Security Incident Response Overview

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 5 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Security Incident Response Overview

    The Security Incident Response Overview provides insights into security incident activities, including trends, reports, and detailed data tailored to user roles. Users can interact with various visualizations, such as charts and heatmaps, to access specific incident information and detailed lists of incidents by clicking on the visual elements.

    Show full answer Show less

    Key Features

    • Security Incident Manager Overview: Accessible to Security Incident Administrators and Managers, it includes key reports such as counts of critical incidents, SLAs expiring soon, and incidents categorized by risk and severity.
    • Security Analyst Overview: For Security Incident Analysts, this section displays personal workload metrics, including critical incidents assigned and SLAs due, along with visual representations of incident distribution by type and region.
    • Security Incident CISO Overview: Available with the Security Incident Analytics plugin, it provides advanced reporting on incident counts, closure rates, and average times for containment and eradication, along with visual data on regional incident distribution.

    Key Outcomes

    By utilizing these overviews and reports, ServiceNow customers can effectively monitor security incidents, prioritize their responses based on severity and SLA deadlines, and analyze trends over time. This leads to enhanced decision-making capabilities and improved incident management processes within their organizations.

    The Security Incident Response Overview provides an executive view into security incident activity, providing trends and reports, and drill-downs into specific data.

    The Overview module displays security incident information that is tailored to the role of the user. You can point to any part of a chart (bar, pie, data point, heatmap, and so on) to view general data specific to that part. See the following image. If you click any part of a report, a list opens to provide detailed information.
    Figure 1. Trend of All Security Incidents
    Sample report from Security Incident Manager Overview

    Security Incident Manager Overview

    Users with the Security Incident Administrator and Security Incident Manager roles view the Security Incident Manager Overview. It contains the following reports in the base system.
    Table 1. Security Incident Manager Overview reports
    Name Visual Description
    Team Critical Security Incidents Single score The number of critical security incidents assigned to the team.
    Team High Security Incidents Single score The number of high security incidents assigned to the team.
    SLAs expiring within 24 hours Single score The number of SLAs that expire within the next 24 hours.
    Risk vs Severity Heatmap The distribution of security incidents assigned to the team by risk and severity.
    Security Incidents by CI Class, last 3 months Bar chart The count of security incidents assigned to the team by configuration item class.
    Trend of All Security Incidents Trend Plots the count of the number of security incidents received by category or priority.
    Unauthorized Access Security Incidents Bar chart Displays the types of security incident categories received over time.
    Average Time to Contain Single score The average time it takes to contain all security incidents.
    Average Time to Contain Critical Single score The average time it takes to contain all critical security incidents.
    Average Time to Identity Single score The average time it takes to identify all security incidents.

    Security Analyst Overview

    Users with the Security Incident Analyst role view the Security Analyst Overview. It contains the following reports in the base system.
    Table 2. Security Analyst Overview reports
    Name Visual Description
    My Critical Priority Work Single score The number of critical security incidents assigned to me.
    My High Priority Work Single score The number of high security incidents assigned to me.
    My SLAs expiring within 24 hours Single score The number of SLAs assigned to me that expire within the next 24 hours.
    Security Incidents assigned to me Bar chart Security Incidents assigned to me by incident state or category.
    Work assigned to me by Type Bar chart Security tasks (incidents, tasks, or requests) assigned to me by type or priority.
    Security Incidents, Requests, Tasks assigned to me List A list of all security incidents, security requests, and tasks assigned to me.
    Security Incident Location Map Regional location of the security incidents.
    Count Map Number of security incidents per region.
    Min/Max Count Color Spectrum Bar The minimum and maximum numbers of security incidents per region represented by a color spectrum bar.
    Percentage of Count Map Percentage of the total incident count per region.

    Security Incident CISO Overview with Security Incident Analytics activated

    When the Security Incident Analytics plugin is activated, users with the Security Incident CISO and System Administrator roles view the Security Incident CISO Overview. The following CISO reports are provided in the base system.
    Table 3. Security Incident CISO Overview reports (with Security Incident Analytics activated)
    Name Visual Description
    New Security Incidents This Week Single score The number of new security incidents received in the current week.
    Security Incidents Closed This Week Single score The number of security incidents closed in the current week.
    New Security Incidents (Running 7 Days) Single score The number of security incidents opened within the last 7 days.
    Security Incidents Closed (Running 7 Days) Single score The number of security incidents closed within the last 7 days.
    Daily New Security Incidents vs Closed Security Incidents Trend New and Closed security incident counts over time by day.
    Weekly New Security Incidents vs Closed Security Incidents Trend New and Closed security incidents over time by week.
    Security Incident Close Code Trend Full count of closure codes over time.
    Security Incident Business Impact Treemap Business services with security incidents with available groupings by business criticality.
    Average Time to Contain (Weekly) Trend The 7-day average time it takes to contain a security incident over time.
    Average Time to Eradicate (Weekly) Trend The 7-day average time it takes to eradicate a security incident over time.
    Average Time to Identity (Weekly) Trend The 7-day average time it takes to identify a security incident over time.
    Security Incident Location Map Regional location of the security incidents.
    Count Map Number of security incidents per region.
    Min/Max Count Color Spectrum Bar The minimum and maximum numbers of security incidents per region represented by a color spectrum bar.
    Percentage of Count Map Percentage of the total incident count per region.

    Security Incident CISO Overview without Security Incident Analytics activated

    When the Security Incident Analytics plugin is not activated, users with the Security Incident CISO and System Administrator roles view the Security Incident CISO Reporting Overview. The following CISO reports are provided in the base system.
    Table 4. Security Incident CISO Overview reports (without Security Incident Analytics activated)
    Name Visual Description
    New Security Incidents This Week Single score The number of new security incidents opened in the current week.
    Security Incidents Closed This Week Single score The number of security incidents closed in the current week.
    New Security Incidents (Running 7 Days) Single score The number of security incidents opened within the last 7 days.
    Security Incidents Closed (Running 7 Days) Single score The number of security incidents closed within the last 7 days.
    Weekly New Security Incidents Trend The new security incidents opened on a weekly basis.
    Weekly Closed Security Incidents Trend The security incidents closed on a weekly basis.
    Security Incident Close Codes Trend Security incident close codes over time.
    Business Services with Security Incidents - Business Impact Treemap Business services with security incidents with available groupings by business criticality.
    Average Time to Contain Single score The average time it takes to contain all security incidents.
    Average Time to Contain Critical Single score The average time it takes to contain all critical security incidents.
    Average Time to Identity Single score The average time it takes to identify all security incidents.
    Note:
    The Security Incident Response base system includes Performance Analytics Solutions for displaying preconfigured best practice dashboards. The dashboards present important metrics for analyzing your Security Incident Response process, such as new security incidents or the average age of open security incidents. For more information and installation instructions, see Security Incident Response Platform Analytics Solutions.