
Managing Security Operations with ServiceNow® Security Incident Resolution (SIR)

Network security and vulnerability threats continue to pop up in the news, laden with dire warnings and tragic stories detailing millions of compromised user accounts or records. This compromise can include the outright theft of individuals’ Personally Identifiable Information (PII) and their Personal Health Information (PHI).

According to CIO magazine, technology safety is listed as the top Organizational Change Priority for transformation. Security is one of the primary concerns across the world for government agencies, commercial or nonprofit organizations, and even individuals who are deciding whether to purchase products or services. Security Operations (SecOps) is responsible for securing the enterprise by managing IT Security and Vulnerability risks.

While we have come a long way toward securing the enterprise, today’s SecOps teams must continuously keep up with an increasing number of ever-changing threats from individuals inside their organization, cyber pirates and even nation states. Enterprises become more vulnerable when modern SecOps teams can’t detect, contain and respond to these threats fast enough. ServiceNow® reports that it takes approximately 197 days on average to detect a breach, and then an additional 69 days to contain it.

ServiceNow® offers enterprises a way to address this challenge by providing a platform and suite of IT applications designed to work seamlessly together. ServiceNow®'s NOW platform and SecOps suite provide applications for security orchestration, security process automation with a response engine, and an integration framework to connect with your existing security tools. This integration allows your teams to prioritize and respond to incidents and vulnerabilities according to their potential impact on your enterprise. ServiceNow® SecOps includes Security Incident Response, Vulnerability Response, Configuration Compliance, Threat Intelligence, Trusted Security Circles, and Security Operations. There is a lot that we could cover when it comes to SecOps, but in this article we will focus on Security Incidents.

Time, Resources, and Finding Data

As stated in the ServiceNow® report, the major challenges facing enterprises, and particularly SecOps teams, include the following security incident metrics/KPIs:

  • the mean time to understanding (MTTU) and

  • the mean time to resolution (MTTR) of security incidents

With the frequency and volume of threats, it is taking more time to process data in a way that will allow security agents to detect that a breach has occurred. This issue is primarily due to the massive amounts of data that are generated and collected by various applications that detect vulnerabilities, provide Security Incident Event Monitoring (SIEM), protect against vulnerabilities, and support Threat Intelligence monitoring and mitigation.

That’s not to mention the other reason: regular, everyday data. There are so many different systems collecting data for marketing, IT, finance, network operations, etc., that it can be impossible to keep up. Forbes reports we, as an internet society, generate 2.5 quintillion bytes of data each day, and that number is only increasing as the IoT network grows.


For reference:

  • 2.5 quintillion is 2,500,000,000,000,000,000

  • Alphabet (Google’s parent company) is worth $136,800,000,000

  • The average household makes $59,039

(The monetary figures are annual, and the data figures are daily.)


A number of that magnitude is extremely difficult to grasp, and it’s one reason why it makes sense to filter down to the data that is necessary for pragmatic decision making and security operations within an organization.

Rein in Your Resources

One way to reduce the time it takes to detect anomalies in data is to reduce the number of steps required to collect and process that data. One way to do that is to use ServiceNow® as an all-in-one enterprise system to track security incidents from multiple sources.

ServiceNow® SecOps includes several “out of the box” integrations for many of the SecOps applications and tools, allowing enterprises to bring their data into one consolidated database. Once centralized, enterprise-level data managers can quickly establish and update business rules and workflows (e.g., assignment rules), set automation, and streamline processes.

For example, the IT department can use ServiceNow® SecOps to receive security data from an existing monitoring application, or to route it to a Security Incident agent. The agent can then provide recommendations for a resolution based on a centralized and integrated knowledge base. ServiceNow® SecOps can be used to capture the agent’s actions to resolve the incident and to provide a mechanism for routing collaboration notifications to team members in other departments (like Financing or Marketing). This process then allows these departments to review the history of an incident and to provide clarification and additional information to IT, which reduces both MTTU and MTTR.

By using ServiceNow® SecOps as the central system of engagement, incident data and resolution processes remain connected. This method saves time, money, and resources compared to procedures that require agents to monitor various channels, track down members and data from other departments via email or phone, clarify the data with other individuals involved, and report once the resolution has been found.

ServiceNow® Security Incident Resolution

A ServiceNow® Security Incident is used to track the progress of any security incident from any integrated system from initial analysis to containment, eradication, and recovery. Security Incidents can be created and updated in multiple ways:

  • Via a Security Incident form

  • From internal events, or external tracking systems

  • Manually from alerts or automatically due to alert rules

  • From the Service Catalog

For example, let’s assume that you’re using Splunk to review your log data for security threats and vulnerabilities. ServiceNow® SecOps can be easily integrated with Splunk, and by doing so you can set rules to filter out irrelevant threat data from all the other data in Splunk. You can then have the system automatically create Security Incident records in ServiceNow®, route that information to the agents who are responsible for resolving them, expose helpful information from prior incidents to inform agents, and improve incident analysis to reduce MTTU and MTTR.

Since ServiceNow® also keeps a record of updates to each Security Incident, a report can be automatically generated, thereby eliminating the need for post-resolution documentation by an agent. This streamlines the security incident resolution process in ways previously thought impossible.

CoreSphere has provided a simple example of this process in the following video:

Implementing ServiceNow® for SecOps with CoreSphere

When integrating the SecOps solution, it is essential to focus on people-centric solutions. Technology is meant to serve people, whether internal, external, or both. If the solution doesn’t fit the organization and the people who need it, then it is unlikely that the solution will be adopted and used by those same people. Security Operations doesn’t have to be cumbersome. Using industry-leading technology, CoreSphere provides SecOps solutions that improve the security management experience for everyone involved.
