VR or SIR and a Phase 2

Chris McDevitt
ServiceNow Employee

All,

I am doing some planning... so a question for everyone:

Once VR or SIR are up and running successfully, what is important enough to start a Phase 2 project?

What I mean is... Would you like additional configurations, new integrations, new OOB capabilities, or new related applications (for example, after SIR adds MSIM or after VR adds Patch orchestration)?

I know this is a vague question 😁 but I was interested in your thoughts on this topic.


PSCWILLEY
Tera Contributor

This is a fantastic question. So even though we have SIR and VR set up, there is still a ton of moving back and forth (swivel chair) in other applications to act on what we are alerted about. Starting with SIR: CrowdStrike Real-Time Response is fantastic, but I still have to have a ServiceNow ticket open, and there is a lot of copy/paste that happens when taking information from a SIR and porting it over to find the CrowdStrike record so I can connect to the host. If there were a "links" section of the SIR that I could make open another application, I wouldn't have to go through the other portal; I could click and be taken right to the thing I wanted in the other application. That would be amazing. We have looked at trying to get a Playbook set up that we could trigger automation from based on which application we needed, and the Playbook would populate the info, open the portal, or give us the ability to go straight to what we want. But this is not something that will happen soon, I don't think.
VR: My biggest fight is organizing all the records into Application Vulns and Container Vulns. Right now, my two most popular security scanners just dump it all into the Host Vulnerable Items. We have also integrated with Jira. I can create a record in the Jira Agile Tools for Containers, Applications, and Remediation Tasks. Still, I can't use the agile tools for the Host Vulnerable Items, where everything is being dumped upon import. It would be so nice if all my teams were contained in the Now Platform, but I have many response teams who refuse to use it and want to be in Jira.
The Microsoft integrations are fantastic when adding a file repository for MSIM. However, not every group in my org is using O365. I would love to send them a one-way folder upload for observables, but they have Google Drive, Dropbox, and other file-sharing systems. From what I can see, it looks like SharePoint is the only option for integration on that right now. I could be wrong.
This is a lot, so feel free to cherry-pick from here what you want, and my DMs are always open if you are looking for more pain points.

PatrickMutchler
Tera Guru

Chris,
I'm going to jot down some senseless ramblings and hope that they are helpful. It largely depends on what all was done in Phase I. I'm going to focus on the SIR side of the house. If Phase I was a basic implementation, moving security incidents out of the incident table and into their rightful place within SecOps, then I could see Phase II being something like playbooks, integrations, calculators, and enhanced reporting and analytics. Depending on the organization, I could see the Security Incident catalog being a big chunk of Phase II. If Phase I included that stuff, I think Threat Intelligence would be a great business case for a Phase II. It definitely helps when the business can see tangible results. MSIM is one of those big-ticket items that justifies a Phase II, as you mentioned.
I hope this is helpful!

Thank you.