Home New York Security Incident Management Security Operations Vulnerability Response Understanding the Vulnerability Response application Vulnerability Solution Management

Vulnerability Solution Management

Starting with Vulnerability Response v8.0, automatically correlate the vulnerabilities in your environment with solutions from the Microsoft Security Response Center. Starting with v10.3 of Vulnerability Response, you have access to Red Hat Solution Integration solutions. Identify the remediation actions that apply to your vulnerabilities and prioritize them by the greatest reduction in vulnerability risk.

Security and IT teams often spend a significant amount of time researching vulnerability findings in order to identify the most effective treatments for their environment. Given the volume and complexity of vulnerabilities in large organizations, translating vulnerability findings into remediation tasks is a manual, tedious, and error-prone process.

With Vulnerability Solution Management, you can automatically correlate your vulnerability findings with the solutions that remediate them. Identify the software patches, configuration updates, and other controls that have the highest impact for your organization without the manual overhead.

Vulnerability Solution Management requirements

Vulnerability Solution Management is a feature available within the Vulnerability Response application. Vulnerability Solution Management requires a separate subscription.

For more information about getting entitlements for applications from the ServiceNow Store, see Get entitlement for a Security Operations product or application. See Install the Vulnerability Solution Management application for more information about installing the application after you have downloaded it onto your instance.

After it is installed, Vulnerability Solution Management provides you access to Microsoft Security Response Center data from within Vulnerability Response. Starting with v10.3 of Vulnerability Response, the Red Hat solution data is also available.

Note:

You can configure both solution applications from within Setup Assistant. See Vulnerability Response configuration using the Setup Assistant.

See Understanding the Microsoft Security Response Center Solution Integration and Understanding the Red Hat Solution Integration for more information on the imported solutions.

Available versions

For the most current version of Vulnerability Solution Management, verify you have the most current version of Vulnerability Response installed.


Release version	Release Notes
Vulnerability Solution Management v10.3 Vulnerability Solution Management v8.0	Vulnerability Response release notes

Understanding solutions and supersedence

A superseded update is a complete replacement of a previous release or releases. For example, a hotfix update may be superseded by a Service Pack. Solutions are related to vulnerabilities. Solutions can also relate to other solutions in a supersedence chain. Solutions address vulnerabilities in preceding solutions as well since they’re cumulative. Vulnerability Solution Management automatically associates vulnerabilities from preceding solutions with superseding solutions. If an older vulnerability is found, any higher superseding solution can address it, but the highest supersedence solution is preferred, since it is the most cumulative.

Potential versus Preferred Solutions

A potential solution is one that could address a vulnerability. Vulnerabilities often have many potential solutions. A preferred solution is the single solution targeted for remediating a vulnerability or vulnerable item (VI). It communicates intention, and enables more detailed deployment metrics.

Preferred Solutions

Vulnerability Solution Management automatically sets the most effective solution (Preferred Solution) for the detected vulnerability based on highest-supersedence when only one highest-supersedence solution exists. If more than one highest-supersedence exists for the vulnerability, no value is set. In Vulnerability Response, Preferred Solution is the Microsoft Security Response Center solution with the highest supersedence derived from the solutions associated with the vulnerability.

Preferred Solution values can be set on the vulnerable item or the vulnerability. When set on the vulnerability, all vulnerable items associated with the vulnerability inherit that solution. Starting with v10.0, you can change the Preferred Solution values for multiple vulnerable items using the bulk edit feature. When bulk edited, only the Preferred Solution on the vulnerable item is updated since setting the Preferred solution at the vulnerability entry level would set the Preferred solution for all new VIs going forward. Bulk editing only applies to current vulnerable items.

Note: If multiple highest-supersedence solutions exist for a vulnerability, Preferred Solution values at the vulnerability level are cleared, since that solution depends on the affected asset. When multiple highest-supersedence solutions exist for a vulnerability, set a Preferred Solution on the vulnerable item. You can set a different solution using the Lookup list on the Vulnerable Item form.

All preferred solutions for the vulnerable items in a vulnerability group are in a related list on the Vulnerability Group form.

Not all solution imports result in full data refreshes. The supersedence process updates when:

A vulnerable item is created.
Data has changed on an active VI.
New solution data was released since last import.

What does Vulnerability Solution Management do?

Automatically associates new vulnerable items and vulnerability groups with solutions during Microsoft Security Response Center Solution Integration and Red Hat Solution Integration import.import. Starting with Vulnerability Responsev10.0, solutions are associated with the latest bulletin the solution appears in.
Automatically associates vulnerable items and vulnerability groups with solutions when vulnerability records are associated manually with solutions.
Note: Vulnerable items manually re-assigned to another solution are not automatically updated with solution changes at the vulnerability level.
MSRC: Creates supersedence chains during import that you can view in the solution's related list.
Indicates whether a solution is a highest-supersedence solution or not.
Lists the Solution Risk score associated with each solution to provide you with the biggest opportunities for risk reduction.
Maintains Remediation Status for solutions on Third-party Vulnerability Entries and Vulnerability Solution records so you can track remediation progress.
It contains:
- Vulnerable item counts by percent remediated, for those VIs with Preferred Solutions, with and without those VIs in the Deferred state.
- Configuration Item (CI) counts by percent remediated, for those VIs with Preferred Solutions, with and without those VIs in the Deferred state.
- Vulnerable item counts by percent remediated, for those VIs with Potential Solutions, with and without those VIs in the Deferred state.
- Configuration Item counts by percent remediated, for those VIs with Preferred Solutions, with and without those VIs in the Deferred state.

