Security Operations: Protection Against Cyber Threats in ServiceNow

    According to Gartner, by 2020, 15% of companies in which the information security department consists of 5 or more people will use SOAR (security operations, analytics and reporting) systems.

    Let's look at what ServiceNow offers within this class of systems.




    What is SOAR?


    Gartner defines SOAR as a toolkit that allows you to aggregate data about security threats from different sources for further analysis. SOAR automates this process: from prioritizing to working with template “responses” to incidents.

    The core functions of a SOAR system:

    • Orchestration - integrating technologies and tools so that decisions can be made on the basis of risk level and system state.

    • Automation - replacing tasks that used to be done manually with automatic actions triggered by the system (playbooks).

    • Incident management and collaboration - an end-to-end approach to incident handling built around priority assignment, an activity log and policy-based decision making.

    • Dashboards and reporting - visualization of key metrics and reporting for three audiences: analysts, heads of the SOC (Security Operations Center) and the CISO (Chief Information Security Officer).

    A bit about Security Operations


    ServiceNow Vice President Sean Convery emphasizes that SOAR products are aimed at integrating various sources of risk data and formalizing incident handling. This strengthens the position of analysts and gives them tools they can use "here and now."

    If your organization does not use SOAR, information security specialists may run into a number of problems. Security Operations Product Marketing Manager Janene Casella believes that the main difficulty facing the security team is the lack of clear criteria for "complete security". According to Forrester research, the bottlenecks respondents highlight in the work of information security departments are limited "visibility" of problems and the need to solve problems "manually". The first prevents tracking vulnerabilities at all levels; the second slows down response time and increases the cost to the information security department of resolving particular situations.

    ServiceNow's SOAR products are one tool for solving these problems. As Janene rightly noted, universal criteria for evaluating the performance of information security departments simply do not exist. However, it is possible to measure the economic benefit of a particular system, including SOAR tools, compare the results (before / after) and draw conclusions.

    To do this, ServiceNow engaged Forrester, which analyzed the operation of the following Security Operations modules:

    • Security Incident Response - simplifies incident identification. The module imports data from tools already in use and from SIEM (Security Information and Event Management) systems via API, and lets processes be tailored to the organization's information security policies.

    • Vulnerability Response - prioritizes vulnerable elements, so the information security department can quickly determine whether business-critical systems are at risk. Using the configuration management database (CMDB), the module analyzes dependencies and evaluates the impact of changes and downtime on business processes. If potential risks are detected, the module proposes changes and schedules their later verification.

    • Threat Intelligence - helps the IT department detect Indicators of Compromise (IoCs) and track threats at a deeper level. The module supports various threat data exchange standards and allows custom sources to be connected and data to be exchanged with third-party systems.

    Analysts studied three large American companies in the finance and healthcare sectors (staff of 1,000, 4,200 and 13,500 people; information security departments of 10, 50 and 80 people). Based on expert opinions, Forrester found that implementing the Security Operations modules gives the information security department the following results, projected over three years:

    • savings of up to $4.7 million by improving the efficiency of incident prioritization and resolution by 30-50%;
    • up to $535 thousand from 60% more effective analysis of potential vulnerabilities;
    • up to $355 thousand from updating protection tools.

    In addition, the Security Operations toolkit is designed to improve interaction with other employees and IT services in the company and to give a number of those employees the ability to monitor the status of highly specialized systems in real time.

    Where it is already in use


    Prime Therapeutics used Qualys to detect vulnerabilities but had no integrated reporting automation. This slowed down the whole information security department and led to excessively long "patching" of potential vulnerabilities. Security Operations helped integrate the information flows from security systems, streamline process control and automate reporting.

    Another case is the implementation of Security Operations at the Freedom Security Alliance. Here the toolkit solved the problem of consolidating information flows about potential threats into a "single channel" and managing the resulting incidents. The product's ability to automate these processes helped the company reduce incident resolution time by 40% and save resources at the stage of establishing the causes of incidents.

    Other examples include the integration of Security Operations with the security department of the Australian organization AMP, which resulted in a 60% reduction in vulnerability response time. At DXC Technology the same metric was reduced by 50%, while IoC detection time was cut by a factor of 5.


    Additional solutions


    Security Operations offers several optional modules aimed at preventing cyber threats. One of them, Trusted Security Circles, lets information security departments exchange threat data in real time.

    On the one hand, the sources here are verified; on the other hand, anonymity is preserved when information is exchanged between them. The application works as follows: the information security division submits an anonymous request to the selected thematic community. When the number of requests exceeds the set threshold, an incident is opened automatically in Security Operations.

    Bart Murphy, CTO of CareWorks, emphasizes the importance of a systematic approach to information sharing for IT departments. This approach helps eliminate mass attacks on companies in an industry (for example, finance) in time and reduces response time.
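The threshold loop just described, as an added toy model (not ServiceNow's Trusted Security Circles code; the class, the HMAC-based anonymous member token and the incident fields are assumptions made for this illustration):

```python
"""Toy model of threshold-based anonymous threat sharing.

Added illustration, not ServiceNow's implementation: the class names,
the keyed-hash member token and the incident record are assumptions.
"""
import hashlib
import hmac
from collections import defaultdict


class TrustedCircle:
    """One thematic community. Members report indicator sightings; the
    circle keeps only a keyed hash of the submitter, so it can count
    distinct members per indicator without storing who they are."""

    def __init__(self, name, threshold, secret):
        self.name = name
        self.threshold = threshold           # incident opens once reports exceed this
        self._secret = secret                # per-circle key for the member token
        self._sightings = defaultdict(set)   # indicator -> set of anonymous tokens
        self.incidents = []                  # incidents auto-opened in Security Operations

    def _anon(self, member_id):
        # HMAC instead of a bare hash: a list of member names cannot be hashed
        # offline to de-anonymize tokens without the circle's secret.
        return hmac.new(self._secret, member_id.encode(), hashlib.sha256).hexdigest()[:16]

    def submit(self, member_id, indicator):
        """Record an anonymous sighting; return the incident dict if this
        report is the one that exceeds the threshold, otherwise None."""
        seen = self._sightings[indicator]
        seen.add(self._anon(member_id))
        if len(seen) == self.threshold + 1:  # == so the incident opens exactly once
            incident = {"circle": self.name, "indicator": indicator,
                        "distinct_reports": len(seen)}
            self.incidents.append(incident)
            return incident
        return None


def run_demo():
    """Constructed scenario: three banks report the same indicator; the
    circle opens one incident and does not reopen it on the fourth report."""
    circle = TrustedCircle("finance", threshold=2, secret=b"example-circle-key")
    events = [("bank-a", "evil.example"), ("bank-b", "evil.example"),
              ("bank-a", "evil.example"),   # repeat from the same member is not double-counted
              ("bank-b", "other.example"),  # below threshold, stays silent
              ("bank-c", "evil.example"),   # third distinct member -> exceeds 2 -> incident
              ("bank-d", "evil.example")]   # already open, no second incident
    opened = [circle.submit(m, i) for m, i in events]
    return circle, [o for o in opened if o]
```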

    Another component is the Performance Analytics application. It allows IT teams to monitor the status of systems using the dashboard and create real-time reports. In the application, work with predefined KPIs and the possibility of customizing them are available.

    Another related product is Identity Management (see our post on this solution on Habr). The ServiceNow and Okta partnership offers customers this credential management tool. It allows you to identify problems, eliminate "leakage" of identity data and keep that data secure.
