Security Incident Response Overview and Data Visualization Flashcards
The overarching goal of Security Incident Response itself is?
Containment as soon as possible - by reducing the time required for security analysts to respond by getting the right information in front of the right eyes at the right time, i.e.:
- Collating and enriching incident information; analysts shouldn't have to search in different places
- Investigation and analysis; analysts should understand severity and business impact
- Identifying which incidents require urgent attention; business logic prioritizes work for analysts
The Security Incident Response process is intended to increase the speed of what?
Detection
Containment
Resolution
The ServiceNow Security Incident Response application closely follows a standard incident management process in 4 ways.
What are they?
Collate information from various sources - both manual and automated
Analyze this information - make sense of waves of (possibly disparate) information
Prioritize responses - Determine what should be done first, and why
Get information to the task worker - so they can begin working on it!
How many custom tables do Standard SIR, Professional SIR, and Enterprise each receive?
Standard SIR 5, Professional SIR 5, and Enterprise 15
Once the bundled custom table limit is reached, providing access to additional custom tables requires a Now Platform App Engine subscription.
What does Standard SIR contain?
Security Incident Response
5 custom tables
What does Enterprise contain?
Security Incident Response
Vulnerability Response
Vulnerability Solution Management
Predictive Intelligence
Threat Intelligence
Performance Analytics
Event Management for Security Operations
Security Incident Response Integration Bundles
Configuration Compliance
15 custom tables
What does Professional SIR contain?
Security Incident Response
Predictive Intelligence
Threat Intelligence
Performance Analytics
Event Management for Security Operations
Security Incident Response Integration Bundles
5 custom tables
Side note: Configuration Compliance can be purchased independently.
ServiceNow follows the basic guidelines of what organization’s lifecycle?
National Institute of Standards and Technology (NIST)
What are the 4 phases of Incident Response Lifecycle?
Preparation -
Making sure the customer organization is appropriately trained, with the tools necessary to detect/respond to security incidents. Customers must define their business requirements (what they consider a security incident, their priorities, etc.) for the implementation, and it is imperative that they have already developed response plans with runbooks.
Detection and Analysis -
Detection originates from tools such as firewalls, intrusion detection systems, and logs of email or web gateways. Analysis is mainly a manual process (security analysts working the incident).
Containment, Eradication, and Recovery -
Containment (e.g.: disconnect the affected CI from the network) limits the impact of the security incident, preventing data loss or further malware contamination. Eradication seeks to fix the problem (e.g.: patching, disinfecting, reimaging) based on the best course of action, usually guided by runbooks and established procedures. Recovery brings affected systems back into normal operation.
Post-Incident Activity -
Documentation of observations, along with action(s) taken to address the problem and proposed changes for future improvement. This information is saved as a Knowledge Article for future reference.
Fill in the blank
The ServiceNow Security Operations Business Unit has specified a Security Incident Response Customer Journey Maturity Model based on
___________, ___________, and ___________.
Modernize, Transform, and Innovate.
A Security Incident is created in 1 of 2 ways. What are they?
Manual Incident Creation
Automatic Incident Creation
What are the Security Incident Response Maturity Models?
Manual Operations - Using spreadsheets for tracking and email/calls/texts for comms
Basic Operations
Automated Investigation
Orchestrated Remediation
Who are the reporting Audiences?
Analysts - Need up-to-the-minute views, need clear prioritizations, need granularity
Managers - Need aggregations for priority and workload, need drill-down to granularity, need time period views
CIO/CISO - Need high-level overviews, a single clear indication of organizational health and function
According to the schema map, what is the relationship between the Security Incident table and Task?
Security Incident [sn_si_incident] extends Service Order [sm_order] extends Task [task]