ServiceNow Security Operations and the CMDB - Better Together
A couple of friends of mine are working on a cyber range sim for deeper blue-teaming exercises. There are so many new scenarios they're trying to play out: situational detection, pre-pivot, low-and-slow kinds of attacks. So today is all about fundamentals, isn't it?

That would be correct. That sounds like an interesting project.

Yeah, lots of new vectors they're trying to sort out, and really fundamental, really critical stuff we're going to talk about today. Just another couple of seconds here, I see a couple of folks just coming on.

All right, let's get started. Everyone, thank you for your time, and thanks for joining our webinar today on ServiceNow SecOps and the CMDB. This is Mike, Chief Technology Officer at Covestic. I'm joined by my colleague Chris Williams, who is a Security Solutions Architect. Chris and I will be discussing the importance of security operations and its reliance on an accurate CMDB, and the value that a well-defined and maintained CMDB brings to an organization, especially during high-priority security operations engagements. Many of us have been there when it's red hot and the fire's going, so this webinar is really to address and help improve those scenarios. There's going to be an opportunity later to ask questions via the chat feature of the webinar, and we'll have some time towards the end to answer as many questions as time permits. This webinar is being recorded, and we'll send out a link to everyone attending, so do keep an eye out for that email. How are you, Chris?

Good, how are you?

Yeah. Do a quick intro?

Yeah. My name is Chris Williams. I am a Solution Architect with Covestic. I've been in the IT industry for 20-plus years in both private and public sectors, with over five years of ServiceNow experience. I hold advanced degrees in computer science and business information technologies, and I also hold multiple industry certifications. Mike, with that being said, I'll turn it back over to you.

Thanks for that. So today's webinar, everyone, will cover four main areas. We'll do a quick introduction of ServiceNow SecOps and why that matters; we'll talk a little bit about incident response and vulnerability response, which we may refer to as IR and VR; security operations with and without the CMDB; and a little bit about readiness and next steps. Chris, as you know, SecOps is a big topic, and the CMDB has very broad ramifications inside this space, so before we dive in let's set the stage, since we're not going to boil the ocean on such a big topic. For everyone, we're specifically going to be dealing with the two topics we just brought up: incident response, the IR, which is typically the reactive security incident handling, and the VR side, vulnerability response, which is typically the proactive security management dealing with identified vulnerabilities and so forth that can be defined as IOCs during threat hunting, and potentially exploitable infrastructure.

That is right, Mike. There has been an upswing in security breaches over the last decade or so, and as you can see, these are just some of the major corporations out there that have had major breaches, companies that we as consumers are using every day. The most recent one that has been publicized is DoorDash, the food delivery service. The impact of that breach is unknown at the moment, but I'm sure we'll be hearing more about that as the story unfolds. This slide right here also talks about the increase in breaches, and it's just going to get worse if we don't take action. If you look at the global cost of a data breach, it's right around $140 per compromised record, the mean time to identify the breach is around 197 days, and the mean time to contain the breach is 69 days. So you're looking at almost a year to fix that security breach, contain it and then remediate it.

How do we go about doing that? We use threat intelligence to help incident responders find those indicators of compromise, the IOCs, so that they are able to hunt for low-lying attacks, attack vectors and threats. Once that data is rounded up, it automatically scans threat feeds for relevant information. When an IOC is connected to a certain security incident, that data gets sent off to third-party sources for additional analysis, so that the security response team, and in particular the analyst, will be able to derive the context and the data from that information for that security incident. So really, what is that doing for you as an organization? Well, it not only improves response time but also saves your organization valuable time across the business.

How about IR, Chris? Let's dive into that and talk a little bit about the core lifecycle and some of its KPIs.

