Security Incident Response – A Deeper Look [Plus a Demo Video!]

*Scroll to the bottom to watch a full ServiceNow Security Operations demo video*

Responding to a security incident takes time, due diligence, and intelligence from multiple tools.

A Few Numbers

According to a 2017 study by SANS, 50% of incident response teams reported an average dwell time of fewer than 24 hours. While that number may seem large, it is actually a drastic improvement from 2016…

…That being said, the average cost of a data breach is currently $3.62 million, according to Ponemon. How can decreasing response time and increasing visibility into security threats actually drive down the costs of a breach?

ServiceNow enables your organization to respond to incidents more quickly via its flexible integration and automation capabilities and gives every member of your security team the insights they need to contain a breach before it’s too late, putting millions of dollars in breach costs right back into your pocket.

Don’t believe me? Dive right into the heart of ServiceNow’s SecOps module with screenshots and details on the process of creating a security incident all the way through post-incident analytics.

1. 2017 data from SANS

Equipped with the CMDB and the other platform features you already rely on, SecOps in ServiceNow helps prioritize threats, automate remediation, perform analysis via threat intelligence, and report quantifiable data to your CISO. The journey through security operations is best visualized via the following diagram from ServiceNow:

2. ServiceNow Vision

Creating a Security Incident

There are many ways, both manual and automated, to create a security incident. Third-party integrations such as Splunk can not only enrich your incidents with critical data but also create security incidents when certain conditions are met. Here are a few ways a security incident can be created:

  • Manual creation
    • Security analysts can create from the security incident list view
    • Security analysts and/or end-users can create from the security incident catalog
    • Security analysts and/or ITIL users can create from an incident
    • Security analysts and/or ITIL users can create from the event management alert form view
    • Security analysts create from the vulnerability form view
  • Third-party alert monitoring tools, like Splunk, can trigger security incidents to be created
  • Automated alert rules can be configured to create from the event management module

Assigning a Security Ticket and Incident Analysis

How does ServiceNow Security Incident Response (SIR) assign an analyst to a ticket?

Assigning an analyst can be done a few different ways. As with incidents, SIR can be configured to require manual assignment. I really only see this approach as viable when there is a limited number of security analysts in an organization. Another route is workflow-based selection, which is needed for companies with a custom analyst selection process.

Finally – and this is where SIR really shines – you can configure automatic assignment via agent ratings, agent proximity to the affected CI’s location, time zones, skill-based selection, group coverage areas, or a combination of these. How does the equation for multiple selection criteria work?

[(Criteria_1 rating × Criteria_1 weight) + (Criteria_2 rating × Criteria_2 weight) + (Criteria_3 rating × Criteria_3 weight)] / Number of criteria types used
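To make the weighted-criteria formula concrete, here is an added example (not ServiceNow's own assignment code) that scores several candidate analysts against configured criteria weights and picks the highest; the criteria names, weights, rating scale and candidates are constructed, and an analyst missing a rating is assumed to score 0 for that criterion.

```python
# Added illustration of the assignment formula above, not ServiceNow code.
# Assumptions: ratings are on a 0..1 scale, weights express relative importance,
# and the denominator is the number of criteria configured in the rule.
from typing import Dict, Tuple


def assignment_score(ratings: Dict[str, float], weights: Dict[str, float]) -> float:
    """sum(rating x weight) over the configured criteria / number of criteria."""
    if not weights:
        return 0.0
    # A criterion the analyst has no rating for contributes 0 (assumption).
    total = sum(ratings.get(criterion, 0.0) * weight for criterion, weight in weights.items())
    return total / len(weights)


def pick_analyst(candidates: Dict[str, Dict[str, float]],
                 weights: Dict[str, float]) -> Tuple[str, float]:
    """Return (name, score) of the best-scoring candidate; ties break by name."""
    ranked = sorted(((assignment_score(r, weights), name) for name, r in candidates.items()),
                    key=lambda t: (-t[0], t[1]))
    score, name = ranked[0]
    return name, score


# Constructed sample: three analysts rated on three of the criteria the post lists.
WEIGHTS = {"agent_rating": 3.0, "proximity": 1.0, "skills": 2.0}
CANDIDATES = {
    "analyst_a": {"agent_rating": 0.9, "proximity": 0.2, "skills": 0.5},
    "analyst_b": {"agent_rating": 0.6, "proximity": 0.9, "skills": 0.9},
    "analyst_c": {"agent_rating": 0.7, "skills": 1.0},  # no proximity rating
}

if __name__ == "__main__":
    for name, ratings in CANDIDATES.items():
        print(f"{name}: {assignment_score(ratings, WEIGHTS):.3f}")
    print("assign to:", pick_analyst(CANDIDATES, WEIGHTS))
```

Note that a heavily weighted criterion (agent rating here) does not win on its own: analyst_b's strong proximity and skills ratings outscore analyst_a's higher rating once the weights are applied.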

Once an agent has been assigned, they begin their analysis, where they can review observables, scan for vulnerabilities, and trigger orchestration. For example, if an agent finds a strange pattern of communication to an IP address associated with Tor or to, they will flag it as an observable and associate it with the security incident. Any time an observable is added to a security incident, ServiceNow will automatically query for IoCs. You can also perform an IoC lookup on any attachments on the security incident.

Post-Incident Review and Reporting

Post-incident review is another important aspect of handling security incidents, and SecOps provides an excellent OOTB questionnaire. These questionnaires work like surveys within ServiceNow, so you can customize them to meet your organizational needs.

3. Post-Incident Review

During analysis of a security incident that has associated CIs, such as servers, you can trigger a vulnerability scan directly from the security incident form. Organizations with Palo Alto and Threat Intelligence can take it a step further with SNOW’s integration, which enriches security incident data via automated retrieval of firewall logs related to the incident.

Enter, stage right: On-Demand Orchestration.

Analysts are able to run really useful workflows such as gathering network statistics around a Windows node, retrieving a raw process dump, or listing running services, or just about any kind of custom workflow you can think of – all without ever having to leave SNOW.

Calculating severity is a critical part of security incident response. If an incident threatens two of your Windows servers, will you know which server to prioritize?

This is where SI calculators come in. If the affected CI is crucial to the delivery of a critical business service, the SI will be prioritized over the same threat affecting a local dev server. OOTB, calculator groups populate fields such as severity and business impact based on the conditions defined in their SI calculators.
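The following added example (not ServiceNow's implementation) models a calculator group as an ordered list of conditions that populate severity and business impact from the first matching rule; the field values, rule order, CI attributes and sample CIs are constructed, and "first match wins" is an assumption of the example.

```python
# Added model of an SI calculator group, not ServiceNow code. Assumptions:
# calculators are evaluated in order, the first matching condition sets the
# fields, and a catch-all rule sits last so every CI gets a value.
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class CI:
    name: str
    environment: str                                   # "prod" or "dev"
    critical_services: List[str] = field(default_factory=list)  # business services it delivers


@dataclass
class Calculator:
    """One rule: 'condition' is the test; the other fields are what it populates."""
    name: str
    condition: Callable[[CI], bool]
    severity: str
    business_impact: str


# Most specific rule first, catch-all last (constructed ordering and labels).
CALCULATOR_GROUP: List[Calculator] = [
    Calculator("critical service CI", lambda ci: bool(ci.critical_services), "1 - Critical", "High"),
    Calculator("production CI", lambda ci: ci.environment == "prod", "2 - High", "Medium"),
    Calculator("default", lambda ci: True, "3 - Moderate", "Low"),
]


def calculate(ci: CI, group: List[Calculator] = CALCULATOR_GROUP) -> Dict[str, str]:
    """Return the populated fields for this CI plus the rule that fired."""
    for calc in group:
        if calc.condition(ci):
            return {"severity": calc.severity, "business_impact": calc.business_impact, "rule": calc.name}
    raise ValueError("calculator group has no matching rule")


def prioritize(cis: List[CI]) -> List[str]:
    """Order affected CIs most severe first (severity labels sort lexically)."""
    return [ci.name for ci in sorted(cis, key=lambda c: calculate(c)["severity"])]


# Constructed sample: the same threat hitting a payments server and a dev box.
PAYMENTS = CI("web-pay-01", "prod", critical_services=["Online Payments"])
DEV_BOX = CI("dev-test-07", "dev")

if __name__ == "__main__":
    for ci in (PAYMENTS, DEV_BOX):
        print(ci.name, calculate(ci))
    print("work order:", prioritize([DEV_BOX, PAYMENTS]))
```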

4. SI Calculators

Depending on the maturity of your organization, you might have runbooks defined for handling the various types of security incidents. ServiceNow enables conditional display of runbooks, so your security analysts can follow one runbook for malware and another for phishing.

5. Runbook Configuration

One key feature many organizations desire around SecOps is demonstrable value. ServiceNow has some excellent out-of-the-box reports that give managers and executives the numbers they need.

6. Out-of-the-Box (OOTB) Reporting

So if you are looking to have better insight, quicker response times, and make the jobs of your security analysts more fulfilling, ServiceNow’s SecOps modules can help you achieve that. And this is only the tip of the iceberg. To wrap up, here is a more holistic view of the full suite around Security Operations and some screenshots to help you visualize.

  • Security Incident Response
    • Tracks the progress of security incidents from discovery and initial analysis, through containment, eradication, and recovery, and into the final post-incident review, knowledge base article creation, and closure.

7. Security Request Form

  • Vulnerability Response
    • The National Vulnerability Database (NVD) and many other sources collect information about known vulnerabilities, such as weaknesses in software, operating systems that can be exploited by malware, and other attacks. The ServiceNow® Vulnerability Response application aids you in tracking, prioritizing, and resolving these vulnerabilities.
  • Configuration Compliance
    • Configuration Compliance is a Secure Configuration Assessment (SCA) application that aggregates scan results from integrations with configuration scanning applications, such as Qualys Cloud Platform. You can prioritize configuration compliance issues using the Configuration Management Database (CMDB). Configuration Compliance tightly integrates with the IT change management process to remediate non-compliant configurations.
  • Threat Intelligence
    • Used to access and provide a point of reference for your company’s Structured Threat Information Expression (STIX™) data. Included in Threat Intelligence is the Security Case Management application, which provides a means for analyzing threats to your organization posed by targeted campaigns or state actors.

8. Security Incident Catalog

  • Trusted Security Circles
    • Allows you and other users to generate and receive community-sourced observables (in the form of IP addresses, hashes, domains, URLs, and so forth) with the goal of improving threat prioritization and to shorten the time to identify and remediate threats.
  • Security Operations integrations
    • Several integrations are included with Security Operations. ServiceNow also provides basic guidelines for developing your own integrations, as well as details on the specific integrations included in the base system.
  • Security Operations common functionality
    • Whenever any of the plugins for the main Security Operations applications (Security Incident Response, Vulnerability Response, Threat Intelligence, or Configuration Compliance) are activated, the Security Support Common plugin is activated. This plugin loads various modules that provide functionality that is common across all Security Operations applications.

Join Scott Lindsay Jr. as he walks through key features and processes in ServiceNow’s SecOps module.

Seen enough? Still have questions? Your security is too important to put on hold, talk to a ServiceNow expert today.
