Optimize and Orchestrate Enterprise Security Operations (Washington DC release)
Hello and welcome. Today we'll be looking at how ServiceNow helps security incident response teams tackle their work far more efficiently and effectively than ever before. We'll start with the big picture and then dive into the key elements of the solution.

It's typical to see a 40 to 60% reduction in time to resolve security incidents when converting from more manual and disparate handling processes, thanks to integrations and automation. When results like these are achieved, our customers can use dashboards like this one to report on their status.

First we'll be assuming the role of the CISO, Andrew Ly. The Security Operations Efficiency dashboard is one of several included with Security Incident Response. Here we can see big-picture trends and break them down by aspects such as analyst efficiency and group efficiency. Here on the Detection and Response Effectiveness tab we can see true detections versus false positives, or by incident source; what business risks exist over time, here on the Incident Risk Score Analysis tab; or perhaps by incident stage, here on the Security Incident Stage Analysis tab. For example, mean time to analyze, contain, eradicate, recover or review incidents is automatically tracked and displayed here.

Users can also create their own reports and dashboards. Our customers appreciate the ability to build dashboards for their teams and leadership. This custom dashboard is a great example of what can be rapidly built using our GUI-based report engine and drag-and-drop dashboards. One of the advantages that ServiceNow has is the ability to bring together data from many groups to provide holistic insights across the board.

In addition to building custom dashboards for your organization, along with several out-of-the-box dashboards, now with the Cyber Security Executive Dashboard CISOs and their teams have a central hub for their organization's security strategy. This CISO has set specific targets to achieve on crucial metrics that can be tracked here centrally. Key operational and security-posture-related performance metrics are displayed below, empowering leaders to track trends and set targets. This provides a comprehensive snapshot of the organization's security posture, with real-time data, metrics and trends across attack surface reduction and security operations.

The Now Platform is fully integrated with the MITRE ATT&CK framework for threat intelligence, which can provide valuable insights that security professionals need to get work done better every day. MITRE ATT&CK can assist security leaders in managing security programs by helping them understand how the various defensive systems are performing and identify where there may be any gaps. The MITRE ATT&CK heat map and Navigator can provide immediate visibility into patterns where the department is seeing any concentration of incidents or is dealing with any relevant vulnerabilities. It also provides a quick visual of the current security posture for detecting and defending against each of these attack techniques. All of this helps the CISO understand where investments of time and resources are most needed.

Here we've set a filter group to show how the heat map and Navigator function and the changes that occur as we set those filters. Watch the heat map change as we do so. This is an extremely valuable resource when it comes to thwarting the attack patterns that impact and threaten the organization the most, such as those from advanced persistent threat groups like APT29 during the SolarWinds breach. You can see, as we add in this final data point of the known adversary group, it draws in all the known techniques of this APT. The CISO can drill down into each of these, but moreover, this shows the current organizational posture and defense against this known APT.

So you can see that we're getting everything in one place, but you may be asking yourself: how did we get here? It all starts with integrations. There are out-of-the-box integrations with security sensors and SIEM platforms such as Azure Sentinel, QRadar, ArcSight, LogRhythm, Splunk and Splunk Enterprise Security. Threat intelligence platforms are also very helpful for security incident handling, saving analysts time with automated threat lookups. Customers can request these integrations for their instances right from the Store, here. Once installed, these applications can be configured inside your ServiceNow instance. Some simply require API keys, such as shown here, while others have more options, like setting a schedule or adding filters to the data we want.

Phishing emails come in a variety of different forms, and often they include a malicious attachment. Analysts can now submit malicious attachments for in-depth malware analysis using the CrowdStrike Falcon Sandbox integration. The integration allows for both manual and automated submissions as well as a variety of other settings. This provides the possibility for the sandbox submission results to be completed during the triage process and ready when the analyst first opens the security incident.

Let's see how the platform helps incident handlers get work done faster and more effectively every day. Here we are in the Security Incident Response workspace, acting as incident handler Adam Long. From here the analyst sees incidents that are assigned to them or their team. With customizable filters they're able to quickly navigate the pool and review automated triage details. Let's look at a recent incident that has been created automatically. The analyst opens it in a new tab; they can keep multiple incidents open at a time if they need to multitask while automations run.

Looks like this is a phishing report from Robert Smith. In the old days the analyst used to have to watch an inbox and do all of this triage, threat analysis and risk calculation manually, but now, when they log in, all of that legwork has been done for them. Employees can simply hit a Report Phish button in their email client or forward in a suspicious email, and ServiceNow will do all of that work automatically.

In the Overview tab the analyst has the most pertinent information related to the incident. The analyst has access to a wide range of information at their fingertips, showing the business impact by asset and user; what threat intelligence has been acquired in relation to the incident, by finding and by type; if there are any response tasks in place for the incident; and related security incidents that are either similar or children. The analyst can also see all the information that is stored in the security incident table by looking at the Details tab.

Here with the Investigate tab the analyst can dig into any of the details in the security incident, such as who is affected by it; in this case it is Robert Smith, the first person to report this phishing email. The analyst also benefits from deduplication: in this case the email has been reported by several individuals, seen here. Lastly, we can see the number of configuration items that have also been targeted by this phishing email.

Next the analyst takes a look at the email that was reported and sees a familiar pattern: these Co-themed phishing emails have been coming in a lot lately. Parsed observables end up here, along with whether or not they are deemed malicious from threat lookups that have already run upon creation of the incident. The analyst does not need to be an expert in dozens of products to leverage all of their organization's threat sources.

Here we see the Playbook pane. The analyst can see where they are in their team's security automation playbook for phishing response. Security Incident Response comes with dozens of flows like this one, and these are configurable via a Kanban-style graphical editor, Process Automation Designer and Flow Designer. When tasks are created they end up in the playbook. We can see where automated lookups were executed and completed. Again, steps and any detailed guidance here are completely configurable, making it easier than ever to architect and use security playbooks.

We also have the ability to add more than one playbook. For example, if during the investigation we discover this phishing email resulted in a malware infection, we can also add the malware playbook while still completing the required phishing playbook. The analyst can add it manually, or it can be added automatically: the playbooks can trigger other playbooks if we want.

The threat intelligence orchestration we discussed has taken place, and the person who reported the phishing incident was automatically contacted via email to thank them for their submission. Sometimes this kind of work is less predictable, so of course any of the automated steps we show can also be done manually in the UI.

Now that these first automated steps have been completed, the analyst only needs to review and confirm the findings. Once they do, the playbook will take care of the rest: finding and deleting the malicious emails across all users' inboxes, performing firewall blocks for phishing URLs, and searching SIEM and log platforms for any other potential victims. The analyst agrees with the automated analysis, so they complete the task to fire off the second half of the playbook.

While these steps are being automated in the background, let's quickly peek at how they're done manually. To perform a firewall block, we pick an IP or URL, check the box next to it, select Block Request and hit Run, then choose which vendor or list to request the block with. This works the same way with Sighting Search to find any matching logs, and we can search for matching emails and delete them like this.

If you have an asset in play then there are more automation options. For example, the analyst can add one to the incident and isolate that host from the network if needed. Forensic evidence can also be retrieved automatically from devices, such as information about network communications. This is in addition to simply having any available CMDB information for context.

Heading back to the Playbook tab, we can see that the automated steps have run in the background to complete the firewall block and quarantine. The only thing left for the analyst to do now is complete the post-incident review. Here they can close out the incident and complete any assessments or post-incident reports.

Today we've looked at how ServiceNow is helping security incident handlers by providing a single system of record and action, automating manual tasks, orchestrating security processes, improving prioritization with integrated threat analysis and business impact triage, enhancing collaboration between security and IT, and providing the big-picture analytics necessary to track and improve KPIs. Thanks for watching.
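The heat map and coverage view described earlier in the walkthrough (incidents counted per ATT&CK technique, filtered by source or severity, then overlaid with a known adversary group's techniques to expose detection gaps) can be reproduced as a small analysis script. The following is an added illustration written for this page, not ServiceNow's own code or the MITRE Navigator: the incidents, the coverage map and the "GROUP-X" technique set are all constructed sample data, and the technique IDs are used only as labels, not as a profile of any real adversary group.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample incidents (not real data). Each carries the ATT&CK
# technique IDs an analyst mapped during triage; the IDs serve as labels only.
@dataclass(frozen=True)
class Incident:
    number: str
    source: str        # where the incident came from, e.g. "phishing_report" or "siem"
    severity: int      # 1 = critical ... 5 = low
    techniques: tuple  # ATT&CK technique IDs

INCIDENTS = [
    Incident("SIR0001", "phishing_report", 3, ("T1566", "T1204")),
    Incident("SIR0002", "phishing_report", 2, ("T1566", "T1204", "T1059")),
    Incident("SIR0003", "siem", 1, ("T1078", "T1021")),
    Incident("SIR0004", "siem", 4, ("T1059", "T1053")),
    Incident("SIR0005", "phishing_report", 3, ("T1566",)),
]

# Constructed defensive coverage per technique, as a SOC might record it:
# "detect" = detection in place, "partial" = coverage with known blind spots;
# a technique missing from the map has no coverage at all.
COVERAGE = {"T1566": "detect", "T1204": "partial", "T1078": "detect", "T1059": "partial"}

# Constructed technique set for a hypothetical adversary group ("GROUP-X");
# this is not a profile of any real group.
GROUP_TECHNIQUES = {"T1566", "T1078", "T1021", "T1003", "T1059"}


def heat_map(incidents, source=None, max_severity=None):
    """Count incidents per technique, applying the same kind of filters the
    dashboard offers: by incident source and by severity (keep severity <= max)."""
    counts = Counter()
    for inc in incidents:
        if source is not None and inc.source != source:
            continue
        if max_severity is not None and inc.severity > max_severity:
            continue
        counts.update(inc.techniques)
    return counts


def coverage_gaps(group_techniques, coverage):
    """Techniques in the group's profile for which no detection is recorded."""
    return sorted(t for t in group_techniques if t not in coverage)


def prioritized(incidents, group_techniques, coverage):
    """Rank techniques for investment: uncovered ones first, then by how often
    they were seen in incidents, with the ID as a stable tie-breaker."""
    heat = heat_map(incidents)
    techniques = set(heat) | set(group_techniques)
    return sorted(techniques, key=lambda t: (t in coverage, -heat[t], t))


def render(incidents, group_techniques, coverage):
    """Text form of the heat map: one row per technique with hit count,
    recorded coverage, and whether the group is known to use it."""
    heat = heat_map(incidents)
    rows = []
    for t in prioritized(incidents, group_techniques, coverage):
        rows.append(f"{t}  hits={heat[t]}  coverage={coverage.get(t, 'none'):7s}  "
                    f"group={'yes' if t in group_techniques else 'no'}")
    return rows


if __name__ == "__main__":
    print("\n".join(render(INCIDENTS, GROUP_TECHNIQUES, COVERAGE)))
```

The ranking deliberately puts uncovered techniques ahead of frequently seen ones: a technique the group uses that the SOC has never seen and cannot detect (T1003 in the sample) is exactly the kind of blind spot the CISO wants surfaced, and incident volume alone would hide it.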
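The phishing triage the walkthrough describes has a few distinct steps: parse observables out of each reported email, deduplicate multiple reports of the same message into one incident (recording the first reporter and the configuration items targeted), run threat lookups, and stage the second half of the playbook (block requests, sighting searches, email deletion) behind the analyst's confirmation. The script below is an added example for this page, not ServiceNow's implementation: the reports are constructed (reserved `.example` domain, documentation-range IP), `THREAT_INTEL` stands in for the platform's automated lookups, and the action strings are labels for the steps the page names, not calls to any real integration.

```python
import hashlib
import re
from dataclasses import dataclass, field

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")

# Constructed "Report Phish" submissions (sample data, not real reports).
REPORTS = [
    {"reporter": "robert.smith", "asset": "LAPTOP-0142",
     "subject": "Urgent: update your payroll details",
     "body": "Please confirm at http://payroll-update.example/login before 5pm.",
     "attachments": []},
    {"reporter": "jane.doe", "asset": "LAPTOP-0377",
     "subject": "URGENT: Update your payroll details ",
     "body": "Please confirm at http://payroll-update.example/login before 5pm.",
     "attachments": []},
    {"reporter": "ali.khan", "asset": "LAPTOP-0142",
     "subject": "Invoice attached",
     "body": "See attached. Our server is 203.0.113.45.",
     "attachments": ["E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"]},
]

# Constructed threat-intel verdicts standing in for the platform's automated lookups.
THREAT_INTEL = {
    "http://payroll-update.example/login": "malicious",
    "203.0.113.45": "suspicious",
}


@dataclass
class TriagedIncident:
    number: str
    subject: str
    reporters: list   # in reporting order; the first is the "affected" user shown to the analyst
    assets: set       # configuration items targeted by this email
    verdicts: dict    # observable -> verdict from the threat lookup
    verdict: str      # overall: malicious / suspicious / unknown
    proposed_actions: list = field(default_factory=list)


def extract_observables(report):
    """Pull URLs, IPv4 addresses and SHA-256 hashes out of subject, body and
    attachments; hashes are lower-cased so letter case cannot split a match."""
    text = report["subject"] + " " + report["body"]
    obs = set(URL_RE.findall(text)) | set(IPV4_RE.findall(text))
    obs |= {h.lower() for h in SHA256_RE.findall(text)}
    obs |= {h.lower() for h in report["attachments"]}
    return obs


def fingerprint(report):
    """Deduplication key: whitespace/case-normalised subject plus sorted observables."""
    subject = " ".join(report["subject"].lower().split())
    material = subject + "|" + ",".join(sorted(extract_observables(report)))
    return hashlib.sha256(material.encode()).hexdigest()


def overall_verdict(verdicts):
    if "malicious" in verdicts.values():
        return "malicious"
    if "suspicious" in verdicts.values():
        return "suspicious"
    return "unknown"


def plan_actions(verdicts, reporters):
    """Second half of the playbook, staged but not fired: block known-malicious
    observables, sighting-search every observable, and remove the reported
    email from the reporters' inboxes when the incident is malicious."""
    actions = []
    for obs, verdict in sorted(verdicts.items()):
        if verdict == "malicious":
            actions.append(f"block_request:{obs}")
        actions.append(f"sighting_search:{obs}")
    if overall_verdict(verdicts) == "malicious":
        actions.append(f"delete_reported_email:{len(reporters)}_inboxes")
    return actions


def triage(reports):
    """Group reports of the same email into one incident, run lookups, stage actions."""
    groups, order = {}, []
    for r in reports:
        fp = fingerprint(r)
        if fp not in groups:
            groups[fp] = []
            order.append(fp)
        groups[fp].append(r)
    incidents = []
    for n, fp in enumerate(order, start=1):
        grp = groups[fp]
        obs = set().union(*(extract_observables(r) for r in grp))
        verdicts = {o: THREAT_INTEL.get(o, "unknown") for o in obs}
        reporters = [r["reporter"] for r in grp]
        incidents.append(TriagedIncident(
            number=f"SIR{n:04d}", subject=grp[0]["subject"], reporters=reporters,
            assets={r["asset"] for r in grp}, verdicts=verdicts,
            verdict=overall_verdict(verdicts),
            proposed_actions=plan_actions(verdicts, reporters)))
    return incidents


def fire_playbook(incident, analyst_confirmed):
    """The review gate from the walkthrough: automated containment runs only
    after the analyst confirms the automated analysis."""
    return list(incident.proposed_actions) if analyst_confirmed else []
```

Two details carry the defensive value. Deduplication keys on normalised content rather than on the raw subject line, so the two payroll reports (differing only in case and trailing whitespace) collapse into one incident with two reporters and two assets instead of two incidents competing for the analyst's attention. And `fire_playbook` keeps containment actions inert until `analyst_confirmed` is true, which is the same human checkpoint the walkthrough places between the automated lookups and the firewall block, sighting search and email deletion.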
https://www.youtube.com/watch?v=otf-IeIVuxY