Security Incident Response overview

Security Incident Response is often used with vulnerability databases to proactively prevent issues, and track down other systems that can also be vulnerable to attack. A wide range of reporting and tracking systems can be used to detect trends and issues, and gauge your performance. Integrations allow you to use your preferred monitoring tools and link your security incidents to the related systems, users, and business services within your ServiceNow instance.

To protect your investigations and keep security incidents private, Security Incident Response provides the means to restrict access to the system to specific security-related roles and ACLs. Non-security administrators can be restricted from access, unless you expressly allow them entry.

Discovery

Security incidents can be logged or created in the following ways.
  • From Security Incident form
  • From events that are spawned internally, or created by external monitoring or vulnerability tracking systems via alert rules, or manually
  • From external monitoring or tracking systems directly
  • From the service catalog

Analysis

Depending on the selected view, you are using (default, NonIT Security, Security ITIL, and so on), the Security Incident form can show any combination of vulnerabilities, incidents, changes, problems, tasks on the affected CI and affected CI groups. The system can identify malware, viruses, and other areas of vulnerability by cross-referencing the National Institute of Standards and Technology (NIST) database, or other third-party detection software. As security incidents are resolved, any incident can be used to create a security knowledge base article for future reference.

Further analysis can be performed using the Business Service Management (BSM) map to locate other affected systems or business services that can be infected.

Containment, Eradication, and Recovery

As you monitor and analyze vulnerabilities, you can create and assign tasks to other departments. You can use the BSM map to create tasks, problems, or changes for all affected systems, documents, activities, SMS messages, bridge calls, and so forth.

Review

After the incident is resolved, other steps can take place before closure. A post incident review can be performed. Creation of knowledge base articles can help with future similar incidents. Significant incidents can need a post-incident resolution review. This review can take on several forms. For example:
  • conduct a meeting to discuss the incident and gather responses
  • write and distribute incident resolution review questions designed for each category or priority of incident to those teams who worked on the incident
  • incident managers can write the report and gather information on their own
An incident resolution review report can be automatically generated that includes:
  • a summary of what was done
  • the timeline
  • the type of security incident encountered
  • all related incidents, changes, problems, tasks, CI groups
  • the details of the resolution
In addition, an automated security incident resolution review survey system is available. It gathers the names of all users assigned to the security incident, and sends out a customized survey to gather data about the handling of this incident. This data can then be made available in a generated security incident review report, which can be edited into a final draft. Similar data can be added to a knowledge base article to contain lessons learned and the steps to take to resolve similar issues in the future.

Security Incident Response Terminology

The following terms are used in Security Incident Response.
Term Definition
Active Any security incident not in the closed or cancelled state.
Administrator lockdown The ability to restrict Security Incident Response access to personnel with security-related roles and ACLs.
Inbound security requests Requests submitted for low-impact security demands, such as requesting a new electronic badge.
Post incident review A review of the origins and handling of a security incident. The final product is a post incident report, which documents all actions performed and the reasons for doing them.
Response tasks Tasks assigned to a security incident for tracking actions in response to the threat.
Security incident calculators Calculators used to update record values when pre-configured conditions are met.
Security incident treemaps Chart type that hierarchically displays security incident data in the form of nested rectangles.
Threat lookup A request submitted from the security incident catalog for scanning files, URLs, and IP addresses for malware.
Vulnerability scan A request initiated from the Security Incident form for scanning affected resources (servers, computers, and other configuration items) for vulnerabilities.