Automation is increasingly sought after by the Security Operations Center (SOC). This is driven by an ever-widening cybersecurity skills gap, which is exacerbated by the volume of security data and alerts that need to be analyzed. To address this, SOC teams are turning to tools such as security orchestration, automation and response (SOAR) systems.
However, in our interactions with customers, we see a great deal of frustration among organizations that have deployed SOAR. This frustration stems largely from SOAR's inability to digest the volume of data and alerts generated by the many sensors in the environment, let alone the correlation and decision-making capability needed to detect malicious behavior. When this happens, organizations miss out on the benefits of automation, especially in incident remediation, which is the first thing SOAR was meant to solve.
The time, effort and cost required to write scripts for automated incident remediation are very high, which compounds this frustration. In addition, the scripts must be maintained over time to keep up with changing tactics, techniques and procedures (TTPs). But if SOAR cannot find the incident in the first place, or cannot monitor the data at scale when necessary, then scripts for automated remediation are of little value.
As we announced last fall, the Respond Analyst is integrated with ServiceNow Security Operations. Through this integration, the Respond Analyst relieves ServiceNow of the burden of front-end alert monitoring, triage and scoping. Once an incident is identified and false positives are discarded, the Respond Analyst forwards only the malicious incidents that need remediation. From there, ServiceNow Security Operations automatically performs remediation actions to close the incident.
Unlocking SOAR through extended detection and response (XDR)
The Respond Analyst is Respond Software's XDR engine. It enables organizations to unlock the true automation capability of their SOAR deployment by analyzing and triaging events before they are delivered to the SOAR system. The Respond Analyst scales to handle millions of events, escalates actionable malicious incidents to SOAR for remediation, and filters out false positives. Unlike SOAR, however, the Respond Analyst does not need to be coded, customized or maintained over time, so time to value can be measured in hours. Feeding SOAR with the Respond Analyst reduces attacker dwell time, resolves security issues faster through additional automation, and improves collaboration between analysts.
Respond Analyst and ServiceNow integration
When a new incident is created in the Respond Analyst, it uses the account specified in the integration configuration settings to make API calls to ServiceNow and push all of the fields mapped in the Import Set web service. Security analysts do not need to manually open a case in ServiceNow and populate it with the relevant information; when an incident is detected, the Respond Analyst does this automatically, and as new events are scoped into the incident it continues to update the case in ServiceNow.
When a Respond incident is updated with new information, the Respond Analyst updates the incident in ServiceNow.
The Respond Analyst records the ServiceNow case number and links back to the incident in the ServiceNow Security Operations console.
A link back to the Respond incident is included in the data pushed to the ServiceNow incident. If needed, this can be used to access the incident details and proactively close the incident in the Respond Analyst.
On an ongoing basis, the Respond Analyst polls ServiceNow for the status of the incident, and if the incident in ServiceNow has been closed, the Respond Analyst closes its corresponding incident. If the user has defined the optional settings that map the returned *FEEDBACK* value, those settings are used to close the incident; if they are not set, the incident is closed with an "uncertain" resolution in the Respond Analyst.
If the user closes the incident in the Respond Analyst UI, Respond will not close the incident in ServiceNow, and will stop polling ServiceNow for that incident's status.
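The create/update/poll/close lifecycle described above, as an added example that is not Respond Software's or ServiceNow's code. The `FakeServiceNow` class is a constructed in-memory stand-in for the Import Set web service and the case record it creates; the field names, the `SIR` case numbering, the `respond_link` field and the `FEEDBACK` mapping are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class RespondIncident:
    """Minimal model of an incident on the Respond side (constructed)."""
    incident_id: str
    summary: str
    scoped_events: List[str] = field(default_factory=list)
    snow_number: Optional[str] = None   # ServiceNow case number, once created
    status: str = "open"
    resolution: Optional[str] = None
    polling: bool = False               # still asking ServiceNow for status?


class FakeServiceNow:
    """Constructed stand-in for the ServiceNow Import Set web service and the
    case record it creates. Field names are assumptions, not the real schema."""

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}
        self._counter = 0

    def import_set(self, fields: dict) -> str:
        """Create a case from the mapped fields and return its case number."""
        self._counter += 1
        number = f"SIR{self._counter:07d}"
        self._records[number] = dict(fields, number=number, state="open", feedback=None)
        return number

    def update(self, number: str, fields: dict) -> None:
        self._records[number].update(fields)

    def get(self, number: str) -> dict:
        return dict(self._records[number])

    def close(self, number: str, feedback: Optional[str] = None) -> None:
        """Simulate a ServiceNow user closing the case, optionally with FEEDBACK."""
        self._records[number].update(state="closed", feedback=feedback)


class Integration:
    """Push on create/update, poll for closure, honour closes made in the Respond UI."""

    def __init__(self, snow: FakeServiceNow, respond_base_url: str,
                 feedback_map: Optional[Dict[str, str]] = None) -> None:
        self.snow = snow
        self.respond_base_url = respond_base_url
        # Optional user-defined mapping of returned FEEDBACK values to Respond
        # resolutions; None means the optional setting was never configured.
        self.feedback_map = feedback_map

    def _mapped_fields(self, inc: RespondIncident) -> dict:
        return {
            "short_description": inc.summary,
            "event_count": len(inc.scoped_events),
            # Link back so a ServiceNow user can open or close the Respond incident.
            "respond_link": f"{self.respond_base_url}/incidents/{inc.incident_id}",
        }

    def on_incident_created(self, inc: RespondIncident) -> str:
        inc.snow_number = self.snow.import_set(self._mapped_fields(inc))
        inc.polling = True
        return inc.snow_number

    def on_incident_updated(self, inc: RespondIncident) -> None:
        if inc.snow_number and inc.status == "open":
            self.snow.update(inc.snow_number, self._mapped_fields(inc))

    def poll(self, inc: RespondIncident) -> Optional[str]:
        """Ask ServiceNow for status; close the Respond incident if the case is
        closed. Returns the resolution applied, or None if nothing changed."""
        if not inc.polling or inc.snow_number is None:
            return None
        rec = self.snow.get(inc.snow_number)
        if rec["state"] != "closed":
            return None
        if self.feedback_map is not None:
            resolution = self.feedback_map.get(rec["feedback"], "uncertain")
        else:
            resolution = "uncertain"
        inc.status, inc.resolution, inc.polling = "closed", resolution, False
        return resolution

    def on_closed_in_respond_ui(self, inc: RespondIncident) -> None:
        """Closing in Respond leaves the ServiceNow case alone; it only stops polling."""
        inc.status = "closed"
        inc.polling = False


def demo_run(feedback_map: Optional[Dict[str, str]]) -> RespondIncident:
    """Walk one constructed incident through create -> update -> ServiceNow close -> poll."""
    snow = FakeServiceNow()
    integ = Integration(snow, "https://respond.example.invalid", feedback_map)
    inc = RespondIncident("inc-42", "Suspected lateral movement", ["evt-1"])
    integ.on_incident_created(inc)
    inc.scoped_events.append("evt-2")       # a new event scoped into the incident
    integ.on_incident_updated(inc)
    snow.close(inc.snow_number, feedback="true_positive")
    integ.poll(inc)
    return inc
```

The two branches worth checking are the ones the text calls out: a case closed in ServiceNow with a configured FEEDBACK mapping resolves the Respond incident through that mapping, while the same closure without the mapping yields "uncertain"; and an incident closed in the Respond UI stops polling without touching the ServiceNow case.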
Summary
The Respond Analyst investigates, scopes, categorizes and correlates incidents to improve the incident remediation capabilities of ServiceNow Security Operations. With the Respond Analyst, security analysts can stop watching the console all day and start investigating incidents, making better use of their time. The combination of the Respond Analyst and ServiceNow Security Operations shortens the duration of attacks for customers who have, or are considering, both solutions.
More information about the Respond Analyst and SOAR:
The Respond Analyst, an XDR Engine | ServiceNow Security Operations Integration
Is the Respond Analyst a SOAR tool?
Incorporating automation into SOAR
The post Integrating the Respond Analyst, an XDR Engine with ServiceNow Security Operations appeared first on Respond Software.
*** This is a Security Bloggers Network syndicated blog from Respond Software, authored by Mike Reynolds. Read the original post at: https://respond-software.com/integrating-the-respond-analyst-an-xdr-engine-with-servicenow-security-operations/