In a world where cyber breaches dominate the headlines, cybersecurity is more important than ever. According to the Ponemon Institute and IBM, the average cost of a data breach in 2022 was $4.35 million USD, and it took an average of 277 days to identify and contain a breach. While a data breach can happen in many ways, the most common causes are phishing, email compromise, software vulnerabilities, compromised credentials, and insider threats.
What is ServiceNow SecOps?
Protecting data is easy with ServiceNow Security Operations (SecOps). This product includes proactive and reactive measures and a host of readily available third-party threat intelligence resources. Proactive measures include Vulnerability Response (VR) and Configuration Compliance. Reactive measures include Security Incident Response (SIR). ServiceNow SecOps seamlessly integrates with other security products and capabilities, such as security control tools.
Why ServiceNow SecOps?
- Provides a single source of truth and system of action to solve
- Integration between IT and Security teams for SIR/VR improves communication, raises visibility, and reduces resolution time
Why do we need SecOps?
- 60% of breaches are due to unpatched vulnerabilities
- Security tools/teams are in disconnected silos. E.g., IT, Security, Service Desk, and GRC
- Problems are compounded by various factors such as people, processes, partners, and technology
- Manual SecOps based on email, calls, texts, and spreadsheets
- It takes weeks to resolve or mitigate a security incident/vulnerability
Who benefits from the solution?
- Many individuals across the enterprise, including C-suite executives, end users, IT, security, service desk, GRC, HR, and legal teams.
What values does ServiceNow SecOps bring to the table?
- A single ServiceNow platform for all SecOps applications and integrations
- Automation & Orchestration to streamline the processes and save time for better accountability and SLAs
- Reducing SIR or VR time from weeks to hours
- IT, Security, Service Desk, and GRC teams working together seamlessly
- Rich dashboards and reporting for better governance and visibility
ServiceNow SecOps Use Cases
ServiceNow SecOps is a powerful tool with many capabilities. To see how ServiceNow SecOps could protect your company, we’ve outlined a few use cases (UCs) below.
UC #1: User Reported Security Incident — SIR Playbook
Vigilant users are an organization’s first line of defense! They can report oddities through the Security Incident Catalog, and a phishing email can be reported with a “Report Phishing” Outlook plugin such as Wombat. For each security incident category, the SIR playbook can be orchestrated to cover the entire incident response lifecycle (i.e., the NIST phases): Preparation; Detection & Analysis; Containment, Eradication & Recovery; and Post-Incident Activity.
UC #2: Infrastructure Vulnerability Response (IVR) and Application Vulnerability Response (AVR)
The scanner (Qualys, Tenable, or Rapid7) can be integrated with ServiceNow VR to scan the environment and create Vulnerable Items (VIs). IVR manages vulnerabilities on networked assets, including servers and network devices.
The scanner (Veracode or Fortify) can scan the environment and create Application Vulnerable Items (AVIs). AVR manages vulnerabilities in custom-developed applications or third-party software. By leveraging Software Asset Management, Software Exposure Assessment can be used to create AVIs and Remediation Tasks proactively.
Vulnerability Solution Management correlates your vulnerability exposure with Microsoft Security Response Center (MSRC) and Red Hat solutions for remediation activities and monitors their completion.
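To make the scanner-to-VI flow concrete, here is an added Python example; it is not ServiceNow’s code and does not use the platform’s tables or APIs, it only models the idea. It merges constructed findings from two scanners into one Vulnerable Item per asset and vulnerability, derives a remediation target date from an assumed per-severity SLA, and correlates the VIs with a constructed list of vendor solutions (stand-ins for MSRC and Red Hat advisories) so their completion can be tracked. Every asset name, CVE-style identifier, date, scanner name and solution ID is a placeholder.

```python
"""Toy scanner-to-Vulnerable-Item pipeline.

Added example, not ServiceNow code: normalizes findings from two constructed
scanner exports into one Vulnerable Item (VI) per (asset, vulnerability),
derives remediation targets from an assumed severity SLA, and correlates the
VIs with constructed vendor solutions so completion can be tracked.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed scanner exports; asset names, CVE-style IDs and dates are placeholders.
SCANNER_FINDINGS = [
    {"scanner": "scanner-A", "asset": "web01", "vuln_id": "CVE-0000-0001",
     "severity": "high", "first_seen": "2022-01-10"},
    {"scanner": "scanner-B", "asset": "web01", "vuln_id": "CVE-0000-0001",
     "severity": "critical", "first_seen": "2022-01-12"},
    {"scanner": "scanner-A", "asset": "db01", "vuln_id": "CVE-0000-0002",
     "severity": "high", "first_seen": "2022-01-11"},
    {"scanner": "scanner-B", "asset": "app02", "vuln_id": "CVE-0000-0003",
     "severity": "low", "first_seen": "2022-01-05"},
]

# Constructed vendor solutions standing in for MSRC / Red Hat advisories.
SOLUTIONS = [
    {"solution_id": "SOLUTION-PLACEHOLDER-1", "fixes": ["CVE-0000-0001", "CVE-0000-0002"]},
    {"solution_id": "SOLUTION-PLACEHOLDER-2", "fixes": ["CVE-0000-0003"]},
]

# Days allowed to remediate, per severity (assumed policy, not a platform default).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class VulnerableItem:
    asset: str
    vuln_id: str
    severity: str
    first_seen: date
    sources: set = field(default_factory=set)
    state: str = "open"

    @property
    def remediation_target(self) -> date:
        """Target date is the earliest detection plus the SLA for the worst rating."""
        return self.first_seen + timedelta(days=SLA_DAYS[self.severity])


def ingest(findings):
    """Merge raw findings into one VI per (asset, vuln_id).

    The same exposure seen by two scanners becomes a single VI that records
    both sources, the earliest first_seen, and the most severe rating.
    """
    items = {}
    for f in findings:
        key = (f["asset"], f["vuln_id"])
        seen = date.fromisoformat(f["first_seen"])
        vi = items.get(key)
        if vi is None:
            vi = VulnerableItem(f["asset"], f["vuln_id"], f["severity"], seen)
            items[key] = vi
        else:
            vi.first_seen = min(vi.first_seen, seen)
            if SLA_DAYS[f["severity"]] < SLA_DAYS[vi.severity]:
                vi.severity = f["severity"]
        vi.sources.add(f["scanner"])
    return items


def solution_coverage(items, solutions):
    """For each solution, the open VIs it would remediate, as 'asset:vuln_id' strings."""
    coverage = {}
    for s in solutions:
        coverage[s["solution_id"]] = sorted(
            f"{vi.asset}:{vi.vuln_id}"
            for vi in items.values()
            if vi.state == "open" and vi.vuln_id in s["fixes"]
        )
    return coverage


def solution_completion(items, solutions):
    """Fraction of each solution's VIs that are closed (1.0 = fully applied)."""
    completion = {}
    for s in solutions:
        vis = [vi for vi in items.values() if vi.vuln_id in s["fixes"]]
        closed = sum(1 for vi in vis if vi.state == "closed")
        completion[s["solution_id"]] = closed / len(vis) if vis else 1.0
    return completion


def overdue(items, today_iso):
    """Open VIs whose remediation target has passed as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    return sorted(
        f"{vi.asset}:{vi.vuln_id}"
        for vi in items.values()
        if vi.state == "open" and vi.remediation_target < today
    )


if __name__ == "__main__":
    vis = ingest(SCANNER_FINDINGS)
    for vi in vis.values():
        print(vi.asset, vi.vuln_id, vi.severity, sorted(vi.sources), vi.remediation_target)
    print("overdue on 2022-02-01:", overdue(vis, "2022-02-01"))
    print("coverage:", solution_coverage(vis, SOLUTIONS))
```

The point of the merge step is that two scanners reporting the same CVE on the same host should produce one work item, not two; the solution correlation then lets a remediation team see which single patch closes several VIs and how far along it is.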
UC #3: Automation and Orchestration
Threat Intelligence (TI): relevant TI data can be imported directly into SIR and VR records as enrichment, so security analysts can make decisions without manual lookups and focus their attention on understanding the depth of the security incident.
Sighting Search: searches various SIEMs or other log stores for instances of observables to determine whether malicious IOCs are present in your environment.
Incident Enrichment: enriches configuration items (CIs) or observables with additional information from different sources during SIR investigations.
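The sighting search can be illustrated with an added Python example that is not ServiceNow’s code and does not use its APIs: it extracts IP-, domain- and SHA-256-shaped tokens from constructed log lines held in two stand-in log stores, matches them against a constructed observable list, and summarizes each hit by host, store and first/last seen. The observable values (a TEST-NET-3 address, a reserved example domain, the SHA-256 of the empty string), the store names and every log line are constructed for the example.

```python
"""Sighting search over log lines.

Added example, not ServiceNow code: extracts IOC-shaped tokens from
constructed log lines held in two stand-in log stores, matches them against
a constructed observable list, and summarizes each sighting by host, store
and first/last seen timestamp.
"""
import re

# Constructed observables; none refer to real infrastructure.
OBSERVABLES = {
    "ip": {"203.0.113.45"},                # TEST-NET-3 address
    "domain": {"bad.example.net"},         # reserved example domain
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},  # SHA-256 of ""
}

# Constructed log lines from two stand-in log stores (a web proxy and an EDR).
LOG_STORES = {
    "proxy": [
        "2022-03-01T10:15:02Z host=ws-17 action=allow dst=bad.example.net url=/update.bin",
        "2022-03-01T10:15:09Z host=ws-17 action=allow dst=cdn.example.org url=/index.html",
    ],
    "edr": [
        "2022-03-01T10:16:30Z host=ws-17 event=process_start "
        "sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
        "2022-03-01T11:02:11Z host=srv-02 event=net_conn dst_ip=203.0.113.45 dst_port=443",
        "2022-03-02T08:00:00Z host=srv-09 event=net_conn dst_ip=198.51.100.7 dst_port=80",
    ],
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
HOST_RE = re.compile(r"\bhost=(\S+)")


def extract_candidates(line):
    """Yield (type, value) for every token shaped like an IP, domain or SHA-256.

    Values are lower-cased so that case differences between log sources and
    the observable list do not hide a sighting. Candidates are deliberately
    broad (e.g. 'update.bin' looks like a domain); matching against the
    observable list is what turns a candidate into a sighting.
    """
    for ip in IP_RE.findall(line):
        yield "ip", ip
    for dom in DOMAIN_RE.findall(line):
        yield "domain", dom.lower()
    for digest in SHA256_RE.findall(line):
        yield "sha256", digest.lower()


def sighting_search(observables, log_stores):
    """Return one sighting record per (line, observable) match across all stores."""
    sightings = []
    for store, lines in log_stores.items():
        for line in lines:
            timestamp = line.split(" ", 1)[0]
            host_match = HOST_RE.search(line)
            host = host_match.group(1) if host_match else None
            for kind, value in sorted(set(extract_candidates(line))):
                if value in observables.get(kind, ()):
                    sightings.append({"type": kind, "value": value, "store": store,
                                      "host": host, "timestamp": timestamp})
    return sightings


def summarize(sightings):
    """Per observable: hit count, hosts and stores involved, first and last seen."""
    summary = {}
    for s in sightings:
        entry = summary.setdefault(s["value"], {
            "type": s["type"], "count": 0, "hosts": set(), "stores": set(),
            "first_seen": s["timestamp"], "last_seen": s["timestamp"],
        })
        entry["count"] += 1
        entry["hosts"].add(s["host"])
        entry["stores"].add(s["store"])
        entry["first_seen"] = min(entry["first_seen"], s["timestamp"])
        entry["last_seen"] = max(entry["last_seen"], s["timestamp"])
    return summary


if __name__ == "__main__":
    for value, info in summarize(sighting_search(OBSERVABLES, LOG_STORES)).items():
        print(value, info["type"], info["count"], sorted(info["hosts"]), info["first_seen"])
```

The summary is what an analyst wants from a sighting search: not just “the IOC was seen” but on how many hosts, from which sources, and over what window, which is what decides whether the incident is contained to one workstation or already spread.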
- Get Network Statistics: Retrieves active network connections from an endpoint/host
- Get Running Processes: Retrieves running processes from an endpoint/host
Containment/Eradication:
- Block/unblock observables on the firewall, web proxy, or other control points
- Isolate endpoints or hosts associated with a security incident
- Search an email server and delete emails from the server
UC #4: SIR/VR Reporting and Analytics
ServiceNow SecOps provides rich dashboards, analytics, and reporting for different personas such as the CIO/CISO, security managers, and analysts. Additional out-of-the-box or customized reports and analytics are available, and what each persona can see is governed by access controls.
- Security Operations Efficiency Dashboards
  - Analysis Efficiency – how many open or closed incidents per analyst?
  - Detection and Response Effectiveness – false/true positive security incidents, backlog/closed security incident analysis
  - Security Incident Stage Analysis – how many are in the Draft/Analysis/…/Review stages?
- Security Incident Explorer
  - Security Incident Closure by Priority
  - Security Incident by Attack Category
  - Security Incident Map – provides incident location worldwide
- Vulnerability Management Dashboards
  - Vulnerable Items by Remediation Target Status
  - Deferred Vulnerable Items Expiring This Week
  - Vulnerable Items by Age
If you are interested in learning more about our ServiceNow practice and our ServiceNow SecOps capabilities, reach out!