Servicenow And Security Operations Center (SOC) Modernization

Security professionals face the daunting task of defending their organizations against a constant barrage of exposed vulnerabilities, active exploits, and ongoing cyber-attack campaigns. The good news is that many organizations recognize that cyber-threat prevention, detection, and response is business-critical and are willing to increase cybersecurity budgets to deploy the right countermeasures and reinforce security operations. The bad news, however, is that many are doing so from a position of weakness. Nevertheless, there are promising developments on the horizon for security operations that could help decrease risk, improve threat detection, and automate incident response. This white paper concludes:

• Security operations challenges abound. Security teams struggle to monitor security across the attack surface, keep up with security alert volume, and respond to constant emergencies. These challenges are driven by the fact that many SOCs depend upon point tools and manual processes while remaining understaffed and lacking advanced skills. These challenges result in SOCs that can’t scale to prevent, detect, or respond to cyber-threats in a timely manner. Firms must address this situation or face growing risks of a devastating cyber-attack.

• Organizations have bold security operations objectives for the future. These problems are all too real for CISOs who are under immense pressure to improve every aspect of security operations. This may be why organizations are increasing security budgets and maintain a long list of security operations objectives like improving detection of advanced threats, increasing automation of remediation tasks, and accelerating mean time to respond to threats. ESG believes these are the right goals, but organizations won’t be able to achieve them without a creative strategic effort to transform from manual, disjointed to automated and integrated SOCs.

• SOC modernization has the potential to address security operations challenges and enable objectives. Many CISOs are taking the right steps for improvement through SOC modernization projects. Simply stated, SOC modernization projects are intended to enable security operations teams with greater visibility, intelligence, and automation. These technical capabilities then empower them to harden the attack surface, improve threat detection, automate workloads, enhance collaboration, and produce a measurable positive impact on staff productivity. This is especially true with major security incident management in response to potentially damaging ransomware, data breaches, and nation-state attacks.

At the same time, while workers have begun to return to the office, many are doing so via a hybrid model that ESG research respondents expect to continue for at the least the next 24 months (see Figure 1).² To support these changes, many businesses have prioritized network infrastructure updates, including the adoption of SD-WAN technologies. However, updating security strategies to better address these changing dynamics remains a work in progress for many organizations.

• Monitoring security across the attack surface. Additional ESG research indicates that two-thirds (67%) of organizations say that their attack surface has grown over the past 2 years, often driven by third-party connections, remote worker support, and cloud computing adoption. This makes it difficult to gain adequate visibility across a growing volume of assets, accounts, vulnerabilities, and misconfigurations. Blind spots and monitoring challenges can only increase cyber-risk or result in damaging cyber-attacks that disrupt operations or exfiltrate sensitive information.

• Keeping up with the volume of security alerts. The addition of security point tools has led to high volume “alert storms” that quickly overwhelm Tier-1 security analysts, leading to a constant stream of threat escalation. Additionally, vulnerability scanners often report tens of thousands of software vulnerabilities, many with CVE scores of 7 or above. This leads to a situation where thousands of alerts and vulnerabilities must be triaged, prioritized, investigated, and remediated, but since few organizations have the processes or staff size to keep up, critical alerts and vulnerabilities are often ignored for days or weeks.

• Firefighting. Security operations teams spend a lot of time rotating from one emergency to another. This is often exacerbated by their reliance on point tools and manual processes. Regardless of the reasons, dealing with constant security emergencies can result in high costs, employee burnout, and limited progress on continuous security operations improvement. Finally, haphazard emergency response is inappropriate when dealing with a major security incident like a confidential data breach, ransomware attack, or public vulnerability disclosure. In these instances, organizations need formal procedures for collaboration workflows, evidence handling, and external communications, not chaotic reactions.