Sure. There are a couple of ways that IRs come into the system. I'm sure everyone out there in the audience knows that they can come in manually or automatically. Manually, they can come in via a phone call, maybe a text message, maybe an IM over chat, or through a self-service portal; or automatically, which is the other way, through third-party tool integration with no code or low code. Security Incident Response is used to manage that lifecycle from end to end, from initial analysis to containment, eradication and recovery, and that framework is based off NIST and SANS, so those are pretty standard out there in the industry. With the built-in third-party integrations and partner-developed integrations, that enables the automation and orchestration for a more efficient and accurate incident response. With that being said, Security Incident Response also enables you to build an understanding of the incident response procedures followed by your analysts over time. So what you're seeing is you're getting some visualization so that the organization can understand those trends that are happening, and the bottlenecks where the procedures may be failing or are just not quite tuned correctly. That can be via an analytics-driven reporting dashboard and KPIs, also known as key performance indicators, which we will discuss later.

I was talking about the manual process. Right here is a Service Catalog, and this would provide the end user the ability to create their self-service tickets, report phishing attempts, or even create their own ticket. Then you also have the automatic path as well, coming in through third-party integration. This is really a list view after security incidents are created, and it provides the priority, the risk score and, most importantly, the configuration item: the actual system in the CMDB that has that security incident tied to it. Then, once you drill down into a security incident, you have a more user-friendly workflow for the analyst to be able to go in and provide work notes, go through their runbooks, and things like that that help them expedite the containment, eradication and recovery portion of the process. This is just an example of automatic incident creation: this is an inbound email from a SIEM, from ArcSight, and this is really just a configuration. These inbound emails come in and you configure them based off the criteria that you feel are relevant and that you have some correlation to; once emails are captured and categorized, incidents are created based off the configuration for these. Like I mentioned earlier, the third-party tools that are out there: ServiceNow has a lot of partners, and these are the plugins. This is just a glimpse of all the third-party integrations that are out there: Splunk, McAfee, Hewlett-Packard, Check Point, Palo Alto, and that's just to name a few.

Great. How about VR, Chris? Same question: talk about the lifecycle a bit.

Yeah. Vulnerability Response basically provides you the same visibility and view as Security Incident Response. It provides that list view, and it provides a comprehensive view of all the vulnerabilities affecting that service or configuration item, as well as the current state of all vulnerabilities affecting the organization. This right here is just a view of all of your vulnerability items, but you can actually create vulnerability groups as well to condense this down. So if you have a certain CVE and it's affecting all these configuration items, you can create those and roll them up into a vulnerability group; you can do that as well within ServiceNow. Just to name a few, as the audience can see from the screen, there are a couple of different vulnerability tools that we have implemented in here, some of the popular ones like Tenable, Rapid7 and Qualys. Any of them provides you the ability to analyze your existing infrastructure, and those vulnerability tools are pulling from the National Vulnerability Database. Once you drill down, you also have the capability of drilling down into that vulnerability item and getting a more detailed view of what it is, what's going on, when it happened. You can create a security asset from this view; you can close or defer it if it wasn't really a vulnerability per se. This is just a more user-friendly workspace, just like it is in Security Incident Response.

Chris, in every screen that you've shared with us so far there's been an associated CI, an asset or a target. How does the CMDB play into these lifecycles?

Well, the number-one thing is it helps to resolve security incidents and vulnerabilities fast, and that's due to the fact that the CMDB, the way I look at it, is really the foundation of the platform. Think about it: you can't build a house without a foundation, right? So you have to have that foundation there that has all your assets, all your known assets in your infrastructure, in your CMDB, because you're only as good as your data, and as the old saying goes, garbage in, garbage out. It also helps you utilize KPIs as a way of measuring the success or failure of the business goal. As you can see here, average time to contain helps reduce your MTTR, your mean time to remediation. So just a quick example of how the KPIs play into this: you have a marketing team, and they have a goal to increase their web traffic by maybe 30 to 40 percent over the next year. That is a specific targeted goal, right? Security operations may have similar goals, but they're less finite, because security operations is based more off of positive and negative trends over time rather than achieving a specific target like a marketing department. This is a security incident dashboard with KPIs. A lot of security operations focuses on the analysis of data and the identification of patterns and trends, like I just mentioned. This is true in the technical functions of security operations, where you're looking for attack patterns and trends of malicious activity, and also in the strategic functions of security operations, which help you identify program gaps, make long-term program decisions, and provide the metrics and analysis. Well-thought-out KPIs, once they're in place, have a positive impact on both tactical and strategic functions within security operations. So good KPIs serve as a really good program enabler for security, and they create a driver for continuous improvement across the board.

