Six Easy Steps to Combat WannaCry with ServiceNow Security Operations

On Friday, 12 May 2017, many organizations around the world reported they were victim to a devastating ransomware attack now widely known as “WannaCry”.  As of Monday, 15 May 2017, there are over 200,000 reported WannaCry infections in over 150 countries.

While ransomware attacks are relatively common, WannaCry is significantly more lethal because it has the ability to spread inside of an organization by leveraging a Microsoft Windows vulnerability, which was announced and patched by Microsoft in March 2017.

While every organization would love to patch every vulnerability as quickly as they are announced, the reality is that it can take many organizations weeks or months to get all their systems patched.  And when a crisis like WannaCry occurs, the process to respond quickly can take many organizations much longer than desired.

The Typical Vulnerability Response Process Doesn’t Cut It During Crisis

Most organizations will learn Information about a highly publicized attack very quickly.  A small amount of research online will easily uncover information about the exact vulnerabilities being exploited – typically by the Common Vulnerabilities and Exposures or CVE number released by NIST and the NVD.  Once the specific CVEs are found, a little more research should reveal the specific patches that can be applied to remediate the vulnerabilities.

But then what?

The traditional way that vulnerability management teams work from this point doesn’t scale to this type of crisis.  Now that they understand the vulnerabilities and appropriate patches, they need to start the remediation process.

First step is to export the matching CVEs and any information about affected systems from the vulnerability scanner, or at some organizations, multiple scanners.  Next, the change process needs to be adhered to and an emergency change request created.  The patch then needs to be tested in development and applied in production.  Vulnerability response teams need to determine who the owners or patch teams of the affected systems.  Determining patch or remediation ownership can be problematic and using emails and phone calls to communicate with stakeholders is difficult, at best.  Eventually re-scans will need to occur to make sure all systems have been patched.

If you have one or two systems, this might work.  But what if you have dozens? Hundreds? Thousands?  This can’t scale.  In a major outbreak, the vulnerability management team may also need to brief executives on a regular basis.  During a crisis, the above processes are cumbersome and the time it takes to gather information and communicate can result in the problem continuing to spread.

How ServiceNow Security Operations Can Help

Contrast the typical vulnerability response process above with ServiceNow.  Security Operations includes a Vulnerability Response application which provides automation for this process, coordinates and streamlines remediation, while also allowing executives and security personnel to clearly view the organization’s posture against this specific outbreak.  This can not only simplify the vulnerability response process; it can dramatically decrease an organization’s exposure to an attack.

Here’s how to activate a complete vulnerability response process for WannaCry in ServiceNow Security Operations – in six easy steps:

Step 1: First, create a new vulnerability group with all the CVEs associated with the WannaCry malware.

Step 2: Next, customers should have previously created a pre-defined, but dormant “vulnerability crisis” workflow template for this once a year / twice a year type of vulnerability– this template includes the crisis communications plan for just such a scenario.   Creating a copy of the workflow and renaming the copy to “WannaCry vulnerability crisis workflow” allows us to enter specifics and execute a workflow customized to this specific threat.

Step 3: Select the properties of the WannaCry workflow to edit the condition for the workflow to run by entering the vulnerability group number for the WannaCry vulnerability group created in Step 1.

Step 4: Edit the task descriptions in the workflow with information about the specific vulnerability and appropriate patches.

Step 5: Publish and run the workflow!

Step 6: Get real-time visibility into status using reporting in Security Operations using the vulnerability group created in Step 1, and schedule the report to be sent to stakeholders at the cadence appropriate for your organization.


In a matter of minutes, Vulnerability Response inside of ServiceNow Security Operations allows you to:

  • Create a vulnerability group specific to the threat
  • Automatically incorporate a communications plan into the response process
  • Launch a dynamic response workflow to customize response for this specific threat to include:
    • Automatically create the emergency change request
    • Automatically notify stakeholders and appropriate executives
    • Automatically assign tasks to patching teams
    • Automatically route approval requests to applicable groups
    • Automatically trigger rescanning of affected systems after patching complete
    • Automatically close the response process when patching is complete.
  • Provide real-time reporting to stakeholders and executives

The actual Vulnerability Crisis workflow is at the bottom of this blog.

If you want to learn more about Vulnerability Response from ServiceNow, go to or contact your local ServiceNow sales representative.