NJP

Get Started With Security Operations Applications

Import · Jun 27, 2024 · video

Thank you so much for joining us this morning. We're ready to get started with our Getting Started with Security Operations Live on ServiceNow webinar. Sarah, I'll just take back screen sharing from you here. Fantastic.

All right, so welcome, everyone, to the Getting Started with Security Operations Applications Live on ServiceNow webinar. I'm your host, Julian Azeret. I lead outbound product management for attack surface applications here in the security BU. I'll be joined later on by my colleague Jamie Jackson, who's a senior product success manager dedicated to making our security operations customers successful with our SecOps products. Thanks for joining us today.

Just a little bit of background on us both: we have a broader team supporting us throughout product management, product success, and expert services for our in-house implementation services. We have dedicated practices in each of these groups specifically for security operations applications. Today we just have representatives from product success and product management here with us.

Now, we aren't planning on covering any forward-looking statements in this presentation, but just in case we do as a part of the Q&A or discussions, this is our standard Safe Harbor notice, and it does apply to comments that I make in this presentation.

We'll start out with just a bit of housekeeping. We have saved time at the end of this webinar for Q&A. Please use the Q&A widget as a part of the Zoom webinar to submit your questions along the way. It should appear at the bottom of your screen. If you use that Q&A widget, we'll be able to best see those questions and queue them up for our Q&A time at the end. This presentation will be recorded and we'll be sharing it on the ServiceNow Community, so be sure to log into your community accounts and look for our post where this recording will be available. Now, after this event you'll be prompted to fill out a short survey about this webinar. This really helps us change these
webinars and determine whether what we're showing you is effective and everything you need, so please make sure to fill out that survey, and thanks for your feedback.

All right, so here's our planned agenda for today. Now, most importantly, we want you to come away from this with a clear idea of your next step towards your security operations implementation and some of the resources that can help you get there. Our goal here is to support you and provide you with all the relevant resources and help ensure you get a successful start with our products. So we'll start by covering the what: what are the security operations applications and the use cases they cover. We'll then cover why, so the value that you can expect to achieve with some of those applications in those use cases. Then finally I'll be joined by my colleague Jamie Jackson to talk about how to get there, the security operations implementation journey. We'll cover off on all the resources that you'll need to get started. Finally, we'll have five, ten minutes at the end for question and answer, so be sure to use that Q&A widget to submit your comments and questions.

All right, so let's get started. In this first part I'll give you a quick overview of security operations applications and highlight some of the key resources if you want your team to dive in deeper. But I want to start this section with a poll. So for all of you out there listening, what are you planning to implement as your first step in security operations applications? Are you starting off with Security Incident Response, Vulnerability Response, both, are you unsure of what you're starting off with, or are you starting off with a different product in the SecOps suite, which you'll see in a second here? Please tell us what you're starting out with in security operations. We'll leave this poll open for another 30 seconds to allow everyone a chance to respond.

Fantastic, thanks for responding to this poll. This really
helps us in product management understand what people commonly start out with, and it looks like we have, across the board, some people starting out with SIR, some with VR, some starting with both, and a few unsure which direction they'll be taking this first implementation. Hopefully today's session will help you get a handle on what's best for your organization to start with.

Okay, so now I'm going to give you a quick overview of our SecOps product suite and the use cases that we cover with our applications. Now, as many of you will know, the security operations portfolio includes a suite of products that fit into these two broad areas. On the one side we have the ability to respond to vulnerabilities across the entire cyber attack surface. This is what I'd referred to earlier as attack surface management, the suite of products that I cover off on, and this is largely achieved through our vulnerability management solutions. This includes Vulnerability Response as well as Application and Container Vulnerability Response. As you see, this covers a range of areas which are all addressed through various different product offerings. We even have a new addition in this area, Security Posture Control, which you see on the bottom there in what I call the controls and intelligence layer.

Now, on the other side of the house we have the ability to respond to incidents across enterprise security functions. This is achieved through our Enterprise Security Case Management solution. My counterpart in this area is Tim Boswell, who joins us today. He leads outbound product management for Enterprise Security Case Management. So this includes Security Incident Response, Major Security Incident Management, data leak incident response, and within that we also have our threat intelligence solution. We've just recently added a new product to this side of the house, which you'll see on the bottom in our controls and intelligence layer. That is Threat Intelligence Security Center, essentially our threat
intelligence platform built within ServiceNow.

