Understanding Security Incident Response
Summary
Security Incident Response (SIR) in ServiceNow Yokohama release enables organizations to manage the entire lifecycle of security incidents—from initial detection through containment, eradication, and recovery. It provides comprehensive visibility into incident response activities via analytic dashboards and reporting, helping teams identify trends and bottlenecks.
SIR integrates with third-party cybersecurity tools and offers automation and orchestration capabilities to enhance the efficiency and accuracy of incident handling. Access to security incidents and related data is tightly controlled using role-based permissions and ACLs to protect sensitive investigations.
Security Incident Response Process
- Discovery: Security incidents can be logged manually, generated internally, or created via integrations with external monitoring, alerting, or vulnerability tracking systems. Incidents may also be submitted through the service catalog.
- Analysis: The Security Incident form adapts to the selected view (e.g., default, Non-IT Security, Security ITIL), showing related vulnerabilities, incidents, changes, problems, and tasks on the affected Configuration Items (CIs). The system can cross-reference the NIST National Vulnerability Database (NVD) for known vulnerabilities, or third-party detection tools for malware and other threats. Business service maps help identify other impacted systems for deeper analysis.
- Containment, Eradication, and Recovery: Tasks can be assigned to different teams for remediation. Business service maps facilitate creating tasks, changes, and problems across all affected systems, supporting coordinated response efforts including communications and bridge calls.
- Review: After resolution, post-incident reviews can be conducted to evaluate the response. This may include meetings, surveys, and automatically generated reports summarizing timelines, incident types, related records, and resolution details. Lessons learned can be documented in knowledge base articles to improve future responses.
Security and Access Control
SIR restricts access to users holding specific security roles to maintain confidentiality. Users who hold only the IT system administrator (admin) role are blocked unless explicitly granted a security role. With administrator lockdown enabled, an IT System Administrator cannot access security incidents, SIR profile information, or SIR navigation modules even when impersonating a user who holds SIR admin roles, and cannot change the passwords of those users.
Key Terminology
- Active: Security incidents that are not closed or cancelled.
- Administrator Lockdown: Mechanism to restrict SIR access to authorized security personnel only.
- Inbound Security Requests: Low-impact security demand submissions like badge requests.
- Response Tasks: Assigned tasks tracking response actions to threats.
- Security Incident Treemaps: Visual charts displaying hierarchical security incident data.
- Threat Lookup: Requests for scanning files, URLs, or IPs for malware via the security incident catalog.
- Vulnerability Scan: Scans initiated from incidents to identify vulnerabilities on affected resources.
Practical Benefits for ServiceNow Customers
- Streamlines security incident management with structured workflows from detection to resolution.
- Leverages analytics and reporting to improve incident response processes and identify improvement areas.
- Integrates with external security tools to automate threat detection and response activities.
- Protects sensitive security data through role-based access controls.
- Supports continuous improvement via post-incident reviews and knowledge base creation.
- Enables assignment and tracking of response tasks across multiple teams and systems.
With Security Incident Response (SIR), manage the life cycle of your security incidents from initial analysis to containment, eradication, and recovery. Security Incident Response enables you to get a comprehensive understanding of incident response procedures performed by your analysts, and understand trends and bottlenecks in those procedures with analytic-driven dashboards and reporting.
Built-in integrations with third-party cybersecurity solutions, and partner-developed integrations from the ServiceNow Store, enable security automation and orchestration for efficient and accurate incident response.
Security Incident Response information flow
Security Incident Response employs the following flow of information, from integration through investigation, and then on to resolution and review.
Discovery
- Manually, from the Security Incident form
- From events that are spawned internally or generated by external monitoring, alerting, or vulnerability tracking systems, and converted into security incidents by alert rules
- Directly from integrations with external monitoring or tracking systems
- From the service catalog
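The integration path above (an external monitoring system creating security incidents) is normally implemented against the standard ServiceNow Table API, where SIR stores security incidents in the sn_si_incident table. The following is an added example, not ServiceNow's own code: it maps a constructed SIEM alert onto task-level fields of sn_si_incident and uses correlation_id plus the page's own definition of an active incident (not closed, not cancelled) so that a re-fired alert attaches to the open case instead of opening a duplicate. The instance URL, credentials, alert shape, severity-to-priority mapping and the FakeTransport stand-in are assumptions made for the example.

```python
"""Push a SIEM alert into ServiceNow Security Incident Response (SIR) as a
security incident, using the standard Table API against the sn_si_incident
table. Constructed example: the alert, instance URL, credentials and the
severity-to-priority mapping are made up, not taken from the page."""
import base64
import hashlib
import json
from dataclasses import dataclass
from typing import Callable, Optional
from urllib import request
from urllib.parse import urlencode

SIR_TABLE = "sn_si_incident"  # SIR security incident table; extends task

# Assumed mapping from the SIEM's severity labels to SIR priority (1 = critical).
PRIORITY_BY_SEVERITY = {"critical": "1", "high": "2", "medium": "3", "low": "4"}


@dataclass
class Alert:
    """Minimal alert shape as a SIEM or EDR might emit it (constructed)."""
    rule: str
    severity: str
    host: str
    source_ip: str
    description: str


def fingerprint(alert: Alert) -> str:
    """Stable key for de-duplication: a rule that re-fires for the same host and
    source must land on the existing security incident, not open a new one."""
    raw = f"{alert.rule}|{alert.host}|{alert.source_ip}".encode()
    return "siem-" + hashlib.sha256(raw).hexdigest()[:32]


def build_payload(alert: Alert) -> dict:
    """Map the alert onto task-level fields of sn_si_incident. Priority falls
    back to 4 (low) for severities the mapping does not know."""
    return {
        "short_description": f"[SIEM] {alert.rule} on {alert.host}",
        "description": (
            f"{alert.description}\n\nHost: {alert.host}\n"
            f"Source IP: {alert.source_ip}\nSIEM severity: {alert.severity}"
        ),
        "priority": PRIORITY_BY_SEVERITY.get(alert.severity.lower(), "4"),
        "correlation_id": fingerprint(alert),  # key for the duplicate check
    }


# transport(method, url, body, headers) -> decoded JSON response
Transport = Callable[[str, str, Optional[bytes], dict], dict]


def http_transport(method: str, url: str, body: Optional[bytes], headers: dict) -> dict:
    """Real HTTP call via urllib; FakeTransport below replaces it offline."""
    req = request.Request(url, data=body, method=method, headers=headers)
    with request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


class FakeTransport:
    """Offline stand-in for an instance (constructed): records every call and
    answers the GET with an existing sys_id when one was configured."""
    def __init__(self, existing: Optional[str] = None):
        self.existing = existing
        self.calls = []

    def __call__(self, method, url, body, headers):
        self.calls.append((method, url, body))
        if method == "GET":
            return {"result": [{"sys_id": self.existing}] if self.existing else []}
        return {"result": {"sys_id": "new0000000000000000000000000001"}}


def create_or_find(base_url: str, user: str, password: str, alert: Alert,
                   transport: Transport = http_transport) -> str:
    """Return the sys_id of the security incident for this alert, creating one
    only if no active record already carries the same correlation_id."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Accept": "application/json",
               "Content-Type": "application/json"}
    payload = build_payload(alert)
    # 'active=true' is the page's definition of an active incident (not closed,
    # not cancelled), so a re-fired alert attaches to the open case.
    query = urlencode({
        "sysparm_query": f"active=true^correlation_id={payload['correlation_id']}",
        "sysparm_fields": "sys_id",
        "sysparm_limit": "1",
    })
    found = transport("GET", f"{base_url}/api/now/table/{SIR_TABLE}?{query}", None, headers)
    if found.get("result"):
        return found["result"][0]["sys_id"]
    created = transport("POST", f"{base_url}/api/now/table/{SIR_TABLE}",
                        json.dumps(payload).encode(), headers)
    return created["result"]["sys_id"]


if __name__ == "__main__":
    sample = Alert(rule="Credential dumping via LSASS access", severity="High",
                   host="ws-0421", source_ip="10.20.30.40",
                   description="EDR flagged a non-system process reading LSASS memory.")
    print(create_or_find("https://example.service-now.com", "siem-bot", "secret",
                         sample, FakeTransport()))
```

The service account used for this call should hold only the roles needed to create and query security incidents; with administrator lockdown in place, a plain admin account would be refused access to sn_si_incident, which is the intended behaviour rather than something to work around.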
Analysis
Depending on the view you are using (default, Non-IT Security, Security ITIL, and so on), the Security Incident form can show any combination of vulnerabilities, incidents, changes, problems, and tasks on the affected CI and affected CI groups. The system can identify known vulnerabilities by cross-referencing the NIST National Vulnerability Database (NVD), and malware, viruses, and other threats through third-party detection software. As security incidents are resolved, you can use any incident to create a security knowledge base article for future reference.
Perform further analysis using a business service map to locate other systems or business services that may also be affected.
Containment, Eradication, and Recovery
As you monitor and analyze the incident and its vulnerabilities, you can create and assign tasks to other departments. From a business service map you can create tasks, problems, or changes for all affected systems, and track the supporting activities of the response, such as documents, SMS messages, and bridge calls.
Review
- Conduct a meeting to discuss the incident and gather responses.
- Write and distribute, to the teams who worked on the incident, a list of resolution review questions designed for each category or priority of incident.
- Alternatively, incident managers can write the report and gather the information on their own. The post incident report covers:
  - a summary of what was done
  - the timeline
  - the type of security incident encountered
  - all related incidents, changes, problems, tasks, and CI groups
  - the details of the resolution
Request apps on the Store
Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.
Security Incident Response Terminology
| Term | Definition |
|---|---|
| Active | Any security incident not in the closed or cancelled state. |
| Administrator lockdown | The ability to restrict Security Incident Response access to personnel with security-related roles and ACLs. |
| Inbound security requests | Requests submitted for low-impact security demands, such as requesting a new electronic badge. |
| Post incident review | A review of the origins and handling of a security incident. The final product is a post incident report, which documents all actions performed and the reasons for doing them. |
| Response tasks | Tasks assigned to a security incident for tracking actions in response to the threat. |
| Security incident calculators | Calculators that update record values (for example, priority) when pre-configured conditions are met. |
| Security incident treemaps | Chart type that hierarchically shows security incident data in the form of nested rectangles. |
| Threat lookup | A request submitted from the security incident catalog for scanning files, URLs, and IP addresses for malware. |
| Vulnerability scan | A request initiated from the Security Incident form for scanning affected resources (servers, computers, and other configuration items) for vulnerabilities. |