Security incidents have become common in every organization, and how quickly we react to them matters: the seriousness of the consequences grows with time. Verizon publishes a worldwide security breach report every year, and according to it, vulnerabilities are increasing year on year despite all the tools in place. These breaches expose email addresses, social security numbers, personally identifiable information, network information, healthcare records, credit and banking information and much more. To help businesses be proactive and secure themselves, ServiceNow offers a full-stack Security Operations module.
State of Security Infrastructure Overview
Attacks are getting more and more numerous, while the tools, people and processes we have are falling further behind. Organizations often cannot keep up with all the attacks because they are unable to scale, the alerts consume the teams' capacity, and there is always a chance of alerts being dropped and events going unnoticed. This is also due to a lack of proper metrics, workflows and task management. In the effort to identify attacks, they end up creating more noise in the form of alerts, reports and so on.
Tools such as SIEMs, endpoint technology, firewalls and vulnerability scanners generate reports that need additional correlation. These tools do not integrate well with each other and do not operate in the same way. Each requires its own training and expertise to manage and to interpret the alerts it produces, and someone has to correlate the data manually to identify threats. Each tool gives only a one-dimensional view of a potential problem, without the context of your infrastructure.
How ServiceNow Security Operations Can Help Businesses
ServiceNow Security Operations is a security orchestration, automation and response engine built on the Now Platform. Automation together with orchestration provides an enormous benefit by making SecOps teams more efficient and able to respond more quickly to alerts and the high volume of security incidents. Three main areas of ServiceNow Security Operations (SecOps) handle these security threats. The SecOps module essentially works as a triage layer, addressing threats in line with the ITIL process. The ServiceNow Security Operations stack comprises:
- Security Incident Response
- Threat Intelligence
- Vulnerability Management
Security Incident Response
This is the area where all security risks sourced from the various tools are tracked. Alerts are fed to the SIEM platform through event sensors, state sensors and so on, and this is where the first correlation happens. Other tools may also feed information to the SIEM, depending on how your infrastructure is configured. ServiceNow has many integrations that automate threat intelligence, vulnerability and patching information and avoid manual intervention. Without it, analysts face the nightmare of manually correlating data to see the bigger picture of the applications, services and continuous integrations (CI) involved. ServiceNow lists this information automatically, reducing human effort and time so that many more vulnerabilities can be handled in far less time.
ServiceNow Security Operations is a scoped application, meaning you can engage other teams by giving them secured access only to the information you wish to share within their purview, through a granular access model. One can instantly engage the appropriate team for the relevant actions.
Leveraging the mature ServiceNow workflow engine, processes can be automated and diverse workflows driven by business rules based on the classification of assets or applications. The automation capabilities can also be used to correlate other data stores and log stores. With automated workflows, several tasks are already completed by the time the incident is created and the team starts working on it, saving a lot of time.
Threat Intelligence
Threat intelligence is a vital part of security operations. ServiceNow acts as an ingestion point for any threat intelligence, including TAXII feeds, commercial feeds from Secureworks and open source feeds coming into your inbound network (refer to the figure below). Security teams regularly verify URLs for ongoing malicious activity, often manually, using various tools.
With the workflows incorporated into ServiceNow, all these activities are automated. It correlates automatically against the history of incidents and leverages the endpoint processes or PAP (Password Authentication Protocol), checking for network connections. It correlates with the threat intelligence to find out whether any indicators from the feeds were used. It can also check the malicious emails received by users in the organization and leverage that as well.
Vulnerability Management
The very purpose of vulnerability management is to help organizations understand the most common and severe threats from external sources. When news broke of the two major catastrophic security issues Meltdown and Spectre in 2018, experts struggled to identify their level of risk exposure and, above all, where to apply the fix first. The majority of breaches are due to existing vulnerabilities; they are the precursors through which security breaches are manifested.
ServiceNow can be set up so that vulnerability scan data is automatically imported into the Security Operations Vulnerability Response application using APIs and matched against the ServiceNow Configuration Management Database (CMDB). The resulting vulnerable items are assigned a risk score based on multiple factors, including the severity of the vulnerability and the importance of the affected asset. The risk score is configurable and provides quick prioritization.
Complete information about the vulnerability (what it is, how it is exploited and how to remediate it) and the threat is automatically pulled into Vulnerability Response from the National Vulnerability Database (NVD), eliminating the need for manual research. Customizable dashboards show the organization's overall vulnerability exposure, while workflows, automation and orchestration speed up analysis, containment and eradication. Every organization must now be conscious enough to implement a vulnerability management program to protect itself from breaches proactively.
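As an added example (not ServiceNow or V-Soft code), the prioritization described above in plain JavaScript: constructed scan findings are matched to constructed CMDB records by IP address, scored with configurable weights for CVSS severity and asset criticality, and findings with no CMDB match are reported separately rather than silently dropped. The 1-4 criticality scale, the weights, the field names and the CVE ids are assumptions and placeholders.

```javascript
// Added example: CMDB-aware prioritization of vulnerability scan findings.
// Constructed sample CMDB records; "criticality" is an assumed 1-4 rating.
const cmdb = [
  { hostname: "web-01", ip: "10.0.1.10", criticality: 4, owner: "web-team" },
  { hostname: "build-07", ip: "10.0.3.21", criticality: 2, owner: "devops" },
];

// Constructed sample findings as a scanner might export them (placeholder CVE ids).
const scanFindings = [
  { host: "10.0.1.10", cve: "CVE-0000-0001", cvss: 9.8 },
  { host: "10.0.3.21", cve: "CVE-0000-0002", cvss: 9.8 },
  { host: "10.0.9.99", cve: "CVE-0000-0003", cvss: 5.0 }, // not in the CMDB
];

// Configurable weights: how much severity vs. asset importance count (assumed defaults).
const defaultWeights = { severity: 0.6, asset: 0.4 };

// Risk score 0-100: CVSS (0-10) and criticality (1-4) each normalised to 0-1.
function riskScore(finding, ci, weights = defaultWeights) {
  const sev = finding.cvss / 10;
  const importance = (ci.criticality - 1) / 3;
  return Math.round(100 * (weights.severity * sev + weights.asset * importance));
}

// Join findings to CMDB items by IP, score them and sort highest risk first.
// Unmatched hosts are returned for CMDB clean-up instead of being dropped.
function buildVulnerableItems(findings, cis, weights = defaultWeights) {
  const byIp = new Map(cis.map((ci) => [ci.ip, ci]));
  const items = [];
  const unmatched = [];
  for (const f of findings) {
    const ci = byIp.get(f.host);
    if (!ci) {
      unmatched.push(f);
      continue;
    }
    items.push({ ...f, hostname: ci.hostname, owner: ci.owner, risk: riskScore(f, ci, weights) });
  }
  items.sort((a, b) => b.risk - a.risk);
  return { items, unmatched };
}
```

Two findings with the same CVSS score land at very different positions in the queue once asset importance is weighed in, which is the point of scoring against the CMDB rather than the scanner output alone.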
Paul Jayaker is an IT veteran with 21 years of global experience in Unix administration and BMC Remedy implementation, with a strong blend of service delivery including application support and infrastructure management. He currently leads the ServiceNow development team at V-Soft's offshore development center.