So we'll start off with a high-level view of security incident response workflows in the Now Platform. With our Security Incident Response product, which you'll hear people refer to as SIR, we unlock automation and workflows that enable us to respond to incidents faster, and this is a high-level view of that process that we take. So first, we integrate with your various security and SIEM tools so that you have one central system of action to view and prioritize the alerts that you get from them, along with that native connection to your CMDB within ServiceNow, allowing you to understand the business service context and prioritize those security incidents accordingly. Next, we also have the ability to integrate with threat intelligence tools, which helps to enrich those incidents and better organize and orchestrate response actions, direct those responses right from within SIR. So this includes orchestrations back out with things like your firewall management system or your endpoint protection tool to orchestrate those actions as a part of your playbook responses. Finally, once an incident is completed and ready for closure, we have an automated post-incident workflow process that allows you to configure the post-incident reports to be automatically generated from the relevant information from that SIR and filled out by the analyst who handled the incident.

Now, on the other side of the house, I'll give you a high-level overview of the vulnerability response workflows in the ServiceNow platform. So on the attack surface management side we have Vulnerability Response and Configuration Compliance, both of which follow this same general business process, and that gives you that visibility, prioritization and automation of vulnerabilities and misconfigurations across the entire enterprise. So this starts with integrating with your vulnerability scanners and your secure configuration
scanners, your application security testing scanners, or even your cloud security tools. We bring in vulnerability finding information from those tools, and you can set up vulnerability calculators and assignment rules to enable automatic risk scoring and grouping of those vulnerabilities into remediation tasks, as well as automated assignments to the right teams across security and IT. In addition, we layer on top of that solution recommendations and patch orchestrations by integrating with third-party information for solutions from, say, Red Hat or Microsoft, and out with other tools like HCL BigFix and SCCM for patch recommendations and orchestration. We have workflows for reassignment when those automated assignment rules don't put it to the right person. We can use machine learning to reassign vulnerabilities, and people can request exceptions and deferrals, which can connect with our integrated risk management solution through the policy and compliance management. Now lastly, once a vulnerability has been resolved within ServiceNow, automated rescans can confirm whether those vulnerabilities have been remediated in truth and close them out with confirmation from the scanner.

All right, so here's some highlights of resources that I'm going to go over in a bit more detail that will get you started down your path. First up, product documentation. This is where you'll find the latest product information and release notes, most interestingly, as well as other helpful content like setup guides and instructions on learning about entitlements and so forth. We'll be sharing these links with you in the chat, so you should consider product documentation your go-to resource for detailed information about all ServiceNow products, apps, features and releases.

Next up, our community YouTube channel. There are lots of videos across YouTube, and these particular channels are a great resource if you want to view the latest and greatest demo videos, especially for
security operations and any other Live on ServiceNow content. So we'll have a couple links to specific YouTube channels for you to check out that we'll post in the chat that go directly to our security operations and Live on ServiceNow playlists.

Third, our Now Learning platform. This is where you and your team can access the courses that you have available through your learning credits. These are virtual on-demand or instructor-led courses, and this is where you can obtain all the certifications relevant to the products that you work with in ServiceNow. So we have regularly updated SecOps fundamentals courses. We also have Certified Implementation Specialist courses for SIR and VR, as well as the relevant learning paths for each of those. We created a post in the ServiceNow Community that includes a comprehensive list with links to the recommended training courses for SecOps. We'll share a link to that post in the chat. That's a great resource for you to get started on what courses might be directly relevant to you in your journey with SecOps products.

Now next up, our security operations community. So this is our SecOps portion of the ServiceNow Community site, and this is something that we use as a central hub for SecOps users around the world. It's kind of like a ServiceNow user group that's always on. So this is where you can share resources and best practices, post questions, and get solutions from ServiceNow experts like myself. We also regularly post articles and blogs about the product and upcoming webinars like this one, so we recommend that you and your team subscribe to the security operations forum within the community to get those updates. We also post things like our quick start guides for VR and SIR. Those are really helpful for you to reference at this stage in your journey, so we'll post links to the community and those quick guide articles in the chat right now.

