How ServiceNow uses Security Operations to Deliver 6X Faster Processing via Automation and Integration
- December 6, 2017
At security conferences, technologies like artificial intelligence and machine learning are often in the spotlight. But for security operations teams, a very pragmatic topic is even hotter: integration. Because no security product or company can do everything, security environments often consist of dozens of disparate tools. These tools are typically focused on protection and detection, with security teams manually collecting alert data from the various sources. The challenge is to bring all the data from these tools together in one location where analysts can access information quickly and manage the appropriate response actions. ServiceNow® Security Operations was designed to do precisely that, and our own experience is a good example.
ServiceNow’s own security operations team has been using the Now PlatformTM from the beginning but has enhanced it steadily over time. We started with incident management, then built custom security applications and workflows for tasks like event management and alerts. Once ServiceNow created an official Security Operations product, we immediately transitioned to it in order to improve efficiencies and enhance our capabilities around incident and vulnerability management.
An integral aspect of ServiceNow’s environment includes third-party security information and event management (SIEM), endpoint security and threat intelligence tools. All of these products are tightly integrated into Security Operations, which has allowed us to automate several manual processes. For example, when one of our security tools detects a threat, Security Operations immediately creates a security incident. For each type of security incident, Security Operations has a set of workflows that drives our response. Processes like analyzing a hash or IP address, which would normally require logging into multiple security tools to do research, are all automated. Thus, our analysts can quickly drive blocking or remediation from within Security Operations. These automations have allowed us to accelerate both investigation and resolution of threats. And we’ll continue to automate other processes, both large and small, as we see the value.
Automated reporting using Performance Analytics helps us stay well informed, track progress over time to pinpoint areas for improvement, and demonstrate security compliance to audit teams.
According to Yuval Cohen, ServiceNow Chief Information Security Officer, “When our analysts investigate a security incident, they have all the data they need in one place. Our platform provides the relevant vulnerabilities and patching cycles, problems (PRBs) and remediation projects, CMDB data, threat intel and many other types of valuable data that now all tie together to give us a full picture.”
I look forward to sharing more Now on Now examples of how we’re “drinking our own champagne” and using the Now Platform to streamline and accelerate every corner of the enterprise.