ServiceNow, Inc. (NOW) Earnings Call Transcript & Summary
March 13, 2024
Earnings Call Speaker Segments
Gopi Krishna Boyinapalli (executive)
Hello, everyone. Welcome to the webinar Know Which Assets Are at Risk and Which are Protected. Thank you for joining this webinar. This is Gopi Krishna Boyinapalli. I'm from product management team and security operations, BU at ServiceNow. Today, I'll be walking through a new product that we have launched, Security Posture Control. I would start with the problem we are trying to address with this product. So on the agenda, we're going to talk about the problems faced by information security teams today and a bit of introduction to ServiceNow Security Operations, our product portfolio, where Security Posture Control fits in. And then I'll also cover a few details about Security Posture Control, how is it solving some of the problems that we're going to talk about; and also show a demo of the product with Demo. And finally, we'll open it up for any Q&A. Starting with the problems faced by cybersecurity teams, today, lack of visibility into enterprise assets or [ engine ] lack of visibility into the overall attack surface is a huge problem. If you look at these numbers, less than 1% of organizations have more than 95% visibility of all their enterprise assets. Having 95% visibility into the assets might sound like a good metric. But in reality, not having visibility into those 5% of assets could eventually lead to data breaches, causing huge costs for the enterprises in terms of leaked information or recovering from data breaches, et cetera. So it's important to get visibility into 100% of your enterprise assets, be it on-prem or cloud. As we can see here, very few organizations have complete visibility of their assets. And secondly, many of these organizations do not know how much of their attack surface is actually secured or protected.
What we mean by that is, if we know the enterprise assets that we own as an enterprise on on-prem or in cloud, many of these organizations do not know whether all these assets or devices are protected with the right set of security controls or right set of security tools, are all the vulnerabilities or misconfigurations being resolved actively on these assets? Are there any critical combinations that we need to pay attention to? So organizations do not have visibility into how much of their attack surface is actually secured or protected. So that is also another problem. So from cybersecurity team's perspective, what is it that they're actually looking for? From their perspective, first of all, they would like to know what assets do they own as an enterprise, getting visibility into everything that they own, there should not be any unknown or unmanaged devices on the network which could leave certain gaps in their attack surface that can be leveraged by their adversaries. Once they have the visibility into the enterprise asset inventory, the next question would be, what kind of security risk are present on devices? Do all these devices have the right set of security tools installed on them or are any of them unmanaged or unknown or rogue devices on the network? Do any of them have unauthorized or unsanctioned software installed on them? Are there any risky combinations involving vulnerabilities, misconfigurations and/or Internet exposure? Getting visibility into any of these security risks present on those devices is going to be critical. And then also understanding mitigation controls, for example, if it is a server, is it running behind the web application firewall? Or is it end-user laptop device? Does it have endpoint protection agent configured properly to block any exploits in runtime? Getting visibility into those mitigation controls is also going to be critical. 
Our results are going to be useful in prioritizing the security issues that you want to focus on. And finally, that leads us to the last question, how do I use all this information, be it security risks or mitigation controls on my devices, to determine what are the top critical assets we would like to focus on from a remediation perspective for remediating vulnerabilities, misconfigurations or any kind of security issues? So today, to get answers for all these questions, cybersecurity teams, in many organizations, are relying on inefficient manual processes, either through spreadsheet exports, or other manual methods, to see the data from various tools, security or IT tools, and derive conclusions about the current security tool coverage status of their assets and any security gaps present on those assets. In some cases, organizations are also using third-party point solutions that provide this visibility, but these third-party solutions come with their own problems. These third-party solutions tend to manage their own database of assets or their own configuration management database, which is a problem in itself because you are forced to synchronize the third-party solution CMDB with CMDB from a platform like ServiceNow and make sure that any issues or [ alerts ] on these third-party solutions are also imported into ServiceNow for automating the response workflows for these [ alerts ]. So that forces these customers, or organizations, to build integrations with these third-party point solutions, which is really a huge overhead in itself. So that's where Security Posture Control tries to answer some of these questions or solve these issues. Before we go into the details of how ServiceNow Security Posture Control can help with these problems, a short poll for you all today. How are you getting insights into security tool coverage of your asset today?