Now finally, but probably most importantly, especially if you're in a
technical role in your organization, your responsibilities with respect to ServiceNow, the ServiceNow developer site. This is our developer ecosystem, which is a great resource for your more technical team members, but it's open to all levels of individuals. Now, this includes detailed technical documentation about things like our JavaScript APIs, and it's where you and your team can sign up for our free developer program, where you can collaborate with other ServiceNow developers and get access to personal developer instances you can use as a sandbox to download ServiceNow applications for free and experiment with the ServiceNow platform. So I'll also point out that under the Connect menu that you see here, this is also where we have our developer Share. That's where you can find utilities that other developers post to the developer site for people like you to join. I even have myself posted an application in there, well, a little bit of configuration that you can use to use machine learning in automated assignment rules for vulnerability response. That's a really valuable resource to accelerate your implementation of ServiceNow. We'll be posting a link to that developer site in the chat and a direct link to where you can get a personal developer instance.

All right, so next up I want to spend some time on why you should begin implementing security operations if you haven't already, and what kind of value you can expect to see by getting started with each of our key use cases across the product suite. But first, we'll start off this section with a poll. So I'm really keen to hear from everybody, regardless of what you think your first steps are with the security operations products: what's your top desired business outcome? So is it maybe accelerating your response to security incidents, making incident response analysts' lives more efficient? Is it accelerating response to critical vulnerabilities, getting a handle on the worst parts of your
attack surface? Is it reducing the effort that it takes to resolve a security incident, or perhaps reducing the exposure of your attack surface? Or if you have another goal, you can select that option, and please share with us. I'm personally very keen to hear. So we'll leave this question open for just another 20 seconds for everybody to respond. This, in conjunction with the previous question, helps us get a better handle on, sort of irrespective of what product you're going forward with first, what's the main value that you expect to get out of this, so that we can better craft our journey through these security operations products. All right, looks like most people have answered, so we can go ahead and close this poll. Another broad spread across all of the responses, although I'm very keen to dig into the one respondent who has another use case here. Fantastic.

All right, so irrespective of which of those options you'd picked, generally we can expect our customers to achieve all of those things, depending on your priorities, right? Our customers have been able to achieve these results that you see on the screen here within just six months of going live. These are the key metrics that we use as a North Star for our products, from the telemetry that we collect. So to highlight a few of these results, we find analysts closing almost two times the number of security incidents on average after just six months of usage. We also see people cutting the mean time to remediate a vulnerability in half after just six months of usage, and our best-in-class customers are achieving even greater results, so if you look at a sort of top subset, those numbers get much larger. So these are the types of results which we think you can achieve, we want to help you achieve, with these products.

Now, we at ServiceNow, we're customer zero for both of our first security operations products, VR and SIR. These products came from actually internal needs. So we moved from manual, labor-intensive processes
responding to passwords for ax back in, you know, 2012, to respond to vulnerabilities using Vulnerability Response, leading to over 99% accuracy assigning vulnerabilities, exceptionally high SLA attainment, and an 85% gain in productivity. Really great results internally with Vulnerability Response. Similarly, with Security Incident Response, our internal security team has gained immense value moving from manual processes to being able to prioritize alerts and automate processes, leading to over 800,000 in staffing cost savings and thousands of hours saved. So again, we are active users of our products and security operations. It's crucial to our business, and we continue to implement new functionality as, you know, we in the BU release it. We work in lockstep with our internal security teams to meet their needs and sort of pass that value on to you as customers.

So to get these results yourself, setting your vision and your desired outcomes is a critical first step in your implementation. These are just some examples of the types of outcomes that we see customers choosing to prioritize in their security operations implementations, and some of the metrics that you can use to track those outcomes. Many customers initially select one or two of these outcomes that relate to their key challenges to prioritize for their first implementation, and to be able to select appropriate metrics to measure their progress. There are a number of resources on Now Create, and these include information on outcomes and metrics like you see here that you can reference, and also there's a post on the community that summarizes all of this. So we'll be putting a link to that community post in the chat, and I recommend you work with your implementation partner to get those resources on Now Create that's leveraged as part of your implementation.

