Brought to you by:
Enterprise Strategy Group  |  Getting to the Bigger Truth™


ServiceNow and Security Operations Center (SOC) Modernization

The Quest for Workflow Automation and Security Operations Agility

By Jon Oltsik, ESG Senior Principal Analyst and Fellow

Executive Summary

The year 2021 started under the shadow of SolarWinds, a supply chain hack in which a trojanized software update exposed the IT systems of more than 18,000 customers to cyber-attack. Things didn’t calm down from there, as 2021 also featured a series of costly ransomware attacks at organizations like Acer, Colonial Pipeline, Kaseya, and JBS Foods. As the year concluded, cybersecurity professionals faced yet another major issue: the Log4j vulnerability (Log4Shell), a remote code execution flaw in a ubiquitous logging library buried within some of the 3 billion+ Java-based devices.
Security professionals face the daunting task of defending their organizations against a constant barrage of exposed vulnerabilities, active exploits, and ongoing cyber-attack campaigns. The good news is that many organizations recognize that cyber-threat prevention, detection, and response are business-critical and are willing to increase cybersecurity budgets to deploy the right countermeasures and reinforce security operations. The bad news is that many are doing so from a position of weakness. Nevertheless, there are promising developments on the horizon for security operations that could help decrease risk, improve threat detection, and automate incident response. This white paper concludes:
Security operations challenges abound. Security teams struggle to monitor security across the attack surface, keep up with security alert volume, and respond to constant emergencies. These challenges are driven by the fact that many SOCs depend upon point tools and manual processes while remaining understaffed and lacking advanced skills. These challenges result in SOCs that can’t scale to prevent, detect, or respond to cyber-threats in a timely manner. Firms must address this situation or face growing risks of a devastating cyber-attack.
Organizations have bold security operations objectives for the future. These problems are all too real for CISOs, who are under immense pressure to improve every aspect of security operations. This may be why organizations are increasing security budgets and maintain a long list of security operations objectives, such as improving detection of advanced threats, increasing automation of remediation tasks, and accelerating mean time to respond to threats. ESG believes these are the right goals, but organizations won’t be able to achieve them without a creative strategic effort to transform manual, disjointed SOCs into automated, integrated ones.
SOC modernization has the potential to address security operations challenges and enable objectives. Many CISOs are taking the right steps for improvement through SOC modernization projects. Simply stated, SOC modernization projects are intended to enable security operations teams with greater visibility, intelligence, and automation. These technical capabilities then empower them to harden the attack surface, improve threat detection, automate workloads, enhance collaboration, and produce a measurable positive impact on staff productivity. This is especially true with major security incident management in response to potentially damaging ransomware, data breaches, and nation-state attacks.

Security Operations: Situational Analysis

According to ESG research, most organizations have increased cybersecurity spending annually over the past few years, and this trend will continue into 2022 (see Table 1).

Table 1. Percentage of Organizations Increasing Cybersecurity Spending Annually
Year    Percentage of organizations increasing or planning to increase cybersecurity spending
2018    63%
2019    58%
2020    62%
2021    66%
2022    69%

As part of this spending, many firms invested in personnel, training, technologies, and services for security operations. Despite these investments, however, security operations remain fraught with challenges such as the following (see Figure 1):
• Monitoring security across the attack surface. Additional ESG research indicates that two-thirds (67%) of organizations say that their attack surface has grown over the past 2 years, often driven by third-party connections, remote worker support, and cloud computing adoption. This makes it difficult to gain adequate visibility across a growing volume of assets, accounts, vulnerabilities, and misconfigurations. Blind spots and monitoring challenges can only increase cyber-risk or result in damaging cyber-attacks that disrupt operations or exfiltrate sensitive information.
• Keeping up with the volume of security alerts. The addition of security point tools has led to high-volume “alert storms” that quickly overwhelm Tier-1 security analysts, leading to a constant stream of escalations. Additionally, vulnerability scanners often report tens of thousands of software vulnerabilities, many with CVSS base scores of 7.0 or above (i.e., high or critical severity). This leads to a situation where thousands of alerts and vulnerabilities must be triaged, prioritized, investigated, and remediated, but since few organizations have the processes or staff size to keep up, critical alerts and vulnerabilities are often ignored for days or weeks. A CVSS score on its own is a poor prioritization signal; whether a vulnerability is actively exploited and which assets it sits on matter at least as much.
• Firefighting. Security operations teams spend a lot of time rotating from one emergency to another. This is often exacerbated by their reliance on point tools and manual processes. Regardless of the reasons, dealing with constant security emergencies can result in high costs, employee burnout, and limited progress on continuous security operations improvement. Finally, haphazard emergency response is inappropriate when dealing with a major security incident like a confidential data breach, ransomware attack, or public vulnerability disclosure. In these instances, organizations need formal procedures for collaboration workflows, evidence handling, and external communications, not chaotic reactions.
Figure 1. Top Five Security Analytics and Operations Challenges

Which of the following would you say are your organization’s primary challenges regarding security analytics and operations? (Percent of respondents, N=406, three responses accepted)

Source: Enterprise Strategy Group

It is worth noting that security operations challenges are also aggravated by the perpetual global cybersecurity skills shortage. According to research from ESG and ISSA, 57% of organizations claim they’ve been affected by the skills shortage with impacts including increased workloads, open jobs, and an inability to use security technologies to their full potential. Are things improving? No—44% of organizations believe the skills shortage has gotten worse over the past 2 years. Finally, SOCs are especially vulnerable to skills and staffing deficits, as 30% of organizations claim to have an acute shortage of security analysis and investigations skills.
Clearly, increasing security operations spending alone isn’t enough. Ongoing security operations challenges remain and pose a substantial risk to the business. Addressing this situation should be a high CISO and CIO priority.

Improving Security Operations

Over the past 20 years, security operations centers (SOCs) grew organically as each emerging threat was addressed with a new type of security monitoring or threat detection technology. Unfortunately, this has created a situation where security operations performance depends upon an army of disconnected point tools, manual processes, and the “tribal knowledge” of the SOC team. As a result, SOCs can’t scale to keep up with a growing attack surface and threat landscape.
CISOs recognize and want to address these deficiencies. Beyond spending increases, SOC teams have several defined objectives in security operations areas like threat detection and response. Security professionals report that their organizations are setting goals for (see Figure 2):
• Improving detection of advanced threats. This means moving beyond basic correlation rules, signatures, and alert triage. To enhance detection of advanced threats, SOC teams need a deep understanding of the tactics, techniques, and procedures (TTPs) commonly used by cyber-adversaries. Many firms are addressing this requirement by embracing and operationalizing the MITRE ATT&CK framework. For example, 81% of security professionals claim that the MITRE ATT&CK framework has become an increasingly important component of their organization’s security hygiene and posture management. In this way, MITRE ATT&CK is used for threat prevention as well as detection and response.
• Increasing automation of remediation tasks. Between manual processes and the cybersecurity skills shortage, SOC team productivity needs vast improvement. This calls for creating the right workflows across security and IT to prioritize and remediate cyber-risks like blocking IoCs, patching software vulnerabilities, and addressing coverage gaps. Security process automation tends to start by automating mundane and repetitive tasks (e.g., looking up IP addresses, finding a file hash on VirusTotal, enriching alerts with threat intelligence, etc.) and then moving on to end-to-end process automation across security and IT operations.
• Improving mean time to respond to threats. Beyond threat detection, organizations need to minimize damage from cyber-attacks by improving the efficiency of incident response actions. Many SOC teams are addressing this by automating IR workflows like blocking indicators of compromise (IoCs), quarantining systems, or disabling user accounts as soon as a credible cyber-threat is detected. In this case, process automation is complemented by technology integration and orchestration across security controls like endpoint security software, firewalls, network proxies, CASBs, and malware sandboxes. Additionally, CISOs want to institute best practices for major security incidents that could greatly impact business operations. Here, organizations want to develop virtual war room capabilities, including a dedicated workspace for major security incident response, collaborative workflows and communications tools, evidence collection and handling procedures, status reports, and summary metrics.
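The enrichment and containment workflow described in the last two bullets, as an added example that is not part of the original paper and is not ServiceNow's own code. It is a small Python playbook: each alert is enriched from a threat-intel table and an asset inventory, then mapped to response actions under a policy that auto-isolates only pre-approved hosts, escalates anything uncertain to a person, and records every action in an audit trail. The Alert fields, the THREAT_INTEL and ASSETS tables, the action names, and the confidence threshold are all assumptions constructed for this example; in a real SOC the lookups would go to a TIP, VirusTotal, and the CMDB.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """Hypothetical alert record; the field names are this example's own."""
    alert_id: str
    indicator: str   # IP address or file hash observed in the alert
    host: str        # asset the alert fired on
    user: str        # account involved


# Constructed threat-intel table (stands in for a TIP or VirusTotal lookup).
# confidence is 0-100; tags are free-form labels from the intel source.
THREAT_INTEL = {
    "198.51.100.23": {"confidence": 90, "tags": ["c2", "ransomware"]},
    "deadbeef" * 8: {"confidence": 35, "tags": ["suspicious"]},
}

# Constructed asset inventory (CMDB stand-in). auto_isolate=False marks assets
# that must never be quarantined without a human decision.
ASSETS = {
    "ws-0142": {"criticality": "low", "auto_isolate": True},
    "dc-01": {"criticality": "high", "auto_isolate": False},
}

AUTO_CONTAIN_THRESHOLD = 80  # intel confidence required for hands-off containment


def enrich(alert: Alert) -> dict:
    """Attach threat-intel and asset context to an alert; takes no action."""
    return {
        "alert": alert,
        "intel": THREAT_INTEL.get(alert.indicator),
        "asset": ASSETS.get(alert.host),  # None when the host is not in inventory
    }


def decide(enriched: dict) -> list:
    """Map enriched context to an ordered list of response actions."""
    intel, asset = enriched["intel"], enriched["asset"]
    if intel is None:
        return ["queue_for_triage"]       # nothing corroborates it: a person looks first
    if intel["confidence"] < AUTO_CONTAIN_THRESHOLD:
        return ["escalate_tier2"]         # weak signal: investigate, do not act
    actions = ["block_indicator"]         # perimeter block is low-risk and reversible
    if asset is not None and asset["auto_isolate"]:
        actions.append("isolate_host")    # quarantine only pre-approved assets
    else:
        actions.append("escalate_tier2")  # unknown or critical host: human decides
    return actions


def run_playbook(alerts: list, audit: list) -> dict:
    """Enrich and decide each alert, appending (alert_id, action, reason) to audit."""
    results = {}
    for alert in alerts:
        enriched = enrich(alert)
        actions = decide(enriched)
        reason = f"intel={enriched['intel']} asset={enriched['asset']}"
        for action in actions:
            audit.append((alert.alert_id, action, reason))
        results[alert.alert_id] = actions
    return results


if __name__ == "__main__":
    sample = [  # constructed alerts
        Alert("A1", "198.51.100.23", "ws-0142", "jdoe"),
        Alert("A2", "198.51.100.23", "dc-01", "svc-backup"),
        Alert("A3", "deadbeef" * 8, "ws-0142", "jdoe"),
        Alert("A4", "203.0.113.9", "unknown-host", "guest"),
    ]
    trail = []
    for alert_id, actions in run_playbook(sample, trail).items():
        print(alert_id, actions)
    print(len(trail), "audit entries")
```

The point of the policy is the guardrail rather than the lookups: a high-confidence indicator on a workstation is contained automatically, the same indicator on a domain controller gets a perimeter block plus a Tier-2 ticket, and anything the intel cannot corroborate is never acted on without a person in the loop. The audit list is what lets the team review and tune those decisions after the fact.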
Figure 2. Top Six Threat Detection and Response Goals

When thinking about your organization’s overall threat detection and response program goals, what would you say are your top areas of focus for improving your organization’s overall security? (Percent of respondents, N=388, three responses accepted)

Source: Enterprise Strategy Group

On to SOC Modernization

The security operations objectives described previously can’t be achieved with SOCs based on point tools and manual processes. Rather, today’s SOCs must be updated to address attack surface growth and the dangerous threat landscape. This evolution is often referred to as SOC modernization.
SOC modernization goals typically include:
• Decreasing and hardening the attack surface. While security operations discussions often focus on threat detection and response, security modernization objectives include threat prevention through risk-based vulnerability management. With SOC modernization, security teams pull data from vulnerability scanners, correlate vulnerabilities with cyber-adversary exploits, categorize vulnerabilities based on criticality and asset value, and share lists of patching priorities with IT operations. Modern SOCs also integrate security, IT asset management, and IT operations systems to monitor the vulnerability management lifecycle across discovery, ticketing, case management, and patching. By reducing the attack surface, SOC modernization can decrease cyber-risk, making it more difficult for cyber-adversaries.
• Improving the accuracy and fidelity of security alerts. Typically, this is done by augmenting threat detection technologies like signatures, heuristics, and correlation rules with artificial intelligence (AI) and machine learning (ML) algorithms. This can include “nested algorithms” where the results of one algorithm are put through others to improve threat detection precision. The goal here is to reduce the alert triage workload while providing substantial evidence for streamlining security investigations.
• Automating tasks and workflows, enabling security operations agility. SOC modernization includes automating basic security operations tasks, delegating incidents to the right groups, managing audit trails, and orchestrating remediation workflows with integration into security controls and IT infrastructure. Task and workflow automation can help organizations reduce mean time to detect (MTTD) and mean time to respond (MTTR) while bolstering SOC productivity.
• Formalizing and automating major security incident response processes across the organization. To minimize damages associated with a major security incident, SOC modernization includes steps for formalizing and organizing incident response. This demands a fusion center that manages IR holistically throughout an incident lifecycle and encompasses all technical and non-technical participants in the IR process (i.e., security, IT, HR, legal, line of business managers, executives, etc.). These teams need a dedicated workspace integrated with modern collaboration tools, forensic artifact collection/storage, role-based dashboards, data filtering/searching, incident escalation management, etc.
• Aligning security operations with the MITRE ATT&CK framework to adopt a threat-informed defense. Created in 2013, the MITRE ATT&CK framework is a community-based matrix of the tactics, techniques, and procedures (TTPs) used as part of cyber-attacks by numerous threat actors. It also acts as a common language, describing attacks, security controls, and threat actors. With SOC modernization, organizations can use the MITRE ATT&CK framework to understand how internal security events map to adversary TTPs and cyber-attack campaigns. This knowledge can help red and blue teams adopt an “intent-based” perspective for tracking attacks, finding weaknesses in their defenses, and prioritizing remediation actions based on cyber-risks.
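The risk-based vulnerability management step described in the first bullet above, as an added Python example that is not from the paper or from any vendor. It scores scanner findings by combining the CVSS base score with whether the CVE is known to be exploited and how critical and exposed the affected asset is, then produces a ranked patch queue grouped by host for IT operations. The placeholder CVE identifiers, the EXPLOITED_IN_WILD set (standing in for a known-exploited-vulnerabilities list), the ASSETS table, the multipliers, and the SLA buckets are all constructed assumptions for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scanner result. The CVE identifiers used below are placeholders."""
    cve: str
    host: str
    cvss: float  # CVSS base score as reported by the scanner (0.0-10.0)


# Constructed exploit intelligence: CVEs with known in-the-wild exploitation.
# Stands in for a known-exploited-vulnerabilities list or a TIP feed.
EXPLOITED_IN_WILD = {"CVE-0000-0002", "CVE-0000-0003"}

# Constructed asset context (CMDB/ITAM stand-in). criticality is 0.0-1.0.
ASSETS = {
    "dc-01": {"criticality": 1.0, "internet_facing": False},
    "web-07": {"criticality": 0.8, "internet_facing": True},
    "dev-lab": {"criticality": 0.2, "internet_facing": False},
}
# Unknown assets are assumed moderately important and exposed until inventoried.
UNKNOWN_ASSET = {"criticality": 0.5, "internet_facing": True}

EXPLOITED_MULTIPLIER = 3.0   # assumption: exploited CVEs outrank unexploited ones
EXPOSED_MULTIPLIER = 1.5     # assumption: internet-facing assets are hit first


def risk_score(f: Finding) -> float:
    """Combine severity, exploitability and asset value into one number."""
    asset = ASSETS.get(f.host, UNKNOWN_ASSET)
    score = f.cvss / 10.0
    if f.cve in EXPLOITED_IN_WILD:
        score *= EXPLOITED_MULTIPLIER
    if asset["internet_facing"]:
        score *= EXPOSED_MULTIPLIER
    return score * asset["criticality"]


def sla_bucket(score: float) -> str:
    """Map a risk score to a patch deadline (thresholds are assumptions)."""
    if score >= 2.0:
        return "7d"
    if score >= 0.5:
        return "30d"
    return "next-cycle"


def prioritize(findings: list) -> list:
    """Return (finding, score) pairs, highest risk first."""
    return sorted(((f, risk_score(f)) for f in findings),
                  key=lambda pair: pair[1], reverse=True)


def patch_queue(findings: list) -> dict:
    """Per-host work list for IT operations: [(cve, sla), ...] in priority order."""
    queue = defaultdict(list)
    for f, score in prioritize(findings):
        queue[f.host].append((f.cve, sla_bucket(score)))
    return dict(queue)


if __name__ == "__main__":
    sample = [  # constructed scanner output
        Finding("CVE-0000-0001", "dev-lab", 9.8),
        Finding("CVE-0000-0002", "web-07", 7.5),
        Finding("CVE-0000-0003", "dc-01", 8.8),
        Finding("CVE-0000-0004", "srv-unknown", 5.3),
    ]
    for f, score in prioritize(sample):
        print(f"{score:5.2f} {f.cve} {f.host} cvss={f.cvss} sla={sla_bucket(score)}")
    print(patch_queue(sample))
```

Run as written, the CVSS 9.8 finding on the isolated lab box lands at the bottom of the queue while a CVSS 7.5 finding that is exploited in the wild on an internet-facing web server lands at the top, which is the reordering a CVSS-only cut at 7.0 never produces. The weights should be tuned to the organization's own asset valuation and agreed with IT operations, so that the per-host queue they receive reflects the risk they are accountable for.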
SOC modernization also includes technical requirements like:
• A cloud-native architecture built for scale and integration. This provides flexibility and scale by using modern software infrastructure like containers, serverless functions, and APIs.
• End-to-end visibility. Modern SOCs must be able to monitor all activity across hybrid IT infrastructure, including endpoints, networks, data centers, cloud workloads, and SaaS applications. Additionally, security visibility should also include identity context to monitor for credential theft, account takeover, and insider attacks.
• A common workspace. Rather than pivot from one tool to another, SOC analysts across all tiers need a common workspace. This is especially crucial for major security incident response activities that demand collaboration and cooperation from business, technical, and legal teams.
• Threat intelligence operationalization. This includes threat intelligence collection, processes, data management, and analysis. Threat intelligence must also be available in a machine-readable format to automate remediation actions.
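The ATT&CK alignment goal listed earlier (mapping detections and events to adversary TTPs and finding weaknesses in defenses), as an added Python example that is not part of the original paper. It holds a small detection inventory tagged with ATT&CK technique IDs, compares it against a constructed adversary profile, and reports the uncovered techniques ordered by where they fall in the tactic sequence, so the earliest-stage gap is fixed first. The technique IDs are real ATT&CK identifiers; the tactic each is filed under is simplified (T1078 Valid Accounts appears under several tactics in ATT&CK and is listed under one here), and the DETECTIONS rules and RANSOMWARE_PROFILE are constructed for the example.

```python
# Enterprise ATT&CK tactics in matrix order (the reconnaissance and
# resource-development pre-attack tactics are omitted here).
TACTIC_ORDER = [
    "initial-access", "execution", "persistence", "privilege-escalation",
    "defense-evasion", "credential-access", "discovery", "lateral-movement",
    "collection", "command-and-control", "exfiltration", "impact",
]

# Real ATT&CK technique IDs, each filed under one tactic for this example.
# T1078 (Valid Accounts) spans several tactics in ATT&CK; one is chosen here.
TECHNIQUE_TACTIC = {
    "T1566": "initial-access",       # Phishing
    "T1059": "execution",            # Command and Scripting Interpreter
    "T1078": "persistence",          # Valid Accounts
    "T1003": "credential-access",    # OS Credential Dumping
    "T1021": "lateral-movement",     # Remote Services
    "T1071": "command-and-control",  # Application Layer Protocol
    "T1048": "exfiltration",         # Exfiltration Over Alternative Protocol
    "T1486": "impact",               # Data Encrypted for Impact
}

# Constructed detection inventory: rule name -> techniques the rule detects.
DETECTIONS = {
    "edr_encoded_powershell": ["T1059"],
    "mailgw_malicious_attachment": ["T1566"],
    "siem_lsass_handle_access": ["T1003"],
    "ndr_periodic_beacon": ["T1071"],
}

# Constructed adversary profile: techniques seen in a ransomware campaign.
RANSOMWARE_PROFILE = ["T1566", "T1059", "T1078", "T1003",
                      "T1021", "T1071", "T1048", "T1486"]


def covered_techniques(detections: dict) -> set:
    """Every technique at least one rule claims to detect."""
    return {t for techniques in detections.values() for t in techniques}


def coverage_gaps(profile: list, detections: dict) -> list:
    """Profile techniques with no detection, earliest tactic first."""
    covered = covered_techniques(detections)
    gaps = [t for t in profile if t not in covered]
    return sorted(gaps, key=lambda t: TACTIC_ORDER.index(TECHNIQUE_TACTIC[t]))


def coverage_ratio(profile: list, detections: dict) -> float:
    """Fraction of the profile's techniques with at least one detection."""
    covered = covered_techniques(detections)
    return sum(1 for t in profile if t in covered) / len(profile)


def observed_tactics(fired_rules: list, detections: dict) -> list:
    """Map rules that fired in an incident to the tactics they evidence, in order."""
    tactics = {TECHNIQUE_TACTIC[t] for r in fired_rules for t in detections[r]}
    return [t for t in TACTIC_ORDER if t in tactics]


if __name__ == "__main__":
    print("coverage:", coverage_ratio(RANSOMWARE_PROFILE, DETECTIONS))
    print("gaps (fix first -> last):", coverage_gaps(RANSOMWARE_PROFILE, DETECTIONS))
    print("incident so far:", observed_tactics(
        ["mailgw_malicious_attachment", "siem_lsass_handle_access"], DETECTIONS))
```

Against this profile half the techniques have no detection, and the ordering puts the persistence gap (stolen valid accounts) ahead of the lateral-movement, exfiltration, and impact gaps, which is where an intent-based view says to invest first: catching the adversary before encryption starts, not after. The same technique tags let an analyst read an incident's fired rules as a position in the tactic sequence, which is the "how far along is this attack" question the ATT&CK mapping is meant to answer.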
SOC Modernization and ServiceNow
While ServiceNow is most often associated with IT service management, its security products, services, and integration partners can help anchor a SOC modernization project. For example, ServiceNow can be used for:
• Hardening the attack surface. Organizations can improve attack surface and cyber-risk management using ServiceNow Vulnerability Response (VR), Incident Response (IR), IT Asset Management (ITAM), IT Operations Management (ITOM), and Integrated Risk Management (IRM). These technologies combine to provide risk-based vulnerability management and remediation actions across infrastructure, applications, cloud workloads, OT, and services. In this way, ServiceNow can help organizations maintain secure asset configurations across the attack surface while promoting collaboration across security and IT to mitigate cyber-risk.
• Improving security operations processes. ServiceNow built its business by enabling business agility through workflow automation. To do the same for SOC modernization, ServiceNow’s portfolio includes VR/IR, IRM, and privacy. These technologies can help SOC teams automate and orchestrate case management and other security operations processes, increasing productivity, efficiency, and scale.
• Automating IR. Using IR, VR, ITAM, ITOM, and IRM together, ServiceNow can help manage major security incidents like ransomware and data breaches. For example, organizations can use ServiceNow to establish virtual “war rooms” where teams can coordinate IR actions, establish collaboration workflows via chat and conference integration, manage evidence, coordinate technical and non-technical tasks, and report progress and overall IR metrics.
SOC modernization certainly extends beyond the purview of any single vendor. Accordingly, ServiceNow partners include other security technology leaders like Anomali, Chronicle, Cisco, CrowdStrike, Fortinet, IBM, Microsoft, Okta, Palo Alto Networks, Recorded Future, Splunk, Tenable, and many more. These partnerships cover security technologies like threat intelligence platforms (TIPs), security information and event management (SIEM), eXtended detection and response (XDR), vulnerability management, and identity and access management (IAM). Through these integrations, ServiceNow and partners can deliver on SOC modernization goals like decreasing the attack surface, improving threat detection, and accelerating incident response.
On a final note, CISOs should remember what security technologist Bruce Schneier once stated: “Security is a process, not a product.” This axiom applies here, as SOC modernization must be built on a foundation of process automation for cyber-risk management, threat detection, and incident response.

The Bigger Truth

Organizations clearly understand that current security defenses, strategies, and operations need improvement, and they are willing to increase cybersecurity budgets year after year to address new requirements. Unfortunately, they still face many challenges and inefficiencies in security operations.
Given the ESG data presented in this white paper, CISOs must aim higher than incremental security operations improvements. Tactical changes can’t address the pressing needs for scale, automation, and improved analytics, the countermeasures that today’s alert volumes and insidious threat landscape demand.
Rather than status quo solutions, SOC modernization seeks to transform security operations with capabilities for hardening the attack surface, improving analytics, automating workflows, and enhancing collaboration. In the past, SOC modernization was more of a concept than reality, but this is no longer the case. Cloud-native technology, open APIs, data science advances, and workflow automation technology innovation are driving SOC modernization projects with the potential for vast improvements in security efficacy, operational efficiency, and staff productivity.
As outlined above, SOC modernization projects should be bold and comprehensive with goals like hardening the attack surface, improving threat detection, automating incident response, and creating a unified workspace for all security operations activities—especially major security incident management.
With its focus on process automation and collaboration, ServiceNow can play a pivotal role in a SOC modernization project. CISOs looking to build a heterogeneous modern SOC that promotes collaboration across security, IT, and the business may be well served by seeing how ServiceNow can help them achieve these goals.

This ESG White Paper was commissioned by ServiceNow and is distributed under license from ESG.

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.


Enterprise Strategy Group is an IT analyst, research, validation, and strategy firm that provides market intelligence and actionable insight to the global IT community.