Security Operations: protection against cyber threats in ServiceNow
According to Gartner, by 2020, 15% of companies whose information security department consists of 5 or more people will use SOAR (security operations, analytics and reporting) systems.
Let's look at what ServiceNow offers within this class of systems.
Gartner defines SOAR as a toolkit that aggregates data on security threats from different sources for later analysis. SOAR automates this process, from assigning priority to working with template "answers" (playbook responses) to incidents.
What SOAR directly covers:
Orchestration - the integration of technologies and tools for decision-making based on information about the level of risk and the state of the system.
Automation - replacing tasks that were previously performed "manually" with automatic actions by the system (playbooks).
Incident management and collaboration - a cross-cutting approach to "assigning priority", "logging actions" and "making decisions based on company policies".
Reporting (dashboards and reporting) - visualization of key metrics and report writing for three types of employees: analysts, heads of Security Operations Centers (SOC) and Chief Information Security Officers (CISO).
A bit about Security Operations
ServiceNow Vice President Sean Convery stresses that SOAR products aim to integrate various sources of risk data and to formalize incident handling. This helps strengthen the position of employees in analyst roles and gives them tools they can use "here and now."
If your organization does not use SOAR, information security specialists may run into several problems. Security Operations Product Marketing Manager Janene Casella believes that the main difficulty faced by information security staff is the lack of clear criteria for "complete security". According to the Forrester study, among the bottlenecks in the work of information security departments, respondents name limited "visibility" of problems and the need to solve problems "manually". The first prevents tracking vulnerabilities at all levels; the second slows down response time and increases the information security department's spending on resolving particular situations.
One of the tools for solving these problems is ServiceNow's SOAR products. As Janene rightly noted, there are simply no universal criteria for evaluating the performance of information security units. However, it is possible to measure the economic benefit from the operation of a system that includes SOAR tools, compare the results (before / after) and draw conclusions.
To do this, ServiceNow contacted Forrester, which analyzed the work of the following Security Operations modules:
Security Incident Response - simplifies the identification of incidents. This module imports data from solutions already in use and from SIEM systems (Security Information and Event Management) via API, and customizes processes according to information security policies.
Vulnerability Response - prioritizes vulnerable elements, so the information security department can quickly determine whether business-critical systems are at risk. Using the configuration management database (CMDB), the module analyzes dependencies and assesses the impact of changes and downtime on business processes. If potential risks are detected, the module proposes changes and later verifies them.
Threat Intelligence - helps IT find Indicators of Compromise (IoCs) and track threats at a deeper level. The module supports various standards for the exchange of threat data, allows connecting custom sources and exchanges data with third-party systems.
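The Vulnerability Response description above says the module uses CMDB dependencies to decide whether a vulnerable element puts a business-critical system at risk. The following is an added illustration of that idea, not ServiceNow code: a constructed CMDB fragment is inverted into a "who depends on this CI" index, each scanner finding is walked up to the business services that transitively rely on it, and findings are ranked by business criticality together with the raw score. All CI names, the VULN-SAMPLE ids, the scores and the weighting formula are constructed assumptions of this example.

```python
"""Added illustration of CMDB-driven vulnerability prioritization.

Not ServiceNow code. All CI names, relationships, finding ids and scores
below are constructed sample data; the priority weighting is an assumption.
"""
from collections import defaultdict, deque

# Constructed CMDB fragment: "depends_on" edges, i.e. upstream item -> CIs it relies on.
# Business services sit at the top and hosts at the bottom of the chain.
CMDB_DEPENDS_ON = {
    "svc-online-banking": ["app-web-01", "db-core-01"],
    "svc-hr-portal": ["app-hr-01"],
    "app-web-01": ["host-web-01"],
    "db-core-01": ["host-db-01"],
    "app-hr-01": ["host-hr-01"],
}

# Business criticality of top-level services (1 = low, 5 = mission-critical).
SERVICE_CRITICALITY = {
    "svc-online-banking": 5,
    "svc-hr-portal": 2,
}

# Constructed scanner findings: CI -> list of (placeholder finding id, CVSS base score).
FINDINGS = {
    "host-web-01": [("VULN-SAMPLE-001", 7.5)],
    "host-db-01": [("VULN-SAMPLE-002", 6.1)],
    "host-hr-01": [("VULN-SAMPLE-003", 9.8)],
    "host-lab-99": [("VULN-SAMPLE-004", 9.8)],  # orphan host, in no service chain
}


def dependents_index(depends_on):
    """Invert the CMDB edges so we can walk from a CI up to what depends on it."""
    index = defaultdict(list)
    for upstream, downstream_list in depends_on.items():
        for ci in downstream_list:
            index[ci].append(upstream)
    return index


def impacted_services(ci, dependents, criticality):
    """Return the set of business services that transitively depend on `ci`."""
    seen, queue, services = set(), deque([ci]), set()
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        if node in criticality:
            services.add(node)
        queue.extend(dependents.get(node, []))
    return services


def business_criticality(ci, dependents, criticality):
    """Highest criticality among the services impacted by `ci` (0 if none)."""
    services = impacted_services(ci, dependents, criticality)
    return max((criticality[s] for s in services), default=0)


def prioritize(findings, depends_on, criticality):
    """Rank findings as (priority score, finding id, ci, impacted services), highest first.

    The score multiplies CVSS by (1 + business criticality), so a medium bug on
    a mission-critical path outranks a critical bug on an orphan lab host.
    This weighting is an assumption of the example, not a ServiceNow formula.
    """
    dependents = dependents_index(depends_on)
    ranked = []
    for ci, items in findings.items():
        crit = business_criticality(ci, dependents, criticality)
        services = sorted(impacted_services(ci, dependents, criticality))
        for finding_id, cvss in items:
            ranked.append((round(cvss * (1 + crit), 1), finding_id, ci, services))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked


if __name__ == "__main__":
    for score, fid, ci, services in prioritize(FINDINGS, CMDB_DEPENDS_ON, SERVICE_CRITICALITY):
        print(f"{score:6.1f}  {fid}  {ci:12s}  impacts: {', '.join(services) or '-'}")
```

Run as-is, the output puts the 7.5 finding on the online-banking web host first and the 9.8 finding on the orphan lab host last, which is the point of combining the dependency walk with the scanner score.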
Analysts studied three large American companies from finance and health care (with staffs of 1,000, 4,200 and 13,500 people, and information security departments of 10, 50 and 80 people). Based on expert interviews, Forrester found that implementing the Security Operations modules yields the following results for the information security department, projected over three years:
savings of up to $4.7 million from a 30–50% increase in efficiency in prioritizing and resolving incidents;
up to $535 thousand from a 60% more effective analysis of potential vulnerabilities;
up to $355 thousand from updating protection tools.
In addition, the Security Operations toolkit is designed to improve interaction with other employees and the company's IT services, and to give a number of those employees the ability to track the state of highly specialized systems in real time.
Where is it already working
Prime Therapeutics used Qualys to detect vulnerabilities, but had no integrated tools to automate reporting. This slowed down the whole information security department and led to excessively long "patching" of potential vulnerabilities. Security Operations helped integrate information flows from protection systems, streamline process management and automate reporting.
Another case is the implementation of Security Operations at the Freedom Security Alliance. Here, the toolkit solved the problem of bringing information flows about potential threats into a "single channel" and managing the resulting incidents. The product's ability to automate these processes helped the company reduce incident resolution time by 40% and save company resources at the stage of identifying the causes of incidents.
Other examples include the integration of Security Operations into the information security department of the Australian organization AMP, which cut vulnerability response time by 60%. At DXC Technology the same metric fell by 50%, while IoC detection time decreased fivefold.
Additional solutions
Security Operations offers several optional modules aimed at preventing cyberthreats. One of them, Trusted Security Circles, allows information security departments to share threat information in real time.
On the one hand, the sources here are verified; on the other, anonymity is preserved when they exchange information. The application works as follows: the information security unit submits an anonymous request to the selected thematic community. When the number of matching requests exceeds the set threshold, an incident is automatically opened in Security Operations.
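The threshold mechanism just described, as an added illustration that is not ServiceNow code: members of a circle submit anonymous sightings of an indicator, the circle de-duplicates repeat submissions from the same member with a keyed hash so that nobody's identity is stored, and an incident record is created once the number of distinct sightings exceeds the configured threshold. The circle name, the member ids, the indicator value, the keyed-hash anonymization and the incident dictionary are all constructed assumptions of this example.

```python
"""Added illustration of threshold-based sighting correlation in a sharing circle.

Not ServiceNow code. The anonymization scheme, the data structures and every
value in run_demo() are constructed assumptions of this example.
"""
import hashlib
import hmac
from collections import defaultdict


class SharingCircle:
    """One thematic community (e.g. a finance-sector circle) with a sighting threshold."""

    def __init__(self, name, threshold, circle_secret):
        self.name = name
        self.threshold = threshold          # an incident opens once distinct sightings EXCEED this
        self._secret = circle_secret        # assumption: held only by the circle operator
        self._sightings = defaultdict(set)  # indicator -> set of anonymized member tokens
        self._opened = set()                # indicators that have already produced an incident
        self.incidents = []                 # stand-in for incidents created in Security Operations

    def _anonymize(self, member_id):
        """Keyed hash of the member id: lets the circle de-duplicate repeat
        submissions from one member without storing who submitted."""
        return hmac.new(self._secret, member_id.encode(), hashlib.sha256).hexdigest()[:16]

    def submit(self, member_id, indicator):
        """Record an anonymous sighting. Returns the new incident when the
        threshold is crossed for the first time, otherwise None."""
        self._sightings[indicator].add(self._anonymize(member_id))
        count = len(self._sightings[indicator])
        if count > self.threshold and indicator not in self._opened:
            self._opened.add(indicator)
            incident = {"circle": self.name, "indicator": indicator, "distinct_sightings": count}
            self.incidents.append(incident)
            return incident
        return None

    def sighting_count(self, indicator):
        """Number of distinct members that have reported `indicator`."""
        return len(self._sightings[indicator])


def run_demo():
    """Constructed scenario: four member organizations report the same indicator,
    one of them twice. With threshold=2 the incident opens on the third distinct report."""
    circle = SharingCircle("finance-sector-demo", threshold=2,
                           circle_secret=b"demo-secret-not-for-production")
    ioc = "c2.sample-domain.invalid"  # constructed indicator, not a real IoC
    events = []
    for member in ["bank-a", "bank-b", "bank-a", "bank-c", "bank-d"]:
        events.append(circle.submit(member, ioc))
    return circle, events


if __name__ == "__main__":
    circle, events = run_demo()
    for i, ev in enumerate(events, 1):
        print(f"submission {i}: {'incident opened ' + str(ev) if ev else 'no incident'}")
```

The repeat submission from "bank-a" does not move the counter, and the fourth distinct report after the incident is already open only increments the sighting count rather than opening a duplicate incident; both behaviours are what a defender would expect from the "exceeds the threshold" rule described above.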
Bart Murphy, CTO of CareWorks, emphasizes the importance of a systematic approach to information sharing for IT departments. Such an approach helps to stop mass attacks on companies in one industry (for example, finance) in time and to reduce response time.
The other component is Performance Analytics. It allows IT teams to monitor their systems on a dashboard and create real-time reports. The application comes with pre-installed KPIs and the ability to customize them.