Reduce resolution time for container vulnerabilities with ServiceNow & Sysdig

By Durgesh Shukla - APRIL 25, 2023


Today, security and development teams are drowning in vulnerabilities. Most security tools identify issues, but don’t provide reliable prioritization or simplify remediation. To help solve these challenges, Sysdig runtime vulnerability management – part of Sysdig’s Cloud Native Application Protection Platform (CNAPP) – provides a runtime image scanner coupled with an eBPF probe to analyze container behavior and identify the vulnerable packages that are in use at runtime. This capability – what we call Runtime Insights – helps users prioritize the remediation of the vulnerabilities that represent real risk.

Sysdig is now bringing this successful vulnerability management philosophy to our partners in the ecosystem to better serve our joint customers. The idea is to integrate with existing customer workflows (e.g., incident response, alert triage, etc.) and provide similar benefits within these much-loved platforms, like ServiceNow.

To quote one of our joint customers: “We are able to autotune Sysdig, which enables us to focus on the most pressing issues, filter our rules, and reduce the burden of alert fatigue. Within the first few weeks, we achieved a 30% reduction in alerts without sacrificing security.”

Sysdig Secure with ServiceNow CVR

Taking the previously mentioned philosophy further, the team at Sysdig wanted to create a direct impact on our customers’ entire vulnerability management lifecycle and go beyond vulnerability detection and prioritization. The ServiceNow Vulnerability Response and Configuration Compliance for Containers application, commonly referred to as ServiceNow Container Vulnerability Response (CVR), offers this exact opportunity as it allows for vulnerability triage, response, and troubleshooting automation.

ServiceNow CVR has a number of capabilities, but a key feature is its ability to receive and process container-related metadata. Since containers are instantiated images, the CVR application allows for container correlation with corresponding base images and registries. It also facilitates the management of components like packages and versions. You can also correlate elements with National Vulnerability Database (NVD) CVEs and other Configuration Management Database (CMDB) assets.

Sysdig has created an official CVR connector app to integrate Sysdig Secure with ServiceNow CVR so that customers can send insights about their container workloads along with granular cloud-native context and in-use packages details to the ServiceNow platform.

Sysdig Secure and ServiceNow CVR

The top 3 benefits of using Sysdig Secure with ServiceNow CVR

Alert triage activities involve evaluating and prioritizing security alerts to determine the severity of threats and whether they should be escalated to incident response. Security engineers and analysts often face a high volume of alerts due to the inclusion of irrelevant threat data and a lack of tools providing context and understanding.

At the crux of this integration, Sysdig’s unique Runtime Insights feature equips ServiceNow CVR users to prioritize the remediation of in-use vulnerable packages actually loaded in memory and therefore exposed to risk at runtime. This results in quicker, more effective prioritization, reducing the number of vulnerabilities to fix by up to 95%.

The key benefits of integrating Sysdig with ServiceNow CVR are:

  • Vulnerability prioritization: Prioritize vulnerability remediation within the ServiceNow platform based on “in-use” security context sent from Sysdig, and combine it with other important vulnerability parameters like exploitability, criticality, and CVE report date.
  • Faster triage and assignment processes: Ingest Sysdig-detected container vulnerabilities into the ServiceNow Container Vulnerability data model as CVIs (Container Vulnerable Items), and automate tasks like triage, contextualization, and assignment.
  • Quicker and more accurate incident response activities: Leverage vulnerability details for asset management, security workflow orchestration, automation, visualization, and response – ultimately reducing your total time to resolve.

Adding to this is the bonus benefit of being able to map Sysdig-secured assets, such as images and registries, in ServiceNow’s Config Management Database (CMDB) to get a more comprehensive understanding of risk.

Our VP of Technology Alliances at Sysdig, Bryan Smoltz, explains, “Our integration with ServiceNow CVR allows our customers to get detailed information about vulnerabilities directly in their ServiceNow interface. Using Sysdig to help prioritize these vulnerabilities, security and developer teams are able to quickly address real threats and speed up the MTTR.”

How to set up the integration

To get started, you can refer to the documentation and installation guide on the Sysdig CVR app page. Please note that while the Sysdig integration connector is available at no cost, you must purchase the ServiceNow CVR app. Visit the store or talk to your ServiceNow rep or partner for more details.

Additionally, the ServiceNow NVD integration module is recommended for importing CVE information into ServiceNow so you can better understand your vulnerability exposure.

For details on how to install plugins in ServiceNow, refer to the ServiceNow Plugin Activation Overview. You will need to have an admin user role within your ServiceNow instance to get started.

Vulnerability prioritization and remediation

Runtime vulnerabilities for containers are detected by Sysdig Secure and flagged in the UI if they are “in-use”:

Sysdig Secure/ServiceNow CVR

Through the integration, these vulnerabilities are imported periodically into the ServiceNow platform at an interval of your choice (e.g., daily), and are represented as “Container Vulnerable Items” in ServiceNow.

Sysdig Secure/ServiceNow CVR

ServiceNow users can then take further action, such as kickstarting remediation workflows. More importantly, the severity of a Container Vulnerable Item is raised when the vulnerable package is in use. This ensures that the critical vulnerabilities that might pose runtime risk are prioritized for remediation.
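As an added example, not code from the original post or from Sysdig's connector (whose data model and API are not shown here), the following Python models the triage rule described in the benefits list and in the paragraph above: findings whose package is flagged in use are ranked first and have their severity raised one step, and within each group findings are ordered by exploit availability, effective severity and CVE age. The record fields, the five-level severity scale, the one-step bump, the placeholder CVE identifiers and the sample findings are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed severity scale, lowest to highest (not Sysdig's or ServiceNow's own enum).
SEVERITY_ORDER = ["Negligible", "Low", "Medium", "High", "Critical"]

# Assumed report date used to compute CVE age for the sample data.
AS_OF = date(2023, 4, 25)


@dataclass(frozen=True)
class ContainerVuln:
    """One scanner finding enriched with runtime context (assumed schema)."""
    cve: str               # placeholder identifier, not a real CVE
    image: str
    package: str
    version: str
    severity: str          # scanner severity on SEVERITY_ORDER
    in_use: bool           # runtime insight: package observed loaded at runtime
    exploit_available: bool
    published: date        # CVE report date


# Constructed sample findings for two images; not real scan output.
SAMPLE_FINDINGS = [
    ContainerVuln("CVE-0000-0001", "registry.example/api:1.4", "openssl", "1.1.1k",
                  "High", True, True, date(2023, 1, 10)),
    ContainerVuln("CVE-0000-0002", "registry.example/api:1.4", "libxml2", "2.9.10",
                  "Critical", False, True, date(2022, 11, 2)),
    ContainerVuln("CVE-0000-0003", "registry.example/api:1.4", "curl", "7.74.0",
                  "Medium", True, False, date(2023, 3, 1)),
    ContainerVuln("CVE-0000-0004", "registry.example/worker:2.0", "python3", "3.9.2",
                  "Critical", False, False, date(2021, 6, 15)),
    ContainerVuln("CVE-0000-0005", "registry.example/worker:2.0", "zlib", "1.2.11",
                  "Low", False, False, date(2020, 4, 1)),
    ContainerVuln("CVE-0000-0006", "registry.example/worker:2.0", "glibc", "2.31",
                  "High", True, True, date(2022, 9, 20)),
]


def effective_severity(v: ContainerVuln) -> str:
    """Raise severity one step when the package is in use; Critical stays Critical."""
    idx = SEVERITY_ORDER.index(v.severity)
    if v.in_use and idx < len(SEVERITY_ORDER) - 1:
        idx += 1
    return SEVERITY_ORDER[idx]


def priority_key(v: ContainerVuln, today: date = AS_OF):
    """Sort key: in-use first, then exploit available, then severity, then oldest CVE."""
    age_days = (today - v.published).days
    return (
        not v.in_use,
        not v.exploit_available,
        -SEVERITY_ORDER.index(effective_severity(v)),
        -age_days,
    )


def prioritize(vulns, today: date = AS_OF):
    """Return findings in remediation order."""
    return sorted(vulns, key=lambda v: priority_key(v, today))


def in_use_reduction(vulns):
    """How much the backlog shrinks if only in-use findings are worked first.

    Returns (in_use_count, total_count, percent_removed_from_backlog).
    """
    total = len(vulns)
    active = sum(1 for v in vulns if v.in_use)
    pct = 0.0 if total == 0 else round(100.0 * (total - active) / total, 1)
    return active, total, pct


if __name__ == "__main__":
    active, total, pct = in_use_reduction(SAMPLE_FINDINGS)
    print(f"{active}/{total} findings are in use; backlog reduced by {pct}%")
    for v in prioritize(SAMPLE_FINDINGS):
        print(f"{v.cve:14} {v.image:30} {v.package:8} in_use={v.in_use!s:5} "
              f"exploit={v.exploit_available!s:5} "
              f"{v.severity:>8} -> {effective_severity(v)}")
```

The ordering key is a tuple so that the in-use flag dominates every other attribute; exploit availability, severity and age only break ties within the in-use and not-in-use groups. In ServiceNow this same logic would typically be implemented as a calculator or business rule on the Container Vulnerable Item record rather than as a standalone script.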

Sysdig Secure/ServiceNow CVR

If you’re a Sysdig Secure and ServiceNow user, we encourage you to try out the integration. We will continue to refine and improve the plugin, and we would love your feedback! You can reach us through the Sysdig in-app chat, via our support team, or through your customer success rep.
