Secureworks to ServiceNow - Bridging the Gap


Written By: Contender Solutions

Author: Stephen Laseau, Practice Lead - SecOps and GRC at Contender Solutions

Secureworks, a subsidiary of Dell Technologies, is an MSSP that provides information security services to protect computers, networks, and information assets from bad actors. The Secureworks platform utilizes machine learning supported by human intelligence to identify and prevent threats quickly.

As an MSSP, Secureworks has many customers that utilize ServiceNow’s Security Incident Response (SIR) for managing events and incident response. To support these customers, a plugin was developed that embeds a Secureworks module within ServiceNow, allowing customers to interact with Secureworks alerts.

While this approach is sufficient for some customers, it does not take advantage of core SIR functionality such as risk scoring based on asset criticality, advanced assignment, workflow, or the integrations required by advanced customers.

Contender SecOps Team Develops a REST Integration

In early 2020, the Contender Solutions SecOps team developed a REST integration that takes advantage of the considerable benefits of Secureworks while transferring alerts to ServiceNow’s Security Incident Response application, which provides access to its vast automation and processing features.

The Secureworks integration provides coordinated alert management features such as:

  • Consuming Secureworks alerts with low latency
  • Alert acknowledgment (transfers alert ownership to the customer)
  • Closing alerts within Secureworks once closed within ServiceNow
  • Closing the security incident within ServiceNow if closed within Secureworks

The integration with Secureworks is managed from the ServiceNow platform. Every few minutes (configurable), a REST API call is sent to Secureworks to obtain new and updated alerts. Security incidents are created or updated, at which point SIR automation kicks in. This includes assigning to a triage team, pulling in threat intelligence, scoring risk based on multiple factors including the business criticality level of the at-risk asset, and execution of the workflow.
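The polling cycle and the two-way close behaviour listed above come down to one reconciliation step per poll: match each returned alert to its security incident, open or close incidents as the alert feed changes, and push acknowledgements and closures back to the MSSP. The following is an added example of that step and is not code from Contender Solutions, Secureworks or ServiceNow; the alert and incident record shapes, the state names, and the action types are assumptions, and the REST transport and table writes are left to the caller, which performs the returned actions.

```javascript
// Assumed record shapes (not the real Secureworks or SIR schemas):
//   alert    = { id, status: 'open' | 'acknowledged' | 'closed', updated: <number> }
//   incident = { alertId, state: 'Draft' | 'Analysis' | 'Closed', lastSeen, acked, closeSent }
// `incidents` is a Map keyed by alert id and stands in for the SIR table.
function reconcile(alerts, incidents) {
  const actions = [];                                  // side effects for the caller
  const byId = new Map(alerts.map(a => [a.id, a]));    // alerts returned by this poll

  // Upstream -> ServiceNow: open incidents for new alerts, close when the MSSP closes.
  for (const a of alerts) {
    let inc = incidents.get(a.id);
    if (!inc) {
      if (a.status === 'closed') continue;             // resolved before we ever saw it
      inc = { alertId: a.id, state: 'Draft', lastSeen: a.updated, acked: false, closeSent: false };
      incidents.set(a.id, inc);
      actions.push({ type: 'create_incident', alertId: a.id });
      continue;
    }
    if (a.updated <= inc.lastSeen) continue;           // unchanged since the last poll
    inc.lastSeen = a.updated;
    if (a.status === 'closed' && inc.state !== 'Closed') {
      inc.state = 'Closed';
      actions.push({ type: 'close_incident', alertId: a.id });
    }
  }

  // ServiceNow -> upstream: acknowledge once triage starts (ownership transfers to the
  // customer), and close the alert when analysts close the incident. Each is sent once.
  for (const inc of incidents.values()) {
    const a = byId.get(inc.alertId);
    if (!a) continue;                                  // alert not in this poll window
    if (inc.state !== 'Draft' && !inc.acked) {
      inc.acked = true;
      if (a.status === 'open') actions.push({ type: 'acknowledge_alert', alertId: inc.alertId });
    }
    if (inc.state === 'Closed' && a.status !== 'closed' && !inc.closeSent) {
      inc.closeSent = true;
      actions.push({ type: 'close_alert', alertId: inc.alertId });
    }
  }
  return actions;
}
```

Because the poll is repeated every few minutes, the step must be idempotent: an unchanged alert produces no action, and each acknowledgement or closure is sent upstream exactly once.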

As analysts work on incidents, they can proactively request updated data from Secureworks on the fly. Additionally, other integrations can bring in critical information such as running processes and services. The result of this automation is a single pane of glass providing vast information for combating malicious activity. In the event the analyst needs to access the alert within Secureworks, a link is available directly on the security incident.

The result provides customers with the data and automation required to respond to security threats in a rapid, efficient, and consistent manner, ensuring the quickest time to containment.

Contact us to learn more about the Secureworks integration.