Security Incident Response Overview and Data Visualization Flashcards

1
Q

What is the overarching goal of Security Incident Response itself?

A

Containment as soon as possible, by reducing the time security analysts need to respond: getting the right information in front of the right eyes at the right time, i.e.:

  • Collating and enriching incident information: analysts shouldn't have to search in different places
  • Investigation and analysis: analysts should understand severity and business impact
  • Identifying which incidents require urgent attention: business logic prioritizes work for analysts
2
Q

The Security Incident Response process is meant to increase the speed of what?

A

Detection

Containment

Resolution

3
Q

The ServiceNow Security Incident Response application closely follows a standard incident management process in 4 ways.
What are they?

A

Collate information from various sources - Both manual and automated

Analyze this information - make sense of waves of (possibly disparate) information

Prioritize responses - Determine what should be done first, and why

Get information to the task worker - so they can begin working on it!

4
Q

How many custom tables do Standard SIR, Professional SIR, and Enterprise each receive?

A

Standard SIR: 5, Professional SIR: 5, Enterprise: 15

Once the bundled custom table limit is reached, providing access to additional custom tables requires a Now Platform App Engine subscription.

5
Q

What does Standard SIR contain?

A

Security Incident Response

5 custom tables

6
Q

What does Enterprise contain?

A
Security Incident Response
Vulnerability Response
Vulnerability Solution Management
Predictive Intelligence
Threat Intelligence
Performance Analytics 
Event Management For Security Operations
Security Incident Response Integration Bundles
Configuration Compliance
15 custom tables
7
Q

What does Professional SIR contain?

A
Security Incident Response
Predictive Intelligence
Threat Intelligence
Performance Analytics
Event Management for Security Operations
Security Incident Response Integration Bundles
5 custom tables

Side note: Configuration Compliance can be purchased independently.

8
Q

ServiceNow follows the basic guidelines of which organization's lifecycle?

A

National Institute of Standards and Technology (NIST)

9
Q

What are the 4 phases of the Incident Response Lifecycle?

A

Preparation -
Making sure the customer organization is appropriately trained, with the tools necessary to detect and respond to security incidents. Customers must define their business requirements (what they consider a security incident, their priorities, etc.) for the implementation, and it is imperative that they have already developed response plans with runbooks.

Detection and Analysis -
Detection originates from tools such as firewalls, intrusion detection systems, and logs from email or web gateways. Analysis is mainly a manual process (security analysts working the incident).

Containment, Eradication, and Recovery -
Containment (e.g. disconnecting the affected CI from the network) limits the impact of the security incident, preventing data loss or further malware contamination. Eradication seeks to fix the problem (e.g. patching, disinfecting, reimaging) based on the best course of action, usually guided by runbooks and established procedures. Recovery brings affected systems back into normal operation.

Post-Incident Activity -
Documentation of observations, along with the action(s) taken to address the problem and proposed changes for future improvement. This information is saved as a Knowledge Article for future reference.

10
Q

Fill in the blank
The ServiceNow Security Operations Business Unit has specified a Security Incident Response Customer Journey Maturity Model based on
___________, ___________, and ___________.

A

Modernize, Transform, and Innovate.

11
Q

A Security Incident is created in 1 of 2 ways. What are they?

A

Manual Incident Creation

Automatic Incident Creation

12
Q

What are the Security Incident Response Maturity Models?

A

Manual Operations - Using spreadsheets for tracking and email/calls/texts for communication

Basic Operations

Automated Investigation

Orchestrated Remediation

13
Q

Who are the reporting audiences?

A

Analysts - Need up-to-the-minute views, clear prioritization, and granularity

Managers - Need aggregations for priority and workload, drill-down to granularity, and time-period views

CIO/CISO - Need high-level overviews and a single clear indication of organizational health and function

14
Q

According to the schema map, what is the relationship between the Security Incident table and Task?

A

Security Incident [sn_si_incident] extends Service Order [sm_order] extends Task [task]
