MI-One Issue #12 - Columba Edition

2025's emerging cybersecurity trends and a closer look at ServiceNow's ecosystem.

Hi there.

As we move deeper into 2025, we're seeing the cybersecurity landscape continue to evolve at an unprecedented pace.

Where January typically focused on early predictions, February gives us a chance to observe how emerging trends are materializing.

First up, let’s examine a few key developments we're seeing in the security integration space and how they're building off the foundations we discussed last month.

A few of the major trends that have gained significant momentum in recent weeks include:

The rise of Federated Security Operations is emerging as a key focus area, building upon last month's ASOC trend. Microsoft, Google Cloud, and AWS, among other major players, are enhancing their security offerings to support this model, while specialized vendors like Wiz, SentinelOne, and CrowdStrike are expanding their capabilities to facilitate cross-cloud security operations. ASOC trend related to integration is the orchestration of multiple security tools to create a unified, automated response ecosystem. For example, CrowdStrike or SentinelOne detects phishing activity on endpoints, triggering IOC data to Google Chronicle for real-time correlation with cloud security data from AWS GuardDuty. Wiz identifies cloud misconfigurations and vulnerabilities, enriching threat context in Chronicle for cross-platform analysis. CrowdStrike or SentinelOne then executes endpoint quarantine and remediation, synchronizing updates via ServiceNow for coordinated SOC response.
The integration of Generative AI capabilities into security workflows is accelerating. We're seeing more and more applications, particularly in threat hunting and incident response. Security platforms are moving beyond basic AI-powered alerting to provide context-aware recommendations and automated response playbooks. For example, Google Security Operation (formerly Chronicle) integrates Generative AI for threat detection, using machine learning models to analyze large datasets and detect anomalies across logs, network traffic, and endpoints. It enriches security data by correlating with external threat intelligence using APIs like MISP and OpenDXL.

Google SecOps uses Generative AI models, specifically from Google Vertex AI, to automatically generate detailed incident reports in natural language, summarizing the attack’s scope, timeline, and affected assets. Vertex AI integration with GoogleSecOps launched in Google SecOps Marketplace 3 weeks ago.

With Sailpoint's IPO last week and the first significant listing for a cybersecurity company this year, it signals a refocus towards identity-first security. One of the main challenges organizations face is the fragmentation of identity data across multiple systems. This is where Identity-First Security Integration becomes crucial. In an Identity-First Security workflow, tools like Okta or SailPoint manage user authentication and access controls, integrating identity data with XDR for anomaly detection. SIEM aggregates security logs, correlating identity events with system activities to identify threats. SOAR automates response actions such as account lockdowns and endpoint isolation, ensuring swift containment and remediation of incidents.
Data Security Platforms are rapidly evolving with a focus on unified platformization. Platformized DSPM solutions consolidate various data security functions, reducing the complexity of managing different security silos. These platforms integrate data classification, access controls, data encryption, and data loss prevention (DLP) into a unified platform. A data breach or misconfiguration in any part of the network is detected across all connected systems in real-time, ensuring consistent policy enforcement and threat detection. The recently announced partnership between Check Point and Wiz is an integration that strengthens DSPM by providing real-time cloud risk visibility and vulnerability detection (Wiz), combined with advanced threat prevention and automated response (Check Point). Wiz continuously scans for misconfigurations and data exposure, while Check Point applies intrusion prevention and security policy enforcement. This unified platform enables continuous compliance, automated threat mitigation, and proactive data protection across multi-cloud environments.

Now, let's take a look at what’s happening elsewhere in the industry.

Under the Lens — ServiceNow

Expanding your organization’s security playbook can appear daunting at times. With so many tools, platforms, and integration options available it’s not always clear where the most immediate benefits lie.

In this month’s edition, we’re taking a closer and more curated look at the ServiceNow suite of security products.