Looking at a Vulnerability Response dashboard, you get the same type of view as well. We all know that the threat landscape out there is just really dynamic right now; there are new things coming out all the time, and you really have to stay on top of your game to be reactive and proactive all at the same time. It is really imperative to have an effective security operations program which provides the actual information that you need to make those decisions, and the Vulnerability Response dashboards provide that view. So what am I trying to say here? I'm trying to say that the KPIs will help you ensure that your security operations program continues to remain effective and that any process or technology gaps are addressed appropriately. One of the methodologies for KPIs I like to use is the acronym SMART. There are a lot of them out there, but SMART really drills down into the specifics: what is specific, what is measurable, what is actionable, what is relevant, and time-based.

Going back to understanding the business impact based off KPIs and your security incidents and your vulnerability incidents: ServiceNow leverages that CMDB, which assists with mapping threats and vulnerabilities to business services, and the mapping enables prioritization and risk scoring based on business impact, ensuring that the security teams are really focused on what is most critical to the business. In addition to that, the business service maps show the dependencies of the affected systems; that helps to minimize change requests and downtime, which in return also lowers your MTRS, your mean time to restore service. Because security operations is part of the Now Platform, while you're using the CMDB it's not just owned by the security and IT departments, it's also owned by the organization. As I mentioned earlier, you have the capability to go in there, do your self-service, report phishing; all of that information is critical to the IT and security teams in helping them to remediate issues within the CMDB a lot quicker. So you get a holistic approach to it.

Chris, we've worked in or looked at many environments that don't have a ServiceNow-type consolidated CMDB. Let's talk a little bit about a typical scenario of how SecOps is handled in those kinds of environments without it, and maybe consider things that are effective or ineffective in that scenario.

Sure thing. In that particular scenario, if you don't have a CMDB, I would consider that a very ineffective approach to security, and the reason why I say that is because it ends up being a very manual and messy process. There are way too many alerts and contexts coming in, you're still using manual tools, your security teams and IT teams are siloed off. Everybody in the audience, if you've been around long enough, knows what it was like starting back in the day: there was really no consolidation of anything, no single source of record of anything, because it was really just emails being passed around, floated around, and sticky notes or post-it notes and whatnot. Some organizations are still working off that: spreadsheets, reports, disparate systems, with no single source of record to help manage their assets. That's just not very efficient, in my opinion. The spreadsheets and reports are often owned by the IT department; they're shuffled around to different folks within the IT department and maybe some of the business unit stakeholders or whatnot, and then they're posted to an internal website, they're emailed around, they're left on someone's desk, or the data is just not shared with the security team. So basically you have no single pane of glass, and transparency does not exist across the organization. So let's think about this for a second: how are you to know what devices you even own or have connected to your network, so as to be proactive, or reactive when a breach occurs?

So let me provide you a quick scenario. You have these components: you have McAfee, Red Hat, Splunk, Micro Focus, ForeScout, RabbitMQ for metrics, and you have RSA Archer, where all the data gets reported up to the RSA system from all these tools when the system is actually functioning.

Those are a lot of tools.

