Module 1: Security Incident Response Overview and Data Visualization Flashcards

1
Q

What is the overarching goal of Security Incident Response?

A

Containment as soon as possible

2
Q

The objective of the SIR process is to increase the speed of what 3 things?

A
  1. Detection
  2. Containment
  3. Resolution
3
Q

What are the four levels of the Security Incident Response Maturity Model?

A

0 - Manual Operations

1 - Basic Operations

2 - Automated Investigations

3 - Orchestrated Remediation

4
Q

What occurs at level 0 (Manual Operations) of the SIR Maturity Model?

A
  • Using spreadsheets for tracking and email/calls/texts for comms
  • No centralized system for security response. This leads to limited visibility and long response times
5
Q

What occurs at level 1 (Basic Operations) of the SIR Maturity Model?

A
  • Security Incident and Tracking in a system with basic SIEM ingestion
  • Incident Response for core processes defined and documented but incidents progress manually (no automation)
  • Email parsing or advanced phishing import
  • Users and groups for assignment defined
  • Risk calculator set up for prioritization
  • Basic dashboards (non-PA)
  • Basic SLAs in place
6
Q

What occurs at level 2 (Automated Investigations) of the SIR Maturity Model?

A
  • Security incidents are automatically enriched with threat intelligence data from third party sources
  • Deduplication of alerts with Event Management
  • SOC performance monitoring
  • Top 3 playbooks implemented
7
Q

What occurs at level 3 (Remediate with Orchestration) of the SIR Maturity Model?

A
  • Orchestration for sightings searches, EDR, and firewall in place
  • Ability to rapidly build custom integrations and create new integration workflows
  • Top 7 playbooks implemented
  • Advanced threat intelligence program
8
Q

SIR Adoption Journey

A
9
Q

What are the three levels in the SIR Customer Journey Maturity Model as specified by the ServiceNow Security Operations Business Unit?

A

(The value delivered by each level is shown in parentheses)

  1. Modernize (Faster Security Response)
  2. Transform (Improved Situational Awareness)
  3. Innovate (Enterprise Protection)
10
Q

What are the six steps defined in each level of the SIR Customer Adoption Journey?

The three levels are:

Modernize

Transform

Innovate

A
  1. Inventory
  2. Connect
  3. Configure
  4. Launch
  5. Measure
  6. Refine
11
Q

What are the four phases of the Incident Response Lifecycle which originate from NIST?

National Institute of Standards and Technology

A
  1. Preparation
    1. Customer org is properly trained
    2. Customer has defined business requirements (define a Security Incident, Priorities, etc.)
    3. Have already developed response plans with runbooks
  2. Detection and Analysis
    1. Detection originates from tools such as Firewalls, Intrusion Detection Systems, logs of email or web gateways
    2. Analysis is mainly a manual process (security analysts working the incident)
  3. Containment, Eradication, and Recovery
    1. Containment limits impact (disconnect CI from network for example), preventing data loss or further contamination
    2. Eradication attempts to fix based on best course of action, usually guided by runbooks and established processes
    3. Recovery brings affected systems back into normal operation
  4. Post Incident Activity
    1. Documentation of observations along with actions taken and proposed future changes
    2. Saved as knowledge
12
Q

Though not defined in ITIL (hard to believe but that’s what it says), ServiceNow defines a Security Incident as what?

A

An incident created to address an event that can be related to either a security threat or security vulnerability. These are often attributable to a human root cause

13
Q

What is included in basic Reporting?

A
  • Provides real-time analysis of the current situation
  • Many different (and familiar) graphs available baseline
  • Several reports can be arranged on homepages such as the CISO Reporting Overview homepage
  • Requires read access to the underlying table data
14
Q

What is included with Performance Analytics?

A
  • Provides real-time analysis of historical data (scheduled job records previous data over time)
  • Analytics features can also provide trend lines and future prediction with confidence intervals
  • Several widgets can be arranged on dashboards, e.g. CISO Overview dashboard
  • Requires read access to the underlying table data
  • Indicators can compare current data against targets
  • Triggers can fire against specific thresholds being met
15
Q

What are Indicators and what are the two main types?