How do you know all these devices that you own have the right set of security tools installed on them, be it [ on-prem ] protection agent or vulnerability scanner? How do you get visibility into that? The options are using manual spreadsheet exports to understand the coverage or using a third-party solution or using a custom homegrown solution or you're not monitoring security tool coverage proactively today, that is not a problem you are focusing on. So I believe I leave it to you to answer this poll question. Looking forward to the answers here. And if you have any questions during today's webinar, please do submit them by our Q&A panel. If we don't answer your question [ slide ], we'll answer them after the webinar. And you can also access certain resources in the related content panel at the bottom of your screen. And we'd appreciate, finally, if you could also submit a survey at the end of the webinar. Again, looking forward to the poll results to see how many of you are using a third-party solution or a custom homegrown solution or even manual methods. I'm guessing, majority of you might say either custom solution or manual methods, but it would be interesting to see the results. All right. I think, yes, I think we have the results. Now please do -- if you haven't submitted your answer, please do submit your answer once you answer the poll. We'll just give it a few more seconds, and then we'll go to the next slide. All right. Thank you for answering this poll question. I appreciate it. Now let's understand what is the portfolio from Security Operations at ServiceNow? And where does Security Posture Control fit in? And how does it solve some of the problems or issues that we talked about? So ServiceNow's Security Operations product portfolio can be divided into 2 categories. On one end of the spectrum, we have products, and it is in the attack surface management problem.
With these products, you'll be able to manage and respond to vulnerabilities in your infrastructure, vulnerabilities found in your applications or container workloads, or misconfigurations in your servers or cloud infrastructure. On the other end of the spectrum, we have a set of products or a series of products helping you respond to these security incidents or different types of incidents. It could be a phishing incident or it could be a major security incident or it could be a data loss prevention incident. And we also have a few features in place to let you use the [ tracking ] diligence data as part of your security incident investigation. Now, Security Posture Control tries to address on the attack surface management side. It provides additional visibility into any security hygiene and posture gaps in your assets. So the way Security Posture Control solves this problem means by connecting with various security and IT tools that you own as an enterprise. It could be your endpoint protection tools or vulnerability scanners like Qualys, Rapid7, Tenable or it could be your [ active directory ] or cloud provider, it could be IT tools, the configuration in [ cache ] management tool like SCCM from Microsoft, for example. Whatever is the set of tools that you are using, security and IT tools, Security Posture Control can connect with all these tools using APIs, gather or collect asset data and software data, along with the security or IT tool configuration data, and process this data insights about the assets. And when you use or install Security Posture Control, when you connect Security Posture Control with various sources of these assets, you would get a holistic assessment of security posture for any given asset and the asset security posture assessment includes insights related to security tools coverage on those assets. Do those assets have critical security tools like endpoint protection agent running on them?
Is the right version of agent running on those devices? Is the agent active? Or is the agent not active? And is that configured properly? For example, if it's [ CrowdStrike ], what kind of device policies are enforced on the device? And is the device itself, is it managed device or unmanaged device? And what kind of software does that device have or any critical combinations on the device, including vulnerabilities, security tool coverage issue and/or Internet exposure? And just to talk a little bit about more how the security tool coverage works, as we mentioned earlier, the first step for you would be to enable API access for various security and IT tools. So ServiceNow offers what we call Service Graph Connectors. These are applications available on ServiceNow store. So depending on the tool that you are using today, there is a Service Graph Connector application available for various tools on ServiceNow store already. You'll have to download that application, enable API access for those tools. And as soon as you do that, the Service Graph Connectors will start [ populating ] asset data and software data into CMDB or software asset management tables, depending on whether you are using ServiceNow Software Asset Management. And in this process, our CMDB, your configuration management database, will also get enriched and matured with the right set of asset data. And once the asset data is [ populated ] in CMDB, Security Posture Control will [ query ] this asset data from CMDB along with the security tool configuration data that is stored separately from CMDB to understand the coverage of various security tools on how they are configured on these devices. To give you an example, here is an example where -- an asset that is reported by different sources or different Service Graph Connectors like Cisco, Active Directory and [ LogicMonitor ], is not reported or not seen by CrowdStrike Service Graph Connector.
