Security Incident Response release notes

Security Incident Response product features in the Geneva release.

Security Incident Response (SIR) is a new product in the Geneva release.

SIR is part of the Security Operations Suite. Visibility into the state of an organization’s security is now achieved by leveraging many of the same workflow and reporting capabilities ServiceNow is known for. By implementing this National Institute of Standards and Technology (NIST)-compliant workflow in a security context, we can also free up the security analyst to spend more time finding advanced threats and less time on manual coordination and collaboration among the broader IT organization.

Activation information

The Security Incident Response plugin is available as a separate subscription.

Features

Vulnerability databases: Vulnerability databases can be used to proactively prevent issues and to track down other systems that may also be vulnerable to attack.
Third-party Reporting and Tracking Systems: A wide range of reporting and tracking systems can be used to detect trends and issues and to gauge your performance, while integrations allow you to use your preferred monitoring tools and link your security incidents to the related systems, users, and business services within your ServiceNow instance.
Security-related Roles and ACLs: To protect your investigations and keep security incidents private, Security Incident Response provides the means to restrict access to the system to specific security-related roles and ACLs. Non-security administrators can be restricted from access unless you expressly allow them entry.
Security Analysis: You can view incidents, changes, problems, and tasks on the affected CI. The system can identify malware, viruses, and other areas of vulnerability by cross-referencing the NIST database or other third-party detection software. As security incidents are resolved, any incident can be used to create a security knowledge base article for future reference.

Further analysis can be performed using the Business Service Management (BSM) map to locate other affected systems or business services that may be infected.

Containment, Eradication, and Recovery: As you monitor and analyze vulnerabilities, you can create and assign tasks to other departments. You can use the BSM map to create tasks, problems, or changes for all affected systems, as well as documents, activities, SMS messages, bridge calls, and so forth.
Post Incident Review (PIR): Significant incidents may require an incident resolution review. This can take on several forms. For example:
  • conduct a meeting to discuss the incident and gather responses
  • write and distribute incident resolution review questions designed for each category or priority of incident to those who worked on the incident
  • the incident manager can write the report and gather information on their own
An incident resolution review report can be automatically generated that includes:
  • a summary of what was done
  • the timeline
  • the type of security incident encountered
  • all related incidents, changes, problems, tasks
  • the details of the resolution
PIR Survey System: An automated survey system for reviewing security incident resolution is available. It gathers the names of all users assigned to the security incident and sends out a survey to gather data about the handling of this incident. This data can then be made available in a generated security incident review report that can be edited into a final draft.