Author: Stephen Laseau, Practice Lead - SecOps and GRC at Contender Solutions
As an MSSP, Secureworks has many customers that use ServiceNow's Security Incident Response (SIR) application to manage security events and incident response. To support these customers, a plugin was developed that embeds a Secureworks module within ServiceNow so that customers can work with Secureworks alerts from the platform.
Contender SecOps Team Develops a REST Integration
In early 2020, the Contender Solutions SecOps team developed a REST integration that retains the benefits of the Secureworks service while transferring its alerts into ServiceNow's Security Incident Response application, where the platform's automation and processing features can be applied to them.
The Secureworks integration provides coordinated alert management features such as:
- Consuming Secureworks alerts with low latency
- Alert acknowledgment (transfers ownership of the alert to the customer)
- Closing the alert within Secureworks once the security incident is closed within ServiceNow
- Closing the security incident within ServiceNow if the alert is closed within Secureworks
The integration is managed from the ServiceNow platform. Every few minutes (the interval is configurable) a REST API call is sent to Secureworks to obtain new and updated alerts. Security incidents are created or updated from those alerts, at which point SIR automation kicks in: assigning the incident to a triage team, pulling in threat intelligence, scoring risk on multiple factors including the business criticality of the at-risk asset, and executing the response workflow.
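To make the polling and bidirectional state handling concrete, here is an added example of a poll-and-sync loop of the shape described above. It is illustrative code written for this page, not the Contender Solutions plugin and not the Secureworks or ServiceNow APIs: both systems are in-memory stubs with constructed alerts, and the field names, status values, REST operations the stubs imitate, and the risk-scoring rule are all assumptions. The points it demonstrates are the ones a connector like this has to get right: an idempotent upsert keyed on the source alert id (so re-delivered alerts do not create duplicate incidents), a poll watermark advanced before the batch is acted on, and closure reconciliation in both directions that stops after one hop instead of ping-ponging.

```python
"""Poll-and-sync example for an alert-to-SIR integration (constructed stubs, not real APIs)."""
from dataclasses import dataclass


@dataclass
class Alert:
    """Constructed stand-in for a Secureworks alert (field names are assumptions)."""
    id: str
    host: str
    severity: str      # "LOW" | "MEDIUM" | "HIGH"
    status: str        # "OPEN" | "ACKNOWLEDGED" | "CLOSED"
    updated_at: int    # epoch seconds; the poll watermark is derived from this
    owner: str = "secureworks"


@dataclass
class Incident:
    """Constructed stand-in for a ServiceNow SIR record (field names are assumptions)."""
    number: str
    alert_id: str
    host: str
    priority: int      # 1 (highest) .. 4
    state: str         # "New" | "Closed"


class FakeSecureworks:
    """Imitates the alert REST API: list updates since a watermark, acknowledge, close."""

    def __init__(self, alerts):
        self.alerts = {a.id: a for a in alerts}

    def list_updated_since(self, watermark):
        # '>=' deliberately overlaps the previous window so a clock tie cannot drop an
        # update; the consumer must therefore be idempotent (keyed on alert id).
        return sorted((a for a in self.alerts.values() if a.updated_at >= watermark),
                      key=lambda a: a.updated_at)

    def acknowledge(self, alert_id, owner, now):
        a = self.alerts[alert_id]
        if a.status == "OPEN":                      # ownership moves to the customer
            a.status, a.owner, a.updated_at = "ACKNOWLEDGED", owner, now

    def close(self, alert_id, now):
        a = self.alerts[alert_id]
        if a.status != "CLOSED":                    # no-op when already closed
            a.status, a.updated_at = "CLOSED", now


class FakeServiceNow:
    """Imitates the SIR table plus the automation that runs on create/update."""
    ASSET_CRITICALITY = {"dc01": 1, "www1": 2}     # constructed CMDB lookup; default 4
    SEVERITY_RANK = {"HIGH": 1, "MEDIUM": 2, "LOW": 3}

    def __init__(self):
        self.incidents = {}                        # keyed by alert id -> idempotent upsert
        self._seq = 0

    def upsert(self, alert):
        """Create or update the incident for this alert; returns (incident, created)."""
        inc, created = self.incidents.get(alert.id), False
        if inc is None:
            self._seq += 1
            inc = Incident(f"SIR{self._seq:07d}", alert.id, alert.host, 4, "New")
            self.incidents[alert.id], created = inc, True
        # Constructed scoring rule: worst of alert severity and asset business criticality.
        inc.priority = min(self.SEVERITY_RANK[alert.severity],
                           self.ASSET_CRITICALITY.get(alert.host, 4))
        return inc, created

    def close(self, inc):
        inc.state = "Closed"


class Connector:
    """One scheduled poll: pull updates, upsert incidents, reconcile closures both ways."""

    def __init__(self, sw, sn, customer):
        self.sw, self.sn, self.customer = sw, sn, customer
        self.watermark = 0

    def poll(self, now):
        stats = {"created": 0, "acked": 0, "closed_in_servicenow": 0, "closed_in_secureworks": 0}
        batch = self.sw.list_updated_since(self.watermark)
        if batch:
            self.watermark = batch[-1].updated_at    # advance before mutating any alert
        for alert in batch:
            inc, created = self.sn.upsert(alert)
            stats["created"] += int(created)
            if alert.status == "CLOSED":
                if inc.state != "Closed":             # Secureworks closed it first
                    self.sn.close(inc)
                    stats["closed_in_servicenow"] += 1
            elif alert.status == "OPEN":
                self.sw.acknowledge(alert.id, self.customer, now)
                stats["acked"] += 1
        # Reverse direction: incidents closed by analysts close the source alert.
        # Both close() paths are guarded by the current state, which is what
        # prevents the two systems from bouncing the same closure back and forth.
        for inc in self.sn.incidents.values():
            if inc.state == "Closed" and self.sw.alerts[inc.alert_id].status != "CLOSED":
                self.sw.close(inc.alert_id, now)
                stats["closed_in_secureworks"] += 1
        return stats


def run_scenario():
    """Constructed end-to-end run over three polls; returns per-run stats and both systems."""
    sw = FakeSecureworks([
        Alert("a-1", "dc01", "MEDIUM", "OPEN", updated_at=100),
        Alert("a-2", "www1", "LOW", "OPEN", updated_at=110),
        Alert("a-3", "lap07", "HIGH", "OPEN", updated_at=120),
    ])
    sn = FakeServiceNow()
    c = Connector(sw, sn, customer="acme-soc")
    runs = [c.poll(now=200)]            # first run: 3 incidents created, 3 acknowledgments
    sn.close(sn.incidents["a-3"])       # an analyst closes a-3's incident in ServiceNow
    sw.close("a-1", now=250)            # Secureworks closes a-1 on its side
    runs.append(c.poll(now=300))        # second run: one closure propagated each way
    runs.append(c.poll(now=400))        # third run: re-delivered alerts, no state changes
    return {"runs": runs, "sw": sw, "sn": sn}
```

The third poll is the check worth keeping in a real connector's tests: because the stub overlaps the window with `>=`, the closed alerts are delivered again, and the only reason nothing happens is that every action is guarded by the current state on the other side. Drop those guards and the two systems will re-close each other on every cycle.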
As analysts work incidents, they can request updated data from Secureworks on demand. Other integrations can bring in additional context, such as the processes and services running on the affected host. The result is a single view of the information needed to respond to the malicious activity, and for analysts who need to work in Secureworks directly, a link to the alert is available on the security incident itself.
Customers get the data and automation required to respond to security threats rapidly, efficiently, and consistently, reducing the time to containment.