So as you explore the value that you can get out of your security operations applications and create a vision for your
organization, here's some resources that we want to highlight that you can lean on to create those outcomes. So first, our Customer Success Center. This is really your one-stop shop to search across all ServiceNow resources, finding leading practices, resources, tools and calculators, events, services, and learn more about the Now Value methodology, which is our framework to envision, create and validate value from your ServiceNow products and champion your success.

Next up, the value calculator. So this is a resource that you'll find in the Customer Success Center, but it's worth calling out at a top level here because this is a quick and easy way to see the annual business value that you can achieve using your ServiceNow products. It allows you to calculate the value of multiple solutions at a time, or you can use the link that we'll post to see just security operations solutions.

So what if you have ServiceNow Impact? ServiceNow Impact is a value acceleration solution that's designed to maximize the value that you get out of your investment with ServiceNow. We'll post a link in the chat to the ServiceNow corporate domain, the Impact page. There are a number of different packages with varying offerings within the Impact experience, and this shows a bit more detail around the possible offerings that you might have access to if your organization has ServiceNow Impact. This is the total package that you see on the screen here, with the full range of offerings, including things like a designated squad of personnel, ServiceNow value recommendations, additional technical support, and special discounts on training and expert services. If you're interested in more information about ServiceNow Impact, you can reach out to your account executive or customer success manager, but this can be a huge bevy of additional resources on your implementation journey, so it's worth checking with your platform team whether you have and engage with ServiceNow Impact.
Okay, so getting into the next section, I'm going to be handing it off to Jamie from our product success group. Jamie's going to provide a bit more context on the security operations implementation journey, how you go about starting that implementation journey and achieving some of the outcomes that we've been talking about today. So Jamie, are you with me?

Thank you, Julian. As he mentioned, my name is Jamie Jackson. I'm part of the product success team for the security operations suite, and we're going to have one more poll for you guys, or maybe two, but I'd like to see where you guys are at in your implementation, whether you're planning to implement this year or you're doing it right now, no plans just yet, you just bought the product, or anything else, so we can kind of understand where everyone is.

Wonderful. So it looks like we got a lot of folks either implementing now or no plans to implement, or other. I'll give that just a little bit longer. We'll leave the poll open for another 20 seconds or so, give more people a chance to respond. Great: partially implemented, inherited an implementation from previous admin, starting to operationalize it. So you might have it implemented but it's not actually being leveraged yet or used to its full extent. All right, looks like we have most of the participants responding. All right, wonderful. All right, so let's go ahead and move to the next slide.

All right, so your implementation options. You have three, kind of four, implementation options that probably a lot of you guys are aware of. We at ServiceNow have expert services, so once you have purchased the product and you have licensing for it, you can also reach out to your account representative and inquire about our expert services that will do the implementation for you. You can leverage an implementation partner, whether you're working with one right now or you already have one that you work with on a regular basis and they're going to be doing now your SecOps
implementation. Or you can have a little bit of both, where you have a co-delivery, where you have an implementation partner that's leveraging some of our expert services for assistance. This is important, or I would say where I've seen it the most, and Julian probably can provide some extra context, is if you have an implementation partner and they've done ITSM, they've done your ITOM or any other type of integrations, implementations, but they don't have any SecOps experience and there's nobody certified, but you want to leverage them, you might want to reach out to our expert services for some advisory support to make sure that you're getting folks that actually have done those implementations. It's very important. Obviously, we've seen, if any of the implementations have failed or had issues, a lot of the times it's because they were working with folks that just weren't qualified to implement the products themselves. Or alternatively, you can do the self-implementation, where there are a ton of resources and artifacts available for you on Now Create to learn it. It's not recommended this way; obviously leveraging our expert services or an implementation partner would be ideal, but sometimes that's just not the case and it can't be done. Just would highly recommend, if you're going to do a self-implementation, a lot of training prior, gather all those Now Create documents, and see if you can reach out to somebody that has implementation experience, would be ideal. All right, next slide.