Let's begin with the basics. ServiceNow provides an integrated security and operations platform across key areas:

Security Operations:
1. ServiceNow SecOps delivers security incident response, vulnerability management, and threat intelligence in a single platform, connecting security and IT teams for faster resolutions.
2. ServiceNow Vulnerability Management specifically handles the complete vulnerability lifecycle, from identification to remediation, with risk-based prioritization and automated workflows. ServiceNow NVD integration assists with managing such vulnerabilities.
3. Security Incident Response (SIR) orchestrates the entire incident response lifecycle, from detection and analysis to containment, eradication, and recovery. SIR automates workflows, facilitates collaboration, and provides a centralized platform for managing security incidents, minimizing their impact, and ensuring timely resolution.
IT Service Management & Infrastructure:
1. ServiceNow ITSM forms the backbone of IT service delivery, incident management, and change management processes.
2. Incident Management streamlines the process of recording, classifying, investigating, and resolving incidents, minimizing downtime and service disruptions.
3. Service Operations Workspace provides a unified, modern interface for IT teams to manage incidents, problems, changes, and other service-related tasks efficiently. It offers real-time dashboards and contextual information for improved productivity.
4. Asset Management tracks and manages IT assets throughout their lifecycle, from procurement to disposal, ensuring accurate inventory and enabling better decision-making.
5. At its core, the ServiceNow CMDB (Configuration Management Database) maintains a single system of record for all IT assets and their relationships.
6. Service Graph Connectors extend this capability by automatically populating and maintaining CMDB data from various sources, ensuring accurate infrastructure visibility.
IT Operations:
1. ServiceNow ITOM (IT Operations Management) enables service mapping, event management, and operational intelligence, with Discovery and Service Mapping providing comprehensive visibility into IT infrastructure.
2. ServiceNow integrates with firewall management tools to automate audit processes, generate reports on firewall rule compliance, identify potential security gaps, and ensure adherence to security policies.
Platform Security:
1. ServiceNow Platform Security includes role-based access control, encryption, and audit logging, while Now Platform serves as the foundation for secure application development and workflow automation.

Optimizing ServiceNow Platform Usage:

Utilize Flow Designer: Easily build automated workflows without coding using Flow Designer's drag-and-drop interface. Create reusable workflows and set up automated processes that start based on specific triggers, performing pre-defined actions. Connect your different business applications using pre-built connectors from Integration Hub.
Data normalization and cleansing: Ensure data quality by implementing data normalization and cleansing processes. The data can be sent to import sets and further transformed via Transform Map for data mapping and normalization. This is crucial for accurate reporting, analytics, and automation.

Use REST APIs: Leverage ServiceNow's REST APIs to integrate with other systems and applications. REST API allows us to insert data into ServiceNow. We can make use of their various built-in endpoints. Rather than using the API for outbound purposes, these APIs are used to send data to ServiceNow. These APIs also allow easy ingestion of webhook/stream data into ServiceNow.
Make use of Service Graph Connectors by fetching information on all assets in your organization. The data is then pushed into ServiceNow CMDB. The data can be leveraged in Security Incident Response and Vulnerability Response and if devices or assets are affected, necessary actions can be taken once the data is added to CMDB. For Vulnerability Management, in case of vulnerability detection, the Service Graph Connector allows us to find which device(s) is affected.

ServiceNow Integration Best Practices:

Authentication & Authorization
- Implement OAuth 2.0 or mTLS instead of basic auth
- Define granular OAuth roles with specific scopes
- Maintain regular rotation of API credentials

Data Management
- Standardize data models between ServiceNow CMDB and security tools
- Use Service Graph Connectors for accurate CMDB mapping
- Implement robust CI identification rules to prevent duplicates

Event Processing
- Configure webhooks for significant security events only
- Implement deduplication for incident creation
- Set up appropriate rate limiting on both sides

API Optimization
- Use pagination for large datasets (e.g., 1000 records per request)
- Implement bulk synchronization instead of individual calls
- Monitor and respect API rate limit
- Outbound API calls should be asynchronous to prevent the ServiceNow Server from waiting for a response.

Infrastructure
- Deploy dedicated MID Servers for security integrations
- Position MID Servers in the respective network zones
- Enable proper logging and monitoring
- Implement high availability with redundant endpoints

Automation
- Utilize Flow Designer and IntegrationHub for workflows
- Configure bi-directional updates between systems
- Implement automated incident triage with decision trees

Security Application and Version Updates

Splunk Platform's OpenSSL 3 Migration is planned for later in 2025 for both Splunk Cloud and Enterprise, bringing several important changes:
- Apps will need explicit opt-in for compatibility with the new version through Splunkbase's app release page.
- Platform upgrades include Python 3.9, NodeJS 20, and exclusive TLS 1.2 support (older SSL/TLS versions deprecated).
- Testing requirements now mandate validation against the Splunk Enterprise Beta to ensure OpenSSL 3 compatibility.
- Developers must update incompatible apps by April 2025 to avoid any service disruption.

