“Security defense is exciting, because you’re always trying to stay ahead of the bad guys,” says Tracy T., senior staff detection engineer at ServiceNow. Who are these bad guys? They could be malware or hackers who try to threaten the security of employee data or the company network—or anything in between.
Detection engineering plays a major role in keeping a company safe, especially amid changing tool capabilities and detection methods.
At ServiceNow, we had a lot of moving parts to keep threat detections centralized and monitorable. New detections were written by incident responders. These cases made their way through various teams before being assigned and resolved. Our threat defense and response team needed a consolidated prioritization of work to reduce silos between security teams.
A DASH of security
The threat defense and response team is tasked with detecting suspicious behavior, identifying potential threats, and keeping the company safe from cyberattacks.
When John Y., senior manager of threat intelligence, started at ServiceNow, his work was mostly manual. “It was essentially a spreadsheet that tracked the development of our custom security detections, and it was just me running it,” he says.
Today, John manages both threat intelligence and detection engineering. His teams are responsible for building content and detecting security threats. To get ahead of risks, they used the ServiceNow citizen development program to build a unified application: Detection Approval and Sync Handover (DASH).
“We needed to be more flexible,” John explains. “We needed to move faster to adjust and, instead of tracking, focus our efforts on discovering gaps and creating new detections.”
Running on the Now Platform, DASH centralizes and consolidates the entire detection engineering workflow system. Major benefits include:
Increased collaboration among threat and response teams
Streamlined processes for prioritization
More defined criteria, greater visibility, and detection transparency
Teamwork makes the dream work
DASH has given John and his teams a stronger, more efficient app to meet the company’s security detection needs. “We have a good diversity of backgrounds on my teams from other service providers and technology companies. All of this experience helps when we're troubleshooting a particular use case that we're building content around,” he says.
“Our biggest customer is the global incident response team, and through DASH, we’re really in step,” Tracy adds. “Now that there’s a categorization process, it’s greatly helped our relationship. There’s not a lot of wasted time and no duplication of work.”
DASH works as the operational piece in the detection workflow. Developing new integrations in the workflow system also involves an application-building process. This is where Angela Z., senior information security engineer at ServiceNow, steps in.
“Think of John and Tracy as my internal customers,” Angela says. “They come to us with an issue. This could be creating a new app. If we can create and fix it for them, we can work together and figure out a solution.”
Angela started her ServiceNow career as an intern on the security incident response team. “I was organizing a lot of the team’s documentation,” she recalls. “I had to read and understand the [securities] process. Being on that team, I was able to see what they go through daily and understand their process.”
Angela’s experience allows her to be a great liaison between her team and other security teams. “I’ve grown and learned so much in my role over the last four years,” she adds. “I’ve built strong relationships across our security teams and continue to expand my skill set.”
Using our own technology
“Detecting malicious or suspicious activity is imperative to ServiceNow to keep our company data and our customer data safe,” Tracy says. When heightened security threats arise due to low resource capacity around summer vacations and holidays, John and his teams are sometimes tasked with working extended hours.
“That's kind of typical of how close we are to security operations and support,” he says. “We help as much as possible so that the security response team has visibility into the things they need to respond to.”
DASH has given employees like John, Tracy, and Angela the ability to do their best work to keep the company, our customers, and data secure. Through our very own Now Platform, employees are given the opportunity to be citizen developers to prioritize work needs, solve business problems fast, and get the job done every time.
© 2022 ServiceNow, Inc. All rights reserved.