Don’t Let WannaCrypt make you WannaCry: Let Cask and ServiceNow® Save the Day

By now you may have heard of the latest ransomware attack, WannaCrypt, which began on Friday, May 12, 2017.


As of right now, the ransomware has been temporarily stopped after a security researcher, Marcus Hutchins, purchased the domain the ransomware was using. Even if we never see WannaCrypt again (which seems unlikely), we are going to see many other variants and flavors of ransomware. So if ransomware is not going away, and we can’t simply unplug everything from the network, the solution is to focus on how to stop our company and data from becoming the next victim.

Many security teams have the same problem: they have too much information and don’t know how to prioritize what is important and what is not. It doesn’t help that every day they get more and more security information dumped on them. When you don’t know what information to prioritize, it becomes easy to miss a critical patch, and that could eventually make you the next victim of a ransomware attack.

We have numerous security tools in place, but they all tend to have their own interface. There is a separate interface for vulnerability and another one for incident response. Don’t forget the plethora of emails that come in with threat intelligence information. With so many emails and interfaces, it is easy to get overwhelmed. Then, before you know it, a critical security vulnerability was never patched, and it was the opening that ransomware used to get in.

How Cask and ServiceNow® Can Help

If you haven’t heard of ServiceNow®, I will give you a quick overview of what ServiceNow® does. ServiceNow consolidates your on‑premises IT/IS tools into a modern, easy‑to‑use service management solution in the cloud. No infrastructure is required. Remember that these security tools each have their own complex interface; with ServiceNow’s Security Operations modules you can consolidate them into one interface.

ServiceNow has three modules for Security Operations: Threat Intelligence, Incident Response, and Vulnerability Management. Now you can get all that information and data into one interface. Imagine how much time you could save by not having to spend time in various interfaces, and imagine how much time and energy you would save not having to reply to all those emails.

ServiceNow does much more than just offer you one interface. With ServiceNow you can create workflows to automate threat intelligence, incident response, and vulnerability management.

That is where Cask comes in. As a certified partner of ServiceNow, Cask’s Security team is an expert at implementing ServiceNow Security Operations modules. We can get ServiceNow working for you in your environment by creating customized workflows. This is done by customizing each module to fit your specific environment. ServiceNow is great just out of the box, but it is so much better when it has been customized by the experts at Cask. Imagine how great it would be to have customized workflows for your environment. These workflows can take you from a reactive security approach to a proactive one.

WannaCrypt exploits vulnerability MS17-010. Without ServiceNow, you would have to get that information from your threat intelligence, scan the network to see which assets have that vulnerability, then probably send an email to IT to remediate, and IT will remediate sometime after 30 days or so. Then, if you are like many other environments, IT doesn’t inform you whether they patched the vulnerability or not, so you find out at the next monthly vulnerability scan. Then, before you know it, you have been compromised by ransomware.

Let’s look at how ServiceNow and Cask can make this process better. With all information coming into ServiceNow, you have just one interface to go to for information. Within ServiceNow you see that there is a ransomware threat that exploits MS17-010. You can then go to the Vulnerability Management module, initiate a scan, see which assets are missing that patch, and assign IT to remediate. You can also set a deadline and be alerted automatically when the vulnerability has been remediated or when the deadline has passed. With ServiceNow, all the data can be prioritized more easily, and communication between Security and IT greatly improves. Next thing you know, you can kick back because you just stopped your company from becoming another victim of ransomware.

Whether you have ServiceNow, are currently shopping, or don’t have ServiceNow at all, the security experts at Cask can help make your environment more secure. 


Written by Brett DeHoag, Security and Risk Advisor

Brett DeHoag is a Security and Risk Advisor for Cask