Vivektietsood
Tera Guru

The Governance, Risk, and Compliance applications

The ServiceNow Governance, Risk, and Compliance (GRC) applications help transform inefficient processes across your extended enterprise into an integrated risk program. Through continuous monitoring and automation, ServiceNow delivers a real-time view of compliance and risk, improves decision making, and increases performance across your organization and with vendors. Only ServiceNow can connect the business, security, and IT with an integrated risk framework that transforms manual, siloed, and inefficient processes into a unified program built on a single platform.
  • Risk Management – Detect and assess the likelihood and business impact of an event based on data aggregated across your extended enterprise, and respond to critical changes in risk posture.
  • Policy and Compliance Management – Automate best-practice lifecycles, unify compliance processes, and provide assurance of their effectiveness.
  • Audit Management – Scope and prioritize audit engagements using risk data and profile information to eliminate recurring audit findings, enhance audit assurance, and optimize resources for internal audits.
  • Vendor Risk Management – Institute a standardized and transparent process to manage the lifecycle of risk assessments, due diligence, and risk response with business partners and vendors.

The GRC solution can be configured for many scopes, at any level. Keep in mind, though, that SecOps is IT-focused, while GRC is at its best when focused at the highest corporate level.

 

https://community.servicenow.com/community?id=community_question&sys_id=84e0700fdb30bfc8fece0b55ca96...

This link gives a very good description of the relationship between GRC and Security Operations.

Although there are many possible relationships and touchpoints between GRC and Security Operations, the following is one take:


SecOps incidents are confidential by nature. Tracking them in GRC lets your risk and compliance managers be aware of sensitive events without granting them access to the confidential details.

Security Operations in a nutshell

The Security Operations ecosystem can be configured in any number of ways, depending on the needs of your company and the Security Operations products you license.

  1. The first step is to use the ServiceNow Discovery application to find applications and devices on your network, and then update the ServiceNow Configuration Management Database (CMDB).
  2. Integrate your existing Security Information and Event Manager (SIEM) tools with Security Operations applications to import threat data (via APIs or email alerts), and automatically create prioritized security incidents.
  3. Use workflows and the Vulnerability Response application to instantly prioritize events, security incidents and vulnerabilities.
  4. Enrich data using the Threat Intelligence application, as well as other machine learning or artificial intelligence operations capabilities.
  5. Use Risk Management and other Governance, Risk, and Compliance applications to identify, assess, respond to, and continuously monitor Enterprise and IT risks that may negatively impact business operations.
  6. Workflows built into all Security Operations applications take the guesswork and the busywork out of remediation.
  7. Instantly see detailed information about your security posture using dashboards.

 

At the heart of the Security Operations ecosystem is the Security Incident Response (SIR) application. Security Incident Response simplifies the process of identifying critical incidents by applying powerful workflow and automation tools that speed up remediation. Integrate your existing Security Information and Event Manager (SIEM) tools with Security Operations applications to import threat data (via APIs or email alerts), and automatically create prioritized security incidents.

There are many avenues within the Security Operations ecosystem for automatically and manually creating security incidents, as illustrated.
 
The integration with Secureworks is managed from the ServiceNow platform. Every few minutes (configurable), a REST API call is sent to Secureworks to obtain new and updated alerts. Security incidents are created or updated, at which point SIR automation kicks in: assigning the incident to a triage team, pulling in threat intelligence, scoring risk based on multiple factors including the business criticality of the at-risk asset, and executing the workflow.
 
Security Incident Response. Track security incidents as they progress from detection and analysis through containment, eradication, recovery, and closure.
 
Life-cycle of SIM
 
Security incidents can be logged or created in the following ways.
  • From the Security Incident form
  • From events that are spawned internally, or created by external monitoring or vulnerability tracking systems via alert rules, or manually
  • From external monitoring or tracking systems
  • From the service catalog
 
Life-cycle Stages
 
- Draft - The request initiator adds information about the security incident, but it is not yet ready to be worked on.

- Analysis - This is where the analysis of the opened incident happens. The incident has been assigned and the issue is being analyzed.
 

Depending on the view you are using (default, Non-IT Security, Security ITIL, and so on), the Security Incident form can show any combination of vulnerabilities, incidents, changes, problems, and tasks on the affected CI and affected CI groups. The system can identify malware, viruses, and other areas of vulnerability by cross-referencing the National Institute of Standards and Technology (NIST) database or other third-party detection software. As security incidents are resolved, you can use any incident to create a security knowledge base article for future reference.

Perform further analysis using a business service map to locate other affected systems or business services that may also be infected.

- Containment, Eradication and Recovery
 
As you monitor and analyze vulnerabilities, you can create and assign tasks to other departments. You can use a business service map to create tasks, problems, or changes for all affected systems, documents, activities, SMS messages, bridge calls, and so forth.
 
- Contain - The issue has been identified and the security staff is working to contain it and perform damage control. These actions can include taking servers offline, disconnecting equipment from the Internet, and verifying that backups exist.
- Eradicate - The issue has been contained and the security staff is taking steps to fix the issue.
- Recover - The issue is resolved and the operational readiness of the affected systems is being verified.
- Review - The security incident is complete and all systems are back to normal function, however, a post incident review is still needed.
- Closed - The incident is complete but before a security incident can be closed, you must fill out the information on the Closure Information tab.
 

- Review

 
After the incident is resolved, other steps can take place before closure. You can perform a post-incident review, and creating knowledge base articles can help with similar incidents in the future. Significant incidents may require a post-incident resolution review. This review can take several forms. For example:
  • Conduct a meeting to discuss the incident and gather responses.
  • Write a list of resolution review questions tailored to each category or priority of incident, and distribute it to the teams who worked on the incident.
  • Incident managers can write the report and gather information on their own.
 
Add Response Task - adds a task to the security incident.
The following process definitions (task states) are used for security incident tasks.

- Ready - The task is ready to be worked on once it is assigned to an agent
- Assigned - The task is assigned to an agent
- Work In Progress - The assigned agent is working on the task
- Complete - The task is complete
- Canceled - The task was canceled
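As an added illustration of the incident life-cycle stages and task states described above (not ServiceNow code; the `SecurityIncident` and `ResponseTask` classes and their field names are assumptions), the following enforces the ordered stages, refuses the move to Closed until the Closure Information has been filled in, and keeps tasks on the Ready / Assigned / Work In Progress / Complete path with Canceled reachable from any open state:

```javascript
// Added illustration (not ServiceNow code; class and field names are assumed).
const INCIDENT_STAGES = ["Draft", "Analysis", "Contain", "Eradicate",
                         "Recover", "Review", "Closed"];
const TASK_STATES = ["Ready", "Assigned", "Work In Progress", "Complete", "Canceled"];
class ResponseTask {
  constructor(description) { this.description = description; this.state = "Ready"; }
  // Tasks move Ready -> Assigned -> Work In Progress -> Complete one step at a time;
  // Canceled is reachable from any open state, and finished tasks are frozen.
  setState(next) {
    if (!TASK_STATES.includes(next)) throw new Error("unknown task state: " + next);
    if (["Complete", "Canceled"].includes(this.state)) throw new Error("task already " + this.state);
    const oneStep = TASK_STATES.indexOf(next) === TASK_STATES.indexOf(this.state) + 1;
    if (next !== "Canceled" && !oneStep) throw new Error(this.state + " -> " + next + " not allowed");
    this.state = next;
    return this.state;
  }
}
class SecurityIncident {
  constructor(shortDescription) {
    this.shortDescription = shortDescription;
    this.state = "Draft"; this.closureInformation = null; this.tasks = [];
  }
  addResponseTask(description) { // the "Add Response Task" action on the form
    const task = new ResponseTask(description); this.tasks.push(task); return task;
  }
  // Advance one stage; the move to Closed is refused until closure information exists.
  advance(closureInformation) {
    const next = INCIDENT_STAGES[INCIDENT_STAGES.indexOf(this.state) + 1];
    if (!next) throw new Error("incident is already closed");
    if (next === "Closed" && !(closureInformation && closureInformation.trim())) {
      throw new Error("fill in the Closure Information tab before closing");
    }
    if (next === "Closed") this.closureInformation = closureInformation;
    this.state = next;
    return this.state;
  }
}
function walkLifecycle() {
  // Constructed sample incident with one containment task, driven to closure.
  const inc = new SecurityIncident("Suspicious outbound traffic from web server");
  const task = inc.addResponseTask("Disconnect the host from the Internet");
  ["Assigned", "Work In Progress", "Complete"].forEach((s) => task.setState(s));
  while (inc.state !== "Review") inc.advance();
  let blocked = false;
  try { inc.advance(); } catch (e) { blocked = true; } // no closure info yet
  inc.advance("Host rebuilt from a clean image; post-incident review held");
  return { finalState: inc.state, blockedWithoutClosureInfo: blocked, taskState: task.state };
}
```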
 
Please comment / like or bookmark if this article helps you.

Comments
amurana2
Tera Contributor

I like the entire SIM process.  Well-done.  

Kirthi2
Tera Contributor

Great article, I was trying to explore the security operations and reviewing the Product documentation. This article has given me an overall summary.

Thank you!

shevangi
Tera Contributor

great help

Version history
Last update:
09-08-2020 05:03 PM
Updated by: