A large financial group implemented ServiceNow Service Management (ITSM) in 2015, and the Cyber Security Operations Center (CSOC) started using the platform for task and time tracking in 2016.
While the process provided the client Information Security organization task and time metrics, it was very manual and required careful documentation for analysts. Furthermore, the client Information Security organization had implemented numerous security technologies and capabilities since 2015.
Many of these solutions are segmented from each other and require specialized skills/knowledge to interconnect and maintain. Working within so many processes and tools caused both inefficiencies and delays in detecting, prioritizing, and resolving security incidents as they arose.
While evaluating current Security tools, processes, and functions, it was realized that the features of Security Orchestration, Automation, and Reporting (SOAR) tools would greatly help simplify workflows, automate repetitive tasks, and provide management with desired metrics.
The client had already invested in and implemented ServiceNow as their Enterprise Service Management platform. Upon evaluating SOAR tools, there was a realization that ServiceNow already contained a solid base of key business intelligence data (such as business services, service priorities, and user metrics). Given these key data points, along with the ability to integrate disparate security tools and leverage the aggregation and decision metrics of this data, it made sense for the information security department to invest in the Security Operations modules of ServiceNow and not another tool.
Selecting (and ultimately implementing) the ServiceNow Security Operations suite of tools allowed the client's Information Security teams to align with the desired objectives of maturing security process, aggregating information from disparate tools into a single toolset, driving a single point of calculated decision based on the aggregated data, and driving continual process improvement by utilizing SLAs, process/task workflows, and ultimately, orchestration.
By evaluating the current state of Security Operations with the client, GlideFast Consulting was able to align the current business processes and the ServiceNow SecOps platform, while implementing process changes, tool integrations, and the platform in a way that allowed the client to see an immediate improvement in time to detection and time to resolution of incidents as they arose.
Key to the success of this effort was the client's commitment and willingness to adjust some existing response processes and detection tool metrics and rules, as well as to seek out training for the internal Security Engineer who would ultimately be tasked with maintaining and improving the Security Operations toolset within ServiceNow.