Responding to security incidents and vulnerabilities is an ongoing process. For teams that are frequently both understaffed and overwhelmed by alerts, automation combined with orchestration can make them more efficient and responsive.
Your SecOps solution should bring in security and vulnerability data from your existing tools, using intelligent workflows, automation, and a deep connection with IT to streamline security response.
As part of ServiceNow’s Now Platform, Security Operations can leverage the ServiceNow Configuration Management Database (CMDB) to map threats, security incidents, and vulnerabilities to business services and IT infrastructure. This mapping enables prioritization and risk scoring based on business impact, ensuring your security teams are focused on what is most critical to your business. Working in a single platform makes handing off tasks to IT easy, and adds the benefits of visibility, service level agreement tracking, and live collaboration tools.
To help you visualize this cohesive platform, we’ve pulled six SecOps scenarios:
- Automating threat analysis
- Phishing response and remediation
- Responding to misconfigured software
- Addressing a high-profile vulnerability
- Managing routine vulnerability scan results
- Improving security visibility
Download your Use Case Guide here to read all six, or enjoy a quick excerpt below.
Scenario One: Automating Threat Analysis
Security incident triage and analysis are necessary steps in the response process: they weed out false positives and determine how best to contain and remediate an incident. A 2017 survey from SANS reported that the median time from detection to containment was 6 to 24 hours.
Most organizations already use threat intelligence feeds as part of their incident response process. Correlating that information automatically and leveraging threat enrichment from other security tools can dramatically reduce the time spent on analysis.
An organization using ServiceNow Security Operations receives an alert about a suspicious file from its Security Information and Event Manager (SIEM), which creates a new security incident. The creation of this incident kicks off several parallel workflows, which extract Indicator of Compromise (IoC) information, including the hash of the suspicious file and the originating IP address.
The first workflow performs IoC lookups against threat intelligence feeds the organization has connected to the Threat Intelligence application. In parallel, the IoCs can also be sent to other security tools for additional reputational data, including VirusTotal, Palo Alto Networks WildFire™, and more.
A second workflow uses Tanium Incident Response™ and Windows Management Instrumentation (WMI) to get the running processes and network statistics from the affected endpoint to see what activity may have been caused by the suspicious file. Another workflow performs a sightings search against the IoCs to see if there is a wider outbreak in the network.
All of the resulting data is reported back to ServiceNow Security Operations within seconds and is displayed in the security incident record. Now, a security analyst can view all of the data in one place and determine the next steps to take in the response process.
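The parallel enrichment described in this scenario, as an added illustration that is not ServiceNow's code: an alert is parsed for IoCs, the feed lookup, reputation lookup, endpoint triage and sightings search are fanned out concurrently, and the results are collected into one incident record with a priority an analyst can act on. Every SIEM alert, threat feed, reputation service and endpoint below is a constructed in-memory stand-in (the feed and service names such as feed-alpha and reputation-svc-1 are hypothetical), the file hash is derived from a fixed string rather than any real sample, and the priority rule is a simple assumed heuristic, not a product feature.

```python
import hashlib
import re
from concurrent.futures import ThreadPoolExecutor

# --- Constructed sample data: stand-ins for the SIEM, feeds, tools and endpoints ---
SAMPLE_HASH = hashlib.sha256(b"constructed-sample-file").hexdigest()  # not a real malware hash
SAMPLE_ALERT = (
    "Suspicious file quarantined on host WS-0417\n"
    f"sha256={SAMPLE_HASH} src_ip=198.51.100.23 user=jdoe\n"
)
# Threat intelligence feeds (hypothetical names): indicator -> verdict
THREAT_FEEDS = {
    "feed-alpha": {SAMPLE_HASH: "malicious"},
    "feed-beta": {"198.51.100.23": "suspicious"},
}
# Reputation services (stubs, not real APIs): name -> function returning (detections, engines)
REPUTATION_SERVICES = {
    "reputation-svc-1": lambda ioc: (42, 70) if ioc == SAMPLE_HASH else (0, 70),
    "reputation-svc-2": lambda ioc: (3, 10) if ioc == "198.51.100.23" else (0, 10),
}
# Endpoint telemetry (constructed): host -> (process name, image hash) and "ip:port" connections
ENDPOINTS = {
    "WS-0417": {"processes": [("explorer.exe", "deadbeef"), ("update.exe", SAMPLE_HASH)],
                "connections": ["198.51.100.23:443", "10.0.0.5:445"]},
    "WS-0912": {"processes": [("outlook.exe", "cafe0001"), ("update.exe", SAMPLE_HASH)],
                "connections": ["10.0.0.5:445"]},
    "SRV-001": {"processes": [("sqlservr.exe", "0badf00d")], "connections": []},
}

HASH_RE = re.compile(r"\b[0-9a-f]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"host (\S+)")


def extract_iocs(alert_text):
    """Pull the file hash(es), IP address(es) and affected host out of the alert text."""
    host_match = HOST_RE.search(alert_text)
    return {
        "hashes": sorted(set(HASH_RE.findall(alert_text))),
        "ips": sorted(set(IPV4_RE.findall(alert_text))),
        "host": host_match.group(1) if host_match else None,
    }


def feed_lookup(iocs):
    """Workflow 1a: match every IoC against each connected threat intelligence feed."""
    hits = []
    for feed, entries in THREAT_FEEDS.items():
        for ioc in iocs["hashes"] + iocs["ips"]:
            if ioc in entries:
                hits.append({"source": feed, "ioc": ioc, "verdict": entries[ioc]})
    return hits


def reputation_lookup(iocs):
    """Workflow 1b: ask each reputation service for detection counts on each IoC."""
    results = []
    for name, query in REPUTATION_SERVICES.items():
        for ioc in iocs["hashes"] + iocs["ips"]:
            detections, engines = query(ioc)
            if detections:
                results.append({"source": name, "ioc": ioc, "detections": f"{detections}/{engines}"})
    return results


def endpoint_triage(iocs):
    """Workflow 2: pull processes and connections from the affected endpoint and flag
    the ones that involve an IoC (the WMI / endpoint-agent step in the scenario)."""
    data = ENDPOINTS.get(iocs["host"], {"processes": [], "connections": []})
    return {
        "suspicious_processes": [p for p in data["processes"] if p[1] in iocs["hashes"]],
        "suspicious_connections": [c for c in data["connections"]
                                   if c.rsplit(":", 1)[0] in iocs["ips"]],
    }


def sightings_search(iocs):
    """Workflow 3: search all endpoint telemetry for the IoCs to gauge how far they spread."""
    seen = {}
    for host, data in ENDPOINTS.items():
        hashes = {h for _, h in data["processes"]}
        ips = {c.rsplit(":", 1)[0] for c in data["connections"]}
        for ioc in iocs["hashes"] + iocs["ips"]:
            if ioc in hashes or ioc in ips:
                seen.setdefault(ioc, []).append(host)
    return seen


def analyze_incident(alert_text):
    """Create the incident record, run the workflows in parallel, collect the enrichment,
    and derive a simple (assumed) priority from verdicts and spread."""
    iocs = extract_iocs(alert_text)
    workflows = {"feeds": feed_lookup, "reputation": reputation_lookup,
                 "endpoint": endpoint_triage, "sightings": sightings_search}
    with ThreadPoolExecutor(max_workers=len(workflows)) as pool:
        futures = {name: pool.submit(fn, iocs) for name, fn in workflows.items()}
        enrichment = {name: future.result() for name, future in futures.items()}
    malicious = any(hit["verdict"] == "malicious" for hit in enrichment["feeds"])
    spread = max((len(hosts) for hosts in enrichment["sightings"].values()), default=0)
    if malicious and spread > 1:
        priority = "critical"      # confirmed bad and already on more than one host
    elif malicious or enrichment["reputation"]:
        priority = "high"
    else:
        priority = "moderate"
    return {"iocs": iocs, "enrichment": enrichment, "priority": priority}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_incident(SAMPLE_ALERT), indent=2))
```

In a real deployment each workflow function would be replaced by a connector call (threat intelligence feed, reputation API, endpoint agent, telemetry search) and the record would be written to the incident rather than printed; the structure that matters is that the four lookups run concurrently and all land in one place before the analyst picks it up.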
Automation is just the beginning. Don’t stop there: get the complete Use Case Guide here.