ServiceNow Security Showdown: Gotta Catch 'Em All for Cyber Resilience! - Zscaler
Welcome, everyone!
Join us as we embark on a journey to explore how ServiceNow's security offerings are shaping resilient security operations, akin to navigating the digital landscape to proactively thwart threats and evade cyber adversaries, much like dodging Team Rocket in the Pokémon world. Today we'll look at one of the security response team's favourite tools: the out-of-the-box integration with Zscaler. In plain terms, think of it as the gatekeeper that decides which URLs may roam freely and which are blocked within your network.
Just like a Pokémon trainer traverses diverse terrains, employing Poké Balls to catch different Pokémon, a security analyst maneuvers through the vast digital expanse, identifying and blocking potentially harmful URLs to safeguard their network.
Our current use case revolves around empowering the security incident response team to swiftly block observables on Zscaler from security incident response tickets or observable records. But that's not all; this integration offers a plethora of other remarkable features.
Here's a rundown of the key features of the Zscaler integration (courtesy: ServiceNow Docs):
Reputation Lookup: Evaluate observables against Zscaler's global threat library, enabling you to gauge threats based on trends, origins, destinations, volume, and various categories.
Observables Management: Maintain observables in either a block list or an allow list on the Zscaler platform.
Sandbox Analysis: Access and review sandbox reports from Zscaler, analyzing files' behavior in a virtual environment to detect malicious activity.
Patient Zero Alerts: Receive security alerts triggered by "Patient Zero" events in Zscaler, signaling downloads of unknown malicious files.
URL Category Lists: Utilize multiple URL category lists for blocking or allowing specific types of URLs.
Integration with Now Platform: Tag security incidents to identify associated URL categories.
Expiration Management: Automatically expire or remove older entries from URL category lists to maintain efficiency.
Before Setup.
Understand the types of list maintained. There are usually two: BLOCKLIST and ALLOWLIST. The blocklist is the one we target from the SIR perspective.
Clarify how many Zscaler environments are present in the network. There may be one blocklist for company employees and another for guests, or the split could be by geography. You can configure more than one server as well.
Currently only one approval group can be configured, and it covers both adding a URL to the block list and removing it; no condition-based approval configuration is available out of the box.
Apart from this, there are certain requirements around roles, credentials and API keys, which can be found here: ServiceNow prerequisite, Zscaler Prerequisite
Setup:
The installation steps are clearly documented here; below are the things we found out only after a bit of struggle.
ServerName should be entered with care because it is not editable afterwards, and all the workflows, lists etc. are configured against this name.
For the Zscaler API URL, make sure to enter the https:// prefix (not mentioned in the docs).
Next steps is to configure the lists. Steps can be found here.
The key thing to notice here is the Expiration Period (days) field: the expiration period of the URL category list. 0 (the default) means that entries in the URL category list never expire.
If you change this value, any observable added to this URL category stays active for the number of days you enter. The minimum value you can enter is 1.
For example, if you set the expiration period to 30 days, the entries are removed from the category list after 30 days.
We set this to 0.
Basically, whenever a URL is requested to be blocked from a SIR or an observable record, an entry is created in the Zscaler URL Category List Entry table, and the entire lifecycle is managed on that table.
Additional Requirements:
Set up additional fields on the Entries table to log who initiated the block request and who initiated the removal request. This is captured in the SIR notes, but it should also be available as a field value on the entries table.
URL sanitization for notifications. Microsoft also blocks harmful links in emails. That is definitely a good thing, but think about a notification saying that a URL needs your approval to be blocked, or that a URL has been blocked, which then does not contain the URL at all. Hence an email script to convert maliciousurl.com to maliciousurl[.]com.
Reporting requirements along with setting up some KPIs. One is the number of records in Zscaler URL category list entries.
Add a failure-reporting mechanism. Simply add a subflow in the error handling of the subflow that gets triggered, and have it create an incident for the required team.
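As an added example of the defanging the email script should do (this is not ServiceNow's own email script, and the entry field names, the u_url field and the sample observable are assumptions for illustration), the snippet below wraps every dot in brackets and also breaks the scheme (http to hxxp), which goes slightly beyond the dot-only conversion mentioned above. It is written in ES5 style so it can be pasted into a ServiceNow email script, and it runs stand-alone in node:

```javascript
// Added example, not ServiceNow's own email script: defang observables before
// they go into a notification, so mail-security link protection neither
// rewrites nor strips the URL the approver is being asked to act on.
'use strict';

// Undo a previous defang so defangUrl() is idempotent: "evil[.]com" -> "evil.com".
// Also accepts the common "(.)" and "hxxp" conventions seen in threat reports.
function refangUrl(text) {
  return String(text)
    .replace(/\[\.\]|\(\.\)/g, '.')
    .replace(/^hxxp(s?):\/\//i, 'http$1://');
}

// Defang: break the scheme ("http" -> "hxxp") and wrap every dot in brackets so
// the string is no longer a clickable link or a valid hostname. Works for bare
// domains, full URLs and IPv4 addresses; dots in the path or query are
// bracketed too, which is harmless for a human reader.
function defangUrl(text) {
  return refangUrl(text)
    .replace(/^http(s?):\/\//i, 'hxxp$1://')
    .replace(/\./g, '[.]');
}

// Build the body of an approval notification for a block-list request.
// The property names on the entry object are assumed for this example.
function buildNotificationBody(entry) {
  return [
    'Observable: ' + defangUrl(entry.url),
    'Requested action: ' + entry.action,
    'Requested by: ' + entry.requestedBy,
    'Please approve or reject the request in ServiceNow.'
  ].join('\n');
}

// Self-check: a rendered body must not contain a live copy of the observable.
function containsLiveUrl(body, url) {
  return body.indexOf(refangUrl(url)) !== -1;
}

// Constructed sample request (not real data).
var sampleEntry = {
  url: 'https://login.evil-example.com/reset.php?id=10.0.0.1',
  action: 'block',
  requestedBy: 'analyst.one'
};

console.log(buildNotificationBody(sampleEntry));
// Inside a ServiceNow email script the same function would be used roughly
// like this (the field name u_url is an assumption):
//   template.print('Observable: ' + defangUrl(current.getValue('u_url')));
```

Running the block prints the observable as hxxps://login[.]evil-example[.]com/reset[.]php?id=10[.]0[.]0[.]1, which a mail gateway has no reason to rewrite and an analyst cannot click by accident. Because defangUrl() refangs first, running it over an already-defanged value does not produce "[[.]]", which matters when the same observable is rendered by more than one notification.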
Good to have, if ServiceNow provided them OOTB:
While ServiceNow provides robust functionalities, certain enhancements like raising requests for multiple blocklists simultaneously and condition-based approvals for category list setups would further streamline operations.
In conclusion, with ServiceNow's seamless integration with Zscaler, you're not just catching threats – you're building a fortress against cyber adversaries, ensuring your network remains resilient in the face of evolving security challenges. So, gear up, trainers! It's time to fortify your defenses and catch 'em all for cyber resilience!