It is worth noting that security operations challenges are also aggravated by the perpetual global cybersecurity skills shortage. According to research from ESG and ISSA, 57% of organizations claim they’ve been affected by the skills shortage with impacts including increased workloads, open jobs, and an inability to use security technologies to their full potential. Are things improving? No—44% of organizations believe the skills shortage has gotten worse over the past 2 years. Finally, SOCs are especially vulnerable to skills and staffing deficits, as 30% of organizations claim to have an acute shortage of security analysis and investigations skills.

Clearly, increasing security operations spending alone isn’t enough. Ongoing security operations challenges remain and pose a substantial risk to the business. Addressing this situation should be a high CISO and CIO priority.

CISOs recognize and want to address these deficiencies. Beyond spending increases, SOC teams have several defined objectives in security operations areas like threat detection and response. Security professionals report that their organizations are setting goals for (see Figure 2):

• Improving detection of advanced threats. This means moving beyond basic correlation rules, signatures, and alert triage. To enhance detection of advanced threats, SOC teams need a deep understanding of the tactics, techniques, and procedures (TTPs) commonly used by cyber-adversaries. Many firms are addressing this requirement by embracing and operationalizing the MITRE ATT&CK framework. For example, 81% of security professionals claim that the MITRE ATT&CK framework has become an increasingly important component of their organization’s security hygiene and posture management. In this way, MITRE ATT&CK is used for threat prevention as well as detection and response.

• Increasing automation of remediation tasks. Between manual processes and the cybersecurity skills shortage, SOC team productivity needs vast improvement. This calls for creating the right workflows across security and IT to prioritize and remediate cyber-risks like blocking IoCs, patching software vulnerabilities, and addressing coverage gaps. Security process automation tends to start by automating mundane and repetitive tasks (e.g., looking up IP addresses, finding a file hash on VirusTotal, enriching alerts with threat intelligence, etc.) and then moving on to end-to-end process automation across security and IT operations.

• Improve mean time to respond to threats. Beyond threat detection, organizations need to minimize damages from cyber-attacks by improving the efficiency of the incident response actions. Many SOC teams are addressing this by automating IR workflows like blocking indicators of compromise (IoCs), quarantining systems, or disabling user accounts as soon as a credible cyber-threat is detected. In this case, process automation is complemented through technology integration and orchestration across security controls like endpoint security software, firewalls, network proxies, CASB, malware sandboxes, etc. Additionally, CISOs want to institute best practices for those major security incidents that could greatly impact business operations. In this case, organizations want to develop virtual war room capabilities, including a dedicated workspace for major security incident response, collaborative workflows and communications tools, evidence collection and handling procedures, status reports, and summary metrics.

• Decreasing and hardening the attack surface. While security operations discussions often focus on threat detection and response, security modernization objectives include threat prevention through risk-based vulnerability management. With SOC modernization, security teams pull data from vulnerability scanners, correlate vulnerabilities with cyber-adversary exploits, categorize vulnerabilities based on criticality and asset value, and share lists of patching priorities with IT operations. Modern SOCs also integrate security, IT asset management, and IT operations systems to monitor the vulnerability management lifecycle across discovery, ticketing, case management, and patching. By reducing the attack surface, SOC modernization can decrease cyber-risk, making it more difficult for cyber-adversaries.

• Improving the accuracy and fidelity of security alerts. Typically, this is done by augmenting threat detection technologies like signatures, heuristics, and correlation rules with artificial intelligence (AI) and machine learning (ML) algorithms. This can include “nested algorithms” where the results of one algorithm are put through others to improve threat detection precision. The goal here is to reduce the alert triage workload while providing substantial evidence for streamlining security investigations.

• Automating tasks and workflows, enabling security operations agility. SOC modernization includes automating basic security operations tasks, delegating incidents to the right groups, managing audit trails, and orchestrating remediation workflows with integration into security controls and IT infrastructure. Task and workflow automation can help organizations reduce mean time to detect (MTTD) and mean time to respond (MTTR) while bolstering SOC productivity.

