As you prepare for your first platform go-live, ensuring robust cybersecurity measures are in place is crucial. This can mean different things for different companies depending on the industry and regulatory oversight that needs to be addressed. For example, the Australian Essential Eight Assessment is a common starting point for businesses and government agencies to assess and target the required maturity level. One of the common controls you will come across deals with ensuring your ServiceNow logs are tamper-proof. This involves protecting your ServiceNow logs from unauthorised modification so that they can later be used for monitoring and investigation of potential security breaches.
Key Points for Log Protection:
- Protection from Unauthorized Changes: Ensure logs are secure from unauthorized modifications. No one, including trusted administrators, general users, or malicious actors, should be able to alter log data.
- Detection of Modification Attempts: Implement mechanisms to identify attempts to change logs. This is vital for maintaining security and ensuring awareness of potential threats.
Using SIEM Tools
Security Information and Event Management (SIEM) combines security information management (SIM) and security event management (SEM) to provide real-time analysis of security alerts generated by applications and network hardware, helping organizations detect, respond to, and manage security threats.
Typically, SIEM tools like Splunk, Elastic, or Microsoft Sentinel pull relevant logs into an enterprise repository via API. ServiceNow's Log Export Service can push logs to these tools using Kafka streams or MID server-based API, reducing the risk of on-platform log modifications before they reach the enterprise SIEM tool. Leveraging your enterprise SIEM is often the best method to meet security requirements.
ServiceNow Protected Tables Plugin:
ServiceNow offers the Protected Tables plugin specifically designed to prevent log tampering. This plugin provides various protection levels for core logging tables, from completely blocking updates to just logging tampering attempts.
The plugin allows configuration for insert, update, and delete operations and applies to the following tables:
| Table | Table Name |
| --- | --- |
| syslog | System Log |
| syslog_transaction | Transaction Log |
| sys_outbound_http_log | Outbound HTTP Logs |
| sysevent | Event Log |
| sys_audit | Audit Log |
| sys_push_notification | Push Notifications |
| protected_table_configuration | Protected Table Configuration |
The plugin offers the following settings for each operation:
- Block and Log Attempts: Prevents the operation and logs the attempt.
- Only Block the Attempt: Prevents the operation without logging it.
- Only Log the Attempt: Logs the attempt without prevention.
- Don’t Block and Don’t Log: Disables protection on the table.
Recommended Configuration:
The following table outlines my recommended starting point when configuring your environment. This combination secures the critical tables while not significantly interfering with the operation of the ServiceNow platform.
| Table | Table Name | Update | Delete | Insert |
| --- | --- | --- | --- | --- |
| syslog | System Log | Block & Log | Block & Log | Only Log |
| syslog_transaction | Transaction Log | Block & Log | Block & Log | Only Log |
| sys_outbound_http_log | Outbound HTTP Logs | Block & Log | Block & Log | Only Log |
| sysevent | Event Log | Only Log | Only Log | Don’t Block & Don’t Log |
| sys_audit | Audit Log | Block & Log | Block & Log | Only Log |
| sys_push_notification | Push Notifications | Don’t Block & Don’t Log | Don’t Block & Don’t Log | Don’t Block & Don’t Log |
| protected_table_configuration | Protected Table Configuration | Only Log | Block & Log | Block & Log |
Key Considerations:
- Locked Configurations: Some table configurations are locked for certain operations to ensure uninterrupted platform operations.
- Custom Scripts and Flows: Review any custom scripts or flows interacting with protected tables, as the plugin may block certain actions.
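Because the Protected Tables configuration is itself a record that an administrator could relax, it is worth checking the live settings against your agreed baseline on a schedule rather than only at go-live. The following script is an added example, not code from the original post or from ServiceNow: it encodes the recommended starting point from the table above and reports every table whose update, delete or insert protection is weaker (a tamper-proofing gap) or stronger (a likely cause of blocked scripts and flows) than the baseline. The input shape (`{ table: { update, delete, insert } }`) and the constructed sample configuration are assumptions; on the platform you would build that object by reading `protected_table_configuration` with GlideRecord and mapping its field values onto the four setting names.

```javascript
// Added example (not from the original post or ServiceNow): audit a Protected
// Tables configuration against the recommended baseline and flag drift.

const BLOCK_LOG = 'Block & Log';
const BLOCK_ONLY = 'Only Block';
const LOG_ONLY = 'Only Log';
const OFF = "Don't Block & Don't Log";

// Relative strength of each setting, strongest first.
const STRENGTH = { [BLOCK_LOG]: 3, [BLOCK_ONLY]: 2, [LOG_ONLY]: 1, [OFF]: 0 };

// Recommended starting point from the post, per table and operation.
const BASELINE = {
  syslog:                        { update: BLOCK_LOG, delete: BLOCK_LOG, insert: LOG_ONLY },
  syslog_transaction:            { update: BLOCK_LOG, delete: BLOCK_LOG, insert: LOG_ONLY },
  sys_outbound_http_log:         { update: BLOCK_LOG, delete: BLOCK_LOG, insert: LOG_ONLY },
  sysevent:                      { update: LOG_ONLY,  delete: LOG_ONLY,  insert: OFF },
  sys_audit:                     { update: BLOCK_LOG, delete: BLOCK_LOG, insert: LOG_ONLY },
  sys_push_notification:         { update: OFF,       delete: OFF,       insert: OFF },
  protected_table_configuration: { update: LOG_ONLY,  delete: BLOCK_LOG, insert: BLOCK_LOG },
};

// Compare a live configuration (assumed shape: table -> {update, delete, insert})
// with the baseline. Returns one finding per deviation. "weaker" findings are
// tamper-proofing gaps; "stronger" findings are worth reviewing because they
// may block legitimate scripts or flows.
function auditProtectedTables(actual) {
  const findings = [];
  for (const [table, expected] of Object.entries(BASELINE)) {
    const live = actual[table];
    if (!live) {
      // A baseline table with no configuration record at all is unprotected.
      findings.push({ table, op: '*', expected: 'configured', actual: 'missing', severity: 'weaker' });
      continue;
    }
    for (const op of ['update', 'delete', 'insert']) {
      const want = expected[op];
      // An unrecognised value is treated as no protection rather than ignored.
      const have = live[op] in STRENGTH ? live[op] : OFF;
      if (have === want) continue;
      findings.push({
        table, op, expected: want, actual: have,
        severity: STRENGTH[have] < STRENGTH[want] ? 'weaker' : 'stronger',
      });
    }
  }
  return findings;
}

// True when any table is less protected than the baseline requires.
function hasWeakenedLogProtection(actual) {
  return auditProtectedTables(actual).some((f) => f.severity === 'weaker');
}

// Constructed sample: syslog deletes have been relaxed, sys_audit has no
// configuration record, and sysevent updates have been tightened.
const SAMPLE_LIVE = {
  syslog:                        { update: BLOCK_LOG, delete: LOG_ONLY,  insert: LOG_ONLY },
  syslog_transaction:            { update: BLOCK_LOG, delete: BLOCK_LOG, insert: LOG_ONLY },
  sys_outbound_http_log:         { update: BLOCK_LOG, delete: BLOCK_LOG, insert: LOG_ONLY },
  sysevent:                      { update: BLOCK_LOG, delete: LOG_ONLY,  insert: OFF },
  sys_push_notification:         { update: OFF,       delete: OFF,       insert: OFF },
  protected_table_configuration: { update: LOG_ONLY,  delete: BLOCK_LOG, insert: BLOCK_LOG },
};

for (const finding of auditProtectedTables(SAMPLE_LIVE)) {
  console.log(JSON.stringify(finding));
}
```

Run as-is with Node it prints three findings for the constructed sample: the relaxed `syslog` delete and the missing `sys_audit` record as "weaker", and the tightened `sysevent` update as "stronger". Feeding the result of `hasWeakenedLogProtection` into your SIEM or a scheduled job gives you the "detection of modification attempts" control for the configuration itself, complementing the plugin's own logging of blocked attempts on the log tables.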
Separation of Duties:
Separation of duties is essential for IT system integrity and security. In relation to the ServiceNow Protected Tables plugin, it's crucial to ensure you have defined the roles appropriately and allocated the right people to look after each area. In this scenario:
- Security Administrators: Focus on security policies, controls, and compliance. They manage system security settings, access control lists, and security hardening.
- Administrators: Handle overall configuration, maintenance, and management, including user management, system updates, and workflow configurations.
Security Administrators must make all changes to the Protected Tables configuration; the Administrators who handle day-to-day platform configuration should not be the ones adjusting it. Maintaining clear role separation reduces conflicts of interest, minimizes insider threats, and enhances overall security.
Outcomes
With proper planning and configuration, the Protected Tables plugin can help you meet the requirement to tamper-proof your ServiceNow logs. It does so by safeguarding your logs against unauthorized modifications and logging any attempts for later review. Protecting your logs is just one part of ensuring your ServiceNow environment meets your organization's required cyber controls.
To meet your security and cyber requirements, work closely with your security and cyber teams to understand and implement the necessary protections. This is crucial when aiming to meet a particular maturity level or committing to do so. Early collaboration helps prevent unintended consequences or undetected intrusions down the track.