Some would liken the ServiceNow Security team to a silent but highly skilled group of warriors working continuously to protect our customers and our services. To deliver that, we have to ensure our company, people, and assets are secure.
The fact is that our Security team is much more than that. They work tirelessly behind the scenes to constantly enrich ServiceNow’s security posture. This includes continuously automating many of our tools and processes so they can focus on the security threats that truly matter.
One example is phishing threats. We’re all familiar with those emails that try to lure us into clicking on links that will spread malware or inadvertently compromise a system. Since phishing affects everyone within a company, most organizations deal with this by setting up an email address to which employees can forward suspicious emails. Each forwarded email then prompts the security team to review it. Inherent delays in that process mean greater risks.
Chris Peake, global senior director for information security at ServiceNow, says, “We had to make it easier for our employees to report what they believe might be a suspicious email and simultaneously make it easier for our security analysts to process the reported phishing events.”
The Security team added a button in both the desktop and mobile versions of Outlook. Now when employees see a suspicious email, they can click the button in Outlook. An incident is automatically generated and sent directly into ServiceNow Security Incident Response for security analysis.
The result was higher reporting among employees because of the simplicity and ease. During Q4 2019, we sent more than 19,000 simulated phishing emails, with workflow automation (via ServiceNow Security Incident Response). We sent 30% more emails this year compared to Q4 2018. With more emails, we were able to raise awareness and increase employee preparedness for real-world phishing attacks. We saw no impact on our response team because automation eliminates the manual triage.
The improvements didn’t stop there. Security also began automating the process to wipe phishing emails on the Exchange server, a manual task previously done by security analysts. “As a result, we were able to improve analyst efficiency, enabling us to increase the number of phishing tests that we sent out to our employees,” Peake says. “That keeps internal awareness high and helps us be more prepared for the real-world attacks.”
Another headache for security analysts is password updates. Employees are required to regularly reset their passwords, but inevitably they forget the new passwords.
“It’s a huge resource burden for the security team,” says Peake. “When we see someone trying to log into an account multiple times in a row, that can either be somebody who forgot their password or an outsider trying to brute force attack an account. But each event had to be investigated.”
After multiple failed login attempts, employees now receive an email that asks if they’re responsible for this suspicious-looking activity. They can reply yes or no. This small step helps security analysts spend their time on real threats.
Automation lowers attrition
By using the Now Platform®, our security team can also respond more quickly to customers.
“I lead the team that handles customer-facing security, ensuring our customers have the information that they need,” Peake says. Ongoing conversations between the ServiceNow field security team and customers are part of the ongoing human element of security work—sharing ideas, comparing threats, and identifying emerging trends.
If a new security requirement or threat emerges during these chats, Peake encourages the field security team to initiate a service ticket from their phone or laptop at that moment. “This isn’t a distraction from the job, but integral to doing it well. We can show our customers how fast and easy it can be to protect their environments with a few clicks,” says Peake.
“As many of their manual tasks are automated, security analysts have found that they are happier at work because they are working on real threats, not scrambling between systems to manually fix issues,” Peake noted. “Our folks are enjoying what they do. Right after we automated our security capabilities, we didn’t have any attrition because analysts were working on the most valuable and interesting part of our jobs—stopping threats.”
Now, Peake adds, he faces a different problem: Talent is getting snapped up by our customers “because they need the expertise to improve their own security operations using our products.”
For some companies this might sound like an unfortunate turn of events, but Peake doesn’t look at it that way. ServiceNow’s security products and expertise are being diffused worldwide, and he sees that as a net win for both the company and the industry.
“What’s good for cloud security is good for all of us,” adds Peake.
© 2020 ServiceNow, Inc. All rights reserved.