Exploring Security Operations

  • Release version: Washingtondc
  • Updated February 6, 2025

    Protect your assets and enterprise environment with ServiceNow Security Operations applications and the power of the ServiceNow AI Platform®. Connect your security and IT teams to help you prioritize and resolve threats based on the impact they pose to your organization.

    Security Operations overview

    The Security Operations suite of applications helps you protect your assets by improving your overall security posture. For example, by integrating applications such as Security Incident Response, Vulnerability Response, and Security Posture Control with your existing security tools, your Security Operations Center (SOC) analysts, managers, and IT teams can:
    • Respond to rapidly evolving cyber and security threats
    • Identify, prioritize, and remediate vulnerabilities
    • View your complete asset inventory
    • Determine your overall security tool coverage

    Security Operations applications for workflows

    The Security Operations applications fall under two broad categories for Security Operations workflows:
    • Attack surface management - Applications and tools that help you anticipate, understand, and close your vulnerabilities.
    • Enterprise security case management - Applications and tools that help you move quickly to respond to critical incidents.

    Figure 1. Security workflows: the Security Operations applications and workflows organized by category, and the use cases they help you address in your enterprise environment.

    Benefits of the Security Operations applications

    View Security Operations applications and data with next-generation user interfaces (workspaces). With workspaces, the security analysts, Security Operations Center (SOC) managers, and remediation specialists in your organization can monitor and manage the following types of workflows from one location:
    • The life cycle of security incidents from an initial analysis to containment, eradication, and recovery.
    • The vulnerabilities that they care the most about so they can decide strategically which vulnerabilities they send to IT teams to fix.
    • Key insights and key use cases for security tool coverage and asset hygiene that report and monitor imported information about your assets.

    Attack surface management applications

    Table 1. Applications that help you anticipate threats and identify vulnerabilities

    Application: Security Posture Control
    Description:
    Gain insights into how well security tools are deployed and covering your assets, based on an asset inventory and imported data. Service graph connectors and ServiceNow products such as Hardware Asset Management (HAM) and ITOM Discovery are supported for data imports.

    Audits based on policies help you prioritize the remediation of high-risk combinations such as internet exposure and known vulnerabilities. Create custom policies and insights to monitor the compliance of assets with your internal security tool configuration standards.
    Users:
    • CISO
    • Information security analyst
    • Security operations manager
    • IT Operations engineer
    • Service owner (remediation owner persona)

    Application: Vulnerability Response
    Description:
    Third-party vulnerability scanners and assessment tools help you identify the risks that vulnerabilities pose to the following types of assets:
    • Infrastructure (host)
    • Container
    • Applications
    • Software bill of materials

    Vulnerabilities that are identified by these tools translate as risks to the security and IT teams responsible for maintaining and securing an organization’s assets.
    Users:
    • CISO
    • Information security analyst
    • Security operations manager
    • IT Operations engineer
    • Service owner (remediation owner persona)

    Application: Configuration Compliance
    Description:
    Verify your compliance with security or corporate policies.

    Identify, prioritize, and remediate non-compliant configuration items with test results obtained from third-party Secure Configuration Assessment (SCA) integrations.
    Users:
    • CISO
    • Information security analyst
    • Security operations manager
    • IT Operations engineer
    • Service owner (remediation owner persona)

    Enterprise security case management applications

    Table 2. Applications that help you respond to critical security breaches and incidents

    Application: Security Incident Response
    Description:
    Simplify the process of identifying critical incidents by applying powerful workflow and automation tools that speed up remediation.

    Integrate your existing Security Information and Event Management (SIEM) tools with Security Incident Response and Security Operations applications to import threat data from various sources and automatically create prioritized security incidents.
    Users:
    • CISO
    • Information security analyst
    • Security operations manager
    • Threat intelligence analyst

    Application: Major Security Incident Management
    Description:
    The major security incident management capabilities work with the existing Security Incident Response product capabilities. This includes the ability for a security analyst to escalate a standard security incident to a major security incident, so that the additional product capabilities are available to support the remediation process.

    Track the progress of a Major Security Incident (MSI) from discovery through analysis, proposed solutions, promotion and linking of related security incidents, and closure.
    Users:
    • CISO
    • Information security analyst
    • Security operations manager
    • IT Operations engineer
    • Service owner (remediation owner persona)
    • General counsel

    Application: Data Loss Prevention Incident Response
    Description:
    The Data Loss Prevention Incident Response (DLP IR) application permits you to review and manage the remediation workflow of DLP incidents from multiple sources, such as endpoint, network, email, and cloud.

    With the DLP IR application, you can identify, respond to, and protect your data loss channels.
    Users:
    • CISO
    • Information security analyst
    • Security operations manager

    Application: Threat Intelligence
    Description:
    Allows incident response teams to automate threat lookups, searches, and correlation. The integration with MITRE ATT&CK permits you to measure and understand detection and mitigation coverage and assists with threat hunting.
    Users:
    • CISO
    • Information security analyst
    • Security operations manager
    • Threat intelligence analyst

    Application: Threat Intelligence Security Center (TISC)
    Description:
    Aggregate, curate, and manage threat intelligence from multiple sources and conduct threat intelligence case management. Track campaigns, operationalize threat intelligence, and respond to actionable intelligence.
    Users:
    • CISO
    • Information security analyst
    • Security operations manager
    • Threat intelligence analyst