Okay, where you're at. And it looked like some folks are doing VR, SIR, they have SIR and they're going to do VR, or vice versa. That's typically where everybody starts. Whether it's Vulnerability Response or Security Incident Response, those are our two core applications within the suite. One or the other, or both done in parallel, these are typically the foundation. In addition to that, after you've done security incident and VR, the next couple ones we've seen come
online, especially within VR, is Application Vulnerability Response, where it's integrating with your Checkmarx or your SCC scans, stat scans, and importing those as application-type vulnerabilities. In addition to that, with Application Vulnerability Response you have a pen test workflow that you can import your pen test findings; you can actually request a pen test from the product itself and go through that process. Or you can implement with another product too: if you're having some sort of third party do your pen test findings, have those imported into Application Vulnerability Response, and they will be treated like VITs, or vulnerable items, called application vulnerable items in this product itself. That's specifically one because most folks are doing some sort of pen testing, even if they're not doing any type ofat scans. They want to at least have those pen test results. You have a workflow and everything that you'll need to handle those in Application Vulnerability Response. In addition to that, just for your knowledge, Application VR is actually installed with Vulnerability Response. For those who are starting to implement it, you probably see Application VR; they're installed together, so it's not a whole separate application, but it's usually implemented separately.

And then lastly, Configuration Compliance is your compliance scans, whether you're having those scans come in from Tenable or whatever scanning compliance that you're doing. This product in particular integrates with GRC ServiceNow, if you are leveraging that, to map to control objectives and benchmarks and so on and so forth. So those will come in as test results. Vulnerability Response obviously integrates and pulls in your CVE data; this is your configuration, or scan compliance, scanning data as well, comes in as test results.

And then beyond that, as you start to mature and go further, and
this isn't mandatory that you follow this; you can do cloud security VR CC before any of these other ones as well. This is just the usual route that we see: onto threat intelligence, major security incident response, and then eventually really good patch orchestration and security incident response orchestration can be done as well as you start to get accustomed and integrate it with these products. All right, next slide.

So one of the things in particular, if you're in the middle of implementing Vulnerability Response or you're starting to: I've done about 15 implementations for Vulnerability Response, and one of the most important things is to kind of really self-analyze where you are from a maturity standpoint at this time and have some expectations on what the initial phase is going to be like. I know everybody wants to go from walk to, you know, black belt, but that's usually not the case. If you're just currently sending out spreadsheets, maybe the first step in the process is just to get some sort of automated assignment so I can get out of the email back and forth and go through that, and I can have some simple prioritization by using just the CVSS score, and then obviously importing all the vulnerabilities so I have improved visibility and fantastic reporting that comes out of the box. Where you're at currently is probably going to determine where you're going to move, at least in the initial phase, and I would also recommend identifying a phased approach into this. Don't try and go from zero to three right off the bat, even though it's ideal and everybody wants to be there, but have some realistic expectations on what the first phase, the first three to six months, are going to look like, what we're going to actually have done, and then we can move on to: Vulnerability Response, I can integrate with change, I have a change ticket with all of mine, I can have actually the deferral process, the false positive approval
workflow. I don't have to do that all at once; I can do this in chunks, and you can implement those workflows and processes as you move along, determining, based on your prioritization, what the major pain points are right now that you need to address.

In addition to that, fortunately or unfortunately, the CMDB plays a huge role in your maturity process for Vulnerability Response, which those that are implementing are probably realizing. From a business context perspective, we can use CVSS scoring all day long, but that doesn't give us really any business context into where the asset is and actually the legitimate risk score, whether it's internet-facing or it's behind compensating controls. When you have that data in the CMDB, you will be able to leverage it in Vulnerability Response. So your CMDB maturity is going to determine how far you can get with VR as well. I've seen Vulnerability Response really forces the hand in maturing the CMDB, so it's great in that aspect, but just know that it's dependent pretty heavily on it as well, from risk scoring and all the context that you need to establish assignment and all that kind of good stuff. All right, next slide.

