Closing the incident response gap: Q&A with Sean Convery of ServiceNow

Having your network breached is inevitable. The question is how fast can you detect the incident and respond.


A decade ago, security meant a big firewall at a single ingress point. All devices and applications were under IT’s tight control, so they did not create significant security risks. 

Today, everything has changed. The rise of cloud computing, BYOD, shadow IT, WiFi devices, software defined everything and other trends have blown up the tightly controlled model and created a rather chaotic system. 

Adding to the challenge is that attackers are getting smarter and targeting IoT systems and end users directly, which often bypasses the security technology. This is why some security experts say there are two types of organizations: those that have been breached and know about it, and those that have been breached and don’t know about it. 

In other words, getting breached is inevitable. The question is how fast the breach can be found. Standing in the way are manual processes, inadequate tools and departmental silos that cause unnecessary delay. The average time to find a breach today is over 200 days. Surely there must be a better way. 

Earlier this year at the RSA conference, ServiceNow launched its Security Operations product that can significantly cut down on the lag time between a security incident and response. To help understand the problem and how the solution works, I interviewed Sean Convery, vice president and general manager of ServiceNow’s Security Business Unit. 


Sean Convery, ServiceNow

ServiceNow is a $1 billion organization that started by helping IT modernize help desks and now automates many work tasks on its platform with service portals and other tools. It accomplishes this by focusing more on automating tasks and workflows instead of just sending more emails and text messages. The company took the platform and best practices and has now built it out for SecOps teams. 

Zeus: Why is the process of security response so hard to do?

Sean: Security response is a mess right now. Most companies have numerous vendors that can aggregate data and alerts, but there’s no methodology from there. This tends to be a very ad hoc process done with paper documents, home-grown databases, and spreadsheets. These need to instead be live workflows.

Zeus: Can you quantify the problem?

Sean: A recent study from Enterprise Strategy Group (ESG) surveyed 180 security officers and offered some interesting insights into the challenges facing rapid security response. For example, the top challenge regarding this topic is coordinating between security and IT teams. This underscores the manual nature of the process where tickets are ping-ponged between different groups. Another interesting data point is that 9 out of 10 respondents said incident response effectiveness is limited by the burden of manual processes. The Ponemon Institute found that it takes enterprises an average of 206 days to spot a breach and then 69 days to contain it. That certainly illustrates the magnitude of the problem. 

Zeus: Can you describe the new solution from ServiceNow?

Sean: The new product is a cloud service that is an extension of our leading automation and orchestration platform to transform the way organizations respond to threats. ServiceNow Security Operations gives both security and IT a single platform to respond to incidents. The product not only bridges the gap between IT and security but dramatically cuts down incident response time by eliminating manual processes and replacing them with automated ones. It’s a turnkey solution specifically designed to improve the incident response process.

Zeus: Can you give me an example of how the service works?

Sean: I’ll give you an actual customer example. A large financial services organization, I’ll call them “company,” has a big problem with phishing. They set up an email alias, where users can send suspected emails for the security teams to inspect. In theory, this is a good idea, but the problem is they get thousands of emails. Each email requires a security analyst to open the email and investigate whether it’s a real phishing email. This process is extremely tedious and wastes hundreds of man-hours. With Security Operations, each email is processed as a security incident. The URL inside the email is automatically extracted and then searched on a number of intelligence services. If it comes back as a “no” (not phishing) then it automates sending an email to the user that it’s ok to click on the link.

If it comes back as a “yes” (is phishing) then the platform checks with the firewall to see if it’s already blocked. If it’s confirmed as phishing and not blocked, then SecOps can take action to block it. At the end of the process, the incident can be closed, with an email sent to the user thanking them. 

Our automation capabilities significantly improve the “signal to noise” ratio with respect to security response and let SecOps and IT operations focus on strategic issues instead of filling out spreadsheets and doing redundant tasks. 
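The phishing triage workflow Sean describes, written out as an added illustration (this is not ServiceNow code, and the intel verdicts, firewall block list and mail addresses are constructed sample data). It goes one step beyond the interview by routing URLs with no intel verdict to an analyst instead of auto-closing them.

```python
import re
from dataclasses import dataclass, field

# Constructed sample data: threat-intel verdicts per URL and the set of
# URLs the firewall already blocks. Real deployments would query services.
INTEL_VERDICTS = {
    "http://login-example.test/verify": "phishing",
    "https://intranet.example.test/policy": "clean",
}
FIREWALL_BLOCKLIST = {"http://login-example.test/verify"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

@dataclass
class Incident:
    reporter: str
    urls: list
    state: str = "new"
    actions: list = field(default_factory=list)  # audit trail of what the workflow did

def extract_urls(body):
    """Pull distinct URLs out of the reported email body, dropping trailing punctuation."""
    return sorted({u.rstrip(".,;)") for u in URL_RE.findall(body)})

def triage(reporter, body, intel=INTEL_VERDICTS, blocklist=FIREWALL_BLOCKLIST):
    """Process one reported email as a security incident and return the record."""
    inc = Incident(reporter=reporter, urls=extract_urls(body))
    if not inc.urls:
        inc.actions.append("escalate:no_url_for_analyst")  # nothing to look up automatically
        inc.state = "needs_analyst"
        return inc
    verdicts = {u: intel.get(u, "unknown") for u in inc.urls}
    if any(v == "phishing" for v in verdicts.values()):
        for u, v in verdicts.items():
            if v != "phishing":
                continue
            # Check the firewall first; only queue a block when it is not already in place.
            if u in blocklist:
                inc.actions.append(f"firewall:already_blocked:{u}")
            else:
                inc.actions.append(f"firewall:block:{u}")
        inc.actions.append(f"notify_user:{reporter}:thanks_confirmed_phishing")
        inc.state = "closed"
    elif any(v == "unknown" for v in verdicts.values()):
        inc.actions.append("escalate:unknown_url_for_analyst")  # assumption: no silent auto-close
        inc.state = "needs_analyst"
    else:
        inc.actions.append(f"notify_user:{reporter}:safe_to_click")
        inc.state = "closed"
    return inc
```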

Zeus: How do your customers measure success with Security Operations?

Sean: Providing quantitative or even qualitative benefits of security products has historically been difficult, if not impossible, but that’s one reason why customers love our product. Security metrics mostly focus on trying to define how secure the business is by talking about the millions of events they capture. But this doesn’t define secure, it just means there’s lots of activity. Our metrics focus on mean time to identification (MTTI) and mean time to remediation (MTTR) and plot that over time to see how things are improving. Business leaders can then quickly understand that their investment is having a direct impact on threat response.
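How MTTI and MTTR can be computed as a trend from incident records, as an added example (not ServiceNow's code; the incident dates are constructed). Incidents that are identified but not yet remediated count toward MTTI for their month but are excluded from MTTR rather than being given a fake closing date.

```python
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed incident records: when the compromise began, when it was
# identified, and when it was remediated (None if still open).
INCIDENTS = [
    {"id": "INC1", "occurred": "2016-01-03", "identified": "2016-03-01", "remediated": "2016-04-10"},
    {"id": "INC2", "occurred": "2016-02-10", "identified": "2016-03-20", "remediated": "2016-04-01"},
    {"id": "INC3", "occurred": "2016-05-01", "identified": "2016-05-15", "remediated": "2016-05-20"},
    {"id": "INC4", "occurred": "2016-05-12", "identified": "2016-05-30", "remediated": None},
]

def _days(start, end):
    return (date.fromisoformat(end) - date.fromisoformat(start)).days

def monthly_trend(incidents):
    """Return {YYYY-MM: (MTTI days, MTTR days)} keyed by identification month.

    MTTI = occurred -> identified; MTTR = identified -> remediated.
    MTTR is None for a month where no incident has been remediated yet.
    """
    tti, ttr = defaultdict(list), defaultdict(list)
    for inc in incidents:
        month = inc["identified"][:7]
        tti[month].append(_days(inc["occurred"], inc["identified"]))
        if inc["remediated"] is not None:
            ttr[month].append(_days(inc["identified"], inc["remediated"]))
    return {m: (mean(tti[m]), mean(ttr[m]) if ttr[m] else None) for m in sorted(tti)}
```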

The second big piece of value is post-incident documentation. This is another area that’s historically tedious because all the manual, ad hoc processes need to be collated at the end of the incident to document what was done. We automate post-incident review documentation so organizations have a consistent read-only record they can leverage with their audit team or to feed back into their own knowledge base.

Lastly, being able to show incident counts or vulnerabilities on critical services is another way to quantify the value. For example, consider a critical service that is currently showing 40 vulnerabilities. If this number is trending upwards over time, that’s a problem requiring a change in resourcing.

The industry has been focused on prevention for decades, but Security Operations shows measurement. Being able to look at the constant attacks creates better results and improvement to let security teams be more consistent and proactive. 
