Dawn Jurek
ServiceNow Employee

All it takes is one click...


Any user in your organization accidentally clicking a malicious link in an email could compromise your entire network. If you have the Security Incident Response application of ServiceNow® Security Operations on your instance, you can track, analyze, contain, and eradicate threats like these.

In this installment of our NOWSupport best practices series, we provide a quick primer on how this application works within the Now Platform®. Be sure to see our video at the end of this post for more details.

What's the most common security incident?

It's no coincidence that I introduced this post with a phishing scenario. Based on feedback, we've learned that phishing attacks are the number one concern of most security analysts. 

Don't miss our in-depth demo of thwarting a phishing attack in our video at the end of this post.

How does Security Incident Response work?

The security incident response process is defined by how you set up the application. Here's an example:

  1. Integrate Security Products - When you integrate your existing security products with Security Incident Response, the application creates security incidents.

  2. Automatically Prioritize Security Incidents - Incidents are prioritized based on your criteria and identification of affected systems via your Configuration Management Database (CMDB). 

  3. Utilize Threat Intelligence - The application can also leverage data from your third-party threat intelligence sources to identify known threats by performing threat lookups (this capability requires the Threat Intelligence application).

  4. Determine Response Action - The application determines a recommended response action and guides you through the process with step-by-step remediation procedures based on previously configured playbooks (Playbooks require the Security Incident Response UI in London).

  5. Remediate Threats Fast - The application then further leverages the Now Platform to orchestrate actions or to create Tasks, Problems, or Changes for all affected users and systems.

  6. Review Post Incident Reports - When you've remediated the threat, the application provides post incident reports for you to share with security and IT teams for insight into handling related incidents.



How do I get Security Incident Response on my instance? 

Depending on which release/patch your instance is on, you can install the Security Incident Response application and the new UI via a plugin or from the ServiceNow Store:

Security Incident Response application (subscription required):

  • Releases prior to London patch 6 - Security Incident Response plugin (com.snc_security_incident)
  • London patch 6+ - ServiceNow Store

Security Incident Response UI (Security Incident Response application required):

  • Releases prior to London patch 3 - Security Incident Response UI plugin (com.app_secops_ui)
  • London patch 3+ - ServiceNow Store

Threat Intelligence:

  • Releases prior to London patch 6 - Threat Intelligence plugin (com.snc.threat.intelligence)
  • London patch 6+ - ServiceNow Store

 

And now, check out our video below for more details, and to see a phishing attack demo:

 

 

For more information

Security Incident Response (product documentation) 

--

Behind the scenes here at ServiceNow, the Knowledge Management and Multimedia teams work closely with subject matter experts to disseminate critical information to our customers. We've found that certain topics come up frequently, in the form of best practices that can help you keep your ServiceNow instances running smoothly. This series targets those topics so that you and your organization can benefit from our collective expertise. If you have a best practices topic you'd like us to cover in this series, please let us know in the comments below.