So that means this device is missing CrowdStrike agent because CrowdStrike does not recognize this device. This is a very simple example of identifying the security tool coverage gaps. But with Security Posture Control, you can be really granular, define policies to look for specific class of devices. For example, Windows 10 desktop devices or specific types of devices with certain host name patterns. And devices running or not running a specific version of these agents? Are devices reported or not reported by a combination of various security and IT tools? And we'll see some of that as part of the demo in the next few minutes. And Security Posture Control does not stop with providing visibility. This is not a visibility-only product. Once we identify any security gaps, be it missing security tools or critical combinations with vulnerabilities, Security Posture Control publishes all these findings into a module called Configuration Compliance within ServiceNow that allows security teams to automate the remediation workflow for these security issues. So as an information security analyst, you can automatically assign these issues to the right teams, be it IT ops team, or application teams, based on the type of security issue that was identified or based on the device where the security issue was identified; group those issues into remediation of tasks, set remediation targets for remediation owners, manage exceptions when remediation owners request for exceptions, define who should approve those exceptions and also define risk score for these security issues based on business application and application service context from ServiceNow configuration management database. So what Security Posture Control is offering here is an end-to-end solution. It's not just providing visibility, but it's also providing tools for security teams to automate the remediation of some of these security gaps. Another quick poll question for all of you.
How are you managing the remediation of security tool coverage issues today? In case you are monitoring the security tool coverage through manual methods or using a custom tool or using a third-party solution, how are you remediating those issues today? How are you following up with the remediation teams to make sure that these issues are resolved? So the options are manually following up with IT ops team to install these tools or using ServiceNow ITSM, maybe if you're using a third-party solution, you are creating ITSM incidents to track these issues or using automated scripts to install these agents or restart the agents or using a combination of manual methods and scripts to install the required tools. Would be interesting to see how many of you are using automated scripts and ServiceNow ITSM. We hear a lot of customers using ServiceNow ITSM to track certain issues like this. So it would be interesting to see the results. Again, a reminder, if you have any questions during this webinar, you can submit them via Q&A. And if we don't answer your questions live, we'll definitely get back to you after the webinar. And you can also download resources in the related [ content ] panel. And we'd also appreciate if you could please submit the survey at the end of the webinar. All right. Please don't forget to click on Submit when you answer your poll question giving it a few seconds before we get on to the next sections. All right. Thank you all for responding to the poll question. I appreciate it. Another quick poll question before we go into the next section, which is a demo of the product. Are you following the change request approval process before installing the agents? In case you are using automated scripts or using ITSM incidents or manually following up with various teams, how are you incorporating the change request approval process into remediating some of these issues?
The answers or options are yes, for all types of devices and assets; change approval is required only for servers, not for end-user devices; we are not following change management process at all today, we're just directly deploying the agents or remediating the issues. Would be interesting to see how many of you would answer not following change process at all. What we hear from customers is that many of them do not require change approval if it's an end-user laptop kind of a device. But typically for servers, they do go through the change approval process. Very curious to know what you are all following in terms of change request. All right. Again, please don't forget to click on Submit when you are submitting your answers. All right. So giving it a few more seconds before we close the poll. All right. Great. Fantastic. Thank you all for submitting your answers. Let's move on. One more slide before I go into the demo and show you how Security Posture Control product works. We talked about how Security Posture Control naturally leverages configuration management database to provide visibility into some of the critical insights and also provides end-to-end solution, providing visibility into security gaps as well as providing tools for automating the response workflows for those security gaps. Another advantage that you would get by using Security Posture Control is the platform advantage from ServiceNow. Any insights from Security Posture Control or any issues that are identified with the Security Posture Control can be mapped to control objectives in integrated risk management. If you are using ServiceNow integrated risk management, it's very easy to map some of the policies from Security Posture Control with the various control objectives and different security benchmark frameworks. 
