Sandeep Kumar6
Giga Guru

With Security Incident Response (SIR), manage the life cycle of your security incidents from initial analysis to containment, eradication, and recovery. Security Incident Response enables you to get a comprehensive understanding of incident response procedures performed by your analysts, and understand trends and bottlenecks in those procedures with analytic-driven dashboards and reporting.

Following are my understanding and observations of Security Incident Response.

Activate Security Incident Response

Security Incident Response activates these plugins.

True/false indicates whether the plugin is available:

  • Service Management Core [com.snc.service_management.core] → true
  • Task-Outage Relationship [com.snc.task_outage] → true
  • Tree map [com.snc.treemap] → true
  • Threat Core [com.snc.threat.feeds] → false
  • Security Support Orchestration [com.snc.secops.orchestration] → true
  • Security Incident Response support [com.snc.security_support.sir] → false
  • WebKit HTML to PDF [com.snc.whtp] → true

Or

  • Security Incident Analyst [com.snc.security_incident.analytics] → true
  • Security Incident Response [com.snc.security_incident] → true

Configure Security Incident Response

The options for configuring the application are organized under the Business Process, Assignment and Add-ons tabs.

A few properties under these tabs control the behavior of Security Incident Response:

  • The Business Process tab contains options for setting up the request life cycle, creating catalogs and requests, and configuring notifications.
  • The Assignment tab contains options for setting up manual and auto-assignment.
  • The Add-ons tab contains options for enabling the knowledge base, managed documents, and task activities.

Optional setup steps include:

Create a Security Incident Response process definition

I have gone through the ServiceNow docs about it and tried reaching associates here regarding this process, but it seems there is no definite process for Security Incident, unlike the Best Practice - Incident Resolution Workflow for a normal Incident.

You can create a process definition to define the way security incidents transition from one state to the next. Process definitions help service desks and end users track the problem throughout its life cycle.

Before you begin

Role required: sn_si.admin

Procedure

  • Navigate to Security Incident > Administration > Process Definition.
  • Click New.

Security incidents can be logged or created in the following ways:

  • From the Security Incident form.
  • From events that are spawned internally, or created by external monitoring or vulnerability tracking systems via alert rules, or manually.
  • From external monitoring or tracking systems directly.
  • From the service catalog.

Create a security incident group

  • If you have the user_admin role, you can create security incident assignment groups.
  • If you have the sn_si.admin role, you can create and edit security incident assignment groups.
  • Navigate to User Administration > Groups or Security Incident > Setup > Groups.
    • Fill in all the information as required.
  • I have tested this by creating a group named “SIR WalkThrough” in my PI.
  • In the Roles related list, add the roles that each member of this group receives.
  • For example, if you are making a group for Security Incident Response team members, add sn_si.analyst. If you are making a group for Security Incident Response administrators, add sn_si.admin.

Create a Security Incident Response SLA

  • This can be configured based on the requirements we have.
  • Navigate to Security Incident > Setup > SLAs.

Create a Security Incident Response runbook

  • Navigate to Security Incident > Manual Runbook > Create New Runbook.
  • We need to have knowledge base articles in the Security Incident Response Runbook knowledge base.

We can achieve that by adding the Security Incident Response Runbook in Knowledge Base.

I have found a few important terms in Security Incident Response, listed below. Try to keep these in mind when you start working with it.

Scoring in security incident

The risk score is calculated as an arithmetic mean that represents the risk based on the priority of a security incident, the type of security incident (Denial of Service, Spear Phishing, or Malicious code activity), and the number of sources that triggered a failed reputation score on an indicator.

Following business rules trigger automatic calculation of risk scores:

  • Calculate Severity
  • Update risk score
  • Update SI risk score

Note: The risk score is calculated using the weights defined in Risk score configuration.

https://<Instance Name>.service-now.com/sn_sec_cmn_risk_score_weight_list.do?sysparm_userpref_module...

Example

If a security incident has a Business impact set to 2-High and a Priority set to 3-Moderate, the respective weights in the Risk Score Weights table are looked up and the score is calculated as follows:

Security Incident Business Impact with a value of 2 = a weight of 60.

Security Incident Priority with a value of 3 = a weight of 40.

(60 + 40) / 2 = a risk score of 50.

  • The work notes are updated when the following fields are changed (causing the risk score to be updated):
    • Business impact on the Security Incident form
    • Priority on the Security Incident form
    • Severity on the Security Incident form (hidden by default)
    • Business impact on the Affected Users related list
    • Business impact on the Affected Services related list
    • Business impact on vulnerabilities on the Vulnerable items related list

Risk score override

Select this check box to override the automatic update of the risk score. The override is reflected in the work notes.

You can also manually enter a new Risk score. This can be useful if you want to keep a particular security incident at the top of the list of security incidents you are analyzing. If you enter a new Risk score, the Risk score override check box is automatically selected. Regardless of the changes made in the security incident, a manually entered risk score is not automatically recalculated.

Secure notes

  • Click the lock icon to unlock the field, enter work notes that are visible to the security users, and click the icon again to lock it.
  • These work notes are encrypted and not visible to the customer.

Read access

  • Gives a user with the special access role read access to the security incident. The user is able to read and write work notes.

Privileged access

Gives a user with the special access role read and write access to all fields of the security incident except Assigned to. Users with special access roles have their own module containing all security incidents assigned to them. No other modules are available to them. No one else can see the Visible to Me module.

Note:

  • If a user is added to both the Read access and Privileged access lists, only the Privileged access permissions persist.
  • Only an assigned user or someone with a security role (for example, sn_si.analyst or sn_si.admin) can change the Assigned to field.

SIR Lifecycle

Draft → Analysis → Contain → Eradicate → Recover → Review → Closed

  • Normally it follows the NIST process, but you can skip one or two states and go directly to Recover or Review.
  • We can’t close a Security Incident until we complete or close all the related tasks.
  • We can close a Security Incident only after the Contain state; before that we don’t even have the option to close it.
  • Assignment Group and Assignee are auto-populated because a workflow (Assignment Workflow for SM) runs behind the scenes, checking for a skill-based resource and assigning the incident to that person.
  • We can cancel a Security Incident from the button that appears on the header when the state changes from Draft to Analysis.
  • But I could find a Cancelled state for the response task:
    • Ready → Assigned → Work In Progress → Complete → Cancelled

Reference Link:

https://docs.servicenow.com/bundle/london-security-management/page/product/security-incident-response/concept/what-is-sir.html

Please Hit like or helpful if you find this interesting.

Happy Learning!

Sandeep

Comments
divs
Kilo Contributor

Hi Sandeep,

Thanks for sharing this small and useful document to understand the SecOps process.

Hey, I need quick help. I am getting an error while running the orchestration related link on the Security Incident form in the London version.

Kindly help me to resolve this issue. I created a cross-application scope also, but still it's not working.

Sandeep Kumar6
Giga Guru

Hi Divs,

This is a known error from the ServiceNow side.

You can go through the links below; they may help you.

https://community.servicenow.com/community?id=community_blog&sys_id=44ad22a9dbd0dbc01dcaf3231f961921

https://community.servicenow.com/community?id=community_question&sys_id=d9dfc3a5dbdcdbc01dcaf3231f961922

Please hit correct if this gave your answer.

Sandeep

divs
Kilo Contributor

Hi Sandeep,

So what is the resolution of this issue?

I need to run this orchestration.

Please help me.

I know this issue is related to the cross-access application scope.

Sandeep Kumar6
Giga Guru

Hi Divi,

You can go to the Restricted Caller Access form and look for records that do not have the status of "Allowed". The operation is making a call into the HR:Core scope that you have not allowed.

This Restricted Caller Access is a new feature in Kingston.

The best way is to raise a High ticket on this if it's not solving your problem.

Regards

Sandeep 

divs
Kilo Contributor

Hi Sandeep,

Thanks for your reply.

I have one more question for you. How is the risk score card getting calculated on the security incident form? As mentioned in the document, the risk score card calculation is based on Business impact and Priority.

For example, if a security incident has a Business impact set to 2-High and a Priority set to 3-Moderate, the respective weights in the Risk Score Weights table are looked up and the score is calculated as follows:

Security Incident Business Impact with a value of 2 = a weight of 60.

Security Incident Priority with a value of 3 = a weight of 40.

(60 + 40) / 2 = a risk score of 50.

But it is not calculating as per the description given in the above example, which is from the link below:

https://docs.servicenow.com/bundle/london-security-management/page/product/security-incident-response/concept/si-risk-score-calculations.html

Please help me to understand the logic of the risk score card calculation.

Sandeep Kumar6
Giga Guru

Hi Divi,

The risk score is calculated as an arithmetic mean that represents the risk based on the priority of a security incident, the type of security incident (Denial of Service, Spear Phishing, or Malicious code activity), and the number of sources that triggered a failed reputation score on an indicator.

Following business rules trigger automatic calculation of risk scores:

  • Calculate Severity
  • Update risk score
  • Update SI risk score

Note: The risk score is calculated using the weights defined in Risk score configuration.

Security Incident -> Setup -> Risk Score Configuration

https://<instance_name>.service-now.com/sn_sec_cmn_risk_score_weight_list.do?sysparm_userpref_modul...

Example

If a security incident has a Business impact set to 2-High and a Priority set to 3-Moderate, the respective weights in the Risk Score Weights table are looked up and the score is calculated as follows:

Security Incident Business Impact with a value of 2 = a weight of 60.

Security Incident Priority with a value of 3 = a weight of 40.

(60 + 40) / 2 = a risk score of 50.

  • The work notes are updated when the following fields are changed (causing the risk score to be updated):
    • Business impact on the Security Incident form
    • Priority on the Security Incident form
    • Severity on the Security Incident form (hidden by default)
    • Business impact on the Affected Users related list
    • Business impact on the Affected Services related list
    • Business impact on vulnerabilities on the Vulnerable items related list

Risk score override (check box)

Select this check box to override the automatic update of the risk score. The override is reflected in the work notes.

You can also manually enter a new Risk score. This can be useful if you want to keep a particular security incident at the top of the list of security incidents you are analyzing. If you enter a new Risk score, the Risk score override check box is automatically selected. Regardless of the changes made in the security incident, a manually entered risk score is not automatically recalculated.

Reference:

https://community.servicenow.com/community?id=community_question&sys_id=e2a051f1dbccf3005129a851ca9619ca

Please hit correct if this gave your answer.

Regards

Sandeep

Hansolo
Tera Contributor

@divs, not sure if this info is still useful to you or not, but the script include function that appears to load all of the parameters that are used to calculate the Risk score is RiskScoreUtil._populateRiskParamsAndCorrespondingRiskScores. 

_populateRiskParamsAndCorrespondingRiskScores: function (/* SI gliderecord */ siGR, params) {
    var calculateAll = false;
    this._parameters = {};
    if (gs.nil(params))
        calculateAll = true;
    else
        params = params.split(",");
    //If the risk score override is turned off, re-calculate all
    if (!gs.nil(params) && params.indexOf("override") > -1)
        calculateAll = true;
    else {
        var latest = new GlideRecord("sn_sec_cmn_risk_score_audit");
        latest.addQuery("task", siGR.getUniqueValue());
        latest.setLimit(1);
        latest.orderByDesc("last_updated");
        latest.query();
        if (latest.next()) {
            var parms = latest.getValue("risk_score_parameters");
            if (!gs.nil(parms))
                this._parameters = JSON.parse(parms);
        } else
            calculateAll = true;
    }
    if (calculateAll || params.indexOf("si") > -1) {
        if (!gs.nil(siGR.getValue("business_criticality")))
            this._lookupWeight("si", siGR.getValue("business_criticality"));
    }
    if (calculateAll || params.indexOf("si_severity") > -1) {
        if (!gs.nil(siGR.getValue("severity")))
            this._lookupWeight("si_severity", siGR.getValue("severity"));
    }
    if (calculateAll || params.indexOf("si_priority") > -1) {
        if (!gs.nil(siGR.getValue("priority")))
            this._lookupWeight("si_priority", siGR.getValue("priority"));
    }
    if (calculateAll || params.indexOf("ci") > -1)
        this._checkCIBusinessCriticality(siGR.getUniqueValue());
    if (calculateAll || params.indexOf("vi") > -1)
        this._checkVIBusinessCriticality(siGR.getUniqueValue());
    if (calculateAll || params.indexOf("user") > -1)
        this._checkUsersBusinessCriticality(siGR);
}

If you follow all of these functions in this script include, you can see that it also uses the Business Impact column on the sys_user table, the Business criticality column on the cmdb_ci_service table, and the Vulnerable item column on the sn_vul_m2m_item_task table, if that is enabled. So the likely missing number is the affected user's business impact.

These are the additional weights found in the Security Incident > Setup > Risk Score Configuration list. i.e. Users Business Impact. 

The function that actually does the calculations:

_calculateRiskScore: function (siGR, message) {
    var total = 0;
    var counter = 0;
    for (var key in this._parameters) {
        total += this._parameters[key];
        counter++;
    }
    var risk_score = -1;
    if (total != 0 && counter != 0) {
        risk_score = Math.ceil(total / counter);
        var risk = siGR.risk_score;
        if (parseInt(risk) != risk_score) {
            //create risk score audit for score change
            var changeReason = gs.getMessage("Automatically updated due to {0}", message);
            var strParams = JSON.stringify(this._parameters);
            this.createRiskScoreAudit(risk_score, siGR.getUniqueValue(), changeReason, false, strParams, risk);
        }
    }
    return risk_score;
}

Example: If you go to the sn_sec_cmn_risk_score_audit table, you will see all of the times the Risk score changed on each of your SIR records. This will show you all of the parameters that were used to create this calculation. 

{"si":80,"si_severity":55,"si_priority":90,"user":60}

The risk score calculated for the above parameters is (80 + 55 + 90 + 60) / 4 = 285 / 4 = 71.25, the ceiling of which is just 72.

This info took me a while to track down, and figure out since there seems to be very little documentation on this. 

Hope this helps someone else! -Hansolo
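The docs' 60/40 example from the original post and the audit JSON in this comment, worked through in runnable form. This is an added example, not ServiceNow's RiskScoreUtil; the weight table is constructed and the function names (populateRiskParams, calculateRiskScore, updateRiskScore) are my own.

```javascript
// Added example (not ServiceNow's RiskScoreUtil): a stand-alone model of the
// arithmetic-mean risk score described on this page, with the manual-override
// rule. The weight table is constructed; an instance reads it from the
// sn_sec_cmn_risk_score_weight table shown in Risk Score Configuration.

// Constructed weights keyed like the audit JSON: parameter -> field value -> weight.
const RISK_SCORE_WEIGHTS = {
  si:          { "1": 80, "2": 60, "3": 40 }, // Security Incident business impact
  si_priority: { "1": 90, "2": 60, "3": 40 }, // Security Incident priority
  si_severity: { "1": 80, "2": 55, "3": 30 }, // Security Incident severity
  user:        { "1": 80, "2": 60, "3": 40 }, // affected user's business impact
};

// Build the parameter map that is stored in risk_score_parameters on the audit
// record. Only fields that are set contribute; empty ones are skipped, mirroring
// the gs.nil() checks in the script include quoted above.
function populateRiskParams(fields) {
  const params = {};
  for (const [name, value] of Object.entries(fields)) {
    if (value === null || value === undefined || value === "") continue;
    const table = RISK_SCORE_WEIGHTS[name];
    if (table && table[String(value)] !== undefined) params[name] = table[String(value)];
  }
  return params;
}

// Arithmetic mean of every weight present, rounded up with Math.ceil;
// -1 when nothing contributed (the same sentinel the quoted code returns).
function calculateRiskScore(params) {
  const values = Object.values(params);
  const total = values.reduce((a, b) => a + b, 0);
  if (values.length === 0 || total === 0) return -1;
  return Math.ceil(total / values.length);
}

// On a field change, recompute unless the analyst has pinned the score manually
// (Risk score override): a manually entered score is never recalculated.
function updateRiskScore(incident, changedFields) {
  if (incident.risk_score_override) return incident.risk_score;
  return calculateRiskScore(populateRiskParams({ ...incident.fields, ...changedFields }));
}

// Docs example: business impact 2 (60) and priority 3 (40) -> (60 + 40) / 2 = 50
console.log(calculateRiskScore(populateRiskParams({ si: 2, si_priority: 3 }))); // 50
// Audit JSON quoted in the comment above -> ceil(285 / 4) = 72
console.log(calculateRiskScore(JSON.parse('{"si":80,"si_severity":55,"si_priority":90,"user":60}'))); // 72
```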

divyasurada
Tera Contributor

Hello Sandeep Kumar,

Do you have any idea about the view configuration for users accessing the security incident response form?

For end users it is directing to the security_itil view. I want to change this view.

Thanks,

Divya Soorada

rlatorre
Kilo Sage

Does anyone have an example of an SIR Auto-assignment Workflow?

Version history
Last update: 02-08-2019 02:21 AM