Let’s talk about ITSM and security. According to the UK’s Department for Culture, Media and Sport (DCMS) Cyber Security Breaches Survey, 39% of UK businesses identified a cyber attack against them in 2022. These attacks range from phishing and denial of service to ransomware and data breaches. Responding to them requires a joint approach across your IT service management (ITSM), security, and other teams.
But what makes a security incident process successful? How can ITSM and security teams respond more efficiently? And why are changes such as cloud migrations making this harder?
To answer these questions, we must look at the whole process of managing security and IT services together. Rather than treating these areas separately, ITSM and security teams must collaborate and prioritize.
What’s the priority?
If there is one thing that both ITSM and security teams are familiar with, it is triaging issues. Both teams typically have a steady stream of new alerts, messages, requests, and issues to deal with, and both must prioritize those never-ending lists to fix what is most important or most dangerous first. However, the top priority from a security perspective is not necessarily the top priority from an ITSM perspective.
The first step to improving cross-team (ITSM and security) incident response is simply to talk to your colleagues about your prioritization processes and find out how they work, where they overlap and where they differ. With that shared feedback, the teams can tighten their triage by narrowing the set of vulnerabilities and alerts that actually need attention. Depending on how mature your organization’s cybersecurity approach is, you may find that many alerts were false positives or threats that were not actually dangerous to your organization. At that point you can tune your alert rules to cut the noise and leave more time for the alerts that represent real threats.
ITSM and Security: Context is everything
One of the biggest challenges for ITSM and security teams is getting on the same page about a perceived issue. Getting there depends on understanding the context around a threat or a potential issue, which varies depending on who is looking at it. To make this easier, improve the detail and contextual information you share with other teams.
From a security perspective, this means sharing more than just a CVE (Common Vulnerabilities and Exposures) entry and its CVSS (Common Vulnerability Scoring System) score. While this information is useful, it may mean little to other teams in your organization. Providing background on whether the vulnerability is being actively exploited, and on where the affected component runs in your organization’s infrastructure, helps other teams pinpoint exactly what to act on first.
From an ITSM perspective, security and risk changes are part of the overall service delivery the organization requires. Giving IT security teams information on how change requests will work in practice helps them keep security prioritized while the change is implemented effectively. At the same time, the ITSM team should communicate to the rest of the organization how any changes will affect services and availability, and should clearly express the security risk to the organization if the changes are not implemented.
There is one complication with providing this data, due to how IT systems and applications are built today. Applications are commonly assembled from microservices, small components that make up a larger service, and these typically run in software containers. Container images are held in registries until they are needed. If a vulnerability exists in one of these images, it lies dormant until a container is started from that image.
In this case, detecting a vulnerability is hard for ITSM and security personnel, because it is only exploitable while a container built from that image is actually running. The Sysdig 2023 Cloud-Native Security and Usage Report noted that 72% of containers run for less than five minutes, so relying on traditional point-in-time scanning to flag an issue here is ineffective. Instead, look at what is actually loaded at runtime to spot the issues that matter first, and then fix them. According to the same report, prioritizing vulnerable packages that are in use at runtime can reduce the number of vulnerabilities to fix by up to 95%, enabling teams to address the issues that truly matter first. Another benefit of this method is that once you fix an issue in a base image, every image rebuilt from it afterwards inherits the fix. If you know where to look at runtime, one fix at the root can close out many findings.
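As an added example (written for this page, not code from the original article or from Sysdig’s product), the following Python sketch puts the two points above together: it enriches bare CVE/CVSS findings with context (an "actively exploited" flag and the running containers that actually load the affected package), derives a priority from that context, and works out the root image where a fix should land so that images built from it inherit it on rebuild. All inputs are constructed: the registry names, the lineage table, the runtime observations and the CVE identifiers (which use the invalid year 0000 so they cannot collide with real entries) are assumptions.

```python
"""Runtime-aware vulnerability triage (added example, not Sysdig's code).

Inputs are constructed: a scanner report keyed by image, the running
containers with the packages a runtime agent saw them load, and a small
set of CVEs flagged as actively exploited (a stand-in for a feed such as
CISA KEV). Registry names and CVE IDs are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    image: str
    package: str
    cve: str
    cvss: float


# Constructed scanner output: every package/CVE pair found in each image.
FINDINGS = [
    Finding("registry.example/base:1.0", "openssl", "CVE-0000-0001", 9.8),
    Finding("registry.example/base:1.0", "curl", "CVE-0000-0002", 7.5),
    Finding("registry.example/api:2.3", "openssl", "CVE-0000-0001", 9.8),
    Finding("registry.example/api:2.3", "libxml2", "CVE-0000-0003", 8.1),
    Finding("registry.example/batch:0.9", "openssl", "CVE-0000-0001", 9.8),
    Finding("registry.example/batch:0.9", "imagemagick", "CVE-0000-0004", 9.1),
]

# Constructed image lineage: child image -> base image it was built FROM.
BASE_OF = {
    "registry.example/api:2.3": "registry.example/base:1.0",
    "registry.example/batch:0.9": "registry.example/base:1.0",
}

# Constructed runtime observations: packages whose files were actually
# loaded by a running container. Nothing is running from batch:0.9.
RUNNING = {
    "api-7c9f": {"image": "registry.example/api:2.3", "loaded": {"openssl", "libxml2"}},
    "api-1a2b": {"image": "registry.example/api:2.3", "loaded": {"openssl"}},
}

# Constructed "actively exploited" set, standing in for a real feed.
EXPLOITED = {"CVE-0000-0003"}


def in_use(findings, running):
    """Map each finding to the running containers that load its package."""
    kept = {}
    for name, container in running.items():
        for f in findings:
            if f.image == container["image"] and f.package in container["loaded"]:
                kept.setdefault(f, []).append(name)
    return kept


def priority(finding, containers, exploited):
    """Priority from context, not from CVSS alone: nothing running -> backlog."""
    if not containers:
        return "backlog"
    if finding.cve in exploited:
        return "P1"
    if finding.cvss >= 7.0:
        return "P2"
    return "P3"


def triage(findings, running, exploited):
    """Build one context-rich ticket row per finding, most urgent first."""
    active = in_use(findings, running)
    rows = []
    for f in findings:
        containers = sorted(active.get(f, []))
        rows.append({
            "cve": f.cve, "package": f.package, "image": f.image,
            "cvss": f.cvss, "exploited": f.cve in exploited,
            "containers": containers,
            "priority": priority(f, containers, exploited),
        })
    order = {"P1": 0, "P2": 1, "P3": 2, "backlog": 3}
    rows.sort(key=lambda r: (order[r["priority"]], -r["cvss"], r["cve"]))
    return rows


def backlog_reduction(rows):
    """Fraction of findings the runtime filter takes off the immediate list."""
    return sum(r["priority"] == "backlog" for r in rows) / len(rows)


def root_fix_targets(findings, base_of):
    """For each (package, cve), the image where the fix should land and the
    child images that inherit it once they are rebuilt from that base."""
    by_key = {}
    for f in findings:
        by_key.setdefault((f.package, f.cve), set()).add(f.image)
    targets = {}
    for key, images in by_key.items():
        # An image whose base also carries the finding is not the root.
        roots = {img for img in images if base_of.get(img) not in images}
        for root in roots:
            children = sorted(img for img in images if base_of.get(img) == root)
            targets.setdefault(key, {})[root] = children
    return targets


if __name__ == "__main__":
    for row in triage(FINDINGS, RUNNING, EXPLOITED):
        print(row["priority"], row["cve"], row["package"], row["image"], row["containers"])
    print(root_fix_targets(FINDINGS, BASE_OF))
```

With this data, the libxml2 finding in the api image comes out as P1 (in use and actively exploited) even though its CVSS is lower than the openssl one, four of the six findings drop to the backlog because nothing running loads them, and the shared openssl issue resolves to a single rebuild of the base image rather than three separate tickets.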
ITSM and Security: Security still relies on people, but automation can help
To improve IT security and incident management, helping your ITSM and security teams work together more effectively matters more than any one technology or tool, because IT security still relies on people. By looking at and improving how work is handed off between teams, you can make collaboration easier and keep everyone working toward the same goals.
Mitigation controls provide a good example of this in action. Rather than handling IT security issues one at a time as they come up, you can use a framework such as MITRE ATT&CK’s Mitigations to improve your overall security posture. These mitigations are applied according to your own environment and processes, so you can reduce or remove the attack techniques most commonly seen in your organization, leaving more time for other priorities. Understanding how your IT security team uses these mitigations helps your ITSM team see where security work is ongoing and whether they can deploy mitigations to remove issues too.
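As an added example (not code from the original article, from Sysdig, or from MITRE), here is a Python sketch of how a security team can turn the techniques tagged on recent incidents into a short, ranked list of mitigations for ITSM to schedule as changes. The technique-to-mitigation table is a hand-copied excerpt of ATT&CK relationships and is an assumption here: verify the IDs against the current ATT&CK release before relying on them. The incident counts and the set of already-deployed mitigations are constructed.

```python
"""Rank ATT&CK mitigations by the observed techniques they address
(added example; not Sysdig's or MITRE's code).

TECHNIQUE_MITIGATIONS is an assumed excerpt of ATT&CK's technique ->
mitigation relationships; check the IDs against the current release.
"""

TECHNIQUE_MITIGATIONS = {
    "T1078": {"M1032", "M1026", "M1018", "M1027"},  # Valid Accounts
    "T1110": {"M1032", "M1027", "M1036", "M1018"},  # Brute Force
    "T1566": {"M1017", "M1049", "M1054", "M1021"},  # Phishing
    "T1190": {"M1051", "M1016", "M1030", "M1026"},  # Exploit Public-Facing Application
    "T1059": {"M1049", "M1045", "M1042", "M1038"},  # Command and Scripting Interpreter
}

MITIGATION_NAMES = {
    "M1016": "Vulnerability Scanning", "M1017": "User Training",
    "M1018": "User Account Management", "M1021": "Restrict Web-Based Content",
    "M1026": "Privileged Account Management", "M1027": "Password Policies",
    "M1030": "Network Segmentation", "M1032": "Multi-factor Authentication",
    "M1036": "Account Use Policies", "M1038": "Execution Prevention",
    "M1042": "Disable or Remove Feature or Program", "M1045": "Code Signing",
    "M1049": "Antivirus/Antimalware", "M1051": "Update Software",
    "M1054": "Software Configuration",
}

# Constructed: technique IDs tagged on last quarter's incident tickets,
# with how many tickets carried each tag.
OBSERVED = {"T1078": 5, "T1110": 3, "T1566": 4, "T1190": 1, "T1059": 2}

# Constructed: mitigations ITSM has already rolled out (change records closed).
DEPLOYED = {"M1049"}


def coverage(observed, deployed=frozenset(), mapping=TECHNIQUE_MITIGATIONS):
    """Incident-weighted count of what each not-yet-deployed mitigation addresses."""
    score = {}
    for tech, count in observed.items():
        for m in mapping.get(tech, ()):
            if m not in deployed:
                score[m] = score.get(m, 0) + count
    return score


def plan(observed, deployed=frozenset(), mapping=TECHNIQUE_MITIGATIONS):
    """Greedy set cover: keep picking the mitigation that addresses the most
    remaining incidents until every observed technique has at least one
    chosen or deployed mitigation. Ties break on the lower mitigation ID so
    the output is deterministic."""
    remaining = {t: c for t, c in observed.items()
                 if not (mapping.get(t, set()) & deployed)}
    chosen = []
    while remaining:
        score = coverage(remaining, deployed, mapping)
        if not score:
            break  # remaining techniques have no mapped mitigation
        best = min(score, key=lambda m: (-score[m], m))
        covered = sorted(t for t in remaining if best in mapping.get(t, ()))
        chosen.append((best, MITIGATION_NAMES.get(best, best), covered))
        for t in covered:
            del remaining[t]
    return chosen


if __name__ == "__main__":
    for mid, name, techniques in plan(OBSERVED, DEPLOYED):
        print(f"{mid} {name}: covers {', '.join(techniques)}")
```

Run as-is, the antivirus control already in place takes phishing and scripting-interpreter incidents off the table, so the plan reduces to two change requests: an account-management control that addresses both the valid-accounts and brute-force incidents, and vulnerability scanning for the one public-facing exploit. The ITSM team gets a list it can schedule, and the security team gets to show which incidents each change should remove.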
You can automate some processes and workflows to make things easier for your ITSM and security teams. Automating a remediation workflow makes things faster and easier when new IT security issues arise. Generative artificial intelligence (AI) and large language models (LLMs) can provide ready-made procedures that anyone can follow and improve team workflows. The key is that any AI used should give natural-language responses and guidance that are simple for anyone to follow, whether or not they are experienced in IT security.
An automation approach should be aimed at making your ITSM and security teams’ lives easier and at making junior staff as comfortable as your more experienced employees. For collaborative work, it should take time-sensitive tasks such as sharing data and writing reports and cut the time it takes to deliver that information to the people who need it. In essence, automation for IT security and ITSM should help your teams get more done and understand context faster.
IT security is an organizational priority, no matter the team. Any incident, from a false alarm to a critical threat, requires an immediate response these days and often involves one or both of the IT security and ITSM teams. Improving cross-team communication and collaboration between these ITSM and security teams and others regarding incident response, threat, and environmental changes will deliver better results for the entire organization.
Crystal is a cybersecurity strategist at Sysdig tasked with bridging the gap between business and security through cloud and container-focused webinars and papers for everyone from executives to technical practitioners. She was originally a threat research engineer on the Sysdig Threat Research Team, where Crystal spent her time discovering and analyzing cyber threat actors who took advantage of the cloud. Crystal started her career as a linguist and intelligence analyst in the United States Air Force. Before joining Sysdig, she spent four years as a contractor for Booz Allen Hamilton, researching and reporting on terrorism and cyber threats. Crystal was responsible for helping to develop and mature Booz Allen’s cyber threat intelligence community and threat-hunting capabilities.