Why ServiceNow “Security Operations” is important for organizations?

Why ServiceNow “Security Operations” is important for organizations?

As an amalgamation of IT Services and IoT devices, BYOD(Bring Your Own Device) is happening at a rapid pace in the organizations. The risk from IT Security breaches is increasing on daily basis; so much that the position of CISO(Chief Information Security Officer) is being elevated to report to the “Board of Directors” rather than to the CIO.

Most Organizations spend millions of dollars every year to mitigate the risk of security/data breaches; investing in security solutions ranging from SIEM tools (such as Splunk, Radar), Detection (such as McAfee, Palo Alto, Symantec), Access Management (such as okta) to Vulnerability Scanning Solutions (such a Qualsys, Rapid 7, Tenable) and many more.

Despite the successful implementation of these solutions in most organizations; in 2018 alone, we witnessed almost 10 high profile security breaches such as Facebook (87 million records breached) and India’s Aadhar (1.1 billion records). Most of these data breaches have been contained but the time taken to identify and contain breaches is most critical in security operations.

Cost of a Data Breach Study on an Organization

 “Cost of a Data Breach Study” sponsored by IBM was conducted by Ponemon Study on more than 450+ Organizations in July 2018. It points to the following key findings: –

  • The average total cost rose from $3.62 to $3.86 million, an increase of 6.4 per cent since last year
  • The average cost for each lost record rose from $141 to $148, an increase of 4.8 per cent since last year
  • Meantime to identify a data breach is 197 days and Mean time to contain a data breach is 69 days
  • About 50% of all data breaches were due to malicious or criminal attacks, followed by human error issues and thereby system glitches
  • For companies that contained the breach in less than 30 days, the estimated average total cost of a data breach was $3.09 million — compared to $4.25 million for the companies who took more than 30 days to contain the breach.

Its clear from above that even with the advent of new security solutions, security processes are in fact broken! The reason being siloed working environment, lack of connected intelligence and no coordinated response of activities.

Issues Faced By Security Teams

Security teams often have issues which hamper their ability to respond to the breaches faster. Some of the common ones are: –

  • They are not able to determine the exact priority of security incidents based on business impact
  • They are overwhelmed by the huge amount of security event messages they get daily
  • They need to know the security runbook or read through SOPs to determine the actions to be taken which leads to higher time to resolve
  • They are not able to tie the threats or vulnerabilities found across to these Incidents/Events

 Solution Provided By ServiceNow SECOPS

This is where Service Now Security Operations Solutions come into place. It creates an environment where every security event comes together to be reconciled and thereby achieve a more coordinated and faster response to resolve.

Imagine it as a funnel, with Service Now acting as a single platform where all security solutions come together to be resolved and thereby remediated through a single system of record!

Figure: Service Now Funnel for Security Solutions

Before we dive into the specifics, let us consider a small use case to understand how Service Now Sec Ops Solution could help security operations personnel to resolve Security Incidents faster and with more context: –


The organizations using SIEM tools like Splunk, Arc Sight etc. are overwhelmed by the huge number of security events raised. However, in most cases prioritization is not effective.

Through ServiceNow SecOps Solution an effective way to resolve Security Incidents is achieved: –

a) Events raised by SIEM tools and prioritized based on the Business Services being affected; if an event affected a CI on which a critical business service is dependent; automatically the priority increases; service now does this through the platform-wide integration of CMDB

b) Service Now leverages existing Threat Intelligence and Vulnerability Information from leading sources/feeds such as TAXII, STIX and NVD to determine if these are known threats and how to respond to them

c) Service Now leverages its Knowledgebase and workflow to determine the exact steps, notification, orchestration to perform without looking into complex SOP documents

Hence, Usage of one platform for resolution, co-relation with feeds and automated orchestration help security professionals to respond faster and correctly to security events.

We will look at the architecture of service now security solutions, components and thereby other use cases in future blogs!

 (Content Courtesy: Srinivas Ramanujaiah)

One Comment

  • Himanshu Singhal says:

    December 20, 2018 at 6:56 pm

    Good one

Leave a reply

Your email is never published nor shared. Required fields are marked *

Are you Human? * Time limit is exhausted. Please reload CAPTCHA.

Pin It on Pinterest

Share This