And maturity from Security Incident Response: how are we doing it right now, and how I always like to start Security Incident Response implementations, identifying where you're going to have security incidents actually be generated from. We know the obvious one is our SIEMs or any type of other alert capability, security tool that can create security incidents, but you have a security incident catalog that this is going to come up with, you have the ability to escalate an incident to a security incident, you have the ability to convert a security request to a security incident, you have the ability to set up inbound email and phishing campaigns and all that kind of stuff, and to include just simply creating a new one as well. So where you're at and where security
incidents are going to be generated from is really the first step in identifying what your stages of maturity are. If you already have a SIEM and you have orchestration in place with another tool and you're going to leverage that in conjunction with ServiceNow, your stages of maturity might, you know, start automatically at number two. So where you're at obviously is going to determine your maturity and your stage level. Security Incident Response in particular has to be done in a phased approach, or should be done in a phased approach, just because it can do so much. I'm not sure, Julian, the number of integrations we have at this point with all the different security tools. If you go to store.servicenow.com and just type in the vendor that you want to integrate with, there's a number of them now for security, and that's continuing to increase all the time.

It's enough that I don't know the exact number myself, so yes.

Right, but that's always a question we get asked, like, what are the integrations available? Just go on that store and see if you have CrowdStrike or whatever other tools you want to integrate with, in addition to maybe your SIEM that you want to start doing an orchestration. And then in addition to that, your playbooks. We have a number of playbooks that come out of the box, but do you have playbooks in place but you want to get those better, or you want to, you know, groom those and be able to leverage the workflows in ServiceNow, is another question I would ask. So this is going to be totally relative to where you're at currently in an organization as far as how your maturity continues to rise. All right, next question, I mean next slide, sorry.