A

Indicators (sometimes known as business metrics) are statistics used to track and measure current conditions and forecast business trends

The two main types (these are generic and not just in PA) are:

Leading indicators which focus on the input required to achieve an objective

Lagging indicators which measure activity output

16
Q

How many reports are provided with the Security Incident application at baseline?

A

Around 30

17
Q

What is the CISO (Chief Information Security Officer) dashboard and what are its features?

A

This is the overview of trends in SIR

Includes KPIs across Risk, Vulnerability, Policy Compliance, Configuration Compliance, Security Incident, and Orchestration

Average time to Identify, Contain, and Eradicate (driven from metrics and automatically created and available on base install)

Shows GEO mapping based on CI correlation

18
Q

What tables are commonly used as report sources for SIR?

A
  • Security Incident [sn_si_incident]
  • Security Incident Audit Log [sn_si_audit_log]
  • Task [task]

Note: Security Incident [sn_si_incident], is an extension of Service Order [sm_order], which itself extends from Task [task]

19
Q

What type of information is displayed on the Security Incident Explorer homepage?

What are the differences between the above and Security Incident Overview?

A
20
Q

What is the goal of any implementation consultant and what are the four steps to achieve said goal?

A

Customer Satisfaction through a successful deployment

  1. Understand customer value from a business perspective
  2. Educate customers regarding platform capabilities and features (and how these can support their business outcomes)
  3. Agree to project requirements with success criteria in terms of expected outcomes of value for the customer
  4. Transform these into actionable project tasks then prepare for execution - perform and test the changes
21
Q

What are the examples of “What Security is NOT”?

A
  • Just IT-related issues
  • Simply a tool set
  • Something that slows productivity
  • Frustrating and unnecessary
  • Antivirus and firewall
22
Q

What are some of the names for a dedicated Security Incident Team?

A

Computer Emergency Response Team (CERT)

Computer Security Incident Response Team (CSIRT)

Security Incident Response Team (SIRT)

23
Q

What are the Roles Associated with Security Incident Response and their functions?

A
  • Platform Admin
    • This role can be broken out if needed to allow a separation of duties with Security Incident Admin
  • Security Incident Admin [sn_si.admin]
    • Full control over all Security Incident Response Data. Also configures territories and skills as needed
    • Security roles are only assignable by a user with the sn_si.admin role
  • Security Manager [sn_si.manager]
    • Has the same access as security agents, with the additional ability to adjust business criticality calculators and view the manager dashboard
  • Security Incident Analyst [sn_si.analyst]
    • Creates and updates security incidents, requests, and tasks, as well as problems, changes, and outages related to their incident
  • Security Basic [sn_si.basic]
    • The underlying role for basic security access
    • Creates and updates security incidents, requests, and tasks, as well as problems, changes, and outages related to their incidents
  • Read [sn_si.read]
    • Has read-only access to security incidents, typically for reporting/monitoring purposes
  • External [sn_si.external]
    • Role for external users to view work tasks assigned to them
    • Note: Users with just the external role can view tasks but not the security incident record related to them
  • CISO [sn_si.ciso]
    • Has both read and write access to Security Incidents
    • the sn_si.ciso role inherits the sn_si.basic role by default
  • Knowledge Admin [sn_si.knowledge_admin]
    • Manages the Security Incident Knowledge base, both content and configuration
  • Integration User [sn_si.integration_user]
    • Permits external tools to create/amend security incident records
24
Q

What roles are automatically inherited by Security Admin?

A
  • Knowledge Admin
    • SI Read
  • Security Manager
    • SI Basic
  • Security Analyst
    • SI Basic
25
Q

What roles are automatically inherited by SI Basic?

A
  • SI Read
  • Security Common Write
  • Threat Intel: Read, Observable Read/Write
  • Task Editor
26
Q

What roles are automatically inherited by CISO?

A
  • SI Basic
  • PA Viewer
  • SI Read
27
Q

What roles are automatically inherited by SI Read?

A
  • Security Common Read
  • Threat Observable Read
28
Q

Describe the benefits of ServiceNow Security Incident Response to your customers

A
29
Q

Explain the different SIR Dashboards and Reports in the SN platform by the following categories:

Data Visualization

Dashboards and Reporting

Performance Analytics

A
30
Q
A