What is a security incident?
While organizations can develop their own definitions of security events and incidents, there are some generally accepted definitions.
A security event is an occurrence or an observation that represents an anomaly. This can be anything that represents abnormal activity, including a system glitch or a firewall blocking a connection attempt. Events with negative impact, such as a malware attack, are considered adverse events. Security incidents are either an imminent threat or a current violation of information security policies, standards or acceptable use.
NIST lists a set of attack vectors, including the following:
- External / Removable media
- Attrition (According to NIST, attrition is “An attack that employs brute force methods to compromise, degrade, or destroy systems, networks, or services.”)
- Web
- Improper Usage
- Loss or theft of equipment
- Others
Clearly, each of these different types of incidents requires a different approach for identification, analysis and response.
Since incidents tend to impact or compromise sensitive data, including Personally Identifiable Information (PII), cardholder data and sensitive authentication data (covered by PCI), Patient Health Information (PHI), etc., it is critical to respond quickly and effectively when security breaches occur.
The Challenge With Responding To Incidents
Your organization most likely employs a number of detection systems, such as Security Information & Event Management (SIEM) systems, firewalls, endpoint security, Identity & Access Management tools, threat intelligence and vulnerability detection tools, and other network security systems. Using all of these typically results in a lot of “noise”, generating thousands of events per day and terabytes of data per month. Sifting through these events and separating the wheat from the chaff requires significant effort and manpower that Security & IT teams generally cannot scale to provide.
Acting on this noise requires organizations to be in a position to not only consolidate all this information, but also have the capacity to understand the business impact and prioritize the incidents by their risk profile and the organization’s security posture.
Mapping the security incident to the business services and the configuration items it is most likely to impact (or is already impacting), establishing and executing a workflow to arrest and remediate the breach, and enabling cross-department coordination ends up being the most time-consuming aspect of the response coordination.
Security responders are typically overwhelmed by the volume and disruption or, even more worryingly, may not have a true understanding of the business impact or prioritization of the incidents. This generally happens because responses are coordinated and managed manually, through Excel spreadsheets, emails, chat sessions, etc. There is no prior knowledge base with historical information that captures what activities or tasks were performed the last time a similar incident occurred.
In a 2016 survey conducted by Enterprise Strategy Group (ESG) Custom Research, the “Incident Response Survey,” 93% of respondents said that their ability to respond to a security incident was either significantly or somewhat limited by the burden of manual processes.
ServiceNow Security Operations
ServiceNow Security Operations leverages the platform’s native ITIL capabilities and NIST 800-61 guidelines to provide organizations with the ability to respond to security incidents more efficiently and effectively.
It integrates with third-party detection systems to consolidate threat information and prioritize incidents, and provides request automation between IT, Information Security and business teams.
ServiceNow Security Incident responder automatically creates a security incident and uses data already available in ServiceNow’s Configuration Management Database (CMDB) to list the critical business services impacted by the compromised assets. In addition, ServiceNow integrates with the National Vulnerability Database to gather intelligence related to known vulnerabilities, allowing the responder to “enrich” the security incident data.
This enables responders to quickly determine the response, remediate threats fast by launching the appropriate emergency patches to these assets, set SLAs for activities to be performed by other teams, and to automate communications and notifications.
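To make the prioritization described above concrete (consolidating alerts from several detection tools into one incident, mapping the affected asset to the business services it supports via a CMDB, enriching with known-vulnerability data, and assigning a priority and response SLA), here is a small Python triage script. It is an added example written for this page, not ServiceNow's or INRY's implementation; the CMDB mapping, service criticality values, vulnerability ids and scores, attack-vector weights and SLA bands are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import timedelta

# --- Constructed reference data (assumptions for this example, not real CMDB or NVD content) ---

# CMDB-style mapping: asset (configuration item) -> business services it supports.
CMDB_SERVICES = {
    "web-01": ["Online Store", "Customer Portal"],
    "db-02": ["Online Store", "Billing"],
    "laptop-17": [],                       # end-user device, supports no catalogued service
}
# Business criticality of each service, 1 (low) .. 5 (highest).
SERVICE_CRITICALITY = {"Online Store": 5, "Billing": 4, "Customer Portal": 3}

# Vulnerability enrichment: asset -> [(vulnerability id, CVSS-style base score)].
# Ids are placeholders; a real deployment would pull this from the NVD.
KNOWN_VULNS = {
    "web-01": [("VULN-PLACEHOLDER-1", 9.8)],
    "db-02": [],
    "laptop-17": [("VULN-PLACEHOLDER-2", 5.3)],
}

# Weight per NIST attack-vector category listed on the page (weights are assumptions).
VECTOR_WEIGHT = {
    "Web": 3, "External/Removable media": 2, "Attrition": 2,
    "Loss or theft of equipment": 2, "Improper Usage": 1, "Other": 1,
}

# Priority bands (score threshold, name, response SLA); values are assumptions.
PRIORITY_BANDS = [(20, "Critical", timedelta(hours=1)),
                  (12, "High", timedelta(hours=4)),
                  (6, "Moderate", timedelta(days=1)),
                  (0, "Low", timedelta(days=5))]


@dataclass
class Alert:
    source: str       # detection system that raised it (SIEM, WAF, EDR, ...)
    asset: str        # affected configuration item
    vector: str       # NIST attack-vector category
    signature: str    # what was detected
    adverse: bool     # True if the event had negative impact (NIST "adverse event")


@dataclass
class Incident:
    asset: str
    signature: str
    vector: str
    sources: list
    services: list
    score: float = 0.0
    priority: str = "Low"
    sla: timedelta = timedelta(days=5)


def consolidate(alerts):
    """Fold duplicate alerts from several tools into one candidate incident per (asset, signature).
    Non-adverse alerts (e.g. a firewall block) stay plain events and are returned separately."""
    incidents, events = {}, []
    for a in alerts:
        if not a.adverse:
            events.append(a)
            continue
        key = (a.asset, a.signature)
        inc = incidents.setdefault(
            key, Incident(a.asset, a.signature, a.vector, [], CMDB_SERVICES.get(a.asset, [])))
        if a.source not in inc.sources:       # corroboration by a second tool, not a duplicate
            inc.sources.append(a.source)
    return list(incidents.values()), events


def score_incident(inc):
    """Risk score = business impact + worst known vulnerability + vector weight + corroboration."""
    impact = max((SERVICE_CRITICALITY[s] for s in inc.services), default=0) * 2
    worst_vuln = max((score for _, score in KNOWN_VULNS.get(inc.asset, [])), default=0.0)
    return round(impact + worst_vuln + VECTOR_WEIGHT.get(inc.vector, 1) + len(inc.sources), 1)


def triage(alerts):
    """Return (incidents sorted by descending risk score, non-adverse events left unescalated)."""
    incidents, events = consolidate(alerts)
    for inc in incidents:
        inc.score = score_incident(inc)
        for threshold, name, sla in PRIORITY_BANDS:
            if inc.score >= threshold:
                inc.priority, inc.sla = name, sla
                break
    incidents.sort(key=lambda i: i.score, reverse=True)
    return incidents, events


# Constructed sample alerts from several detection systems.
SAMPLE_ALERTS = [
    Alert("siem", "web-01", "Web", "sqli-attempt", True),
    Alert("waf", "web-01", "Web", "sqli-attempt", True),            # same incident, second source
    Alert("edr", "laptop-17", "External/Removable media", "usb-autorun-malware", True),
    Alert("firewall", "db-02", "Attrition", "blocked-port-scan", False),   # blocked: event only
    Alert("iam", "db-02", "Improper Usage", "privileged-login-off-hours", True),
]

if __name__ == "__main__":
    incidents, events = triage(SAMPLE_ALERTS)
    for inc in incidents:
        print(f"{inc.priority:8} {inc.score:5} {inc.asset:10} {inc.signature:28} "
              f"services={inc.services} sources={inc.sources} sla={inc.sla}")
    print(f"{len(events)} non-adverse event(s) logged, not escalated")
```

The design point is that the same raw alert ranks very differently depending on what the CMDB says the asset supports: the off-hours privileged login on `db-02` outranks the confirmed malware on `laptop-17` only because the database underpins two catalogued business services, which is exactly the context a detection tool alone does not have.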
Conclusion
With a stack of several applications already within your Security Operations portfolio, you might be wondering whether you need to add one more.
The reality is that the systems you already have in your technology stack are most likely geared towards identification and prevention, not towards coordinating and automating security incident responses or generating alerts, notifications and communications.
It is also likely that your security operations systems are not integrated with your CMDB and/or service management platforms, so you are missing the opportunity to automatically catalog and prioritize incidents based on vulnerability risk and business service impact.
ServiceNow Security Operations solves that gap in your current capability maturity.
INRY works extensively with organizations looking to implement ServiceNow GRC and Security Operations applications to
- Improve cross-department collaboration during the SIR process
- Streamline remediation by using predefined workflows and automating routing tasks
- Configure security dashboards that let you measure and report on your overall security metrics
For further information regarding our approach, or to know more about ServiceNow’s Security Operations capabilities, please contact us at info@inry.com.