Yeah. So the problem with this architecture is that, one, you have no single pane of glass to look at a holistic point of view of your entire security operations or CMDB. You have multiple points of failure due to all these disparate systems, and on top of that you have very inaccurate data to report off of, because you don't know what's right or wrong coming in from all these disparate systems. So then you have to reconcile the data that you are bringing in, and then there's no way to track incidents against a breached asset unless you go into another tool, i.e. Splunk, ForeScout or McAfee. The audience probably knows that McAfee actually requires an agent to be installed on every single asset on your network, and ServiceNow does not require that with Discovery. One other thing, and I'll leave this right here: there are resource constraints and a lack of skill set. With ServiceNow Security Operations, you have multiple integration points that work seamlessly, that will integrate all your other systems into one single pane of glass, and create a single source of record for you to have that transparency into all your systems, and then it also provides you the ability to manage some of these third-party integrations. I'm not saying by any means that you're never going to touch these other tools, because you eventually do have to touch them; they need tender loving care in terms of maintenance and upkeep. But on average, a lot of these organizations out there may have 70, plus or minus, security tools in their environment, and that is a lot of tools to manage. The goal of this should be that the entire organization, and I'm going back to the CMDB portion of it, should be assisting in managing this CMDB. This is what I would call the holistic approach to security operations and the CMDB: better together.

Is there a CMDB approach that's a little bit better than others, or more advantageous to security?

Yeah. With Security Operations and the CMDB, the organization will have the ability to be more efficient at protecting, defending and lowering their MTTR. It will also provide that insight that a lot of upper management are looking for from the dashboards based off the KPIs. It also provides the ability to quickly contain the breach, and the damage restored would be directly related to the maturity of the CMDB service model. So what I'm saying here is that the more mature your CMDB and asset management processes are, the more effective your security measures will be. We all know that the CMDB is not going to prevent a vulnerability, nor is it going to prevent a security incident, but it does provide a good infrastructure model that will help define monitoring tools that can prevent exploits, and Security Operations will provide that model for you that will allow organizations to contain and remediate far more quickly. The SecOps suite also really consists of these applications: Threat Intelligence, Vulnerability Response and Security Incident Response, and it's all built on the Now Platform, which works in conjunction with other platform functionality. So it's a very feature-rich set of tools that you get once you implement ServiceNow Security Operations and the CMDB.

I won't spend a lot of time on this slide right here, but I will say that 40% of the burden here is caused by tracking down assets, root cause analysis, not knowing which CI is causing the major problem, or even escalating to the wrong support team. So that's why it's important to have a well-configured CMDB, to save that 40% when you're going out on those efforts. Integration with the CMDB also allows the security staff to understand the affected configuration item: what the configuration item is and, most importantly, who owns it, what it does and its importance to the business. So a really informed decision is made concerning how they prioritize the response to security incidents. The integration between IT and security is important because investigating and addressing these security issues often involves both the IT and security teams, so those tasks can actually be passed back and forth from security staff to the IT staff within the same system, which again goes back to providing the transparency and the visibility in that single pane of glass. That makes it significantly more efficient for security response, because it improves the communication, it raises the visibility, and it reduces your mean time to resolve security issues.

Chris, as security practitioners, we know how busy we all are, and this can seem like a wish-list item, getting a CMDB in place and having these efficiencies, versus having it be a critical priority. How do we help?

Well, Covestic has a couple of new offerings right now. We have a Security Operations Readiness Assessment and we have a CMDB Health Check Assessment. What we do is we come in and we speak to the key stakeholders and also those involved in day-to-day operations, and that's used to address process concerns and technology concerns, and we will make recommendations on a solution that is best architected to fit the organization's needs and their expected outcomes. The SecOps assessment is really a two-week engagement. The assessment will come in and do the evaluation of the existing processes, and we'll address your security posture and infrastructure. After the assessment is complete, an assessment findings report will be delivered to the customer, and this is just an example of what it may look like back in the customer's hands.

Great. So we're right on schedule in terms of our webinar. Chris, I'm going to open it up to the audience if you have any questions or additional questions. We did get some questions during the session, and I'll take the first one. Chris, can you clarify some of the SecOps KPIs that are really important and are affected by a strong CMDB, basically?