Palo Alto Network’s Cortex XSOAR 8.9 was made generally available in February 2025 with a bunch of updates some of which are mentioned below:
- Playbooks received a visual refresh and now have collapsible sections for improved navigation.
- Development tenants now have unlimited user licenses.
- Other enhancements include bulk actions for retaining incidents, improved War Room filtering, enhanced engine upgrades and broader platform support, better remote repository management, deeper audit logging, Syslog integration for logs and alerts, new Guard Rail alerts, and new administration APIs.
- Release notes include more details of the update.
OCSF recently released its latest version, v 1.4.0 with the following updates:
- New Category: "Unmanned Systems" category added.
- New Event Classes: Several new event classes were added across categories, including "OSINT Inventory Info," "Script Activity," "Drone Flights Activity," "Airborne Broadcast Activity," "Cloud Resources Inventory Info," and "Application Error."
- New Profile: "incident" profile was added.
- New Dictionary Attributes: Numerous new attributes were added, including has_mfa, environment_variables, related_cves, exploit_last_seen_time, and attributes to support SBOM data (sbom, author, software_component, etc). Support for unmanned systems data (altitude, speed, location) was added.
Palo Alto Networks' Cortex XSIAM released version 2.5 with security operations updates. Key updates include:
- Expanded Capabilities: Streamlined SIEM upgrades with bulk data import, enhanced investigations with MITRE ATT&CK TTPs and enriched Causality Forensics Highlights, Prisma Access Browser integration, website data in ASM, and expanded automated exposure remediation.
- Enhanced Platform: Improved Broker VM visibility and auditing, enhanced version compatibility notifications, additional alert fields in emails, simplified self-service asset management, War Room filtering, custom alert field mapping, new rule tags, protection against malicious ASP/ASPX files, visibility of CVEs without CVSS scores, integration permissions via RBAC, new API capabilities, playbook collapsible sections and visual refresh, role-based access control for integration commands, and more.

You can find more details in their official release notes.

Insights: From Our Integration Factory

Google SecOps + OT Security: This integration between Google SecOps and OT security solutions enhances threat detection and incident response capabilities within operational technology environments. By ingesting OT security data into Google SecOps, organizations gain a unified view of their security posture across both IT and OT domains. This allows for more comprehensive threat analysis, faster incident investigation, and improved overall security management for critical infrastructure.
Key Data Streams:
- Security Logs and Alerts: Captures security events and alerts generated by OT security tools, such as intrusion detection systems, firewalls, and endpoint protection platforms.
- Asset Inventory and Configuration Data: Imports information about OT assets, including devices, controllers, and network infrastructure, along with their configurations and relationships.
- Vulnerability and Threat Intelligence: Ingest vulnerability data specific to OT devices and systems, along with threat intelligence feeds.

Cortex XSOAR + IoT Security: This integration allows security teams to automate incident response workflows for IoT devices. By connecting Cortex XSOAR with IoT security platforms, organizations can automatically trigger actions based on detected threats or vulnerabilities. This includes actions like isolating compromised devices, patching vulnerabilities, or notifying relevant stakeholders.

This automation accelerates response times, reduces manual effort, and improves the overall security posture of IoT environments.

ServiceNow Vulnerability Response + OT Security: This integration extends vulnerability management capabilities to operational technology environments. By integrating ServiceNow Vulnerability Response with OT security solutions, organizations can centralize vulnerability data from both IT and OT assets. This consolidated view enables security teams to prioritize and remediate vulnerabilities across the organization, reducing the risk of cyberattacks.
We released Splunk NVD-CVE-Fetcher-App version 1.0.3 in February 2025. This latest version includes an update to the Splunk_SDK to its newest version. The app requires Splunk Enterprise 9.0 or above and allows Splunk administrators to fetch vulnerabilities from the National Vulnerability Database (NVD) into Splunk. It uses a dedicated "nvd_vulnerabilities" index and can be configured with customizable polling intervals. The app supports optional API key authentication and allows users to specify how many historical days of vulnerability data they want to fetch.

The previous version (1.0.2) was released in July 2024 and included updates to internal libraries and the Splunk Addon builder.