Companies and organizations in our modern world have a big problem — there are not enough people with the right skill set. What kind of people? Cyber security experts that can handle their company’s security incidents. This is not a new problem.

As a result of this, more and more organizations are outsourcing their security operations to Managed Security Services Providers (MSSP). A MSSP has a goal to prove their ongoing value to customers by protecting customers from advanced threats. For a MSSP, however, this also brings enough challenges. How do you handle the security incidents of multiple customers? What if you have 100 customers, generating 10 incidents each and every day? This is where automation comes in to play.

Want to learn about Cisco Secure Endpoint,
and see a live demo of this cool use case?
Register to join our live webinar
March 16th at 9:00 AM Pacific Time | 17:00 London, UK (GMT)

What is Cisco Secure Endpoint?

Cisco Secure Endpoint (formerly known as AMP for Endpoints) is a cloud managed, subscription-based SaaS solution to protect Windows, Mac, Linux, Android and iOS endpoints. It is part of the “AMP Everywhere” integrated architecture with intelligence sharing with Cisco Secure Firewall, Secure Email, and more. It handles prevention, detection, and response in a single security agent (connector).

Due to the flexible licensing options, and a dedicated multi-tenant MSSP SaaS interface, this is a go-to choice for MSSPs. It has an easy way to create API keys for all tenants (customers) and also a new API to create new tenants. Obviously, Secure Endpoint prevents most security incidents from happening, however certain events still require human intervention and research. How to handle this for multiple customers will be discussed below.

Secure Endpoint MSSP

A cool use case with ServiceNow

ServiceNow (Service-now in 2011) is an American software company based in Santa Clara, California that develops a cloud computing platform to help companies manage digital workflows for enterprise operations. ServiceNow Incident Management supports the incident management process with the ability to log incidents, classify by impact and urgency, assign to appropriate groups, escalate, resolve, and report. Many service providers (and MSSP) use ServiceNow as a platform to handle all incoming tickets and incidents.

Any user can record an incident and track it until service is restored and the issue is resolved. Each incident is generated through various methods (e.g. the API) as a task record that contains pertinent information. Incidents can be assigned to appropriate service desk members, who document the investigation and resolve the task. After the incident is resolved, it is closed. All of this can be done using APIs as well. If you want to try this out, I recommend opening a ServiceNow developer instance:

How to get started? Try this out!

To show you what an example flow could be to handle security incidents, I have created a set of SecureX orchestration workflows that work together. The idea is that one can have multiple customers, all generating Secure Endpoint events. That being said, the MSSP service desk does not have time to check all of the Secure Endpoint dashboards every couple of minutes to check for new events. They work in ServiceNow as a single pane of glass, so they would like to integrate this with Secure Endpoint (via SecureX). Therefore, the set of example SecureX orchestration workflows do the following:

  1. (AMP) Security events occur and trigger first workflow.
  2. Parsing happens per tenant, per event.
  3. Actions are taken for AMP, SecureX and ServiceNow (and easily add more modules).
  4. Service desk uses single platform (ServiceNow) to handle events. Threat hunting happens in SecureX.
  5. When ServiceNow incident is closed, it automatically triggers response actions in SecureX.

Want to see a demo? Check this out:

Want to try this at home? Check this out (please test thoroughly before using in production!): https://github.com/chrivand/amp-mssp-events-to-snow

Register to join our live webinar
March 16th at 9:00 AM Pacific Time | 17:00 London, UK (GMT)


We’d love to hear what you think. Ask a question or leave a comment below.
And stay connected with Cisco DevNet on social!

Twitter @CiscoDevNet | Facebook | LinkedIn

Visit the new Developer Video Channel


Christopher Van Der Made

Product Management Leader

Cisco XDR