Crestvale Newsroom

ServiceNow bug exposed customer instance data online



A ServiceNow vulnerability exposed how quickly SaaS platforms can become part of your attack surface, while new federal guidance is shrinking vulnerability response windows to just three days. This episode breaks down what the ServiceNow incident means in practice, why CISA's seventy-two-hour remediation expectation is a major shift, and how AI agents are quietly expanding identity risk inside most organizations. The common thread is speed and visibility. Teams are being forced to make faster decisions with less margin for error, while managing identities and data they often cannot fully see. We also cover Cyera's major funding round and what it signals about data security becoming the control layer for AI, along with key updates from Microsoft, Fortinet, and others. Learn more at https://crestvale.io


SPEAKER_00

Your SaaS platform can leak data without a single compromised account. And the window between exposure and exploitation is shrinking to days, not weeks. That changes how fast you have to see, decide, and act. This is the Crestvale Newsroom Daily Podcast.

ServiceNow just patched a vulnerability that cuts right to a common assumption: that SaaS sits outside your security boundary. It does not. The issue was a platform-level authentication failure. Under certain conditions, it allowed unauthenticated queries into customer instance tables. That means data access without logging in. ServiceNow says it patched the issue on June 5th and is notifying impacted customers. But there are two details that matter more than the patch itself. First, the company has acknowledged that table queries did occur. Second, there is uncertainty around how long this was exposed before the fix. That combination is what should get your attention.

If ServiceNow is part of your IT, HR, or workflow stack, it likely holds sensitive tickets, internal conversations, credentials, and integrations. In many environments, it is a central nervous system. And in this case, the control that failed was not yours. It was the platform. That shifts the response. This is not just about patching. It is about scoping exposure. You need to review instance logs for unusual queries. You need to validate what data was accessible. And you need to reassess what you are choosing to centralize in a system you do not fully control. Because when a SaaS platform fails at the authentication layer, your blast radius is defined by your own data decisions. That is the part most teams underestimate.

Now, step back and look at how fast the response window is compressing. The Cybersecurity and Infrastructure Security Agency has effectively set a new clock for vulnerability management. Three days.
If a vulnerability is internet-facing, actively exploited, and can be automated, you now have 72 hours to fix it or take the system offline. This is not a suggestion. It is a directional signal for where expectations are going. The key shift is prioritization: not volume, not severity scores, but exploitability and exposure. If attackers can weaponize it quickly and reach it over the internet, you are expected to move immediately. And if you cannot patch in time, disconnecting the system is now part of the playbook. That raises the bar on a few things at once. Asset visibility has to be precise. You need to know what is internet accessible in real time. Your vulnerability program has to track active exploitation, not just published CVEs. And your incident response process has to start before a confirmed breach, not after. Because at a three-day window, delay is indistinguishable from failure. This is where many enterprise programs will start to break. Weekly patch cycles do not survive in a 72-hour world.

Meanwhile, there is a quieter shift happening that is even harder to see. AI agents are rapidly expanding your identity surface. Every agent is an identity, and most organizations are not governing them that way. Recent data shows companies with heavy AI adoption are seeing breach rates close to four times higher than others. Not because AI is inherently unsafe, but because these agents are operating with access that is not being tracked or constrained. Most teams cannot answer a basic question quickly: who has access to what? Now add autonomous agents making decisions and taking actions across systems. The problem compounds fast. A majority of organizations still cannot revoke inactive access in real time. Many admit accounts have excessive permissions or unknown entitlements. Now layer AI agents on top of that. You are effectively introducing privileged actors into an already messy identity environment, without visibility, without governance.
That is not a tooling gap. That is an identity model that has not caught up to reality. And right now, attackers are far more likely to exploit that gap than your latest endpoint control.

And that connects directly to where the market is placing its bets. Cyera just raised $600 million at a $12 billion valuation. That is not about funding hype. It is about control. Data security posture management is becoming the layer that determines what AI systems can see and do. If identity answers "who," data security answers "what." And in an AI-driven environment, "what" matters just as much. Cyera is expanding beyond data discovery into identity context, data loss prevention, and what it calls agentic security. The goal is to sit at the control plane between data, identities, and AI execution, because if you cannot map sensitive data to the identities and agents that can access it, you cannot meaningfully govern AI at all. Identity without data context is blind, and data without identity context is just inventory. The companies that connect those two layers will define how AI is controlled inside the enterprise.

Here is what else is worth knowing today. Microsoft released a patch set with more than 200 vulnerabilities. The volume alone is a signal that discovery is accelerating faster than remediation capacity. Fortinet reports that cloud security teams are overwhelmed by tool sprawl and signal overload. The issue is no longer detection. It is deciding what to act on. Meta is doubling down on AI infrastructure capacity through a new data center partnership. Compute is becoming a constraint, not just a cost. New platforms are emerging that use AI agents to triage and even fix vulnerabilities. That shifts patching from backlog management toward real-time response. And startups are building context layers that map identities, permissions, and data relationships for AI systems. That suggests governance, not models, is becoming the limiting factor.
Before we close out, here is a quick look at where markets landed. Equities moved lower in the previous session, with both SPY and QQQ finishing down, pointing to a more cautious tone in tech and broader markets. The 10-year Treasury yield moved higher, continuing to push up borrowing costs. In commodities, oil climbed while gold pulled back, and Bitcoin also declined, reflecting a mixed but slightly risk-off posture across alternative assets.

Here is the takeaway. If you cannot map identities to data and enforce control within 72 hours, your security model is already outpaced by how systems are being exploited. Tomorrow we are watching how organizations operationalize three-day patch windows without breaking production systems. If this was useful, follow the Crestvale Newsroom Daily Podcast so you don't miss it. Thanks for listening.
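The episode's two identity points, that every AI agent is an identity whose access must be tracked and revocable, and that identity is only useful when joined to data context, can be demonstrated in code. The following is an added example, not code from the episode, from Crestvale, or from any vendor mentioned: it runs over a small constructed inventory (the identity, resource and entitlement records, their field names, and the fixed clock are all hypothetical) and answers the questions the episode says most teams cannot: which grants are stale and should be revoked, which kinds of identities can reach sensitive data, and which agents hold privileged access without an accountable owner.

```python
"""Identity-to-data mapping with AI agents treated as first-class identities.

Added example; the inventory below is constructed for illustration and the
record shapes are hypothetical, not any product's API or export format.
"""
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is deterministic.
NOW = datetime(2025, 6, 20, tzinfo=timezone.utc)

# Every principal that can act, human or not, is an identity.
IDENTITIES = [
    {"id": "alice",            "kind": "human",   "owner": "alice"},
    {"id": "svc-backup",       "kind": "service", "owner": "platform-team"},
    {"id": "agent-ticket-bot", "kind": "agent",   "owner": None},      # no accountable human
    {"id": "agent-hr-summary", "kind": "agent",   "owner": "hr-ops"},
]

# Resources carry a data classification; "sensitive" covers the kind of
# content the episode lists (tickets with credentials, HR records, integrations).
RESOURCES = {
    "itsm.incident":   {"classification": "internal"},
    "itsm.sys_user":   {"classification": "sensitive"},
    "hr.employee_pay": {"classification": "sensitive"},
    "kb.public":       {"classification": "public"},
}

# Entitlements join identity to resource, with the permission level and last use.
ENTITLEMENTS = [
    {"identity": "alice",            "resource": "itsm.incident",   "perm": "read",  "last_used": NOW - timedelta(days=1)},
    {"identity": "svc-backup",       "resource": "hr.employee_pay", "perm": "read",  "last_used": NOW - timedelta(days=120)},
    {"identity": "agent-ticket-bot", "resource": "itsm.incident",   "perm": "write", "last_used": NOW - timedelta(hours=2)},
    {"identity": "agent-ticket-bot", "resource": "itsm.sys_user",   "perm": "admin", "last_used": None},  # granted, never used
    {"identity": "agent-hr-summary", "resource": "hr.employee_pay", "perm": "read",  "last_used": NOW - timedelta(days=3)},
    {"identity": "agent-hr-summary", "resource": "kb.public",       "perm": "read",  "last_used": NOW - timedelta(days=3)},
]

PRIVILEGED = {"write", "admin"}


def stale_entitlements(now=NOW, max_idle_days=90):
    """Grants never used, or unused longer than max_idle_days: revoke candidates."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(
        (e["identity"], e["resource"])
        for e in ENTITLEMENTS
        if e["last_used"] is None or e["last_used"] < cutoff
    )


def sensitive_access_by_kind():
    """Map identity kind -> set of identities that can reach sensitive data."""
    kind_of = {i["id"]: i["kind"] for i in IDENTITIES}
    reach = {}
    for e in ENTITLEMENTS:
        if RESOURCES[e["resource"]]["classification"] == "sensitive":
            reach.setdefault(kind_of[e["identity"]], set()).add(e["identity"])
    return reach


def privileged_agent_grants():
    """Agents holding write/admin on sensitive resources: the 'privileged actors' risk."""
    kind_of = {i["id"]: i["kind"] for i in IDENTITIES}
    return sorted(
        (e["identity"], e["resource"], e["perm"])
        for e in ENTITLEMENTS
        if kind_of[e["identity"]] == "agent"
        and e["perm"] in PRIVILEGED
        and RESOURCES[e["resource"]]["classification"] == "sensitive"
    )


def ungoverned_agents():
    """Agents that can reach sensitive data but have no human owner on record."""
    reach = sensitive_access_by_kind().get("agent", set())
    return sorted(
        i["id"] for i in IDENTITIES
        if i["kind"] == "agent" and i["owner"] is None and i["id"] in reach
    )


if __name__ == "__main__":
    print("stale grants to revoke:", stale_entitlements())
    print("sensitive reach by kind:", sensitive_access_by_kind())
    print("privileged agent grants:", privileged_agent_grants())
    print("ungoverned agents:", ungoverned_agents())
```

The point of the join is visible in the output: the human identity never appears in the sensitive-reach report, while both agents do, and the unowned agent holds an admin grant on a sensitive table that it has never used. A real program would replace the inline lists with exports from the identity provider and the data classification inventory, and feed the stale-grant list into an automated revocation rather than a report.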