IBM Security QRadar SOAR


Integrating ITSM and Security Operations: ServiceNow and Resilient

By Raymond Suarez posted Thu April 18, 2019 04:13 PM

  

Is your security organization struggling to communicate with, and draw on, other groups in your company? Incorporating IT Service Management (ITSM) technologies into your security playbooks could be the answer. ITSM ticketing systems already play a key role in synchronizing work across an organization, and they can play a major role in the incident response (IR) process, both to ingest incident information from help desk tickets and to assign tasks to IT operations, such as patching servers or re-imaging infected endpoints. The newly published integration between ServiceNow and Resilient lets SecOps teams respond to incidents efficiently and in real time by improving the communication between security and IT operations.

 

This bi-directional integration aligns security and operations teams by synchronizing important incident information between the two platforms. To learn more about this new app and view documentation, visit the IBM App Exchange.

 

Included below is a description of some of the key features of this new integration to show how it can be put to use in your environment.

 

Before diving into the features, note that the integration has two halves that both need to be installed: the Resilient side is downloaded as a zip file from the app's page on the IBM App Exchange, and the ServiceNow side is downloaded from the ServiceNow Store. Once both are in place, the integration can be configured to fit how your IT and security operations teams work.

 

Utilizing Key Features:

Security incidents can require actions from multiple teams that span various security tools. This integration lets a security team collaborate effectively with IT operations while limiting IT ops' access to the full incident data: only the information needed to carry out the work is shared, while the critical steps that must be completed to respond are still clearly prioritized.

 

The bi-directional integration between ServiceNow and Resilient provides real-time updates between Records in a ServiceNow Incident Table and Incidents in Resilient. This gives security teams and IT ops teams the separate views they each need to respond effectively to an incident such as a malware attack:

[Image: Picture1.png, the Resilient incident view with a ServiceNow data table]

 

As seen above, actions taken within Resilient data tables can accomplish tasks in ServiceNow, so Resilient can serve as the central place from which to act on Records in ServiceNow. As an IT ops or other operations team works to disconnect or isolate malware-infected systems, a security analyst can update the status of that task on both platforms, automatically or manually, from one place. The app includes functions that create and close ServiceNow Records from a Resilient Incident, Task, or Data Table.

 

To get an idea of how the incident Record appears in the ServiceNow platform, a screenshot is included below:

[Image: Picture2.png, the corresponding incident Record in ServiceNow]

 

IT ops teams now have visibility in ServiceNow into the malware Incident that was created in Resilient, without being exposed to the full scope of the security data behind it. Fields such as the description and notes are populated automatically from Resilient, which eliminates the time spent manually copying incident information between the two platforms and saves precious time for everyone involved during an investigation.

 

As the investigation into the malware Incident progresses, security teams can add deeper context in Resilient and rely on the integration to push the relevant updates to the Record in ServiceNow automatically. For example, if the suspicious email contains an attachment and that attachment is added to the Resilient incident, it is synchronized to the related Record in ServiceNow. The app includes functions that update a ServiceNow Record with attachments and comments from Resilient. Because this synchronization is automatic, it is worth deciding up front which attachments and notes should cross into the ITSM system, where a wider audience can open them, and which should stay within the security team's view in Resilient.
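The following Python example is added here to illustrate the sync logic described above and in the earlier paragraph on creating and closing Records; it is not the IBM app's own code, and the app's actual function names and field mappings are not reproduced. It assumes a hypothetical allowlist of Resilient fields that may be shared with IT ops, a made-up severity mapping, and a constructed sample Resilient incident. The request shapes follow the public ServiceNow Table API (POST and PATCH on /api/now/table/incident); the choice of columns is this example's.

```python
import json

# Constructed sample incident, roughly shaped like a Resilient REST response.
# Field names are illustrative, not the exact Resilient schema.
RESILIENT_INCIDENT = {
    "id": 2095,
    "name": "Malware on workstation WS-0421",
    "description": "User reported a suspicious email with an attachment.",
    "severity_code": "High",
    # Details that IT ops does not need in order to re-image the host:
    "analyst_notes": "Beaconing to C2 observed; see threat intel case 17.",
    "artifacts": [{"type": "IP Address", "value": "203.0.113.7"}],
}

# Assumption for this example: only these Resilient fields may be copied into
# the ServiceNow record. The real app's field mapping is configurable.
SHARED_FIELDS = ("id", "name", "description", "severity_code")

# Assumed mapping of Resilient severity to ServiceNow (impact, urgency),
# using the default ServiceNow choice values 1=High, 2=Medium, 3=Low.
SEVERITY_MAP = {"High": ("1", "1"), "Medium": ("2", "2"), "Low": ("3", "3")}

SNOW_TABLE = "/api/now/table/incident"


def to_snow_fields(res_incident):
    """Map the allowlisted subset of a Resilient incident onto ServiceNow
    incident columns. Anything outside SHARED_FIELDS never leaves Resilient."""
    shared = {k: res_incident[k] for k in SHARED_FIELDS if k in res_incident}
    impact, urgency = SEVERITY_MAP.get(shared.get("severity_code"), ("3", "3"))
    return {
        "short_description": shared["name"],
        "description": shared.get("description", ""),
        "impact": impact,
        "urgency": urgency,
        # correlation_id lets either side look up its counterpart record.
        "correlation_id": "resilient:{}".format(shared["id"]),
    }


def create_record(res_incident):
    """Request a SOAR function would send to open the ServiceNow Record."""
    return {"method": "POST", "path": SNOW_TABLE, "body": to_snow_fields(res_incident)}


def add_comment(sys_id, text, internal=True):
    """Append a Resilient note to the Record. work_notes are visible to
    fulfillers only; comments are visible to the caller/end user."""
    field = "work_notes" if internal else "comments"
    return {"method": "PATCH", "path": "{}/{}".format(SNOW_TABLE, sys_id),
            "body": {field: text}}


def close_record(sys_id, close_notes, close_code="Solved (Permanently)"):
    """Close the Record when the Resilient task or incident is closed.
    State 7 is 'Closed' in the default incident state choice list."""
    return {"method": "PATCH", "path": "{}/{}".format(SNOW_TABLE, sys_id),
            "body": {"state": "7", "close_code": close_code,
                     "close_notes": close_notes}}


def _leaves(value):
    """Yield every scalar inside a nested dict/list as a string."""
    if isinstance(value, dict):
        for v in value.values():
            yield from _leaves(v)
    elif isinstance(value, (list, tuple)):
        for v in value:
            yield from _leaves(v)
    else:
        yield str(value)


def leaked_fields(res_incident, snow_body):
    """Guardrail: names of non-allowlisted Resilient fields whose values
    appear anywhere in the outgoing ServiceNow body."""
    serialized = json.dumps(snow_body)
    return sorted(k for k, v in res_incident.items()
                  if k not in SHARED_FIELDS
                  and any(leaf in serialized for leaf in _leaves(v)))


if __name__ == "__main__":
    req = create_record(RESILIENT_INCIDENT)
    print(json.dumps(req, indent=2))
    print("leaked:", leaked_fields(RESILIENT_INCIDENT, req["body"]))
    print(json.dumps(close_record("abc123", "Host re-imaged by IT ops"), indent=2))
```

The leak check is the piece a practitioner would want to keep in a real workflow: run it on every outgoing body before the HTTP call, so that an analyst who pastes an indicator or internal note into a shared field gets a failure in Resilient rather than an unintended disclosure in ServiceNow.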

 

For reference, the IBM Resilient tab can be used in ServiceNow to navigate between the two platforms:

[Image: Picture3.png, the IBM Resilient tab in the ServiceNow navigation]

 

To represent the series of actions to be taken visually, an analyst can modify the workflow in the customization settings of the Resilient platform. This lets security teams tailor the response to each incident type to their current procedures using the drag-and-drop workflow editor. An example workflow showing the bi-directional communication between ServiceNow and Resilient is below:

[Image: Picture4.png, an example Resilient workflow exchanging updates with ServiceNow]

 

To synchronize the ServiceNow and Resilient platforms and improve the efficiency of your security team, visit the IBM App Exchange to download the app. Documentation, system requirements, and guides are available there as well. Please visit the Resilient Community Forums if you have any feedback.
