Today’s security climate requires modern enterprises to operate and scale up at lightspeed to respond to incidents. ServiceNow SecOps offers platform APIs, integration tools, and analytics capabilities that help organizations address security concerns faster by integrating valuable resources inside and outside the enterprise.
SecOps integration kits support broad integrations, automated workflows, orchestration of external systems, and continual security improvement. As a result, they drive business results directly instead of stopping at the usual integration boundaries between people, data, systems, and processes.
Several integrations are included with the Security Operations applications, viz., Security Incident Response, Threat Intelligence, and Vulnerability Response.
Securing an organization seamlessly boils down to activating the relevant plugins and configuring the integrations. SecOps also provides guidelines for developing custom integrations. SecOps works with third-party tools such as Qualys, Tanium, Cylance, IBM QRadar, Palo Alto Networks, Splunk, and VirusTotal, among others.
How ServiceNow SecOps Integration Works
The ServiceNow SecOps Integration Capabilities framework provides a consistent architecture to support interoperability with third-party integrations. By abstracting the interface and data model, SecOps insulates the core security applications and provides a consistent and predictable user experience.
Any security incident launches the corresponding implementation workflow, which in turn activates the relevant plugins. Workflows can run in parallel, sequentially, or in whatever other order the implementation requires.
| Capability | Description |
|---|---|
| Block Action | Used to contain identified threats by blocking observables associated with a security incident on a firewall, web proxy, or other control point |
| Email Search and Delete | Identifies the number of threat emails from an email server search, with options to get further details or delete the emails |
| Enrich CI | Enables you to enrich data for configuration items associated with a security incident |
| Enrich Observable | Contains identified threats by enriching observables with additional information from a variety of sources |
| Get Network Statistics | Retrieves a list of active network connections from a host or endpoint |
| Get Running Processes | Retrieves a list of running processes on a configuration item (CI) from a host or endpoint |
| Isolate Host | Restricts system connections to other devices |
| Publish to Watchlist | Adds observables and indicators associated with a security incident to a third-party watchlist that monitors for security events and generates alerts |
| Sightings Search | Accepts a set of observables, finds any integrations that support a Sightings Search, then executes these searches |
| Threat Lookups | Performs threat intelligence lookups to determine whether one or more observables are associated with known security threats |
ServiceNow SecOps Integration Capabilities framework capabilities
For instance, when a configuration item (CI) is added to an open security incident in Security Incident Response in a Tanium endpoint security and systems management implementation, the Get Running Processes workflow is triggered and identifies the running processes for the affected CI.
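To make the framework's abstraction concrete (the core application talks only to a common capability interface, and a capability such as Sightings Search fans out to every plugin that supports it, while adding a CI to an incident triggers Get Running Processes), here is a toy model written for this article. It is not ServiceNow code and uses no ServiceNow API; the class names, integration names, observables and process lists are constructed sample data.

```python
"""Toy model of the SecOps Integration Capabilities framework (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class SecurityIncident:
    number: str
    observables: list                        # IPs, domains, hashes under investigation
    cis: list = field(default_factory=list)  # affected configuration items


class Integration:
    """Base interface: each third-party plugin declares the capabilities it implements."""
    name = "base"
    capabilities: set = set()

    def run(self, capability, incident):
        raise NotImplementedError


class ThreatIntelSource(Integration):
    """Stand-in for an intel feed plugin; `known_bad` is a constructed indicator set."""
    capabilities = {"Threat Lookups", "Sightings Search"}

    def __init__(self, name, known_bad):
        self.name, self.known_bad = name, set(known_bad)

    def run(self, capability, incident):
        return {o: (o in self.known_bad) for o in incident.observables}


class EndpointAgent(Integration):
    """Stand-in for an endpoint management plugin; `processes` maps CI -> process names."""
    capabilities = {"Get Running Processes", "Isolate Host"}

    def __init__(self, name, processes):
        self.name, self.processes = name, processes

    def run(self, capability, incident):
        if capability == "Get Running Processes":
            return {ci: self.processes.get(ci, []) for ci in incident.cis}
        return {ci: "isolated" for ci in incident.cis}


def dispatch(capability, incident, integrations):
    """Run `capability` on every plugin that supports it; results keyed by plugin name."""
    return {i.name: i.run(capability, incident)
            for i in integrations if capability in i.capabilities}


def flagged_observables(results):
    """Merge per-plugin lookup answers into the set of observables any source flagged."""
    return {o for hits in results.values() for o, bad in hits.items() if bad}


def on_ci_added(incident, ci, integrations):
    """Trigger: adding a CI to an open incident launches Get Running Processes."""
    incident.cis.append(ci)
    return dispatch("Get Running Processes", incident, integrations)
```

A capability with no supporting plugin (for example Email Search and Delete in this model) dispatches to nothing and returns an empty result, which is the case a real workflow should report rather than silently treat as "no threat found".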
If your organization uses the Qualys Cloud Platform integration to detect vulnerabilities, you can integrate it with Vulnerability Response. When the third-party Qualys scanner detects vulnerability data, that data is imported to Vulnerability Response for tracking, prioritization, and resolution.
ServiceNow SecOps changes the way organizations approach security by integrating diverse applications on a single platform, automating workflows, and removing dependencies on email, spreadsheets, and other manual processes, transforming how enterprise security is run.
Credits: Icons designed by Eucalyp Studio https://www.iconfinder.com/ratch0013 under the Creative Commons 3.0 license. https://creativecommons.org/licenses/by/3.0/