldwide, organizations trust Tenable for proven security innovation. Tenable's
customers range from Fortune Global 500 companies, to the U.S. Department of Defense, to mid-sized and small businesses
in all sectors, including finance, government, healthcare, higher education, retail, and energy. Transform security with
Tenable, the creators of Nessus and leaders in continuous monitoring, by visiting tenable.com.