Extending Service Management to Security Operations and Incident Response

You’re the CISO of a large organization. You’re barely into your first cup of coffee and you get a frantic phone call from a tech in your security operations (SecOps) department. Your company is under attack!

To make matters worse, this is no ordinary attack. Hackers seem to be coming after multiple systems at once, using a variety of attack techniques.

And then the tech lets the big bomb drop. This attack has been going on under your nose for days – and the hackers have already exfiltrated unknown millions of sensitive customer records: Social Security numbers, credit card numbers, the lot. Gone.

What do you do next? Your vulnerability response team has to shut down the attack and fast. You also have to analyze and remediate the damage. Don’t forget to call the CEO and the PR team for damage control. And what about law enforcement? Should you bring in the FBI?

The Nightmare of Incident Response

The scenario above indicates just how traumatic and chaotic responding to a cybersecurity incident can be. No one likes to think about the complexities of incident response (IR) – and as a result, IR planning is often sketchy, IR processes tend to be manual, remediation is an afterthought, and rehearsals? Who has time for those?

The sad reality is that for most organizations, existing IR processes are woefully inadequate. Sure, standards bodies like NIST and SANS provide standard incident response processes, but for most organizations, following them is an infrequent, manual activity.

At the center of IR is the vulnerability response itself, which typically falls to the SecOps team. However, SecOps is dependent upon IT to get work done, as IT deploys all the technology. Unfortunately, the interactions between SecOps and IT are typically inefficient, and when an unusual event occurs, any response can be error prone and fraught with delays and confusion.

Vulnerability response, however, isn’t the whole IR story, as groups beyond SecOps must participate in IR. Executive management has its role to play, as the public- (and shareholder-) facing voice of the company.

Someone must be in charge of interacting with law enforcement, a task that involves the chief compliance officer and chief counsel. And of course, PR must be kept in the loop, as they will lead the damage control efforts with the press and customers.

Ideally, this complex interplay of individuals should follow a carefully written and rehearsed script – but even when such an IR plan exists, people rarely pay attention to it until the need is urgent, only to find that it’s out of date.

ServiceNow: Incident Response as a Service Management Challenge

To address these issues of vulnerability and incident response, service management vendor ServiceNow is extending its platform with a new Security Operations offering that consists of two new applications: Security Incident Response and Vulnerability Response.

ServiceNow is already well-known for its cloud-based service management, including IT and business service management as well as application development workflow support. ServiceNow is extending this support to the SecOps and vulnerability response teams.

Before ServiceNow, there was no central location to coordinate IR. Several groups and individuals were involved, leading to confusion, errors, and delays in the remediation of any breach. ServiceNow is able to leverage its platform’s strengths to address these challenges.

ServiceNow built its new SecOps capabilities on the ServiceNow platform, which many IT organizations have already put in place to deal with general service management workflows. Now, ServiceNow extends those capabilities to the SecOps team, as well as the overall IR effort.

The platform’s cloud-based workflows help orchestrate the security team’s efforts so that they can be productive and efficient. ServiceNow also provides a single source of truth to the team, as the platform can ingest security alerts from security information and event management (SIEM) products, either directly or based on the action of a rules engine.

With its ability to visualize such data over time, ServiceNow helps security personnel understand the organization’s overall security posture – what vulnerabilities have been addressed as well as which ones still exist.

By extending ServiceNow’s existing cloud-based workflow and automation software to incident and vulnerability response, organizations can rework inefficient, manual processes, which often depend upon emails, phone calls, or spreadsheets. Instead, workflows structure and automate IR, reducing the time from discovery of a breach to its remediation.

ServiceNow is also able to correlate vulnerability alerts with their corresponding business value, thus providing a dynamic triage capability to SecOps and IR teams. For example, if an executive’s laptop is the target, remediation may take a higher priority than a less important laptop might require. Such triage capability is also important when attackers are mounting more than one attack at a time, and is absolutely critical when the attack pattern includes a diversion.
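As an added example (not ServiceNow’s code), the following Python sketches the business-value-weighted triage the paragraph describes: each alert is scored by its SIEM severity times the criticality of the targeted asset, so a single medium-severity alert on an executive’s laptop outranks a noisy diversion against low-value kiosks. The asset inventory, alert records and scoring rule are all constructed assumptions.

```python
"""Risk-based alert triage: severity weighted by business criticality.

Added illustration, not ServiceNow code. The inventory, alerts and the
scoring rule below are constructed assumptions for this example.
"""
from dataclasses import dataclass

# Constructed asset inventory: hostname -> business criticality (1 = low, 5 = critical).
ASSET_CRITICALITY = {
    "cfo-laptop": 5,
    "payments-db": 5,
    "kiosk-01": 1,
    "kiosk-02": 1,
    "kiosk-03": 1,
    "dev-vm-7": 2,
}


@dataclass(frozen=True)
class Alert:
    alert_id: str
    host: str
    severity: int  # 1 (informational) .. 10 (critical), as reported by the SIEM


def risk_score(alert: Alert, criticality=ASSET_CRITICALITY) -> int:
    """Weight raw severity by the business value of the targeted asset.
    Hosts missing from the inventory get a middling weight rather than being dropped."""
    return alert.severity * criticality.get(alert.host, 3)


def triage(alerts, criticality=ASSET_CRITICALITY):
    """Order alerts for remediation: highest business risk first, ties broken by
    raw severity, then by alert id so the worklist is stable between runs."""
    return sorted(alerts, key=lambda a: (-risk_score(a, criticality), -a.severity, a.alert_id))


# Constructed sample: three high-severity alerts on throwaway kiosks (the diversion)
# would top a severity-only list and bury the medium-severity hit on the CFO's laptop.
SAMPLE_ALERTS = [
    Alert("A-101", "kiosk-01", 9),
    Alert("A-102", "kiosk-02", 9),
    Alert("A-103", "kiosk-03", 9),
    Alert("A-104", "dev-vm-7", 7),
    Alert("A-105", "cfo-laptop", 4),
    Alert("A-106", "payments-db", 2),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        print(f"{a.alert_id:6} {a.host:12} severity={a.severity:2} risk={risk_score(a):3}")
```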

ServiceNow also helps with the onerous task of incident reporting. Nobody wants to write such reports, of course – which means such reports are often incomplete, delayed, or skipped altogether. To assist with this report writing, ServiceNow is able to automatically generate reports by persona – so everyone has the information they need when they need it.

The Intellyx Take: Choreographing the IR Dance

The sad truth is that incidents – cybersecurity or otherwise – are far too common in today’s organizations. Vulnerability and incident response processes and procedures, however, haven’t kept up with the diverse and complex needs of today’s enterprises.

Even though CISOs may own several security products, they still don’t know how secure their organization is, or whether the situation is getting better or worse – in other words, they don’t have a grasp on their security posture. Meanwhile, attacks continually target critical business services and infrastructure. Manual IR processes leveraging rudimentary tools simply don’t rise to today’s cybersecurity challenges.

To address these challenges, ServiceNow Security Operations provides a single platform for managing security incidents and vulnerabilities by extending the workflow, automation, orchestration, and systems management capabilities of the core ServiceNow platform to security operations and IR teams. In essence, ServiceNow automates manual processes, freeing IT and security teams to work together to address critical issues.

Furthermore, CISOs and their teams are now able to gain greater visibility into current security issues with ServiceNow’s role-based dashboards, including an executive dashboard showing all incidents for faster decision making. As a result, security teams are now able to prioritize security risks by business criticality, allowing them to work on the most important issues first.

ServiceNow’s capabilities, therefore, are both well-timed and powerful. The various participants in the extended incident response can now breathe a bit easier knowing that should an incident occur, they have a single place to turn for the information they require to complete their part of the response.

ServiceNow is an Intellyx client. At the time of writing, no other organizations mentioned in this article are Intellyx clients. Intellyx retains full editorial control over the content of this article. Image credit: DVIDSHUB.
