Streamline Security Incident Response with ServiceNow


ServiceNow is a multi-faceted, state-of-the-art cloud platform that helps organizations streamline their operations and improve collaboration with clear visibility. Aside from the better-known ITSM (IT Service Management) and ITOM (IT Operations Management) modules, ServiceNow also offers security capabilities. Security Operations is a security orchestration, automation, and response (SOAR) engine built on the Now Platform.

It is designed to help security teams respond faster and more efficiently to incidents and vulnerabilities, streamlining security response and improving visibility through:

  • Intelligent workflows
  • Business prioritization
  • Deep IT connection

Security Incident Response (SIR) is one of the applications in ServiceNow Security Operations. It lets you track security incidents, analyze and contain threats, and eradicate them from your network. In a nutshell, it automates many of the tasks involved in security incident response and provides the visibility and tooling needed to contain threats quickly.

It provides playbooks whose tasks link to relevant knowledge base articles, so analysts can resolve incidents quickly by drawing on the team's past experience. Once an incident is remediated, SIR also creates a post-incident review so the team can learn from the case and improve its handling of the next one.

Security Incidents

So how are security incidents created? Data from your existing security tools and your Security Information and Event Management (SIEM) system is imported via APIs or email alerts to create prioritized security incidents automatically. Alerts from these sources can also be routed through Event Management first if additional processing is required before a security incident is created.

Any user can submit security incidents via the Security Incident catalog. Users with the security incident basic role can submit security incidents through the Security Incident form. This form can be accessed by navigating to any Security Incident list and clicking New, or by accessing the Security Incidents New UI and clicking Create Incident.

Users can also send or forward an email to an address designated by your organization for reporting suspected security issues, such as phishing attempts.

Security Incident Response

The next question is how these security incidents are handled. The Security Incident Response process is defined by how you set up the application. You must first purchase a subscription by contacting your ServiceNow account manager; you can then activate the plugin within your production instance.

Step 1 – Integrate your security products, managed security service provider (MSSP), or a combination of the two with SIR. ServiceNow provides pre-built integrations for many products.

Step 2 – SIR automatically prioritizes incoming security incidents based on your criteria, leveraging the CMDB to map threats to business services and IT infrastructure.

Step 3 – Security incidents are automatically enriched with data from your third-party intelligence sources.

All of these steps take place before the Security Analyst has a first look at the SIR record. 

Step 4 – SIR provides playbooks that address common security scenarios, which analysts follow to review the security incident and take the recommended actions.

Step 5 – Remediate threats quickly by leveraging the Now Platform to orchestrate action or create tasks or changes for all affected users and systems.

Step 6 – The application creates post incident reports that you can review and share with your security and IT teams for insight into handling related incidents. 

ServiceNow SIR tracks the progress of security incidents through every stage from discovery and initial analysis to containment, eradication and recovery, as well as post-incident action such as post-incident review, knowledge base article creation and closure. It is comprehensive and supports security analysts in responding to security incidents faster and more effectively.

SIR for Phishing

Let’s consider an example of using SIR to respond to a fairly common security incident – phishing. 

A user forwards a suspicious email to the company's phishing address. When the forwarded email is received, the system creates a security incident, then parses and analyzes the message. If suspicious elements, called observables, are found, such as IP addresses, MD5 hashes of malware, URLs, or domain names, the system places them in the corresponding fields of the incident record so that automated enrichment and threat lookups can run against them.

Note that your instance needs the Threat Intelligence plugin installed for automated lookups to be performed. Logged in as a security analyst, you can access security incidents in one of two ways: the classic UI provides filtered incident lists, while the new UI provides a single interface for reviewing all incidents with additional functionality. Lists can be filtered by the standard options and narrowed further with Quick Filters. Either way, it is easy to see how the incident was generated and take steps to contain and eradicate the threat.
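The parse-and-extract step described above, as an added example that is not ServiceNow's code: a small Python script that reads a forwarded phishing report, pulls out the observable types the text names (IP addresses, MD5 hashes, URLs, domain names), and drops the organization's own domains and internal addresses so they are not sent out for enrichment. The sample message, the `example.com` own-domain setting and all function names are constructed for illustration. One caveat it handles that the page does not mention: when a user forwards a phish inline, the message only carries the forwarder's own `Received:` chain, so the original sender and relay headers survive only if the phish is forwarded as an attachment (`message/rfc822`), which is what the sample does and what the code descends into.

```python
"""Parse a user-forwarded phishing report and extract its observables.
Added example, not ServiceNow's code; names are hypothetical, stdlib only."""
import email
import ipaddress
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample. The phish is forwarded *as an attachment* (message/rfc822),
# so its original headers survive; an inline forward would carry only the
# forwarder's own Received: chain.
SAMPLE_EML = """\
From: alice@example.com
To: phishing@example.com
Subject: FW: Your account will be suspended
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Got this in my inbox this morning, looks fake. Original attached.
Sent from my desktop 10.0.0.7
--b1
Content-Type: message/rfc822

Return-Path: <bounce@examp1e-login.com>
Received: from mail.examp1e-login.com (203.0.113.45) by mx.example.com
From: "IT Support" <support@examp1e-login.com>
To: alice@example.com
Subject: Your account will be suspended
Content-Type: text/plain; charset="utf-8"

Please verify your account at http://examp1e-login.com/verify?id=7
or https://203.0.113.46/login within 24 hours.
Invoice attached: invoice.zip (md5 d41d8cd98f00b204e9800998ecf8427e)
--b1--
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[a-fA-F0-9]{32}\b")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
RECEIVED_FROM_RE = re.compile(r"^from\s+([A-Za-z0-9.-]+)", re.IGNORECASE)
# Headers worth scanning: claimed sender identity and the relay chain.
HEADERS = ("From", "Reply-To", "Return-Path", "Sender", "Received")
# Internal ranges never become indicators (a 10.x helpdesk host is not a threat).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def flatten(raw_eml):
    """Return (readable text, Received: header values) across every MIME part,
    descending into attached message/rfc822 originals."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    chunks, received = [], []
    for part in msg.walk():
        for name in HEADERS:
            for value in part.get_all(name, []):
                chunks.append(f"{name}: {value}")
                if name == "Received":
                    received.append(str(value))
        if part.get_content_type() in ("text/plain", "text/html"):
            chunks.append(part.get_content())
    return "\n".join(chunks), received


def extract_observables(raw_eml, own_domains=("example.com",)):
    """Observables grouped by type, with the organization's own domains and
    internal addresses removed so they are not submitted for enrichment."""
    text, received = flatten(raw_eml)
    ips, md5s, urls, domains = set(), set(), set(), set()

    def add_host(host):
        host = host.lower().rstrip(".")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            if host.replace(".", "").isdigit():
                return  # regex hit that is not a valid IP, e.g. 999.1.2.3
            if not any(host == d or host.endswith("." + d) for d in own_domains):
                domains.add(host)
            return
        if not any(ip in net for net in INTERNAL_NETS):
            ips.add(str(ip))

    for cand in IP_RE.findall(text):
        add_host(cand)
    md5s.update(h.lower() for h in MD5_RE.findall(text))
    for url in URL_RE.findall(text):
        urls.add(url)
        host = urlparse(url).hostname
        if host:
            add_host(host)  # IP-literal URLs land in ips, not domains
    for dom in EMAIL_RE.findall(text):
        add_host(dom)
    for hop in received:
        m = RECEIVED_FROM_RE.match(hop.strip())
        if m:
            add_host(m.group(1))
    return {"ip": sorted(ips), "md5": sorted(md5s),
            "url": sorted(urls), "domain": sorted(domains)}


if __name__ == "__main__":
    for kind, values in extract_observables(SAMPLE_EML).items():
        print(f"{kind}: {values}")
```

Run against the sample, the script yields the two attacker addresses, the one hash, both URLs and the two phishing domains, while the forwarder's `10.0.0.7` desktop and every `example.com` address are filtered out. In a real pipeline the returned dictionary is what gets written into the incident's observable fields and then handed to the threat-lookup step.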

If you’re interested in Security Operations with ServiceNow, please feel free to contact us. Our experts at abhra Inc. are experienced ServiceNow implementation partners for all things ServiceNow, including implementations, MSPs, CMDB, and modules for GRC, SAM, and more.
