In a world where cyber breaches dominate the headlines, cybersecurity is more important than ever. According to the Ponemon Institute and IBM, the average cost of a data breach in 2022 was $4.35 million USD, and it took an average of 277 days to identify and contain a breach. While a data breach can happen in many ways, the most common causes are phishing, business email compromise, software vulnerabilities, compromised credentials, and insider threats.


What is ServiceNow SecOps?


ServiceNow Security Operations (SecOps) brings proactive and reactive security workflows onto the ServiceNow platform, together with a host of readily available third-party threat intelligence integrations. Proactive measures include Vulnerability Response (VR) and Configuration Compliance; reactive measures include Security Incident Response (SIR). SecOps also integrates with the security controls an organization already runs, such as firewalls, web proxies, endpoint agents, and SIEMs, so that enrichment and containment actions can be driven from the incident record.


Why ServiceNow SecOps?

Provides a single source of truth and system of action to solve
Integration between IT and Security teams for SIR/VR improves communication, raises visibility, and reduces resolution time

Why do we need SecOps?

About 60% of breaches are attributed to unpatched known vulnerabilities
Security tools and teams (IT, Security, Service Desk, GRC) sit in disconnected silos
Problems are compounded by people, process, partner, and technology factors
SecOps is handled manually over email, calls, texts, and spreadsheets
Resolving or mitigating a security incident or vulnerability takes weeks

Who benefits from the solution?

Many individuals across the enterprise, including C-suite executives, end users, IT, security, service desk, GRC, HR, and legal teams.

What values does ServiceNow SecOps bring to the table?

A single ServiceNow platform for all SecOps applications and integrations
Automation and orchestration that streamline processes, saving analyst time and improving accountability and SLA adherence
Reducing SIR and VR resolution time from weeks to hours
IT, Security, Service Desk, and GRC teams working together seamlessly
Rich dashboards and reporting for better governance and visibility

ServiceNow SecOps Use Cases

ServiceNow SecOps is a powerful tool with many capabilities. To see how ServiceNow SecOps could protect your company, we’ve outlined a few use cases (UCs) below.

UC #1: User Reported Security Incident — SIR Playbook

Vigilant users are an organization’s first line of defense! They can report anything suspicious through the Security Incident Catalog, and a phishing email can be reported with the “Report Phishing” Outlook plugin (Wombat). For each security incident category, a SIR playbook can be orchestrated that covers the entire incident response lifecycle as defined by NIST (SP 800-61): Preparation; Detection and Analysis; Containment, Eradication and Recovery; and Post-Incident Activity.

UC #2: Infrastructure Vulnerability Response (IVR) and Application Vulnerability Response (AVR)

An infrastructure scanner (Qualys, Tenable, or Rapid7) is integrated with ServiceNow VR: scan results are imported and create Vulnerable Items (VIs), one per detected vulnerability on each affected configuration item (CI). IVR manages vulnerabilities on networked assets such as servers and network devices.

An application scanner (Veracode or Fortify) scans the application estate and creates Application Vulnerable Items (AVIs). AVR manages vulnerabilities in custom-developed applications and third-party software. By leveraging Software Asset Management, Software Exposure Assessment can proactively create AVIs and Remediation Tasks for installed software that is affected by a known vulnerability, before a scanner has confirmed it.

Vulnerability Solution Management correlates your vulnerability exposure with Microsoft Security Response Center (MSRC) and Red Hat solutions for remediation activities and monitors their completion.
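As an added example that is not part of the original article or of ServiceNow’s own code, the following Python models what a VR scanner integration has to do with imported findings before anything can be assigned: collapse overlapping Qualys/Tenable/Rapid7 results into one Vulnerable Item per (host, CVE), start the SLA clock at the earliest detection rather than the latest import, keep the highest severity any scanner reported, and bucket the items the way a “Vulnerable Items by Remediation Target Status” view would. The scanner export, hostnames, per-host severities and the `SLA_DAYS` policy are constructed for illustration and are not ServiceNow field names or defaults.

```python
"""Constructed example: normalise raw scanner findings into deduplicated
Vulnerable Items (VIs) with severity-based remediation targets.
All findings, hosts and SLA values below are made up for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical remediation SLA policy: days allowed per severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEV_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed scanner export. Two scanners report the same finding on web01,
# and two scanners disagree on severity for db02.
FINDINGS = [
    {"scanner": "Qualys",  "host": "web01", "cve": "CVE-2021-44228", "severity": "critical", "first_seen": "2023-01-10"},
    {"scanner": "Tenable", "host": "web01", "cve": "CVE-2021-44228", "severity": "critical", "first_seen": "2023-01-12"},
    {"scanner": "Qualys",  "host": "db02",  "cve": "CVE-2022-0778",  "severity": "high",     "first_seen": "2023-02-01"},
    {"scanner": "Rapid7",  "host": "db02",  "cve": "CVE-2022-0778",  "severity": "medium",   "first_seen": "2023-02-03"},
    {"scanner": "Tenable", "host": "app03", "cve": "CVE-2023-0286",  "severity": "low",      "first_seen": "2023-02-20"},
]


@dataclass
class VulnerableItem:
    host: str
    cve: str
    severity: str
    first_seen: date
    sources: set = field(default_factory=set)  # which scanners reported it

    @property
    def remediation_target(self) -> date:
        """Due date derived from first detection, not from the latest import."""
        return self.first_seen + timedelta(days=SLA_DAYS[self.severity])


def build_vulnerable_items(findings):
    """One VI per (host, CVE). Earliest first_seen wins so the SLA clock is
    not reset by a second scanner; highest reported severity wins."""
    items = {}
    for f in findings:
        key = (f["host"], f["cve"])
        seen = date.fromisoformat(f["first_seen"])
        vi = items.get(key)
        if vi is None:
            vi = items[key] = VulnerableItem(f["host"], f["cve"], f["severity"], seen)
        else:
            vi.first_seen = min(vi.first_seen, seen)
            if SEV_RANK[f["severity"]] > SEV_RANK[vi.severity]:
                vi.severity = f["severity"]
        vi.sources.add(f["scanner"])
    return items


def remediation_status(items, today_iso):
    """Bucket VIs by remediation target: overdue, due within 7 days, on track."""
    today = date.fromisoformat(today_iso)
    status = {"overdue": [], "due_this_week": [], "on_track": []}
    for vi in items.values():
        days_left = (vi.remediation_target - today).days
        if days_left < 0:
            status["overdue"].append(vi)
        elif days_left <= 7:
            status["due_this_week"].append(vi)
        else:
            status["on_track"].append(vi)
    return status


if __name__ == "__main__":
    vis = build_vulnerable_items(FINDINGS)
    for vi in vis.values():
        print(vi.host, vi.cve, vi.severity, vi.remediation_target, sorted(vi.sources))
    buckets = remediation_status(vis, "2023-02-25")
    print({name: len(v) for name, v in buckets.items()})
```

The deduplication key is the same pairing ServiceNow uses for a VI (vulnerability plus CI); in a real integration the CI would be matched through the CMDB rather than by hostname string, and the remediation target would come from the configured remediation target rules instead of a hard-coded table.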

UC #3: Automation and Orchestration

Threat Intelligence (TI): relevant TI data can be imported directly into SIR and VR records to enrich them, so analysts can make decisions without manual lookups and spend their attention on understanding the depth of the security incident.

Sighting Search: searches SIEMs or other log stores for instances of the incident’s observables to determine whether malicious IOCs are present in your environment.

Incident Enrichment: enriches configuration items (CIs) or observables with additional information from different sources during SIR investigations.
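To make the Sighting Search and Incident Enrichment steps above concrete, here is an added Python example (not code from the article or from ServiceNow) of a minimal sighting search: observables are normalised first, including the defanged forms analysts paste into tickets (`hxxp://`, `[.]`), a URL observable also yields its hostname as an indicator, and each log store is then searched case-insensitively, returning which sources saw which observable. The observables, log lines and source names are constructed; a real implementation would issue these queries to the SIEM’s API rather than scan strings in memory.

```python
"""Constructed example: a minimal sighting search over several log stores.
Observables, log lines and source names are made up for illustration."""
import re
from collections import defaultdict

# Constructed observables, as an analyst might paste them (two are defanged).
OBSERVABLES = [
    "hxxp://evil-cdn[.]example/payload.bin",
    "198.51.100.23",
    "d41d8cd98f00b204e9800998ecf8427e",
    "Evil-CDN.Example",
]

# Constructed log lines from three hypothetical log stores.
LOGS = {
    "proxy": [
        "2023-03-01T10:02:11Z user=alice dst=evil-cdn.example url=http://evil-cdn.example/payload.bin status=200",
        "2023-03-01T10:05:40Z user=bob dst=intranet.corp url=http://intranet.corp/ status=200",
    ],
    "firewall": [
        "2023-03-01T10:02:12Z action=allow src=10.0.0.5 dst=198.51.100.23 dport=443",
        "2023-03-01T10:09:00Z action=deny src=10.0.0.7 dst=203.0.113.9 dport=22",
    ],
    "edr": [
        "2023-03-01T10:03:00Z host=ws-042 event=file_write md5=D41D8CD98F00B204E9800998ECF8427E path=C:\\Users\\alice\\payload.bin",
    ],
}


def refang(value):
    """Undo common defanging so 'hxxp://x[.]y' matches what logs actually contain."""
    v = value.strip().lower()
    v = re.sub(r"^hxxp", "http", v)            # hxxp:// and hxxps://
    v = v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return v


def expand(value):
    """Indicators to match for one observable: the refanged value itself,
    plus the hostname when the observable is a URL."""
    v = refang(value)
    indicators = {v}
    m = re.match(r"^https?://([^/]+)", v)
    if m:
        indicators.add(m.group(1))
    return indicators


def sighting_search(observables, logs):
    """Return {observable: {source: [matching log lines]}}.
    Every observable appears in the result, with an empty dict if unseen."""
    sightings = {obs: defaultdict(list) for obs in observables}
    for obs in observables:
        indicators = expand(obs)
        for source, lines in logs.items():
            for line in lines:
                low = line.lower()
                if any(ind in low for ind in indicators):
                    sightings[obs][source].append(line)
    return {obs: dict(hits) for obs, hits in sightings.items()}


if __name__ == "__main__":
    for obs, hits in sighting_search(OBSERVABLES, LOGS).items():
        print(obs, {src: len(lines) for src, lines in hits.items()})
```

Note the two things that most often make a naive search miss a real sighting: defanged observables that never match raw logs, and hash or hostname case differing between the ticket and the log source. Both are handled in `refang` and by lower-casing before comparison.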

Get Network Statistics: Retrieves active network connections from an endpoint/host
Get Running Processes: Retrieves running processes from an endpoint/host

Containment/Eradication:

Block/unblock observables on the firewall, web proxy, or other control points
Isolate endpoints or hosts associated with a security incident
Search a mail server for matching messages (for example, a reported phishing email) and delete them


UC #4: SIR/VR Reporting and Analytics

ServiceNow SecOps provides rich dashboards, analytics, and reporting for different personas such as the CIO/CISO, security managers, and analysts. Additional out-of-the-box and custom reports and analytics are available, and what each persona can see is governed by the platform’s access controls.

Security Operations Efficiency Dashboards

Analysis Efficiency – how many open or closed incidents per analyst?
Detection and Response Effectiveness – false/true positive security incidents, backlog/closed security incident analysis
Security incident Stage Analysis – how many are in the Draft/Analysis/…/Review stages?

Security Incident Explorer 

Security Incident Closure by Priority
Security Incident by Attack Category
Security Incident Map – provides incident location worldwide

Vulnerability Management Dashboards 

Vulnerable Items by Remediation Target Status
Deferred Vulnerable Items Expiring this week
Vulnerable Item by Age


If you are interested in learning more about our ServiceNow practice and our ServiceNow SecOps capabilities, reach out!