Converging ITSM and SecOps to build stronger defenses
August 01 | 9 mins read
In June 2024, a leading software vendor for automotive dealerships was forced to shut down its core IT systems after falling victim to a ransomware attack. This left its roughly 15,000 auto dealership clients scrambling to manage their sales, inventory, finances, and other operations. Without security defenses or disaster recovery mechanisms that could restore operations quickly, the vendor reportedly took the last resort: paying millions in ransom to regain access to its data and systems.
Although it's still unclear how the ransomware group infiltrated the vendor's critical systems or why the recovery process took so long, a scenario of this magnitude can be attributed to many factors:
- Long overdue software updates combined with missing security patches could have resulted in vulnerabilities that the attackers exploited.
- Seemingly regular emails that were actually phishing attempts could have tricked employees into sharing credentials or downloading malware.
- Inadequate access controls and privilege management routines could have allowed the attackers to move laterally to gain control over critical systems.
- Poor visibility of infrastructure could have caused delays in assessing the extent of the breach and understanding the spread and magnitude of the attack.
- Lack of backup and recovery mechanisms could have stalled the restoration process.
These seemingly siloed issues ultimately point to two key shortcomings, both rooted in disjointed efforts between IT security and IT service desk teams:
1. Delayed incident response strategies.
2. Inadequate and weak security protocols.
This highlights the need to establish, and to integrate, two fundamental disciplines: ITSM (IT service management) and SecOps (security operations).
Why should you think about integrating ITSM and SecOps?
With growing digitalization, expanding attack surfaces, and the rapid adoption of AI, organizations face threats that evolve faster than they can adapt.
For a long time, ITSM has excelled as an enabler for handling incidents, fulfilling service requests, and executing IT changes reliably, with a focus on productivity. However, the complexities of today's IT environments coupled with the evolution of cyberthreats demand more from the processes and frameworks that IT teams rely on, including ITSM.
The path forward calls for a more unified, holistic, and security-centric approach to service management—one that weaves security checks within everyday ITSM workflows to keep pace with today's threat landscape.
The gaps that ITSM can fill
Drawing from the factors outlined above (exploitable vulnerabilities left by missing patches, credential misuse resulting from phishing, lateral movement enabled by weak access controls), it's clear that these aren't just security failures in isolation. They also point to procedural gaps that IT service desk teams, with a helping hand from IT security teams, are well positioned to address.
But without a common framework to tie everything together, you'll again end up with fragmented processes and tool sets between these two teams. This is where security-first ITSM can step in to become a unifying connectivity layer that brings structure, accountability, and visibility across service desk and security teams. When security is infused within key ITSM processes, these teams can create a multi-pronged plan for not only detecting threats but also acting on them fast.
Let's explore some ways your IT service desk and security teams can come together to bolster their incident response strategies.
1. Rolling out patches at scale while also being equipped to handle any incidents they may trigger
One of the most common entry points for threat actors? Unpatched systems. Regularly installing patches and firmware upgrades can be your first line of defense against malicious actors.
While SecOps can take care of detecting the systems with missing security patches, ITSM can step in to take care of the coordination, roll-out plans, and governance of the patch deployment process. And if something does go wrong after a deployment, it can also drive the remediation process through incident management.
Here's how the security and IT teams can work in tandem:
| SecOps | ITSM |
|---|---|
| Stay updated on vendor advisories to be informed about potential security holes in the organization's software stack. | Ensure the systemic deployment of patches at scale with tightly coupled ITSM practices like change, release, and asset management. |
| Constantly monitor the organization's network to detect vulnerabilities that can be exploited. | Foster proper oversight and governance with multi-level approvals from relevant stakeholders. |
| Refer to patch compliance data to identify systems with missing security patches and prioritize patch deployments based on risk and business impact. | Mitigate risks by following and documenting detailed roll-out plans, contingency and rollback strategies, software license agreements, and checklists. |
| Provide IT teams with the list of vulnerable systems and also recommend deployment timelines. | Utilize incident management to track and immediately resolve issues arising from failed patches. |
| Validate that the patches deployed have successfully fixed vulnerabilities. | Monitor the health of assets post-deployment by leveraging the CMDB to pull information on systems with the latest patches. |
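The SecOps half of this table (prioritize by risk and business impact, recommend timelines, validate afterwards) and the ITSM half (staged roll-out, rollback, incident on failure) can be expressed as one small planner. The following is an added example written for this article, not the vendor's product code: the compliance feed, asset names, patch IDs, weights and SLA thresholds are all constructed, hypothetical values, and a real deployment would source them from the vulnerability scanner and the CMDB.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MissingPatch:
    """One row of the patch-compliance feed: an asset missing a patch."""
    asset: str
    patch_id: str
    cvss: float            # CVSS base score, 0-10
    exploited: bool        # known to be exploited in the wild (e.g. on CISA's KEV list)
    criticality: str       # business-criticality tag from the CMDB
    internet_facing: bool  # exposure tag from the CMDB


# Hypothetical weights; tune to the organization's own risk appetite.
CRITICALITY_WEIGHT = {"critical": 1.5, "high": 1.2, "standard": 1.0}

# Constructed sample feed (hypothetical assets and patch IDs).
SAMPLE_FEED = [
    MissingPatch("web-01", "KB-2024-07", 9.8, True, "high", True),
    MissingPatch("web-02", "KB-2024-07", 9.8, True, "high", True),
    MissingPatch("db-01", "KB-2024-07", 9.8, True, "critical", False),
    MissingPatch("hr-lap-17", "KB-2024-07", 9.8, True, "standard", False),
    MissingPatch("hr-lap-17", "KB-2024-03", 5.4, False, "standard", False),
    MissingPatch("file-01", "KB-2024-03", 5.4, False, "high", False),
]


def risk_score(p: MissingPatch) -> float:
    """CVSS weighted by asset criticality, boosted for exploitation and exposure."""
    score = p.cvss * CRITICALITY_WEIGHT[p.criticality]
    if p.exploited:
        score += 5.0
    if p.internet_facing:
        score += 2.0
    return round(score, 2)


def sla_days(p: MissingPatch) -> int:
    """Deployment deadline in days: the SecOps-recommended timeline for this row."""
    if p.exploited or (p.internet_facing and p.cvss >= 9.0):
        return 3
    if p.cvss >= 7.0:
        return 14
    return 30


def plan_rollout(feed, pilot_fraction=0.2):
    """Build one change record per patch, ordered by worst risk, with two rings.

    The pilot ring takes the least critical, least exposed assets first so that
    a patch that breaks something raises incidents on low-impact systems rather
    than on the crown jewels; the second ring follows once the pilot is clean.
    """
    by_patch = {}
    for p in feed:
        by_patch.setdefault(p.patch_id, []).append(p)

    plan = []
    for patch_id, rows in sorted(by_patch.items(),
                                 key=lambda kv: -max(risk_score(r) for r in kv[1])):
        order = sorted(rows, key=lambda r: (CRITICALITY_WEIGHT[r.criticality],
                                            r.internet_facing))
        n_pilot = max(1, int(len(order) * pilot_fraction))
        plan.append({
            "patch_id": patch_id,
            "max_risk": max(risk_score(r) for r in rows),
            "deadline_days": min(sla_days(r) for r in rows),
            "rings": [[r.asset for r in order[:n_pilot]],
                      [r.asset for r in order[n_pilot:]]],
        })
    return plan


def verify_patched(installed, patch_id, expected_assets):
    """Post-deployment validation: assets still missing the patch.

    `installed` maps asset -> set of patch IDs reported by the agent or CMDB.
    A non-empty result means the change cannot be closed and an incident is due.
    """
    return [a for a in expected_assets if patch_id not in installed.get(a, set())]


if __name__ == "__main__":
    for change in plan_rollout(SAMPLE_FEED):
        print(change)
```

The point of the ring split is the "incidents they may trigger" half of the heading: the pilot deliberately lands on a standard laptop before the internet-facing web tier and the critical database, and `verify_patched` is what closes the loop between SecOps validation and the ITSM change record.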
2. Containing the fallout from phishing attacks with automated incident response workflows
According to IBM's Cost of a Data Breach Report 2024, phishing came in as the second most common cause of data breaches, accounting for 15% of cases.
Instead of targeting your network directly, phishing attacks manipulate people into making mistakes. For example, by tricking employees into clicking malicious links or downloading malware, attackers get hold of the victim's credentials and, from there, move laterally to wherever those credentials allow.
While SecOps can take care of detecting phishing indicators and suspicious user activities, ITSM can trigger remediation actions through well-defined workflows for timely investigation and resolution to contain the impact swiftly.
Here's how the security and IT teams can work in tandem:
| SecOps | ITSM |
|---|---|
| Monitor and flag mass-mailed suspicious emails, unusual user behavior, login attempts, and other anomalies with UEBA and SIEM solutions. | Ingest alerts from SIEM tools, kick off security incident response playbooks, and cross-reference IAM data to identify the sessions the compromised user is active in and log them out of those sessions. |
| Set up alerts for phishing indicators like spoofed domains and malicious IPs and URLs. | Orchestrate incident response across IAM, PAM, and UEM apps to identify and disable compromised user accounts, isolate and shut down the compromised device, disable its USB ports, reset credentials, and revoke privileged access. |
| Raise security incidents to IT teams to initiate the resolution process. | Educate and train users via KB articles on how to spot phishing emails, report them, and also the steps to follow if they fall prey to an attack. |
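What the ITSM column above describes is an orchestrated containment playbook: take the SIEM alert, find the user's live sessions in IAM, and run a fixed sequence across IAM, PAM and UEM while recording every step on the ticket. The following is an added example for this article, not code from the vendor or from any of those products. The alert, the session table and the connector class are constructed stand-ins; in a real integration each connector method would call the corresponding IAM, PAM or UEM API. It also shows the failure mode a practitioner cares about: a step that fails must not silently stop the rest of the playbook.

```python
from dataclasses import dataclass, field

# Constructed SIEM alert (hypothetical rule name, user, device and indicators).
SIEM_ALERT = {
    "id": "SIEM-48211",
    "rule": "login_from_new_country_after_phish_click",
    "user": "jdoe",
    "device": "LAP-0331",
    "indicators": ["login.micros0ft-support.example", "203.0.113.45"],
}

# Constructed IAM session table: who is logged in where, and with what privilege.
IAM_SESSIONS = [
    {"user": "jdoe", "session": "s-101", "app": "mail", "privileged": False},
    {"user": "jdoe", "session": "s-102", "app": "vpn", "privileged": False},
    {"user": "jdoe", "session": "s-103", "app": "pam-console", "privileged": True},
    {"user": "asmith", "session": "s-200", "app": "mail", "privileged": False},
]


@dataclass
class Incident:
    """The security incident record the playbook writes its audit trail into."""
    ticket: str
    user: str
    device: str
    actions: list = field(default_factory=list)  # (step, target, status)
    contained: bool = False


class Connectors:
    """Stand-in for the IAM/PAM/UEM connectors; `fail_on` simulates an outage."""

    def __init__(self, fail_on=()):
        self.fail_on = set(fail_on)
        self.revoked_sessions, self.disabled_users = set(), set()
        self.isolated_devices, self.reset_users = set(), set()

    def _call(self, step, target):
        if step in self.fail_on:
            raise RuntimeError(f"{step} failed for {target}")

    def revoke_session(self, sid):
        self._call("revoke_session", sid)
        self.revoked_sessions.add(sid)

    def disable_user(self, user):
        self._call("disable_user", user)
        self.disabled_users.add(user)

    def isolate_device(self, device):
        self._call("isolate_device", device)
        self.isolated_devices.add(device)

    def reset_credentials(self, user):
        self._call("reset_credentials", user)
        self.reset_users.add(user)


def run_playbook(alert, sessions, cx: Connectors, ticket="INC-1001") -> Incident:
    """Contain a compromised user: sessions, account, device, then credentials."""
    inc = Incident(ticket, alert["user"], alert["device"])

    def do(step, target, fn):
        try:
            fn(target)
            inc.actions.append((step, target, "ok"))
            return True
        except RuntimeError as exc:
            inc.actions.append((step, target, f"failed: {exc}"))
            return False

    # 1. Cut live access first, privileged sessions before everything else.
    user_sessions = sorted((s for s in sessions if s["user"] == inc.user),
                           key=lambda s: not s["privileged"])
    ok = True
    for s in user_sessions:
        ok &= do("revoke_session", s["session"], cx.revoke_session)
    ok &= do("disable_user", inc.user, cx.disable_user)
    # 2. Stop the endpoint from reaching anything else (UEM isolation).
    ok &= do("isolate_device", inc.device, cx.isolate_device)
    # 3. Reset credentials only after the account is disabled and device isolated,
    #    otherwise the attacker can simply log in again with the new ones.
    ok &= do("reset_credentials", inc.user, cx.reset_credentials)
    inc.contained = ok
    return inc


def failed_steps(inc: Incident):
    """Steps that need manual follow-up by the service desk."""
    return [(step, target) for step, target, status in inc.actions if status != "ok"]


if __name__ == "__main__":
    result = run_playbook(SIEM_ALERT, IAM_SESSIONS, Connectors())
    print(result.contained, result.actions)
```

Two design choices matter here: the ordering (revoke and disable before resetting credentials, so the attacker never gets a window with fresh credentials), and the `&=` accumulation, which keeps running every step after a failure and leaves the incident marked not contained with a list of what the analyst still has to do by hand.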
3. Strengthening access governance and enhancing privilege management
Threat actors often try to exploit over-privileged accounts since they have direct access to the organization's most valuable assets. That's why you need to weave Zero Trust principles into your service request workflows and follow the principle of least privilege, where users are given access to only what they need and nothing more.
While SecOps can take care of enforcing security policies and detecting unusual access patterns and suspicious privilege escalation attempts, ITSM can help by streamlining access approvals, provisioning, and deprovisioning, ensuring that privileges are granted securely, tracked effectively, and revoked promptly.
Here's how the security and IT teams can work in tandem:
| SecOps | ITSM |
|---|---|
| Enforce policies to support the principle of least privilege and just-in-time access. | Receive, authorize, and administer access provisioning requests. |
| Monitor privileged sessions and record them for audit purposes. | Enforce governance with predefined workflows and multi-level approvals to ensure that access is granted only when authorized. |
| Detect anomalous user behavior and privilege escalation attempts and flag them to the IT team. | Automate privilege revocation during offboarding, role changes, or when the user's privileged session ends. |
| Notify IT teams to immediately trigger access revocation or modification workflows. | Transfer privileges to another approved privileged owner to prevent misuse of standing privileges by internal actors. |
| | Update access privileges on the CIs to keep the CMDB up to date. |
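The ITSM column above is essentially a lifecycle: request, multi-level approval, a time-bound grant, and revocation on expiry, offboarding or role change. The following is an added example for this article, not vendor code: a minimal ledger that models that lifecycle and, in `standing_privileges`, surfaces the grants with no expiry that a least-privilege review should be hunting. Users, roles, CIs and the approver count are constructed, hypothetical values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed reference time used by the demo and tests.
T0 = datetime(2024, 6, 19, 9, 0, tzinfo=timezone.utc)
HOUR = timedelta(hours=1)


@dataclass
class Grant:
    user: str
    role: str                       # e.g. "db-admin"
    ci: str                         # target configuration item
    requested_at: datetime
    ttl: Optional[timedelta]        # None means a standing (non-expiring) privilege
    required_approvers: int = 2
    approvals: list = field(default_factory=list)
    active: bool = False
    revoked_reason: Optional[str] = None

    def expires_at(self):
        return None if self.ttl is None else self.requested_at + self.ttl


class PrivilegeLedger:
    """Request -> approve -> active -> revoke, with JIT expiry as the default."""

    def __init__(self):
        self.grants = []
        self.user_role = {}          # job role per user, as fed from HR

    def request(self, user, role, ci, now, ttl=4 * HOUR, approvers=2):
        g = Grant(user, role, ci, now, ttl, required_approvers=approvers)
        self.grants.append(g)
        return g

    def approve(self, g: Grant, approver: str) -> bool:
        """Record one approval; the grant activates once enough distinct approvers sign."""
        if approver == g.user:
            raise ValueError("requester cannot approve their own request")
        if approver not in g.approvals:
            g.approvals.append(approver)
        if len(g.approvals) >= g.required_approvers:
            g.active = True
        return g.active

    def _revoke(self, g: Grant, reason: str):
        g.active = False
        g.revoked_reason = reason

    def sweep_expired(self, now) -> int:
        """Run on a schedule or when a PAM session ends; returns grants revoked."""
        revoked = 0
        for g in self.grants:
            exp = g.expires_at()
            if g.active and exp is not None and now >= exp:
                self._revoke(g, "expired")
                revoked += 1
        return revoked

    def offboard(self, user):
        for g in self.grants:
            if g.active and g.user == user:
                self._revoke(g, "offboarded")

    def change_role(self, user, new_role):
        """Role change from HR: every active grant is dropped; the new role re-requests."""
        self.user_role[user] = new_role
        for g in self.grants:
            if g.active and g.user == user:
                self._revoke(g, f"role changed to {new_role}")

    def active_for(self, ci):
        """What the CMDB should show as current privileged access on a CI."""
        return [g for g in self.grants if g.active and g.ci == ci]

    def standing_privileges(self):
        """Active grants that never expire: the list to review for least privilege."""
        return [g for g in self.grants if g.active and g.ttl is None]


if __name__ == "__main__":
    ledger = PrivilegeLedger()
    g = ledger.request("jdoe", "db-admin", "db-01", T0)
    ledger.approve(g, "mgr")
    ledger.approve(g, "secops")
    print("active:", [x.user for x in ledger.active_for("db-01")])
    print("revoked after 4h:", ledger.sweep_expired(T0 + 4 * HOUR))
```

Note that `approve` refuses self-approval and ignores a repeated approval from the same person, which is what "multi-level approvals" has to mean in practice; without the distinct-approver check a single requester-approver can satisfy any approval count.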
4. Bridging infrastructure visibility gaps with an asset inventory and a CMDB as the single source of truth
Knowing the extent of a security breach, including how far the attack has spread, which systems are compromised, and which services are affected, is the first step in responding to one. This calls for increased visibility across both the IT service desk and security teams.
While SecOps brings in the tools and expertise to detect and analyze threats, ITSM can provide better context by maintaining a single source of truth for assets, their relationships, and service impact through a reliable CMDB and asset inventory records.
Here's how the security and IT teams can work in tandem:
| SecOps | ITSM |
|---|---|
| Monitor and flag anomalies within the network, endpoints, and user activity via SIEM, UEBA, and threat intelligence tools. | Track, manage, and handle alerts and incidents reported by users or surfaced from monitoring integrations. |
| Monitor endpoint encryption status, active privileges, and software usage. | Prioritize and escalate breach-related incidents tied to affected assets. |
| Map out lateral movement paths to understand attack spread. | Maintain a network map of all systems and their connections with the CMDB as a single source of truth. |
| Record threat vectors, breach entry points, and indicators of compromise. | Assist in impact analysis by maintaining and leveraging service dependency maps in the CMDB. |
| Perform continuous security posture assessments through regular audits. | Collaborate on root cause analysis and resolution documentation after the incident is resolved. |
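Two rows of the table above, "map out lateral movement paths" and "assist in impact analysis by leveraging service dependency maps in the CMDB", are both graph walks over the same data. The following is an added example for this article, not vendor code. The CMDB and the network-reachability map are constructed, hypothetical data: an edge in `CMDB` means "depends on", so impact flows upward to business services, while `REACHABLE` records which hosts can talk to which, so attacker movement flows downward along it.

```python
from collections import deque

# Constructed CMDB: ci -> (ci_type, CIs it depends on). Hypothetical names.
CMDB = {
    "svc-dealer-portal": ("service", ["web-01", "web-02"]),
    "svc-inventory":     ("service", ["app-01"]),
    "svc-payroll":       ("service", ["hr-app"]),
    "web-01": ("server", ["app-01"]),
    "web-02": ("server", ["app-01"]),
    "app-01": ("server", ["db-01", "ad-01"]),
    "hr-app": ("server", ["db-02", "ad-01"]),
    "db-01":  ("database", []),
    "db-02":  ("database", []),
    "ad-01":  ("identity", []),
}

# Constructed reachability map: host -> hosts it can open connections to.
REACHABLE = {
    "web-01": ["app-01"],
    "web-02": ["app-01"],
    "app-01": ["db-01", "ad-01"],
    "hr-app": ["db-02", "ad-01"],
    "ad-01":  ["db-01", "db-02", "hr-app", "app-01"],  # domain controller reaches its members
    "db-01":  [],
    "db-02":  [],
}


def dependents_index(cmdb):
    """Reverse the dependency edges: ci -> CIs that depend on it."""
    rev = {ci: [] for ci in cmdb}
    for ci, (_, deps) in cmdb.items():
        for dep in deps:
            rev.setdefault(dep, []).append(ci)
    return rev


def impacted_cis(cmdb, compromised):
    """Every CI that transitively depends on a compromised CI (plus the compromised ones)."""
    rev = dependents_index(cmdb)
    seen, queue = set(compromised), deque(compromised)
    while queue:
        ci = queue.popleft()
        for upstream in rev.get(ci, []):
            if upstream not in seen:
                seen.add(upstream)
                queue.append(upstream)
    return seen


def impacted_services(cmdb, compromised):
    """Business services to raise and prioritize incidents for."""
    return sorted(ci for ci in impacted_cis(cmdb, compromised)
                  if cmdb.get(ci, ("",))[0] == "service")


def reachable_from(reach, start, max_hops=3):
    """Lateral-movement candidates within max_hops of `start`, with shortest paths (BFS)."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if len(paths[cur]) - 1 >= max_hops:
            continue
        for nxt in reach.get(cur, []):
            if nxt not in paths:
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    del paths[start]
    return paths


def breach_report(cmdb, reach, compromised, max_hops=3):
    """What the joint SecOps/ITSM bridge needs on one page."""
    lateral = {}
    for ci in compromised:
        for host, path in reachable_from(reach, ci, max_hops).items():
            if host not in lateral or len(path) < len(lateral[host]):
                lateral[host] = path
    return {
        "compromised": sorted(compromised),
        "impacted_services": impacted_services(cmdb, compromised),
        "lateral_candidates": lateral,
    }


if __name__ == "__main__":
    print(breach_report(CMDB, REACHABLE, ["web-01"]))
```

The two walks answer different questions for different teams: `impacted_services` tells the service desk which incidents to raise and in what priority, and `reachable_from` tells SecOps where to look next and which hosts to isolate before the attacker gets there, with the domain controller showing up as the pivot that turns a web-tier compromise into payroll exposure.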
Final thoughts
In today's threat landscape, achieving long-term resilience is becoming an elusive goal. One way to reach it is by building a cyber-resilient ITSM model embedded with a security-first approach. How you achieve this depends on how closely your IT and security teams work together. That's why you need to align your SecOps and ITSM strategies to give your organization the visibility and structure it needs to defend against cyberattacks and be prepared for whatever comes next.