ServiceNow comes at security operations based upon its customers, experience, and products in ITSM. This gives the company a unique opportunity to bring security and IT operations together to improve communications and collaboration. Given this, Sean was a perfect person to talk with about SOAPA since a software architecture built for integration can help facilitate this objective.
In part 2 of our video, Sean and I discuss:
- The purpose of a security operations architecture like SOAPA. Sean comments that large customers already have a myriad of security operations tools so their primary question for ServiceNow is, "how are you going to use integration to simplify my environment?" SOAPA’s value here is obvious.
- How ServiceNow approaches SOAPA. ServiceNow is a major IT player but it is relatively new to security. Sean mentions that ServiceNow customers have a multi-vendor security infrastructure, so third-party integration is critical for the company’s success. It provides a capabilities framework, APIs, and developer support to make this happen.
- Lessons learned. When he started at ServiceNow, Sean was surprised by the lack of process maturity in security where customers were spending an inordinate amount of time on basic operational tasks. ServiceNow’s role is to provide CISOs with tools so they can structure and measure security processes.
Sean thinks that SOAPA has the potential to benefit ServiceNow and enterprise customers. SOAPA can ease the integration burden for vendors and help customers get more value from multi-vendor security operations solutions—a win-win.
Many thanks to Sean for participating in the ESG SOAPA video series. More soon!
Jon: I'm back with Sean Convery, GM of the Security Division of ServiceNow. Welcome back, Sean.
Sean: Thank, Jon. I appreciate you reminding me to wear my pink shirt.
Jon: Yeah, we're kind of in sync here, although mine's darker than yours. Let's talk about SOAPA though. We have kind of talked around SOAPA in the first part of the video. SOAPA's an integrated architecture, and the key there is two words, integration and architecture. Are your customers asking for integration and are they building an architecture?
Sean: What they're saying to us, at least, is they've got, in some cases, north of a hundred security vendors. And so their bar to introduce somebody else to the equation is how are you going to simplify things as opposed to how are you going to create another integration challenge for me? So they're absolutely looking for a heterogenous approach to the problem where you can integrate the technology from multiple systems into a common way of approaching the process and your own response.
Jon: And how does that work if I've got some on-premises equipment, on-premises analytics or operations tools and you're a cloud-based tool? How does that work? How do those plug in together?
Sean: Yeah, architecturally, we have something called a MID Server, which is a basically…think of it as an on-prem gateway.
Sean: Exactly, that gets you access to the information that you need and then funnels it up through the cloud.
Jon: And tell me about some of those integration points. I mean, because you… Again, you're unique in that you're integrating with IT operations tools and security operations tools, so what are the unique kind of mixes that you see?
Sean: Well, there's two ways of thinking about this. The first is one of our most obvious integrations is to the rest of the ServiceNow platform, right, so back to the vulnerability conversation we're having. You know, not only can the CIO and CISO have an agreed upon approach, but unlike most security teams, when security opens a case or a ticket with IT from ServiceNow, you can actually have an SLA that stays within the system. So if it's again, back to our four-day example, right, you can actually see, you know, I'm 80% in compliance with the four-day SLA and you can sort of measure that over time. That's really the biggest original integration is into the platform. But outside of that, we've got lots of integrations into, you know, obviously, the SIM providers is an obvious place for us to integrate because they're giving us a lot of alert data. The vulnerability scanning vendors are giving us great feeds and we take both of those feeds and enrich that with the business understanding of our assets. And then we have a whole set of additional integrations based on, you know, customer demand, whether it's Slack or tying in to other specific threat intelligence feeds or other enforcement feeds like Palo Alto Networks.
Jon: Okay. Are there challenges with those integrations? I mean, are you going kind of point-to-point integration with each of these vendors or are you, because you're a pretty big vendor, do you have some standards that you can kind of push on the market?
Sean: Yeah, we're not pushing standards on the market in terms of how they need to integrate with us. What we've actually done is realize that, you know, we're new in town when it comes to security, so we've built a capabilities framework which you can think of as almost an abstraction layer that's inside the ServiceNow Security Operations product, so that you can actually tie in multiple SIM vendors, for example, because we have a lot of people, that they're using Elasticsearch and Splunk, for example, so you wanna pull them both in, and then the rest of the product doesn't need to understand the nuances of Splunk versus Elastic. They just make a single call to this, you know, log integration API and that can be fulfilled across multiple systems. So it gives vendors, or it gives customers a lot of flexibility on which vendors they want to choose, because it doesn't…as you swap them out, you don't have to change your runbooks, you don't have to change your process, you don't have to change your automation.
Jon: What surprised you? Because you've been in security for a long time, you went to ServiceNow, ServiceNow is now entering security, so what surprised you in that whole…in what customers are doing in the integration part?
Sean: I think the most surprising thing was just how immature the average customer is in their process. I was, frankly, shocked. You know, I knew that as an industry, we've been sort of paying lip service to this idea of how important system administration is and good security analytics and everything else. But you know, we start unpacking these problems and I talked to a Fortune 100 customer that said they spent 40% of their IR time just trying to figure out who owns the IP address that has been attacked. And that's terrible for a couple of reasons. First, it's 40% of a mutli-hour journey is a long time, sometimes multiple days, but if at the end of that journey you find out that the attack is irrelevant, because it was against a lab system or it was Linux attack against a Windows infrastructure, then that's just entirely wasted.
Jon: Yeah, I'm surprised. I've had a lot of conversations with customers around these topics, around automation and orchestration. And even companies, like household companies, lots of security resources have said to me, "I wish somebody would come in and tell me if I'm doing things right." Are you finding that to be true?
Sean: We are. We're seeing a lot of customers that are saying look, our state of the art is still Excel. I was just meeting with a customer yesterday that, you know, like step one for them is let's just get them out of Excel, into something that provides some stateful understanding of where you are with your vulnerabilities, where you are with your incidents, so you can measure. I think the bar in terms of the impact that a customer can have by deploying something like this is huge, because it's a transformational shift forward. If you think about IT, they went through this evolution many, many years ago as they went to a more modern service desk approach and use technologies like ServiceNow to do that. I think security stands to benefit from all of that investment and workflow and system of action and all the approaches that we've been espousing as a company for a dozen years now, to make a leap forward to catch up to where IT is now. So it's actually a much more dramatic shift than the shift IT is seeing over the last several years.
Jon: Last question, what do you see for the future, for this SOAPA concept? You think it has legs? Do you think that we can get the industry to play or even does it benefit ServiceNow?
Sean: I mean, it absolutely benefits ServiceNow. So I think the entire foundation of our approach is a multi-vendor approach. And so I have had a front-row seat during my time at Cisco to sort of look at the focus on more of a homogeneous stack of security technology. I've seen that play out. And I think even among the players that you'd most naturally associate with a stack of technology, whether it's a Symantec or a McAfee or a Cisco, yeah, the larger players, even they seem to be, if not overtly acknowledging, they're talking more and more about how important it is to integrate the technologies from multiple vendors. I just don't see another way forward without embracing a heterogenous model as the only viable approach to real security operations.
Jon: Yeah, that's my point too is the alternative is Symantec has its model, McAfee has its model, IBM, Cisco, etc., and it just doesn't scale. That doesn't benefit customers.
Sean: Absolutely. And it also, in many cases, locks them into a particular approach. So even if a particular vendor supports multiple vendors, if they, at their core, have their own technology, it's always gonna be, "We work with everybody, but we work best with our own stuff."
Jon: Yeah. Sean, I could talk to you all day, but videos kind of come and go. We are at the end, so thanks again for participating and we look forward to other videos soon.
Sean: My pleasure, Jon.