What can you do with Vulnerability Solution Management?

Create, update, view, or delete solutions associated with vulnerabilities, so that you can track vulnerability solutions that are not covered by third-party solution content.
Associate third-party vulnerabilities and NVD entries with a solution record.
Remove and reassociate vulnerable items and vulnerability groups with a solution.
View the Preferred Solution applicable to a given vulnerability on the vulnerability and vulnerable item forms.
View a Preferred Solutions related list on vulnerability group forms that lists all the solutions that have been preferred by at least one active VI within that group.
View the Remediation Status details on a solution that show the risk reduction associated with deploying the Preferred Solution on vulnerability, vulnerable item, vulnerability group, and solution forms.
View vulnerabilities applicable to a given solution on the solution form.
MSRC: View the superseding solutions for a given solution on a vulnerability, to find the latest update to deploy, or an earlier, more focused, efficient update.
View lists of solutions sorted for different characteristics.
- All: Solutions sorted by Date published and Number.
- MSRC: Highest Supersedence: Solutions with active, non-deferred vulnerable items. Sorted by Highest supersedence, Date published, and Number.
- With Vulnerable Items: Solutions with active, non-deferred vulnerable items. Sorted by Highest supersedence or Preferred, Risk Score, and Number. If deployed, the top entries in the list provide the largest risk reduction for the assets in your environment.

Solution record Risk score and Risk rating

Note: The Solution record Risk score and Risk rating are distinct from those fields used for vulnerabilities, vulnerable items, and vulnerability groups.

The Solution record Risk score is a weighted calculation based on the vulnerable item Risk score and a count of active vulnerable items with this solution as their Potential Solution. Solution Risk score provides an estimation of the reduction in risk that the solution is expected to accomplish.

Solution record Risk score is calculated as follows:

It starts by taking 85% of the highest or maximum Risk score of a vulnerable item with that potential solution.
Solution record Risk score then tabulates the total number of vulnerable items with that potential solution. For each range of the number of vulnerable items, it adds some points and arrives at a total.
- 0–09 vulnerable items adds no points
- 10–99 vulnerable items adds 5 points
- 100–999 vulnerable items adds 10 points
- 1000 and beyond vulnerable items adds 15 points
For example, for a vulnerable item Risk score of 80, the Solution record Risk score would start at 68. If there were 200 active total vulnerable items with that potential solution, then the final Solution record Risk score would be 78.

The Solution record Risk rating separates the Solution record Risk score into ranges from Critical to None. Solution Risk rating rates the risk reduction for the vulnerable items that this solution remediates.

Risk ratings separate the resulting Solution Risk score into the following ranges:

1 — Critical (90+ Solution Risk score)
2 — High (70-89 Solution record Risk score)
3 — Medium (30-69 Solution record Risk score)
4 — Low (1-29 Solution record Risk score)
5 — None (0 Solution record Risk score)

Use Cases

View the status deployment progress of a current patch cycle using the highest-supersedence module, sorted by date.

View highest value solutions using the With Vulnerable Items module, sorted by risk score.

Solution lists communicate key solution details, risk scores, and deployment metrics. Use Risk score and active VI counts for prioritization. See which solutions in the current patch cycle are not progressing, possibly an indication of a missed deployment prerequisite.

Note: Add %VIs remediated(percent_nd_pref_vis_remediated) from the Personalize List Columns menu for remediation progress on the Vulnerability Solutions form.

Previous topic

Next topic

Release version

Vulnerability Solution Management

Vulnerability Solution Management requirements

Vulnerability Solution Management is a feature available within the Vulnerability Response application. Vulnerability Solution Management requires a separate subscription.

Note:

You can configure both solution applications from within Setup Assistant. See Vulnerability Response configuration using the Setup Assistant.

See Understanding the Microsoft Security Response Center Solution Integration and Understanding the Red Hat Solution Integration for more information on the imported solutions.

Available versions

For the most current version of Vulnerability Solution Management, verify you have the most current version of Vulnerability Response installed.


Release version	Release Notes
Vulnerability Solution Management v10.3 Vulnerability Solution Management v8.0	Vulnerability Response release notes

Understanding solutions and supersedence

Potential versus Preferred Solutions

Preferred Solutions

All preferred solutions for the vulnerable items in a vulnerability group are in a related list on the Vulnerability Group form.

Not all solution imports result in full data refreshes. The supersedence process updates when:

A vulnerable item is created.
Data has changed on an active VI.
New solution data was released since last import.