I'm not going to go through this. I know this slide's very, very busy, and they'll be available to you after. These are some examples of that, you know, foundation, crawl, walk, run, what you can actually implement specifically on each of these. For Vulnerability Response in particular, you
know it's just identifying we're going to do this this and this this is a way to actually capture those requirements or your scope for your first implementation or your initial phase of the implementation and go from there it's really a road map built for you or at least something that you can leverage to build one out so again I'm not going to highlight this but there's links involved as well probably going to some of the places that Julian even provided but um this is a great way or great foundation to build out your road map for the products themselves and these are the story themes so how to get vulnerability response off the ground on the initial um initial phase these are some of the stuff that you can do um so in the stories or requirements you're building out uh you can kind of group these together into these different themes or however you're you're managing that story devel development um some of the first things that obviously have to happen install these supporting applications and roles and responsibilities that's going to be core setup for any application and ServiceNow not just VR and SIR and SecOps um and then the integration setup so you're going to obviously integrate with your scanners but there everybody knows about the scanner but we there's multiple other integrations available there's the NVD integration obviously that we need but there's CISA KEV there's the Microsoft and Red Hat solutions which I would deem even on the initial phase to implement because it gives you the ability to group vulnerabilities by patches and assign them out um with the patching in group because that's really what a lot of times what your remediation team wants they want a task and I want to know the patch that I have to use to uh get these remediated and then on on to CI matching and CMDB VR in particular as I mentioned is heavily dependent on the CMDB the implementation should be working with the configuration management team if you have one um if you don't 
there's some roles and responsibilities need to be defined to make sure that is in place because we're going to have assets that are coming in and there's going to be unmatched ones and what are we going to do from a reconciliation standpoint to get those um reclassified in the right place in the CMDB so that they can be assigned effectively and and so on and so forth big one right here this is Phase One um which again the people that are doing it are probably realizing it it's very very important that uh that's part of the initial implementation and then risk scoring and assignment rules again risk scoring the calculators in vulnerability response are highly highly configurable um you can almost do anything you want with them there's a couple that come out of the box where you can just use severity or CVSS but you can also use you know KEV you can use any type of other um intel intel feeds I think we have a couple Recorded Future you can use any type of other attributes that you want to set up your risk scores the typical one to start with obviously is going to be your severity or CVSS um but you can expand upon that with internet facing and whatever other type of logic you want to use for those risk scores and then the assignment rules is essentially who who do these get assigned to who's doing the patching for these who's doing the remediation activities this is where we ideally we can leverage the CMDB to um assign it to support groups or whoever it is or if we can't um if we have application related vulnerabilities maybe we need to use classification rules to identify if it's an application related vulnerability and assign it to the correct team in addition to that you can obviously um not obviously but you can script it out script out these assignment rules if you need to get up to the application owners which I've seen quite a bit as well that can be done it's not um you know click here click there but you can dot walk up it through a script and then your 
remediation target rules or your SLAs um based on the risk rating or risk score you'll configure those task rules are the grouping logic as I mentioned um prior you can group them by solution or by patch uh whatever logic you want um is again another mandatory step really in the initial phase change management and exception management those are two things that we've seen people or folks um push out to phase two maybe you're not going to leverage change uh the out the box change integration right away or maybe you um aren't going to use the exception process right away maybe not usually that's actually configured to some extent but uh you can push that out and not even have exceptions go but there's workflows that are um already in place to support that you can modify as necessary and then on to configurate uh notifications and the dashboards and configur um dashboards and reports sorry next slide so same with security incident response and I'm going to zoom through this one just I know we're running out of time so same process uh again this is a great road map to leverage um for to building one out and individual items that you guys can have as requirements or themes during your initial phase that you can focus on what you're prioritizing as far as what we need to implement instead of just everything at all at the same time so next slide all right security incident response there's a lot to do in security incident response uh core setup being the obvious with SIR and um the integrations available as well as the groups SIR is access or it's locked down out of the box pretty heavily you can actually even kick out the platform administrators so they don't have access to uh any of the SIR tickets either and you can use security tags there's TLP there's a number of different ways to um limit access uh into SIR uh that probably is one of the main components of of implementing it in the initial phase because everybody has concerns about who can see what in in security incidents 
for obvious reasons and then our integration setup again go to that store.servicenow.com see which integrations you're going to actually leverage you don't even have to do integrations on the initial phase it's not necessary there's as I mentioned before there's a number of different ways to create security incidents um that don't even involve an integration with a SIEM or any other type of security alert tool uh there are CMDB matching so for instance if you integrate with Splunk it'll import a CI or an asset and it'll actually try and match it to one in your CMDB as well so it will come into play uh when that happens and then your process definitions how are you actually working security incidents all the way uh state fill open meaning analyze escalate or can't even remember them off the top of my head but going through that process in those different states you can actually um configure that to however you want it whether you're using NIST or SANS and then record creation which is what I mentioned prior there again there's a number of ways to create security incidents it's not just the SIEM you can do it from a service catalog inbound email if um you want to if if you have a security alert tool that's not available in the store yet but it can send email you can send out you can set up the inbound email to parse those out and create security incidents as well uh again email ingestion for your phishing that might be a playbook that you start out with uh scoring same same concept around VR there's it's highly highly configurable around this uh scoring for security incident uh you can leverage it however you or configure it however you want and then have SLAs based on the risk scores and so on and so forth uh one of the big things I want to highlight is the uh obviously the workspace and the assignment but the playbooks themselves so again there are playbooks um that are available for security incident out of the box there's some that you can leverage or at least use to some 
