SplunkLive! Customer Presentation--ServiceNow
Download as PPTX, PDF•4 likes•3,986 views
ServiceNow is an enterprise IT cloud company that transforms IT by automating and managing IT across organizations. It has over 2300 customers and 2100 employees. Justin Dolly is the CISO of ServiceNow. Previously, ServiceNow's security tools were disparate and information was difficult to access. ServiceNow now collects over 400GB of data daily with Splunk, using it as their SIEM to provide threat identification, event correlation, and compliance reporting across the enterprise. Events detected by Splunk trigger actions that push data into ServiceNow, where a security team analyzes events and elevates potential incidents for investigation.
SplunkLive! Customer Presentation--ServiceNow
- 1. Copyright © 2014 Splunk Inc. Justin Dolly CISO ServiceNow ServiceNow + Splunk Integration
- 2. 2 ServiceNow Overview ServiceNow is the enterprise IT cloud company. We transform IT by automating and managing IT across the global enterprise. Organizations deploy our service to create a single system of record for IT and automate manual tasks, standardize processes, and consolidate legacy systems. Using our extensible platform, our customers create custom applications and evolve the IT service model to service domains inside and outside the enterprise Founded in 2004 IPO in June 2012 2300+ customers 2100+ employees 2013= $470m revenue
- 3. 3 ServiceNow Overview Single system of record for IT Single Cloud Platform Robust Suite of IT Applications Custom Application Development Enterprise Cloud Infrastructure Lights-out, zero-touch automation Powerful Business Intelligence Reporting Accelerate time-to-value
- 4. 4 My Background and Role Justin Dolly, VP & CISO at ServiceNow Former CISO at VMware Previously held security and technology leadership roles at – Kaiser Permanente, – CNET Networks / CBS Interactive, – Macromedia – Wells Fargo Bank
- 5. 5 Security Challenges Most Security teams now have budget, staff & tools Having many tools can be cumbersome & inefficient Security teams typically work in a Silo Our Situation, a year ago: Log Analytics and Service Management were disparate systems Need threat identification and event correlation Information is there, but it’s difficult to access Needed to address compliance and audit reporting needs
- 6. 6 Splunk @ ServiceNow Today Collecting over 400GB/ day and growing Enterprise Security is our SIEM collecting threat intelligence data and providing actionable results ‘Single pane of glass’ view across enterprise for threat identification and event correlation Splunk alerts trigger script actions which push events into ServiceNow via SOAP and XML Events are analyzed by a dedicated Security Operations team
- 7. 7 Splunk @ ServiceNow Today Syslog Events • Network • Firewall • F5 LTM/ASM • Wireless IDS Syslog Store and Forward Splunk Indexers SplunkES Search Head Splunk Search Head ServiceNow Security Instance Event Console
- 8. 8 Integration Overview Custom built integration using the Splunk REST APIs and ServiceNow APIs Splunk is periodically queried for security related events Script actions push event data into ServiceNow instance events table Business rules extract unique identifiers from the events table for de- duplication and correlation Security analyst reviews events in the ServiceNow console and elevates events to incidents for investigation New event data received is automatically associated to open incidents Open incidents drive response activities and workflow across the organization
- 9. 9 What’s Next We continue to grow quickly Big Data analytics also grows in importance Leveraging the new Splunk integration with ServiceNow Event Management Console (newly released in Eureka) Integration with ServiceNow Threat Intelligence Portal
- 10. 10 Top Takeaways Embrace the mind-shift in Security – Re-think the relationship between your systems, processes, and people – The traditional tools won’t save you Technology when done right is extremely liberating – Applying threat intelligence and real-time analytics makes response activity faster & more accurate The only metric that matters is how quickly you respond to a security event – Don’t chase the information, let it come to you
Editor's Notes
- #6: Required manual creation of incidents based on Splunk events and alerts Excessive time and effort to duplicate information Needed incident management capabilities to track workflow through closure.
- #7: Ability to push Splunk events into ServiceNow as either an incident OR as an incident / event in the latest Eureka release Ability to pull in any info from ServiceNow and correlate that with info from any other sources within Splunk
- #9: New events associated to open incidents; unrelated events that are automatically assigned in error can be split out by the security analyst into separate incidents to be tracked and handled separately