So that when Security Posture Control identifies violation of these policies in any of the devices in your enterprise, the status of the control objective or the compliance status of these control objectives would be changed immediately based on the policy violation status reported by Security Posture Control. What that means is compliance managers would get immediate visibility into overall compliance of various security benchmark frameworks based on findings reported by Security Posture Control. And this is possible through in-built integration between Security Posture Control and integrated risk management. You don't need to build any custom integration. All you have to do is to create some mappings between Security Posture Control policies and control objectives in integrated risk management. Again, this is another unique feature, which is also an advantage. If you are using Security Posture Control versus a third-party solution per se, if you're using a third-party solution, again, you'll have to build a custom integration to pull in those alerts and then [ lap ] to the control objectives. This is all made possible because of the common platform that ServiceNow uses. Every asset that we process for identifying any of the security gaps is based -- or restored in configuration management database. That is the single source of truth, based on which various products in ServiceNow operate. All right. So now, it's time for seeing a demo of the product. I would love to show a quick glimpse into this product, how this works. So let me share my screen here. When you log in as an information security analyst, you can see an overview of all the assets being monitored by Security Posture Control, on-prem and cloud, how many issues are found by criticality? And what are the top 5 sources of these assets? Are Service Graph Connectors reporting these assets?
And what are some of the key insights generated by Security Posture Control, insights will lead to your endpoint protection coverage? How many devices do you have that do not have an endpoint protection agent running on them? How many unmanaged devices do you see in your enterprise? Unmanaged devices could refer to devices missing configurational patch management agent like SCCM or devices missing endpoint management solutions like Intune. Vulnerability scan coverage, any devices missed out by your vulnerability assessment tools that you need to pay attention to and any critical combinations of assets with vulnerabilities and [ machine ] security tools like endpoint protection, et cetera. All these insights are powered by sort of out-of-the-box policies. So if you go in here, look at the list of all the policies supported by Security Posture Control, so we're going to filter for out-of-the-box policies, you can see there is a set of policies [ shipped ] by ServiceNow by default, looking for assets missing critical security tools like endpoint protection, looking for combinations of vulnerabilities and missing security tools. In case of cloud assets, we are also looking for internet exposure of the cloud assets in combination with either missing security tools and/or critical vulnerabilities. Taking a look at one of these policies, asset missing endpoint protection, Security Posture Control identifies missing security tool or coverage gaps by comparing the asset data reported by various sources. For example, in this case, this policy is looking for assets not reported or seen by endpoint protection tools, but seen or reported by various other types of tools, including infrastructure monitoring, [ active ] directory, et cetera. You can also create your own custom policies with -- in this case, the sample of Windows 10 AD devices, missing CrowdStrike's latest version.
Essentially, you are looking for any devices reported by active directory or present in active directory of your own industry in Windows 10 devices. And you're also looking for the agent version of the CrowdStrike that's running on those devices, whether it's the latest version or not. You can create insights -- findings from these policies to automate the response workflows or you can also, alternatively, create your own insights. For example, you can do a new insight and create different types of widgets comparison chart, match count, match percentage. Or you want to see how policy match is trending for your enterprise assets, how many assets are matching a given policy over a period of time? How is it trending? You can create a policy match trend chart. In this stage, we already have a set of insights created and published. When you publish these insights, you can see those insights in custom insights dashboard. This is a very quick demo of what you can accomplish with the Security Posture Control, if you are interested in learning more, please do let us [Audio Gap]. Moving on, one more poll question. Are you interested in learning further about the solution? Please do let us know. Yes, I'm interested. No, we were already using another solution and happy with it. And no, this is not our focus at this point. I'd be surprised to see many answers for number 3 as we understand from our customers, this is one of the major pain points that our customers are trying to deal with. Would love to see what your response is for this question. Again, final reminder, if you have any questions, please do submit them on Q&A panel. If we don't answer in this webinar, we'll definitely get back to you after the webinar. And you can also access resources in the related content panel at the bottom of your screen. And finally, we'd also appreciate if you could submit the survey at the end of the webinar. We are looking for your feedback always. 
I would appreciate any feedback you could provide. All right. Giving it a few more seconds before we close up the poll. Please don't forget to submit. If you haven't done it already, submit your answers on the poll question. All right. Thank you. All right. So that's all I had for today's presentation. We'd be happy to answer any questions you have, please do submit your questions in Q&A. Happy to answer those questions. All right. We have a few questions coming in now.
