03-07-2019 12:56 PM
Does anyone have a best practice or workflow suggestion on using the SecOps module for Insider Threat investigations? One requirement is making sure that the scope of knowledge is limited to just one group in the SOC. Therefore, VM and IR teams are not aware of an investigation and the SITs attached to it. Also, is SIR the right approach since this isn't really an incident yet?

03-07-2019 04:18 PM
SIR is the perfect place for this. First, you can think of the beginning states as "Security Incident Candidates" that need to be investigated. Also, you could add a field "Is Incident" if you need that level of definition.
It is very easy to limit who can see an internal investigation; just use Tags.
1. Create a new role and assign it only to the team that does internal investigations.
2. Create a new Tag for this team and assign the role to the Read and Write User Access. (Also tick the Enforce Restricted Access check box, and of course do this in the Security Incident scope.)
3. Simply tag the Security Incident with this Tag and it is locked down!
Please mark this as Correct or Helpful so others can benefit from our conversation.

03-08-2019 09:52 AM
Andy,
Can I run reports against Security Tags? I think I did that once and it was challenging for some reason.

03-08-2019 03:15 PM
Hey there - the limitation you likely ran into may have been around the ability to perform a 'Group by' on Tags. Since the Tags field can have multiple values (i.e., multiple tags), there is a limitation of not being able to do a 'Group by' Tags in a report.
However, you can specify in your report condition (and also in filter conditions on a list view) which records should be returned from a query based on Tags - e.g. show me SIR records where -> {Security Tags | Contains | TLP Green}.
From the perspective of a security analyst using the SIR form, and also strategic reporting around security incident handling -> having clear Categories and Subcategories would be important here to start with.
You could explore using Security Tags (and Rules associated with them), or investigate ACLs + fields + form sections + roles, to meet the lockdown requirements.
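The tag-based lockdown described in the earlier answer (a role for the investigation team, a tag that grants Read and Write access to that role with Enforce Restricted Access set, the tag applied to the record) and the "Security Tags | Contains" report condition discussed above, as an added illustrative model in plain JavaScript. This is example code, not ServiceNow's implementation and not code from any poster; the role name insider_investigator, the user names, the record numbers, the tag definitions and the field names are all constructed for the example.

```javascript
// Added illustrative model of tag-based restricted access on security
// incident records. Not ServiceNow code: every name below is constructed.

// A tag grants read/write access to roles. When enforceRestrictedAccess is
// true, a record carrying the tag is hidden from anyone without a read role.
const TAGS = {
  "Insider Threat": {
    readRoles: ["insider_investigator"],  // hypothetical role for the investigation team
    writeRoles: ["insider_investigator"],
    enforceRestrictedAccess: true,
  },
  "TLP Green": {
    readRoles: [],
    writeRoles: [],
    enforceRestrictedAccess: false,       // informational tag, no lockdown
  },
};

// Constructed users: a VM/IR analyst and a member of the insider-threat team.
const USERS = {
  vmAnalyst: { name: "vm.analyst", roles: ["sn_si.analyst"] },
  investigator: { name: "it.investigator", roles: ["sn_si.analyst", "insider_investigator"] },
};

// Constructed security incident records with a multi-valued tags field.
const RECORDS = [
  { number: "SIR0001", shortDescription: "Possible data exfiltration by employee", tags: ["Insider Threat"] },
  { number: "SIR0002", shortDescription: "Phishing campaign", tags: ["TLP Green"] },
  { number: "SIR0003", shortDescription: "Privileged account misuse", tags: ["Insider Threat", "TLP Green"] },
];

function hasAnyRole(user, roleList) {
  return roleList.some((r) => user.roles.includes(r));
}

// Access check: every enforced tag on the record must grant the user the
// requested level. An unknown tag is treated as enforced with no grants, so a
// mistyped tag name fails closed instead of exposing the record.
function canAccess(user, record, level) {
  const key = level === "write" ? "writeRoles" : "readRoles";
  return record.tags.every((name) => {
    const tag = TAGS[name];
    if (!tag) return false;
    if (!tag.enforceRestrictedAccess) return true;
    return hasAnyRole(user, tag[key]);
  });
}

const canRead = (user, record) => canAccess(user, record, "read");
const canWrite = (user, record) => canAccess(user, record, "write");

// What a list view or report returns for a given user: only readable records.
function visibleTo(user, records = RECORDS) {
  return records.filter((rec) => canRead(user, rec));
}

// The "Security Tags | Contains | <tag>" condition on the multi-valued field.
function withTag(records, tagName) {
  return records.filter((rec) => rec.tags.includes(tagName));
}

// A user's report: the tag condition applied to the records that user can see,
// so a restricted-access tag also hides records from reports.
function reportFor(user, tagName) {
  return withTag(visibleTo(user), tagName).map((rec) => rec.number);
}

// Why "Group by tag" is awkward on a multi-valued field: a record with two tags
// lands in two buckets, so bucket totals exceed the record count.
function countPerTag(records = RECORDS) {
  const counts = {};
  for (const rec of records) {
    for (const name of rec.tags) counts[name] = (counts[name] || 0) + 1;
  }
  return counts;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(visibleTo(USERS.vmAnalyst).map((r) => r.number));  // ["SIR0002"]
  console.log(reportFor(USERS.investigator, "TLP Green"));        // ["SIR0002","SIR0003"]
  console.log(countPerTag());  // { "Insider Threat": 2, "TLP Green": 2 } across 3 records
}
```

The model keeps the deny-by-default behaviour a practitioner would want from a restricted-access tag: an analyst without the investigation role sees neither the record nor its rows in a tag-filtered report, and the group-by count shows why a multi-valued tags field gives totals that do not add up to the number of records.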