Most companies like to think their security operations run like a well-oiled machine. In truth, however, many security teams could use a tune-up. Security teams often store plans that explain how they should respond to a data breach in documents on a fileshare, in spreadsheets or even in paper notebooks.
"Security vendors sell you systems to detect threats or enforce security policies, but CISOs are looking at how to address what to do when a rootkit is installed or when a data breach occurs," said Sean Convery, vice president and general manager of ServiceNow's new Security Business unit. The provider of service management software this week rolled out its first security product, called Security Operations.
The product is part of ServiceNow's long-term strategy to transform how organizations respond to security threats, Convery said. "We want to help security teams improve their day-to-day execution and workflow so they are not relying on static documents that they only refer to occasionally."
The company's customers are increasingly using its service management software for non-IT functions such as human resources and facilities management. When ServiceNow learned customers were building their own security apps on top of its platform, it realized there was an "unmet need in the market," Convery said.
Because the new product is part of ServiceNow's service management platform, it includes workflow, automation, orchestration and systems management capabilities that Convery said help security teams manage the processes involved in responding to and remediating incidents and removing manual processes that slow security incident resolution times. The product includes two cloud-based applications: Security Incident Response and Vulnerability Response.
Putting Security in Context
Running the applications on the same service management platform used by IT teams gives security teams context that they currently lack, Convery said.
Customers can attach incidents and vulnerabilities to records within the ServiceNow configuration management database (CMDB), he noted, which gives security teams insight into the virtual or physical assets at risk and the business services supported by those assets.
"Security analysts are often stuck in a world of IP addresses. When they get an alert, often the first question they need to answer is 'who the heck is this IP address?' That usually involves calling IT. With our platform they know more about that asset and often even the business service that the asset supports," he said. "This is incredibly useful in the triage stage of incident response when you have more things to do than you have time to do them. It helps to know if the attack is against your financial reporting infrastructure or a website where you are doing a survey about an employee summer picnic."
The system can trigger automatic patching, configuration changes to security infrastructure or other standard workflows to contain and fix security incidents and vulnerabilities. It also creates automatic post-incident reports, which are often needed for auditing purposes.
"We can effectively run the play all way through the remediation action itself," Convery said. "Instead of deciding 'this is bad' and then going into different tools to patch and quarantine, you can have the workflow kick off the necessary approvals and notifications to IT to retrieve an asset, to patch a system or to make some other emergency change. Rather than having to go from console to console, the security team can see the execution of the playbook from the initial alert being created all the way through to the actual production response to that event."
Part of the new product's appeal is its ability to help bridge the communications gap between IT and security teams, which often have a "Hatfield and McCoy relationship" that makes it tough to collaborate, Convery said.
"Security is heavily dependent on IT. If a change needs to be made to an endpoint or a server, IT needs to do it. Not only that, but sometimes HR needs to get involved or legal needs to get involved," he said. "How do you coordinate and collaborate as a group? How do you get the right people on the phone and the right people responding to emails? Collaborating in the enterprise is hard enough, but when you introduce a time-critical security event it just exacerbates all of those problems. That can lead to poor decisions being made when folks are under stress. A service management approach to security addresses some of those challenges."
A lack of coordination among teams and reliance on manual processes are common challenges, according to an Enterprise Strategy Group research study commissioned by ServiceNow. Nine out of 10 respondents said their incident response effectiveness and efficiency is limited by the burden of manual processes. A third of organizations spend at least half of all incident response time on manual processes. The top challenge cited by respondents was coordination between IT and security teams.
Proactive Security Response
The Vulnerability Response module will help security teams become more proactive, Convery said.
"Once you've learned about alerts, you can integrate with scanning vendors and map the information to assets. Then you can say 'Here are our 50 most critical business services, the IP addresses that support them and the vulnerabilities associated with those service.' Now you can have a direct action plan to reduce organizational risk by focusing on addressing vulnerabilities in your most critical capabilities," he said. "Again, you've got business context being introduced into the security conversation."
In addition, he said, ServiceNow's embedded analytics can give CISOs valuable visibility into an organization's security posture.
"When we ask CISOs if their security posture good or bad, if it's getting better or worse, we get a lot of anecdotal answers," he said. "With our embedded business intelligence analytics, we can do time-based trending on anything in the system so we can show you a timeline of security incidents being opened over time, the close rate, how long it took to identify and close them, how many are misconfigurations, how many are false positives. You can start feeding that information back into the organization to show trend lines."
Noting that most security teams already use multiple security tools, Convery said the Security Operations software integrates with third-party software applications, including security incident and event managers and vulnerability identification solutions. It also integrates with the National Vulnerability Database, which is the U.S. government repository of standards-based vulnerability management data.
"The entire product is API based. Some partners will build integrations for us and some less popular integrations can be built as custom," he said.
Ann All is the editor of Enterprise Apps Today and eSecurity Planet. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.