on 05-20-2024 12:05 PM - edited on 06-28-2024 08:00 AM by Lisa Latour
Earlier this month during ServiceNow's Knowledge Conference, several new features launched in Major Security Incident Management. You can get your hands on those from the ServiceNow Store by downloading version 3.1.2 of the application. Here is a summary of the highlights, which we’ll cover in more detail in this blog post.
(1) Auto-Creation of Slack Channels
Starting in version 3.1.2 of MSIM, customers have the ability to automatically create dedicated Slack channels for Incident Managers to engage with Incident Responders to manage major security incidents. With the MSIM Slack integration, Slack messages are imported into the Collaboration Tab of the MSIM workspace. In the MSIM Collaboration Tab, Incident Managers can:
- Add or remove users or groups to the corresponding Slack channel(s) created for that Major Security Incident (MSI)
- Search and filter the chat messages from within MSIM, for example by keyword, person, or time duration.
- Tag an important chat message as a “Timeline Event”. This could be, for example, a message from a responder confirming when they uploaded a log file, or when they performed a response action (such as quarantining a device, removing a malicious executable file, or deploying a patch).
It’s worth noting that with the MSIM Slack integration, people who are authorized and added to the Slack channel can create a Task directly in MSIM using a simple Slack command: /Create a task
Here’s a short demo of the MSIM Slack integration courtesy of our Software Engineer, Ashwin Mishra @ashwinmishra, that walks through:
- How to configure the MSIM Slack integration (with 1 or more channels)
- How Slack channels get created automatically (when an MSI is Promoted)
- How messages (including files and attachments) in Slack channels synchronize to the MSIM Workspace
- How managing (or renaming) Slack channels can be done from MSIM
- How Tasks can be created from Slack into MSIM
(2) Code Names and Categories
Code Names is a new concept that we’re introducing to enable your company to use a code name to track a major security incident. For example, Red Dragon, Wild Tiger, Log5J, or any code name of your choosing. When a standard security incident is being Promoted to a major security incident, you can specify the Code Name.
This Code Name is also included in the names of the chat channels that are created in Microsoft Teams chat or Slack. By default, channel names are configured to have the following format: MSI Number – Code Name. This format can be changed via a simple configuration.
Out-of-the-box categories for major security incidents have been updated to the ones shown in the diagram below. Starting in version 3.1.2 it is required to choose an MSI category when promoting a major security incident. Previously the default category was set to the category of the standard security incident.
(3) Legal Request Playbook
A common topic we hear from MSIM customers is the desire to streamline communication between Security and Legal, so that the Incident Manager can provide a summary of a major security incident to their Legal teams. From there, Legal can take that summary and use it in filing an 8K or 10K form to comply with regulatory bodies such as the SEC when disclosing security breaches.
This is where the Legal Request Playbook comes in. The Playbook, which is built using ServiceNow's Process Automation Designer (PAD), enables Security to populate a summary of the incident for Legal to review. Once this is done, a Task is created in the Visual Task Board of MSIM, which enables Security to keep track of when Legal has completed the review of the summary.
The Task also enables Security & Legal teams to communicate on the Task’s activity stream to provide any further clarifications as needed. Note that the steps and sections in the playbook are entirely configurable from the Process Automation Designer.
(4) Next Update Logic
Here are the main things to know about the Next update logic and widget that were introduced in version 3.1.2:
- Next update appears on the Overview Tab of an MSI
- Next update is defaulted to 24 hours from the time an MSI is Promoted. This can be changed at any time by the Incident Manager (by clicking on the edit icon)
- When creating an Executive Status Report, the Next update is automatically populated into the status report (if Next update is set to a time in the future)
- 2 hours before Next update is reached, the incident manager receives an email reminder that Next update is approaching. The duration of the reminder is configurable via a system property.
(5) Adding Groups to Chat Channels
Another ask from customers has been the ability to add groups to chat channels directly. In this release, MSI Managers can do so by navigating to the Collaboration Tab. Clicking the channel name under Chat Channel Manager now enables MSI Managers to add people or groups to a channel. Note that members from groups who are already in the channel will not be added. A confirmation message of the addition will be shown on the Activity stream of the Collaboration Tab.
(6) Sharing Status Reports with External Recipients
In addition to sharing Executive Status Reports with users on your ServiceNow instance, you now have the ability to share Executive Status Reports with users outside your ServiceNow instance. This could include third party vendors, or other entities. This could also include email distribution lists. Simply type in the external address or distribution list and you’re good to go!
Feel free to let us know in the comments if you have any questions on the new features!
Thanks,
Antonio & The MSIM Team