Gopi Krishna Boyinapalli (executive)
I see a question here about connector support. If multiple connectors report the same asset, will it result in any duplicated records? So yes, any Service Graph Connector or API connector that you enable, when it reads the asset data from the source, it's going to push the asset record into CMDB. In that process, we have something called Identification and Reconciliation Engine, IRE. The IRE engine would take care of comparing the incoming asset record data with already-existing assets in your CMDB and make sure that no duplicate records are created. For example, we see CrowdStrike Connector reporting an asset with a given host name and we see Qualys also reporting the same host name, probably additional attributes such as MAC address. When Qualys reports that asset, IRE would know that this asset is already present, it was already created by CrowdStrike in CMDB. So it is going to update the same asset record, with additional data coming in from Qualys. So we have the reconciliation engine in place to make sure there are no duplicate records. All right. So there are more questions. Yes. Do I need to have a mature and complete CMDB before I can use this product? Even if you think that your CMDB is not 100% mature, it is absolutely not a problem to start using this product because when you -- one of the prerequisites for SPC, or Security Posture Control, is to enable API connection with various sorts of asset data, be it your security tools or IT tools. In that process when you enable the Service Graph Connectors, these connectors will populate your CMDB. And in that process, your CMDB will also get enriched and more mature. So it's absolutely okay to not have a perfect CMDB in place before using this product. Okay. Great questions. So let's see if we have more. We have a question here about a custom connector. Is it possible to build a custom API connector with our own data source and use it? The answer is yes.
We have a guidance or a guide available for building Service Graph Connectors. You can build a Service Graph Connector easily. Given that ServiceNow is an extensible platform, you can easily build a custom connector with your own data source. And there is a series of steps that are available, that are documented, that you can follow to register that connector with Security Posture Control. So once you build the connector, it's only about configuring that connector with Security Posture Control, so that Security Posture Control will start reading asset data from that connected source as well. Let's see if there are more. Yes, the other question that I see here is, is it possible to use life cycle stage of an asset -- a life cycle state of an asset from CMDB in the policies or queries? Absolutely, yes. You can define your policies based on the life cycle stage of an asset, whether it's decommissioned or any other state that you are interested in monitoring. We have provision in the policy builder for you to use to select any specific life cycle stage or for a given CMDB, CI, a configuration item as part of your policies. Again, that's the advantage of Security Posture Control as well because it's built on the foundation of CMDB. Any data that's available in CMDB configuration items is -- you can use that data to define your own queries or policies. And one more question I see here about remediation. Can remediation owners request for exceptions when tickets are assigned to them? Yes, not just that. When we create tickets or issues and assigned to the remediation owners, there is a set of controls that administrators can use to automate the entire remediation workflow. It includes automatically assigning these issues to the right teams, based on certain criteria, grouping those issues into what we call as remediation tasks. For example, if you see multiple issues on the same device, you can group all of them into one single remediation task for the IT ops team.
You can also manage exception requests, so you can define approval process for a given exception request. Let's say, IT ops team comes in and says, "This asset would not install a given agent on this asset due to so and so reason." They can request for an exception with a valid reason. It could be -- if it's not available or awaiting the maintenance window, whatever it is, they can specify the reason, and it can go through a series of approvals before finally, the issue gets moved to the deferred state. So it's definitely possible to control the exception request process for the issues. Great. Yes, great questions there. Thank you for your participation. Moving on, please don't forget to register for and join us on -- in Las Vegas from May 7 to May 9 for Knowledge. Knowledge is the biggest event from ServiceNow, happens annually. This time, we have more than 500 breakout sessions, and you'll have a chance to meet with experts one-on-one to get help with any of the questions that you may have. We look forward to seeing you there in Knowledge in the month of May. And you can also register for checkout or on-demand webinars. You can see these webinars at https://www.servicenow.com/events/on-demand-webinars.html. You'd find some good information in these on-demand webinars. All right. So with that, I would like to thank you all again for your participation, for your questions, some great questions there. Thank you all again for your time. I appreciate it.