• Formalizing and automating major security incident response processes across the organization. To minimize damages associated with a major security incident, SOC modernization includes steps for formalizing and organizing incident response. This demands a fusion center that manages IR holistically throughout an incident lifecycle and encompasses all technical and non-technical participants in the IR process (i.e., security, IT, HR, legal, line of business managers, executives, etc.). These teams need a dedicated workspace integrated with modern collaboration tools, forensic artifact collection/storage, role-based dashboards, data filtering/searching, incident escalation management, etc.

• Aligning security operations with the MITRE ATT&CK framework to adopt a threat-informed defense. Created in 2013, the MITRE ATT&CK framework is a community-based matrix of the tactics, techniques, and procedures (TTPs) used as part of cyber-attacks by numerous threat actors. It also acts as a common language, describing attacks, security controls, and threat actors. With SOC modernization, organizations can use the MITRE ATT&CK framework to understand how internal security events map to adversary TTPs and cyber-attack campaigns. This knowledge can help red and blue teams adopt an “intent-based” perspective for tracking attacks, finding weaknesses in their defenses, and prioritizing remediation actions based on cyber-risks.

SOC modernization also includes technical requirements like:

• A cloud-native architecture built for scale and integration. This provides flexibility and scale by using modern software infrastructure like containers, serverless functions, and APIs.

• End-to-end visibility. Modern SOCs must be able to monitor all activity across hybrid IT infrastructure, including endpoints, networks, data centers, cloud workloads, and SaaS applications. Additionally, security visibility should also include identity context to monitor for credential theft, account takeover, and insider attacks.

• A common workspace. Rather than pivot from one tool to another, SOC analysts across all tiers need a common workspace. This is especially crucial for major security incident response activities that demand collaboration and cooperation from business, technical, and legal teams.

• Threat intelligence operationalization. This includes threat intelligence collection, processes, data management, and analysis. Threat intelligence must also be available in a machine-readable format to automate remediation actions.

While ServiceNow is most often associated with IT service management, its security products, services, and integration partners can help anchor a SOC modernization project. For example, ServiceNow can be used for:

• Hardening the attack surface. Organizations can improve attack surface and cyber-risk management using ServiceNow Vulnerability Response (VR), Incident Response (IR), IT Asset Management (ITAM), IT Operations Management (ITOM), and Integrated Risk Management (IRM). These technologies combine to provide risk-based vulnerability management and remediation actions across infrastructure, applications, cloud workloads, OT, and services. In this way, ServiceNow can help organizations maintain secure asset configurations across the attack surface while promoting collaboration across security and IT to mitigate cyber-risk.

• Improve security operations processes. ServiceNow built its business by enabling business agility through workflow automation. To do the same for SOC modernization, ServiceNow’s portfolio includes VR/IR, IRM, and privacy. These technologies can help SOC teams automate and orchestrate case management and other security operations processes, increasing productivity, efficiency, and scale.

• Automate IR. Using ServiceNow IR, VR, ITAM, ITOM, and IRM ServiceNow can manage major security incidents like ransomware and data breaches. For example, organizations can use ServiceNow to establish virtual “war rooms” where teams can coordinate IR actions, establish collaboration workflows via chat and conference integration, manage evidence, coordinate technical/non-technical tasks, and report progress and overall IR metrics.

SOC modernization certainly extends beyond the purview of any single vendor. Accordingly, ServiceNow partners include other security technology leaders like Anomali, Chronicle, Cisco, CrowdStrike, Fortinet, IBM, Microsoft, Okta, Palo Alto Networks, Recorded Future, Splunk, Tenable Networks, and many more. These partnerships include security technologies like threat intelligence platforms (TIPs), security information and event management (SIEM), eXtended detection and response (XDR), vulnerability management, and identity and access management (IAM). Through these integrations, ServiceNow and partners can deliver on SOC modernization goals like decreasing the attack surface, improving threat detection, and accelerating incident response.

On a final note, CISOs must remember what security evangelist Bruce Schneier once stated: “Security is a process, not a product.” This axiom truly applies here, as SOC modernization must be built on a foundation of process automation for cyber-risk management, threat detection, and incident response.