Yeah. So there is a myriad of KPIs that are involved in SecOps, and each of them, I would say, is divided into its own spaces. So basically there's a business perspective on it, there are IR- and VR-specific ones, but right off the top of my head, in the course of our conversations, I would say there are quantitative and qualitative KPIs: things like ratio of closures by priority, closures by attack category or vector, your time to acknowledge an incident, management time to acknowledge, time to respond and triage, especially triage, where you're looking at your IR's ability to identify which assets, which CIs are affected. That's really critical. And then on the VR side, the number of vulnerabilities, or the number of vulnerability items by risk rating, is really critical: how fast are you able to address the vulnerabilities that are in your environment? And that is also impacted by having or not having a strong CMDB.

There's another question here: "We have an IDS or IPS and other edge appliances in our pipeline. Should all the data flow to ServiceNow for a single pane of glass? Seems excessive. Or should they be worked at each respective system?" I'm sorry, let me read it again. So I think the question here, Chris, is that the person has other tools, like we talked about, lots of other tools. Should that data flow directly into ServiceNow for a single pane of glass view, or should it be worked at each of the systems that are reporting it?

I would have all the data being reported into ServiceNow, and the reason why I say that is you want all your historic data and your current data to do trending and analysis and to help make your processes better. But yes, all the data from those systems should be coming into ServiceNow.

All right, there's another question here, and I'll probably take two more, guys. So, is there a way to segment security-related assets in the CMDB so only the SecOps or security teams have visibility to them and not the overall ITSM group?

Yes, there is a way to do that, and that's based off roles and groups. That's functionality under user administration, where they have access to certain items based off their roles within that group and how the CIs have been assigned to the owners. So, for example, if you have a security analyst manager, those are the ones triaging, as Mike mentioned earlier; he or she would have that particular role that would be able to assign those tickets out to someone else, and only those individuals would be able to see those tickets unless they're shared with other individuals.

All right, and let's make this the last one here. It's a follow-up to that previous one: which team owns making sure that the security CIs are kept up to date in the CMDB?

That's a good question. That would be the actual security team and the IT team; it would be both of those teams constantly working in parallel together.

Yeah, I think with a platform like ServiceNow, where you have that broader visibility and can actually share authoritative sources of record, you basically get that teaming effect, right? And frankly, everybody should be involved in security, not just the security team. But I understand the question; I think it's more around there being some sensitivity to some of these assets. In a very traditional sense, firewalls are dealt with by firewall teams and so forth, right, and you don't want people looking at accounting systems or HR systems or anything like that either. So they have to be assigned to appropriate people that have that privilege or that role within ServiceNow.

Right, that makes sense.

A couple of things, a little bit about Covestic, just for everybody. Covestic is a premier consulting firm. We really focus on practical solutions to help our clients realize value from these technology investments. We want our clients to succeed, which means they can rapidly scale, grow their business and also improve their own customers' experiences. We're proud of our team of over 250 senior-level consultants averaging, I would say, over 15 years of professional consulting and IT experience, and with nearly 200 ServiceNow-related projects we've achieved a great CSAT rating of 9.7 and have over 90 percent repeat business. We really thrive at these high-stakes engagements. Just to close off our webinar here, we do have some additional webinars, ebooks and white papers on our library resource page. We also have some upcoming events that we're sponsoring in the next couple of months; if you live in the Dallas, Raleigh or DC area, do check us out at these events and stop by the Covestic booth and say hi. And of course, you can always find our upcoming events and webinars hosted on our website. I think that's it for our time today, Chris, so let's conclude the session. I really appreciate everyone, and thank you for attending, and remember to keep an eye out for those upcoming webinars as well as a recording of this one. Everybody, you all have a great day.
https://www.youtube.com/watch?v=rEhITEBeYH0