Today a large retail-based ServiceNow Security Operations customer went live! In the last few posts I’ve focused on some specific benefits of ServiceNow’s Security Operations suite. This time around I’d like to step back and talk about how Security Incident Response as a whole is making a difference in the daily lives of the Security Analysts.
After going live, we were preparing to trigger a sample alert when a real threat occurred. The IT Security Operations Lead jumped right in, and within no more than 30 minutes she was showing the automatically generated post-incident review to the CISO. The work was done, originating alerts closed, documentation complete, and management notified. More importantly, the Security Analysts had spent the vast majority of their time working the alert.
Before Security Incident Response, analysts would spend more than half their time moving information between systems and people. Like many compliance requirements, documentation is a mundane, but mandatory, task. With Security Incident Response, all of the information is pulled together automatically. With one place to do all the work, documentation is reduced to adding details as part of the natural flow of an investigation. Simply put, Security Incident Response automates the mandated information collection process, freeing IT to focus their time on the critical tasks: isolating and removing threats.
I don’t want you to read just my version. This customer is an organization that already has a good handle on the concept of Security Operations. Here’s what their IT Security Operations Lead had to say this morning:
“Security Operations for us is the combination of alert monitoring, incident response, vulnerability management, and threat hunting to drive our security detection and response efforts. We're using the ServiceNow Security Operations module to help streamline our incident response processes so our responders aren't bogged down in documentation. The module will help us to couple the concept of a single pane of glass with standardized incident response workflows. In the future, we hope to expand the module to encompass our vulnerability remediation efforts.”