ServiceNow’s Model on Streamlining Security Incident and Response

Editor’s note: The following article has excerpts from ServiceNow’s white paper, “Streamlining Security Incident and Vulnerability Response”. You can access the security operations full document here.

The fundamental question for security is “are we secure, and are things getting better or worse?” The tough break is that there is no simple answer, and organizations even struggle with baseline metrics for their security posture. Without the ability to track over time, companies also lack the ability to strengthen infrastructure and improve their response time.

A recent CSO study revealed that the average enterprise uses 75 security products. Security admins must manually sift through hundreds or thousands of alerts each day, making it difficult (or even impossible) to determine which events are most important. Due to this flood of information, it now takes approximately 201 days for an enterprise to discover a breach.

So, with lack of data tracking, data breaches on the rise, and detection time measured in months- reducing response times is critical. How do you even start such a project? Security incident identification and remediation are daunting challenges for any security teams; manual processes, multiple cross-team hand-offs, and the proliferation of security tools hinder a team’s ability to quickly assess and remediate vulnerabilities and attacks. A roadmap and defined goals are crucial as you take the first steps along the security checklist

Information Security Challenges

The biggest obstacles to achieving “incident response excellence” are security and IT tool integration and coordinating an incident response, according to a study from the Enterprise Strategy Group. Without automated and integrated solutions, security teams are forced to communicate with IT via email, phone, and complicated spreadsheets. Even if analysts can identify an imminent threat, they may not know whom to contact on another team for remediation.

Relying on incident manual processes inevitably leads to a lowered security posture for the organization and could result in an eventual breach or compromise. Choosing an effective security operations solution is essential for combatting these ever-increasing security challenges.

Evaluating a Security Operations Solution

The right security response platform will make remediation exports more efficient, streamline response processes, and provide the ability to visualize the enterprise’s
security posture.

To accomplish these goals, it must be able to:

  • Pull data from multiple sources into a single system Prioritize incident workload
  • Understand the business criticality of all enterprise assets
  • Route information to the appropriate teams and people
  • Enable IT and security teams to work from the same system
  • Automate all basic tasks and processes
  • Provide intuitive, visual dashboards that reflect current security posture

Unfortunately, very few of today’s security operations solutions can provide all of this essential functionality.

ServiceNow Security Operations

ServiceNow Security Operations meet 
the requirements of the ideal security incident and vulnerability response solution.

It extends the advanced workflow and systems management capabilities of the core ServiceNow platform to give security teams a single solution for managing and understanding
the security posture of all critical business services and IT infrastructure. Security Operations helps organizations streamline remediation, accelerate responsiveness, and increase the overall accuracy of incident handling by leveraging collaboration functionality built into the platform.

Security Operations uses the ServiceNow Configuration Management Database (CMDB) to map security incidents and vulnerabilities to business services and IT infrastructure.
This mapping enables threat prioritization based on business impact, ensuring that security teams are able to focus on the most critical events first. In addition, a service level
view of all security incidents supports a more coordinated response that minimizes change requests and downtime and effectively remediates all open threats.

Security Operations Use Case: Investigating a SIEM Alert

An enterprise has linked its Security Information and Event Management (SIEM) system to ServiceNow Security Operations and has determined which alerts will be automatically imported into the solution. (The set-up process in this example was easy because Security Operations provides built-in integration with Splunk.)

Align Workflows to Your Security Runbook

Security Operations uses pre-defined workflows to ensure that the security runbook is always followed. Overall incident response processes follow National Institute of Standards and Technology (NIST) best practices but can be customized to follow the organization’s security runbook. Workflows can be customized for each type of incident or affected resource. In this example, the workflow involves a potential breach of sensitive personal information, so legal, human resources, and law enforcement contacts are included, ensuring that all required groups are consulted and decisions documented.

Search for Indicators of Compromise

Next, the security analyst searches for any Indicators of Compromise (IoCs). Data from Splunk showed a suspicious executable file, and the security analyst pastes the file name into the IoC search field. The system searches against threat intelligence feeds (Security Operations supports both STIX and TAXII standards), and the results show that the file is related to TorrentLocker. Clicking on this information tells the security analyst more about the threat: it is a type of ransomware. The analyst now has the necessary information to remediate the threat—much faster than using manual research and correlation methods.

Need more convincing? We have the proof. Security is too important not to get right, which is why we want to give you everything you need. Download the complete, free, ServiceNow Security Operations whitepaper. Along with additional use cases and examples, use the graphs and images as the proof you need to reevaluate your Security Operations. With the right tools, you can track your incidents, reduce your response time, and plan for the future. Let us help you, and let’s get started.

Continue Reading