Skip to content

6 Key Insights into ServiceNow’s Washington DC Release for SecOps

6 Key Insights into ServiceNow’s Washington DC Release for SecOps

In today’s fast-paced digital world, the significance of cybersecurity cannot be overstated. With the continuous evolution of the business environment, the intricacy of cyber threats only amplifies. The ServiceNow Washington DC release steps up to confront these challenges head-on by introducing a range of advanced features that address these complexities strategically.

Security Posture Control

Security Posture Control (SPC) is a comprehensive framework which enables IT and cyber security teams to manage and optimise an organisation’s security posture. Nowadays, security teams analyse and manage a huge amount of data and it is not uncommon for some assets to slip through the cracks — lacking endpoint protection, being poorly managed, or becoming exposed to the internet. For these security gaps, ServiceNow introduced the SPC tool which can discover not only infrastructure assets but also cloud assets.

Leveraging Service Graph Connectors, the SPC evaluates asset security by interfacing with various IT and security tools. It detects security gaps, such as a workstation without endpoint protection, through targeted data queries. SPC automatically triggers a remediation workflow in ServiceNow to address this gap. The task of installing endpoint protection is assigned to the relevant team. This streamlined process enhances the organisation’s security posture efficiently.

Security Posture Control, Source: ServiceNow

Vulnerability Emergency Response

Vulnerability Emergency Response (VER) serves as a unified command centre for managing vulnerability crises, integrating seamlessly with SecOps products. By harnessing the power of Major Security Incident Management and Asset Exposure Assessment, VER delves deep into the lifecycle of critical events, offering a comprehensive overview from detection to resolution. In this dedicated workspace, vulnerability event managers have a simplified, yet powerful platform at their fingertips. Here, they can effortlessly oversee the status of critical vulnerabilities, prioritise risks based on their severity, and collaborate extensively with teams across the organisation. This streamlined approach significantly reduces response time to a minimum.

A screenshot of a computer

Description automatically generated
Vulnerability Emergency Response, Source: ServiceNow

New Cybersecurity Executive Dashboard

In addition to the existing CISO dashboard, which is more operational, ServiceNow has introduced the Cybersecurity Executive Dashboard to level up the stats business-wise. The new dashboard provides a centralised view of security status where executives can benchmark security and risk metrics, enabling them to report successes, support budget planning effectively and more.

By installing a separate plugin for this workspace dashboard the executives gain wide visibility into the organisation’s vulnerabilities, configuration compliance, security incidents, and employee readiness. Moreover, it allows business unit-specific risk assessments, setting targets or integrating with third-party tools for phishing simulation data. Opting into ServiceNow Benchmarks further enriches the dashboard with KPIs, trends, and comparative insights relative to industry averages of the peers

Cybersecurity Executive Dashboard, Source: ServiceNow

Threat Intelligence Security Center, brand new full-blown application

Great news from ServiceNow! Let it be known that Threat Intelligence Security Center (TISC), launched into Controlled Go-To-Market mode on February 1st, 2024. A carefully crafted workspace with a plethora of new features enables threat hunters and analysts to collaborate, share intelligence, and take action against threats. Make no mistake, this is a completely new tool in your toolset, the solution further empowers your war room with deduplication capability for disparate threat feeds or enrich them with your own tailored Threat Score Calculator or internal intelligence coming from SIR, VR, or CMDB  to make full circle.

With a feature called Threat Analyst Workbench, your cyberthreat intelligence professionals will harness platform power by utilising Case management. Case tasks can be assigned to analysts, threat hunters, or security incident response teams. MITRE ATT&CK framework integration can be utilised to tag cases with relevant tactics, techniques, and procedures. In essence, this Workbench brings an integrated capability to the table and transforms scattered threat data into a strategic asset, enhancing the precision and speed of security operations.

MITRE Att&kc Heatmap, Source: ServiceNow
Threat Intelligence Security Center, Source: ServiceNow

Make conference calls directly from the workspace

ServiceNow has further expanded its capabilities and can now facilitate seamless conference calls directly from the Major Security Incident Management (MSIM). This feature enables team members, customers, and other stakeholders to join discussions that expedite the resolution of security incidents. Security Managers can initiate calls using Microsoft Teams, Cisco Webex, or Zoom to streamline the remediation workflow. After successful integration with a third-party provider, the feature is available from the Major Security Incident Management Workspace. Selecting MSI from the list generates participant recommendations to smooth the process further. Calls and meetings can then be captured and archived for future reference.

Major Security Incident Management, Source: ServiceNow

New playbooks

As per usual, ServiceNow enhances SIR with new playbooks. The Washington DC release continues with this tradition with ten new playbooks featuring:

  • Playbook for Okta User Login Failures from Multiple IPs – Triggers an alert when login failure occurs for ServiceNow user IDs from more than three Non-ServiceNow IP ranges in a 1-hour duration.
  • Playbook for Successful VPN Attempts from the Service Accounts – Service accounts aren’t supposed to have login events from a VPN, and such events could be indicators of either brute force or possible exposure of the account’s credentials.
  • Playbook for T1003 – Defense Evasion – Mimikatz DCShadow – DCShadow is a feature in Mimikatz that simulates the behavior of a Domain Controller to inject its own data, bypassing most of the standard security controls.

ServiceNow is extending an already adept list of available playbooks like Automated Phishing Response, Malware Outbreak Response, insider threat playbooks, or Denial of Service (DoS) Attack workflow. All of which are convenient and easy to deploy.

——

Do not hesitate and contact us with any questions and/or desire to implement any of the above-mentioned features.

ServiceNow Washington DC release: Key Updates for SecOps

Get key insights into the ServiceNow Washington DC release for SecOps at our free webinar. In just 30 minutes, you’ll gain an overview of the most important changes for your organisation.