Situational Awareness
In the last post we discussed user account hygiene and its importance for keeping your instance secure. But with potentially thousands of users accessing a system at any given time, how do you monitor what is going on?
Most activity will be normal and harmless, as users go about their everyday business. But there is a chance that something unwanted or malicious could be happening, caused either by active users or some external source... and that’s why monitoring is so important. Careful monitoring can help you identify potential issues and get on top of them before they become big problems.
Instance activity can be recorded in detail in the various system logs, giving information on user logins, browser activity, data access, etc., and providing an audit trail that you can use to help detect unwanted activity.
ServiceNow personnel cannot access information or logs within an instance without your express permission and can only monitor activity related to the platform infrastructure itself, not activity or data within an instance. This is by design and by default, and means it is your responsibility as the customer to ensure that the system logs are monitored.
Countermeasures
- Take a close look - The first step is understanding the various types of logs available to you: what they record, the level of detail, and which are most relevant, i.e. event, system and transaction logs. Then, you should review the logs, looking for and alerting on anything suspicious, and set up a process to make sure this happens often, or even better, continuously. You can view the logs within your instance, or export them using the syslog probe. Better still, you can send logs to your SIEM, if you have one, for correlation, analysis, and alerting.
- Keep historical data - It’s also a good idea to store copies of the logs for long term archival, which enables future reference for security investigations, auditing, and compliance.
- Find the norm - You should establish a baseline of activity for reference. This will help you to understand what ‘normal’ looks like, so you can pick up on deviations and anomalies which might suggest there’s something suspicious going on.
- Check things out - Anything unusual should obviously be investigated; this could include events such as multiple failed or concurrent logins, access from unexpected locations and devices, or privilege escalations.
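To make the four countermeasures concrete, here is an added example (not code from ServiceNow or from this blog) of the kind of detection logic a SIEM rule or a small script over exported logs would run. It builds a per-user "normal location" baseline from a quiet period, then flags the deviations named above: a burst of failed logins, concurrent logins from different sources, access from a location outside the baseline, and a sensitive role grant. The log line format, the `login.success`/`login.failed`/`role.granted` event names and the sample records are all constructed for illustration and are not the instance's real log format.

```python
"""Baseline-and-anomaly checks over constructed login/role-change log lines."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed records; the format is an assumption for this example only.
BASELINE_LOG = """\
2024-02-28T09:00:00Z login.success user=alice src=10.0.0.5 geo=GB
2024-02-28T09:05:00Z login.success user=bob src=10.0.0.7 geo=GB
"""

MONITOR_LOG = """\
2024-03-01T08:00:00Z login.success user=alice src=10.0.0.5 geo=GB
2024-03-01T08:01:00Z login.success user=bob src=10.0.0.7 geo=GB
2024-03-01T08:02:00Z login.failed user=carol src=198.51.100.9 geo=RO
2024-03-01T08:02:30Z login.failed user=carol src=198.51.100.9 geo=RO
2024-03-01T08:03:00Z login.failed user=carol src=198.51.100.9 geo=RO
2024-03-01T08:03:30Z login.failed user=carol src=198.51.100.9 geo=RO
2024-03-01T08:04:00Z login.failed user=carol src=198.51.100.9 geo=RO
2024-03-01T08:05:00Z login.success user=alice src=203.0.113.44 geo=BR
2024-03-01T08:07:00Z role.granted user=bob role=admin by=alice
2024-03-01T08:08:00Z login.success user=dave src=192.0.2.10 geo=US
"""


@dataclass
class Event:
    ts: datetime
    kind: str      # login.success, login.failed, role.granted (assumed names)
    user: str
    fields: dict   # remaining key=value pairs (src, geo, role, by, ...)


def parse_line(line: str) -> Event:
    ts_text, kind, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, kind, fields.pop("user"), fields)


def parse_log(text: str) -> list[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def build_baseline(events: list[Event]) -> dict[str, set[str]]:
    """'Find the norm': the set of locations each user normally logs in from."""
    baseline: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if e.kind == "login.success":
            baseline[e.user].add(e.fields["geo"])
    return dict(baseline)


def detect(events: list[Event], baseline: dict[str, set[str]],
           fail_threshold: int = 5, window: timedelta = timedelta(minutes=10),
           sensitive_roles: tuple[str, ...] = ("admin", "security_admin")):
    """Return (rule, user, detail) alerts for the anomalies the post lists."""
    alerts = []
    failures: dict[str, list[datetime]] = defaultdict(list)          # sliding window
    sessions: dict[str, list[tuple[datetime, str]]] = defaultdict(list)  # recent (ts, src)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "login.failed":
            q = failures[e.user]
            q.append(e.ts)
            while q and e.ts - q[0] > window:      # forget failures outside the window
                q.pop(0)
            if len(q) >= fail_threshold:           # one alert per burst, then reset
                alerts.append(("failed_login_burst", e.user,
                               f"{len(q)} failures within {window} from {e.fields['src']}"))
                q.clear()
        elif e.kind == "login.success":
            geo, src = e.fields["geo"], e.fields["src"]
            # A user with no baseline at all is also a deviation worth a look.
            if geo not in baseline.get(e.user, set()):
                alerts.append(("unexpected_location", e.user, f"{geo} from {src}"))
            recent = [(t, s) for t, s in sessions[e.user] if e.ts - t <= window]
            other_sources = sorted({s for _, s in recent if s != src})
            if other_sources:
                alerts.append(("concurrent_login", e.user,
                               f"{src} while still active from {', '.join(other_sources)}"))
            recent.append((e.ts, src))
            sessions[e.user] = recent
        elif e.kind == "role.granted" and e.fields.get("role") in sensitive_roles:
            alerts.append(("privilege_escalation", e.user,
                           f"{e.fields['role']} granted by {e.fields.get('by', '?')}"))
    return alerts


if __name__ == "__main__":
    norm = build_baseline(parse_log(BASELINE_LOG))
    for rule, user, detail in detect(parse_log(MONITOR_LOG), norm):
        print(f"{rule:22} {user:8} {detail}")
```

Run as-is, it reports the five deviations planted in the constructed log: carol's burst of failed logins, alice's login from an unexpected country that overlaps her existing session, the admin grant to bob, and dave logging in with no baseline at all. Thresholds and the window are parameters so they can be tuned against what the baseline period shows is normal for your instance; in a real deployment the same rules would be expressed in your SIEM over the exported logs rather than in a script.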
The story so far…
So far in this blog series we have touched on the shared security model, password security, strengthening authentication, access controls, user account hygiene, and security monitoring.
Although each of these topics may seem quite simple by themselves, together they form a strong foundation. By following the advice and recommendations in the blog, you can significantly improve the security of your ServiceNow instance and help prevent unauthorized access and breaches.
One very real example of an attack that can be prevented with these simple approaches is a Password Spray Attack. Though these attacks have recently become more widespread, they are relatively easy to deflect by following basic security practices - like those explored in this series. This article explains more about how they are carried out and how to defend against them.
In the next post…
We have seen why you should monitor your instance carefully to help spot potentially malicious activity and attacks. In the next post, we will look at how to maintain platform security with updates and patches.