Natasha Gupta
ServiceNow Employee

Security Orchestration, Automation, and Response (SOAR) has, if you’ll pardon the play on words, soared in popularity as security teams work to scale and mature their operations. Our latest release provides five new ways to make security operations faster and more effective, from the cloud to the full application stack. The Paris release introduces a new use case for application vulnerabilities, brings machine learning to vulnerability management, rolls out incident response best practices as playbooks, and makes it even easier to automate phishing response with an off-the-shelf, Predictive Intelligence driven playbook. We have also integrated with Microsoft Azure Sentinel to give visibility into cloud operations and the security tools hosted there.

For ServiceNow Vulnerability Response (VR):

  • Orchestrate response for application vulnerabilities: The 2020 Verizon Data Breach Investigations Report found that web applications are the top asset involved in breaches, at more than 40%. Our new Application Vulnerability Management feature integrates with Veracode to import DAST (Dynamic Application Security Testing) results and determine the risk of each finding. It lets vulnerability teams centralize all the data and get full visibility into vulnerability exposure across applications, configurations, and infrastructure. (Requires ServiceNow VR Professional or Enterprise; currently in Limited release; please contact your account manager for access.)

  • Better chronological detail for Vulnerability Response
    Customers who use Vulnerability Response know that a vulnerable item is created whenever a new vulnerability is detected on a configuration item. Historically, only the initial detection information was displayed, but our customers asked us for even more granularity in the reporting. Now, with improved Vulnerable Item Detections, vulnerability managers will be able to see the most granular level of data that’s imported from the vulnerability scanner. For example, if a scanner reports a vulnerability multiple times because it’s found on multiple ports or protocols on the affected configuration item, that information will be imported into the Vulnerable Item. This increased granularity in data will result in better analytics and more intelligent remediation.
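The following is an added illustration of the detection model described above; it is not ServiceNow code, and the scanner export format, field names and vulnerability identifiers in it are constructed for the example. It contrasts an import that keeps only the first detection per configuration item and vulnerability with one that keeps every port/protocol detection and tracks first and last seen dates when a rescan reports the same pair again.

```python
from dataclasses import dataclass, field

# Constructed scanner export (not real scan data). Field names are assumptions,
# not any particular scanner's schema. vuln-A is reported on three port/protocol
# pairs of web01, then rescanned on 443/tcp; vuln-B is on web01; vuln-A is on db01.
SCANNER_FINDINGS = [
    {"ci": "web01", "vuln_id": "vuln-A", "port": 443,  "protocol": "tcp", "found": "2020-09-01"},
    {"ci": "web01", "vuln_id": "vuln-A", "port": 8443, "protocol": "tcp", "found": "2020-09-03"},
    {"ci": "web01", "vuln_id": "vuln-A", "port": 443,  "protocol": "udp", "found": "2020-09-03"},
    {"ci": "web01", "vuln_id": "vuln-A", "port": 443,  "protocol": "tcp", "found": "2020-09-10"},
    {"ci": "web01", "vuln_id": "vuln-B", "port": 22,   "protocol": "tcp", "found": "2020-09-02"},
    {"ci": "db01",  "vuln_id": "vuln-A", "port": 443,  "protocol": "tcp", "found": "2020-09-04"},
]


@dataclass
class Detection:
    """One scanner observation of a vulnerability on a given port and protocol."""
    port: int
    protocol: str
    first_found: str  # ISO dates compare correctly as strings
    last_found: str


@dataclass
class VulnerableItem:
    """One vulnerability on one configuration item, with its detections keyed by (port, protocol)."""
    ci: str
    vuln_id: str
    detections: dict = field(default_factory=dict)

    def exposure(self):
        """Sorted list of (port, protocol) pairs on which the vulnerability was seen."""
        return sorted(self.detections)


def legacy_import(findings):
    """Older behaviour described in the post: one record per (ci, vuln), first detection only."""
    items = {}
    for f in findings:
        key = (f["ci"], f["vuln_id"])
        if key not in items:
            det = Detection(f["port"], f["protocol"], f["found"], f["found"])
            items[key] = VulnerableItem(f["ci"], f["vuln_id"], {(f["port"], f["protocol"]): det})
    return items


def import_with_detections(findings):
    """Keeps every port/protocol detection; a repeat of the same pair widens its date range."""
    items = {}
    for f in findings:
        key = (f["ci"], f["vuln_id"])
        item = items.setdefault(key, VulnerableItem(f["ci"], f["vuln_id"]))
        dkey = (f["port"], f["protocol"])
        det = item.detections.get(dkey)
        if det is None:
            item.detections[dkey] = Detection(f["port"], f["protocol"], f["found"], f["found"])
        else:
            det.first_found = min(det.first_found, f["found"])
            det.last_found = max(det.last_found, f["found"])
    return items


if __name__ == "__main__":
    for key, item in import_with_detections(SCANNER_FINDINGS).items():
        print(key, item.exposure())
```

The remediation payoff is in `exposure()`: an analyst sees that web01 needs vuln-A fixed on 8443/tcp and 443/udp as well as 443/tcp, which the single-detection import hides entirely.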

For ServiceNow Security Incident Response (SIR):

  • Automate phishing triage and response using Predictive Intelligence: Every organization has seen the uptick in spoofed malicious emails on COVID themes, including return to workplace. These have created an enormous backlog for organizations already under pressure to scale their security capacity and keep operations resilient. In the Paris release, you can use Predictive Intelligence on user-reported phishing to quickly identify which emails are suspicious, and to automate triage and prioritization of the analyst queue based on a Confidence Score that reflects how likely a reported email is to be a genuine phishing threat.

    We are also using similarity analysis to associate and consolidate user-reported phishing incidents, reducing the volume of investigations by deflecting duplicates from the analyst queue. This pre-filtering means analysts see a much shorter, well-organized and prioritized incident queue and avoid the dreaded duplicate investigation. Analysts can also quickly view the original phishing submission, so that they can understand the aggregation logic and how to predict future attacks. (Requires ServiceNow SIR Professional or Enterprise; currently in Limited release; please contact your account manager for access.)
  • Implement proven playbooks for critical use cases: Security analysts often struggle with multiple, manual, repeated tasks over the course of handling a security incident, which drives up mean time to resolution (MTTR). This new library packages up Gold Standard response procedures to help you automate the most common and critical use cases. It frees up analyst time on recurring investigations, improves speed and accuracy, and guides analysts through more complex investigations. Faster responses help to contain potential business impact.

  • Extend visibility and response to Azure through two-way integration with Microsoft security products: Cloud SIEMs are disrupting the traditional SIEM market, and Microsoft’s security tools are changing the game for countermeasures. Customers with a Microsoft security infrastructure want a centralized point of incident management that gives them network-wide visibility, scalability, and confidence in responding to incidents. To give you that visibility and efficiency, we have used the Microsoft Graph API to automate incident creation from Azure Sentinel, Defender ATP, and Azure Security Center, then filter and aggregate the results for consolidated response. You gain a centralized view across your estate so you can prioritize and act. This integration leverages the ServiceNow platform to connect security with IT teams, making task handoffs smoother and resolutions faster. It also provides deeper insight into your security posture and status, with the data needed to improve process and team performance. (Available to all SIR license levels.)

 

To learn more, check out the Paris Release Notes, attend our Now@Work Spotlight on October 6, engage with the active Security Operations Community, or contact your sales team.
© 2020 ServiceNow, Inc. All rights reserved. ServiceNow, the ServiceNow logo, Now, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc. in the United States and/or other countries. Other company names, product names, and logos may be trademarks of the respective companies with which they are associated.
Comments
QM_SSJ4
Tera Contributor

For the Application Vulnerability functionality, can you confirm if Qualys Web Application Scanner module findings will be able to be imported to create a Vuln Item like its VM module results?

Version history
Last update: 09-18-2020 09:47 AM