SplunkLive! Customer Presentation--ServiceNow

SplunkLive! San Diego presentation from Justin Dolly, CISO, ServiceNow

Transcript of SplunkLive! Customer Presentation--ServiceNow

Page 1: SplunkLive! Customer Presentation--ServiceNow

Copyright © 2014 Splunk Inc.

Justin Dolly, CISO, ServiceNow

ServiceNow + Splunk Integration

Page 2: SplunkLive! Customer Presentation--ServiceNow

ServiceNow Overview

ServiceNow is the enterprise IT cloud company. We transform IT by automating and managing IT across the global enterprise. Organizations deploy our service to create a single system of record for IT and automate manual tasks, standardize processes, and consolidate legacy systems. Using our extensible platform, our customers create custom applications and evolve the IT service model to service domains inside and outside the enterprise.

Founded in 2004

IPO in June 2012

2300+ customers

2100+ employees

2013= $470m revenue

Page 3: SplunkLive! Customer Presentation--ServiceNow

ServiceNow Overview

Single system of record for IT

Single Cloud Platform

Robust Suite of IT Applications

Custom Application Development

Enterprise Cloud Infrastructure

Lights-out, zero-touch automation

Powerful Business Intelligence Reporting

Accelerate time-to-value

Page 4: SplunkLive! Customer Presentation--ServiceNow

My Background and Role

Justin Dolly, VP & CISO at ServiceNow

Former CISO at VMware

Previously held security and technology leadership roles at:
– Kaiser Permanente
– CNET Networks / CBS Interactive
– Macromedia
– Wells Fargo Bank

Page 5: SplunkLive! Customer Presentation--ServiceNow

Security Challenges

Most Security teams now have budget, staff & tools

Having many tools can be cumbersome & inefficient

Security teams typically work in a silo

Our Situation, a year ago:

Log Analytics and Service Management were disparate systems

Needed threat identification and event correlation

Information is there, but it's difficult to access

Needed to address compliance and audit reporting needs

Page 6: SplunkLive! Customer Presentation--ServiceNow

Splunk @ ServiceNow Today

Collecting over 400GB/day and growing

Enterprise Security is our SIEM, collecting threat intelligence data and providing actionable results

'Single pane of glass' view across the enterprise for threat identification and event correlation

Splunk alerts trigger script actions which push events into ServiceNow via SOAP and XML

Events are analyzed by a dedicated Security Operations team

Page 7: SplunkLive! Customer Presentation--ServiceNow

Splunk @ ServiceNow Today

[Architecture diagram] Syslog events from Network, Firewall, F5 LTM/ASM and Wireless IDS sources -> Syslog Store and Forward -> Splunk Indexers -> Splunk ES Search Head and Splunk Search Head -> ServiceNow Security Instance -> Event Console

Page 8: SplunkLive! Customer Presentation--ServiceNow

Integration Overview

Custom built integration using the Splunk REST APIs and ServiceNow APIs

Splunk is periodically queried for security related events

Script actions push event data into ServiceNow instance events table

Business rules extract unique identifiers from the events table for de-duplication and correlation

Security analyst reviews events in the ServiceNow console and elevates events to incidents for investigation

New event data received is automatically associated to open incidents

Open incidents drive response activities and workflow across the organization
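The pipeline on this slide, as an added Python illustration that is not ServiceNow's or Splunk's own code: a Splunk alert result becomes a SOAP/XML event record keyed by a unique correlation identifier, duplicates collapse onto that key, and new events attach to an open incident with the same key while the rest wait for analyst review. The events-table field names, the SOAP element names and the alert results are assumptions constructed for the example.

```python
# Added illustration of the event pipeline in the slides, not Splunk's or ServiceNow's
# own code: field names, SOAP element names and the alert results are all assumptions.
import hashlib
import xml.etree.ElementTree as ET

SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"

# Constructed Splunk alert results, as a script action would receive them.
SPLUNK_RESULTS = [
    {"_time": "2014-05-01T10:00:00Z", "src_ip": "10.0.0.5", "host": "bastion1",
     "signature": "ssh-brute-force", "count": "41"},
    {"_time": "2014-05-01T10:05:00Z", "src_ip": "10.0.0.5", "host": "bastion1",
     "signature": "ssh-brute-force", "count": "55"},   # same event, next window
    {"_time": "2014-05-01T10:07:00Z", "src_ip": "192.168.1.9", "host": "ws-0042",
     "signature": "malware-callback", "count": "1"},
]

def correlation_id(result):
    """Unique identifier: hash of the fields that make two alerts the same event."""
    key = "|".join(result[f] for f in ("src_ip", "host", "signature"))
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def build_soap_event(result):
    """SOAP/XML record the script action pushes to the events table (assumed layout)."""
    env = ET.Element(SOAP + "Envelope")
    rec = ET.SubElement(ET.SubElement(env, SOAP + "Body"), "insert")
    fields = {"source": "splunk", "correlation_id": correlation_id(result),
              "time_of_event": result["_time"],
              "description": f"{result['signature']} from {result['src_ip']} "
                             f"on {result['host']} (count={result['count']})"}
    for name, value in fields.items():
        ET.SubElement(rec, name).text = value
    return ET.tostring(env, encoding="unicode")

def process_events(results, incidents):
    """Business-rule style step: collapse duplicates by correlation_id, attach them
    to an open incident with the same id, and queue the rest for analyst review."""
    by_cid = {}
    for r in results:
        by_cid.setdefault(correlation_id(r), []).append(r)
    open_by_cid = {i["correlation_id"]: i for i in incidents if i["state"] == "open"}
    needs_review = []
    for cid, events in by_cid.items():
        if cid in open_by_cid:
            open_by_cid[cid]["events"].extend(events)   # auto-associated
        else:
            needs_review.append(cid)                     # analyst may elevate
    return by_cid, needs_review
```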

Page 9: SplunkLive! Customer Presentation--ServiceNow

What's Next

We continue to grow quickly

Big Data analytics also grows in importance

Leveraging the new Splunk integration with ServiceNow Event Management Console (newly released in Eureka)

Integration with ServiceNow Threat Intelligence Portal

Page 10: SplunkLive! Customer Presentation--ServiceNow

Top Takeaways

Embrace the mind-shift in Security
– Re-think the relationship between your systems, processes, and people
– The traditional tools won't save you

Technology when done right is extremely liberating
– Applying threat intelligence and real-time analytics makes response activity faster & more accurate

The only metric that matters is how quickly you respond to a security event
– Don't chase the information, let it come to you