Is your business secure? It’s a straightforward question that can be difficult to answer. Most organizations today use a variety of different security products, often from different vendors, that don’t communicate with each other. These products generate thousands of notifications and alerts—far more than your security team can investigate. As a result, it’s possible for issues to be missed simply because they were hidden amid the noise.
These challenges lead to long discovery and remediation times when incidents occur. In 2017, the Ponemon Institute reported that it took organizations an average of 191 days to spot a breach and 66 days to contain it. That’s nearly nine months from infection to remediation. In addition, many organizations track remediation in spreadsheets or via email, which are difficult to maintain and report from. It’s also hard to tell whether your security runbook is actually being followed, and it’s tough to get visibility across teams. In fact, in a study from the Enterprise Strategy Group [1], the top incident response challenge cited was coordinating between security and IT teams.
Ask yourself: how long does it take your team to resolve security incidents on average? What kind of records do you have so you can repeat the process next time something similar happens? Solving these issues requires a solution that helps you deliver faster, more efficient security response, connect security and IT, and know your security posture.
What would make your security team more efficient when responding to incidents?
• Prioritization by asset criticality
• Spending less time on manual tasks
ServiceNow Security Operations is an Enterprise Security Response engine that leverages key strengths of the ServiceNow platform, including intelligent workflows, automation, and a deep connection with IT, and adds capabilities for security incident response, vulnerability response, and threat intelligence. When Security Operations receives alerts from your existing security products, it can deduplicate events and create security incidents. Before the incident is assigned to an analyst, the affected asset is matched against the ServiceNow Configuration Management Database (CMDB) to determine priority based on how critical the asset is to your business. In parallel, Security Operations correlates threat intelligence data and automates analysis using orchestration tools to perform additional malware scans or pull running processes from an affected endpoint. This condenses up to an hour of research into just seconds. The security analyst now has a wealth of information available from the very first moment he reviews the incident.
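As an added illustration, not ServiceNow's own code or API, the intake steps described above modelled in a few dozen lines of Python: alerts from several tools are collapsed into one incident per (host, indicator), enriched with business criticality from a CMDB-style inventory, and assigned a priority before an analyst ever opens them. The inventory, the sample alerts, the tool names and the priority matrix are all constructed for the example; an asset missing from the inventory is deliberately flagged rather than silently given a low priority, since an incomplete CMDB is the usual reason this kind of prioritization goes wrong.

```python
"""Constructed model of an alert-to-incident pipeline: deduplicate, enrich with
asset criticality, prioritize. Not ServiceNow code; all data below is made up."""
from collections import OrderedDict
from dataclasses import dataclass, field

# Constructed CMDB-style inventory: hostname -> business criticality (1 = most critical).
CMDB = {
    "db-prod-01": 1,
    "web-prod-02": 2,
    "dev-box-07": 4,
}

# Constructed raw alerts as three different tools might emit them.
RAW_ALERTS = [
    {"source": "edr",   "host": "db-prod-01",   "indicator": "evil.example", "severity": "high"},
    {"source": "edr",   "host": "db-prod-01",   "indicator": "evil.example", "severity": "high"},    # exact duplicate
    {"source": "proxy", "host": "db-prod-01",   "indicator": "evil.example", "severity": "medium"},  # same finding, other tool
    {"source": "ids",   "host": "dev-box-07",   "indicator": "scan-sig-1",   "severity": "high"},
    {"source": "edr",   "host": "unknown-host", "indicator": "evil.example", "severity": "low"},     # asset not in CMDB
]

# Lower rank = worse. Used both for "worst severity seen" and for the priority matrix.
SEVERITY_RANK = {"high": 1, "medium": 2, "low": 3}


@dataclass
class Incident:
    host: str
    indicator: str
    sources: list = field(default_factory=list)  # every tool that reported this finding
    severity: str = "low"
    criticality: int = 5      # 5 = least critical; also the fallback for unknown assets
    in_cmdb: bool = True      # False means the inventory has a gap an analyst must close
    priority: int = 5         # 1 = work on it now


def deduplicate(alerts):
    """Collapse alerts about the same (host, indicator) into one incident,
    keeping the worst severity seen and the list of reporting tools."""
    incidents = OrderedDict()
    for alert in alerts:
        key = (alert["host"], alert["indicator"])
        inc = incidents.setdefault(key, Incident(host=alert["host"], indicator=alert["indicator"]))
        if alert["source"] not in inc.sources:
            inc.sources.append(alert["source"])
        if SEVERITY_RANK[alert["severity"]] < SEVERITY_RANK[inc.severity]:
            inc.severity = alert["severity"]
    return list(incidents.values())


def enrich(incident, cmdb=CMDB):
    """Attach asset criticality from the inventory. Unknown assets are given the
    lowest criticality but flagged, so the gap is visible rather than hidden."""
    if incident.host in cmdb:
        incident.criticality = cmdb[incident.host]
    else:
        incident.in_cmdb = False
        incident.criticality = 5
    return incident


def prioritize(incident):
    """Assumed priority matrix: average of severity rank and asset criticality,
    rounded up, clamped to 1..5. High severity on a tier-1 asset becomes P1."""
    sev = SEVERITY_RANK[incident.severity]
    incident.priority = max(1, min(5, (sev + incident.criticality + 1) // 2))
    return incident


def triage(alerts, cmdb=CMDB):
    """Full pipeline: dedupe -> enrich -> prioritize, returned most urgent first."""
    incidents = [prioritize(enrich(inc, cmdb)) for inc in deduplicate(alerts)]
    return sorted(incidents, key=lambda inc: inc.priority)


if __name__ == "__main__":
    for inc in triage(RAW_ALERTS):
        flag = "" if inc.in_cmdb else "  [asset missing from CMDB]"
        print(f"P{inc.priority} {inc.host:<13} {inc.indicator:<13} {inc.severity:<6} "
              f"sources={','.join(inc.sources)}{flag}")
```

Run stand-alone, the five raw alerts become three incidents: the production database host lands at P1 with both the EDR and proxy sources attached, the developer box is P3 despite a high-severity signature, and the unrecognised host is P4 with an explicit inventory-gap flag for the analyst to act on.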
How do you better connect security and IT?
• Have security and IT work from the same platform
• Use service level agreement tracking for accountability
With ServiceNow, security analysts communicate better with IT by working from the same platform. They can easily hand off tasks, such as patching, to IT while still maintaining visibility into the task. Skills-based routing gets tasks to the correct responders, and service level agreement tracking ensures tasks are completed on time. ServiceNow’s single platform allows security and IT to collaborate faster, but access to sensitive security data is protected through user roles. This means even a ServiceNow admin can’t see security data unless he also has a security role.