Security Incident Response within ServiceNow’s Jakarta

Richard Briggs - 17th August 2017

This is the second instalment of our IT Security Operations series and a first look at this new functionality within ServiceNow’s Jakarta upgrade. If you missed the previous blog, click here.

Within ServiceNow, Security Incident Response is Security Operations’ core application that works in unison with Vulnerability Response, Threat Intelligence and Trusted Circles. It also seamlessly integrates with ServiceNow’s traditional ITIL orientated components such as Event Management, CMDB, Change and Incident Management, Business Service Management and many more.

Looking at NIST’s security incident handling guide, the seven key stages (grouped into 4) of the Security Incident Response lifecycle are summarized into the following sections:

Preparation

This stage is focused on establishing your organization’s current incident response capabilities, then taking the necessary preventative measures to ensure your systems, networks and applications are secure.

So how will ServiceNow Security Operations help you at this stage?

  • Keep detailed security team contact information up to date, along with other essentials such as the staff on-call rota, and enable webchat communication and sharing of information. Do you know which security SME to assign a specific category of Security Incident to, and is he on call?
  • Streamlining your security incident processes. You can prepare by defining your own workflows to suit your organization’s documented security runbooks; these can be adapted based on the type of Attack Vector you need to prepare for. What process do I follow, what page in the manual was that?
  • Making users aware of currently trending threats (see Threat Intelligence and Trusted Circles). Procedures ensure users are adequately trained, with related knowledge base articles already looked up for you!
  • Maintaining proactive security by assigning and tracking the status of key preparation tasks such as risk assessments and vulnerability scans (see Vulnerability Response), as well as patching that is carefully controlled using Change Management. What vulnerabilities does this version of IOS running on my switch have?

Detection and Analysis (Identification)

These stages are probably the most interesting to me and, now that you are prepared (or should be!), this is where the fun starts!

The types of security-related events you receive depend on what your entire army of SIEM tools (all feeding into your ServiceNow instance) is capable of detecting (and maybe even responding to, if told to do so!), e.g. malware detected, DDoS on a web service, phishing email, escalation of user privileges; the list is endless. Depending on which SIEM tools you have at your disposal, events received may be identified as either an incident indicator (i.e. an incident may have occurred or is happening now, e.g. malware detected!) or a precursor (i.e. something that may lead to something bad happening in the future, e.g. uninvited nmap port scans!).

So how will ServiceNow Security Operations help you with detection and analysis?

  • Provides enhanced event analytics capabilities and targeted response that supports the aggregation of received event data, RCA and filtering out unwanted noise. This is achieved using ALERT and IMPACT rules. IMPACT rules determine the magnitude of a potential outage on business-critical CIs (or their relationships) and Services to set the appropriate severity. ALERT rules govern the resulting ACTION to be invoked when the defined alert condition(s) have been met (e.g. create a new security incident, prioritize it accordingly and populate it with the affected CMDB CIs and any other related information, auto-assign it to the security SME, notify them via email/pager and start the SLA timer; if they don’t respond to the incident within 10 minutes, escalate to their manager and give them a clip round the ear… maybe).

  • Helps you understand the dependencies and relationships between your Systems, Applications, Network resources and critical Business Services. What impact will this have on my business services if this system is infected with malware? CMDB, Business Service Modelling and Asset Management are there to help.
  • Notify other trusted organizations of what you’ve identified using Trusted Security Circles; you never know, your selected partner organizations may not have observed this type of attack yet (or vice versa!). Not forgetting valuable Threat Intelligence to provide up-to-date guidance.
  • Can assist with event data enrichment using web-service APIs with popular vendor COTS tools, i.e. get me further information about a targeted CI pronto! For example: resolve that host IP to an FQDN; what processes are running on this box? Do any reported process names match any known threat IoC (Indicators of Compromise)? If so, update the security incident with related threat KB articles, escalate priority and notify other skilled SMEs.
  • Multiple informative dashboards are available, providing live feeds and current status of Security Incidents. One simple but handy feature that caught my eye is ‘Task boards’, which enable security teams or even your CISO to see an easy-to-interpret pictorial overview of what’s going on with your open security incidents.
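
The rule flow described in this section (indicator versus precursor, impact rules setting severity from CI and service relationships, IoC enrichment, alert rules choosing the action, and the 10-minute escalation) can be modelled in a few functions. This is an added illustration in plain JavaScript, not ServiceNow code or APIs; the CI names, the 1 to 5 severity scale, the thresholds and the IoC process name are all constructed assumptions.

```javascript
// Illustrative model only: plain JavaScript, not ServiceNow APIs or tables.
// All names, thresholds and sample data are constructed for this example.
const CMDB = {                        // CI -> criticality (1 low .. 5 high) and dependent services
  "web-01": { criticality: 2, supports: ["online-store"] },
  "hr-laptop-17": { criticality: 1, supports: [] },
};
const SERVICES = { "online-store": { criticality: 4 } };
const IOC_PROCESS_NAMES = new Set(["evil_updater.exe"]); // constructed IoC list

// indicator = an incident may have occurred; precursor = may lead to one later.
const EVENT_KIND = { malware_detected: "indicator", port_scan: "precursor" };

// Impact rule: severity is the highest criticality among the CI and the services it supports.
function impactSeverity(ciName) {
  const ci = CMDB[ciName];
  if (!ci) return 1;                  // unknown CI: lowest severity, still evaluated
  return Math.max(ci.criticality, ...ci.supports.map((s) => SERVICES[s].criticality));
}

// Enrichment: return running processes whose names match a known IoC (case-insensitive).
function matchIocs(processes) {
  return processes.filter((p) => IOC_PROCESS_NAMES.has(p.toLowerCase()));
}

// Alert rule (assumed policy): indicators always open an incident;
// precursors open one only when the impact is business-critical (severity >= 4).
function applyAlertRule(event) {
  const kind = EVENT_KIND[event.type] || "precursor";
  const iocHits = matchIocs(event.processes || []);
  let severity = impactSeverity(event.ci);
  if (iocHits.length > 0) severity = Math.min(severity + 1, 5); // IoC match raises priority
  if (kind === "precursor" && severity < 4) return { action: "log_only", kind, severity };
  return { action: "create_incident", kind, severity, ci: event.ci, iocHits,
           openedAt: event.time, acknowledgedAt: null };
}

// Escalation: no acknowledgement within 10 minutes of opening goes to the manager.
const ACK_LIMIT_MS = 10 * 60 * 1000;
function needsEscalation(incident, now) {
  return incident.action === "create_incident" &&
         incident.acknowledgedAt === null && now - incident.openedAt > ACK_LIMIT_MS;
}
```
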

Containment, Eradication and Recovery

These stages are especially important when it comes to combatting the effect of infections spread via malware/worms that propagate at warp speed between adjacent hosts that each have identical vulnerabilities (unless of course you are ahead of the game). Therefore, the faster you contain, the less damage (hopefully!) will have been done, but a full recovery can still take months.

So how will ServiceNow Security Operations help you with these stages?

  • Provide an intelligent automated response if needed using Orchestration (i.e. take things to the next level by initiating a remediation workflow, which can comprise a manual and/or fully automated suite of tasks, using Security Incident Response Orchestration and scripts to contain the infection, e.g. block outbound access to a malicious IP on your Palo Alto firewall, initiate shutdown of infected systems). If you haven’t had time to automate such tasks just yet, don’t worry: perform them manually as defined in workflows to ensure what you’ve done is reproducible… and potentially automate the next round.
  • Use ServiceNow’s central CMDB to reference your system’s DRP related material (not forgetting valuable CI to Service relations!). These features will assist your teams to contain and recover systems by following the affected CI(s) related baseline installation and configuration instructions, restoring the last system tape backup or maybe even using the powers of orchestration to do it for you, using either Puppet or Chef to spin up a fresh new ‘uninfected’ virtual system instance (subject to approval of course).
  • Initiate other automated activities? Once you’ve restored the infected systems, how do you test them to ensure things are eventually back to normal? Again, orchestration/scripting can be executed to confirm things like whether a server’s processes are running, or to initiate a Nessus scan to check whether your recently restored devices’ vulnerabilities have been re-exposed (due to the last restored backup not containing a recently applied patch - oops!); even network service testing products such as NETSCOUT’s nGenius PULSE could come in handy.
  • Assistance with Evidence gathering and handling.  Throughout all the key security incident handling stages mentioned, all actions performed to detect, analyze, identify, contain, eradicate and recover from the security incident must be accurately captured. A comprehensive Security incident audit trail is recorded for you, to be used for post incident review activities, lessons learnt and for forensics evidence useful for legal proceedings.

Post Incident Activity

This is a very important stage where valuable lessons learned are called upon in group discussions to enlighten you, since unfortunately not all things go smoothly first time! Your organization might have conducted a penetration test to help your teams prepare for this first round (of many maybe!).  However, you were all probably on-site, in the control room, all monitoring your dashboards waiting for something to happen at 8pm on a Thursday (outside normal service hours), maybe with some observers watching your every move. By the way - this is a highly valuable exercise and I sure have learnt a lot from witnessing what a pre-arranged DDoS attack does to an enterprise network without adequate protection (and response)!

So how will ServiceNow Security Operations help you with post incident activity?

  • Automatically create post incident reports for discussion at lessons learned meetings that can be reviewed and edited before being published. These can contain a comprehensive audit trail of all events and activities performed. Especially useful for completing Incident handling check-lists.
  • Security Incident statistics monitoring and reporting, used to indicate the measures of success, including cost. How many incidents were created, and of what type? How long did each team spend resolving incidents? What was the average Incident response time? How many Incident SLAs were met/exceeded? Which security teams or SMEs were the busiest? Have no fear, Performance Analytics can assist you here!

  • Issuing dynamic post incident questionnaires to staff. This helps collect further information about specific security incidents (e.g. did you have sufficient knowledge of that malware/worm/trojan? Were you aware of similar attacks from that source IP before?)
  • Feedback post incident review to Threat Intelligence (e.g. do I need to write my own STIX idiom for that incident?), update related Knowledge Base articles and share with others.

Well that’s it for now! Join me for part 3, when I’ll be running through Vulnerability Response and Threat Intelligence.

If you have any questions in relation to this blog post or wish to find out more about us, feel free to contact us using the links below.