extent and modify as necessary and there's also a knowledge base that comes with security incident response is really where you would house those playbooks um so identifying which playbooks you're going to start with uh the first three to five uh that you're going to implement right off the bat it would be imperative and then building out those workflows as necessary uh post incident review that's one that I've seen not you can on the initial phase depending on um if that's needed you can have post incident reviews for certain types of security incidents uh not all of them or whatever it may be but that's again highly configurable it's just in the assessment engine and ServiceNow so you can have whatever questions you want and there is a template and questions that come out of the box that you can leverage and then on to SLAs reporting and dashboards next slide all right resource highlights there's the Partner Finder um on ServiceNow uh this is where you can go in there and actually look for your partners you can look to see filter by the product line which is is highly highly important again having experienced partners with security incident response or any of the SecOps suite if you're going to implement would be imperative I would also highly recommend you make sure that they are certified in SIR VR and that they have experience in implementations um that's one thing I would make mandatory right off the get-go next slide and then our expert Services again you can come back to ServiceNow after you've through the uh the sales process of buying the licenses we have an excellent expert services that will do the implementation for you uh but that link right there will guide you and obviously you can reach your account representative at any time and and then Now Create if you are even if you're not doing self-implementation uh go to Now Create because it has every single thing you need from an implementation standpoint in fact as a partner your partners are probably 
following this logic on how they're actually doing the implementation there are even stories on there story templates that actually um have some recommendations on what requirements would be there's process gu process workshop it's a plethora of artifacts available to you this is a very very important reg website I learned tons of stuff from this Now Create when I was first learning six years ago um VR and S so highly highly recommend um bookmarking that one and leveraging it during your implementation next slide and then the summary of key choices again you guys will have this available to you uh I know we've given you a ton of links because there's a ton of information out there uh but the ones in particular Partner Finder Now Create and then the training are going to be um are going to be extremely important during your initial implementation all right thank you so much Jamie for that overview of how to uh how to achieve the value that we've been talking about today um so next I'd like to invite you all to our first annual in-person event exclusively for security operations customers so the purpose of this event which we're calling the connect security Symposium that is for customers to share knowledge and best practices with you know technical and business focus content we'll have keynotes from both our leading security operations customers as well as our product leaders internal to ServiceNow I'll be there it's in Santa Clara from September 25th or 24th through 25th and you can scan this QR code to learn more and register so today's session has been a part of the Live on ServiceNow curated event series is to connect you with ServiceNow experts and peers that can help you deploy your products and get to value faster so we hope you join us again at another webinar or 360 exchange event uh you can see the schedule for these sorts of events by scanning the QR code here or just use the link uh which we'll post in the chat so we'd encourage you to keep an eye out 
for future events uh register for them for example we have a security operations office hours session coming up it's an open forum to get your questions answered by the product management team like myself and other subject matter experts like Jamie so add to that Julian real quick um we are going to be starting a security incident response webinar series so if you recall those themes all those different boxes we're essentially going to have some snippet webinars on how to actually implement each of those um that'll be starting I think in a couple weeks so keep an eye on out for that sorry about that fantastic thank you Jamie no no worries at all yes so we have a series of best practices and roadmap webinars that are regularly posted in the community as well so we'll share a link to those in the chat keep an eye out on the community we generally post links to these webinars there all right so we now just have two minutes for Q&A um if you haven't already please submit your question via the Q&A widget there's a couple that have come in while I was talking that I'd like to highlight and that may be all we have time for but if we don't have time to answer your question in the session today uh we'll get back to you with a response through the community uh so the couple questions that I'd like to bring up uh that have already been asked are first off can security incident response and vulnerability response integrate with ServiceNow scoped apps for inventory or CMDB type data uh like for example uh Nuvolo for CMM IoT devices so generally the short answer is yes uh but the the value comes into who you're integrating with and what data comes in with that integration so use that ServiceNow Store to search for uh your tools that you'd like to integrate with generally has some information on the landing page for each Store app about uh what use cases that integration fulfills and what type of data it brings in uh and what application it brings that data into now the CMDB 
is one example of you have an integration that puts something in the CMDB generally uh that's going to be used by vulnerability response uh when we go to match devices that are coming in from your vulnerability scanner right so if it's an integration putting something in CMDB yes you can consider that interoperable with both SIR and VR that'll be leveraging that CMDB data so it's fantastic question um the next question that I just wanted to make sure to voice over for the broader audience uh so participant asks for security incident response what's the difference between the new UI and the SIR workspace um now this is one case where I I'll have to apologize in advance but um generally the new UI is actually an older UI that was built many years ago um sort of to address our customers needs for a better user experience from the base platform uh but before ServiceNow as a whole had released our own proprietary uh user experience development framework which we call the Next Experience so don't use the new UI um the SIR workspace was released on uh ServiceNow's Next Experience framework and that is what new customers should be adopting uh as you go through your first implementation of security incident response it's that security incident response workspace uh that you'll want to use and that uh is you'll find under the workspaces menu alongside all your other Next Experience workspaces it uses the Next Experience user experience framework and you know you can use UI Builder uh to configure that that workspace just like any other workspace a good question to get clarified all right I think that is all we have time for today so again if you have any last questions definitely submit them in Q&A we'll get back to you on them but I want to thank you all for joining us today a reminder do take a minute to complete the survey that will appear once we close the webinar and we look forward to seeing you in the next one thanks all for coming

View original source

https://www.youtube.com/watch?v=fGSGG3f_si8