ServiceNow is an enterprise IT cloud company that transforms IT by automating and managing IT across organizations. It has over 2300 customers and 2100 employees. Justin Dolly is the CISO of ServiceNow. Previously, ServiceNow's security tools were disparate and information was difficult to access. ServiceNow now collects over 400GB of data daily with Splunk, using it as their SIEM to provide threat identification, event correlation, and compliance reporting across the enterprise. Events detected by Splunk trigger actions that push data into ServiceNow, where a security team analyzes events and elevates potential incidents for investigation.

1. Copyright © 2014 Splunk Inc.
Justin Dolly
CISO
ServiceNow
ServiceNow + Splunk Integration

2. 2
ServiceNow Overview
ServiceNow is the enterprise IT cloud company. We transform IT by automating and
managing IT across the global enterprise. Organizations deploy our service to create a
single system of record for IT and automate manual tasks, standardize processes, and
consolidate legacy systems. Using our extensible platform, our customers create custom
applications and evolve the IT service model to service domains inside and outside the
enterprise
Founded in 2004
IPO in June 2012
2300+ customers
2100+ employees
2013= $470m revenue

3. 3
ServiceNow Overview
Single system of record for IT
Single Cloud Platform
Robust Suite of IT Applications
Custom Application Development
Enterprise Cloud Infrastructure
Lights-out, zero-touch automation
Powerful Business Intelligence Reporting
Accelerate time-to-value

4. 4
My Background and Role
Justin Dolly, VP & CISO at ServiceNow
Former CISO at VMware
Previously held security and technology leadership roles at
– Kaiser Permanente,
– CNET Networks / CBS Interactive,
– Macromedia
– Wells Fargo Bank

5. 5
Security Challenges
Most Security teams now have budget, staff & tools
Having many tools can be cumbersome & inefficient
Security teams typically work in a Silo
Our Situation, a year ago:
Log Analytics and Service Management were disparate systems
Need threat identification and event correlation
Information is there, but it’s difficult to access
Needed to address compliance and audit reporting needs

6. 6
Splunk @ ServiceNow Today
Collecting over 400GB/ day and growing
Enterprise Security is our SIEM collecting threat intelligence data and
providing actionable results
‘Single pane of glass’ view across enterprise for threat identification and
event correlation
Splunk alerts trigger script actions which push events into ServiceNow
via SOAP and XML
Events are analyzed by a dedicated Security Operations team

7. 7
Splunk @ ServiceNow Today
Syslog Events
• Network
• Firewall
• F5 LTM/ASM
• Wireless IDS Syslog Store and Forward
Splunk Indexers SplunkES
Search Head
Splunk
Search Head
ServiceNow Security Instance
Event Console

8. 8
Integration Overview
Custom built integration using the Splunk REST APIs and ServiceNow APIs
Splunk is periodically queried for security related events
Script actions push event data into ServiceNow instance events table
Business rules extract unique identifiers from the events table for de-
duplication and correlation
Security analyst reviews events in the ServiceNow console and elevates events
to incidents for investigation
New event data received is automatically associated to open incidents
Open incidents drive response activities and workflow across the organization

9. 9
What’s Next
We continue to grow quickly
Big Data analytics also grows in importance
Leveraging the new Splunk integration with ServiceNow Event
Management Console (newly released in Eureka)
Integration with ServiceNow Threat Intelligence Portal

10. 10
Top Takeaways
Embrace the mind-shift in Security
– Re-think the relationship between your systems, processes, and people
– The traditional tools won’t save you
Technology when done right is extremely liberating
– Applying threat intelligence and real-time analytics makes response activity faster
& more accurate
The only metric that matters is how quickly you respond to a security
event
– Don’t chase the information, let it come to you