What does Vulnerability Solution Management do?

Automatically associates new vulnerable items and vulnerability groups with solutions during Microsoft Security Response Center Solution Integration and Red Hat Solution Integration import.import. Starting with Vulnerability Responsev10.0, solutions are associated with the latest bulletin the solution appears in.
Automatically associates vulnerable items and vulnerability groups with solutions when vulnerability records are associated manually with solutions.
Note: Vulnerable items manually re-assigned to another solution are not automatically updated with solution changes at the vulnerability level.
MSRC: Creates supersedence chains during import that you can view in the solution's related list.
Indicates whether a solution is a highest-supersedence solution or not.
Lists the Solution Risk score associated with each solution to provide you with the biggest opportunities for risk reduction.
Maintains Remediation Status for solutions on Third-party Vulnerability Entries and Vulnerability Solution records so you can track remediation progress.
It contains:
- Vulnerable item counts by percent remediated, for those VIs with Preferred Solutions, with and without those VIs in the Deferred state.
- Configuration Item (CI) counts by percent remediated, for those VIs with Preferred Solutions, with and without those VIs in the Deferred state.
- Vulnerable item counts by percent remediated, for those VIs with Potential Solutions, with and without those VIs in the Deferred state.
- Configuration Item counts by percent remediated, for those VIs with Preferred Solutions, with and without those VIs in the Deferred state.

What can you do with Vulnerability Solution Management?

Create, update, view, or delete solutions associated with vulnerabilities, so that you can track vulnerability solutions that are not covered by third-party solution content.
Associate third-party vulnerabilities and NVD entries with a solution record.
Remove and reassociate vulnerable items and vulnerability groups with a solution.
View the Preferred Solution applicable to a given vulnerability on the vulnerability and vulnerable item forms.
View a Preferred Solutions related list on vulnerability group forms that lists all the solutions that have been preferred by at least one active VI within that group.
View the Remediation Status details on a solution that show the risk reduction associated with deploying the Preferred Solution on vulnerability, vulnerable item, vulnerability group, and solution forms.
View vulnerabilities applicable to a given solution on the solution form.
MSRC: View the superseding solutions for a given solution on a vulnerability, to find the latest update to deploy, or an earlier, more focused, efficient update.
View lists of solutions sorted for different characteristics.
- All: Solutions sorted by Date published and Number.
- MSRC: Highest Supersedence: Solutions with active, non-deferred vulnerable items. Sorted by Highest supersedence, Date published, and Number.
- With Vulnerable Items: Solutions with active, non-deferred vulnerable items. Sorted by Highest supersedence or Preferred, Risk Score, and Number. If deployed, the top entries in the list provide the largest risk reduction for the assets in your environment.

Solution record Risk score and Risk rating

Note: The Solution record Risk score and Risk rating are distinct from those fields used for vulnerabilities, vulnerable items, and vulnerability groups.

Solution record Risk score is calculated as follows:

It starts by taking 85% of the highest or maximum Risk score of a vulnerable item with that potential solution.
Solution record Risk score then tabulates the total number of vulnerable items with that potential solution. For each range of the number of vulnerable items, it adds some points and arrives at a total.
- 0–09 vulnerable items adds no points
- 10–99 vulnerable items adds 5 points
- 100–999 vulnerable items adds 10 points
- 1000 and beyond vulnerable items adds 15 points
For example, for a vulnerable item Risk score of 80, the Solution record Risk score would start at 68. If there were 200 active total vulnerable items with that potential solution, then the final Solution record Risk score would be 78.

Risk ratings separate the resulting Solution Risk score into the following ranges:

1 — Critical (90+ Solution Risk score)
2 — High (70-89 Solution record Risk score)
3 — Medium (30-69 Solution record Risk score)
4 — Low (1-29 Solution record Risk score)
5 — None (0 Solution record Risk score)

Use Cases

View the status deployment progress of a current patch cycle using the highest-supersedence module, sorted by date.

View highest value solutions using the With Vulnerable Items module, sorted by risk score.

Note: Add %VIs remediated(percent_nd_pref_vis_remediated) from the Personalize List Columns menu for remediation progress on the Vulnerability Solutions form.

How search works:

Topics are ranked in search results by how closely they match your search terms

Vulnerability Solution Management

Vulnerability Solution Management

Vulnerability Solution Management requirements

Available versions

Understanding solutions and supersedence

Potential versus Preferred Solutions

Preferred Solutions

What does Vulnerability Solution Management do?

What can you do with Vulnerability Solution Management?

Solution record Risk score and Risk rating

Use Cases

On this page

Vulnerability Solution Management

Vulnerability Solution Management

Vulnerability Solution Management requirements

Available versions

Understanding solutions and supersedence

Potential versus Preferred Solutions

Preferred Solutions

What does Vulnerability Solution Management do?

What can you do with Vulnerability Solution Management?

Solution record Risk score and Risk rating

Use Cases

Log in to personalize your search results and subscribe to topics