The Future of Keeping Your Organization Safe

Automated Security Incident Response: The Future of Keeping Your Organization Safe. Joseph Blankenship, Senior Analyst. November 9, 2016

Transcript of The Future of Keeping Your Organization Safe

Page 1: The Future of Keeping Your Organization Safe

Automated Security Incident Response: The Future of Keeping Your Organization Safe

Joseph Blankenship, Senior Analyst

November 9, 2016

Page 2: The Future of Keeping Your Organization Safe

© 2016 Forrester Research, Inc. Reproduction Prohibited 2

Security Teams Are Overwhelmed

“We've all got our switches, lights, and knobs to deal with, Striker. I mean, down here there are literally hundreds and thousands of blinking, beeping, and flashing lights, blinking and beeping and flashing - they're *flashing* and they're *beeping*. I can't stand it anymore! They're *blinking* and *beeping* and *flashing*! Why doesn't somebody pull the plug!”- Buck Murdock, Airplane II: The Sequel

Page 3: The Future of Keeping Your Organization Safe


Security Staffing Remains A Top Concern

› Security teams are understaffed

• 62% of enterprises report not having enough security staff

› Finding the right skills is also a challenge

• 65% of enterprises state finding employees with the right skills is a challenge

Source: Forrester Business Technographics Global Security 2016

Image: www.flickr.com/photos/dt10111/2901811351

Page 4: The Future of Keeping Your Organization Safe


We Spend A Lot Of Time Doing The Little Things

› Security teams spend too much time on day-to-day tasks

• 65% of enterprises state that tactical activities taking up too much time is a challenge

Source: Forrester Business Technographics Global Security 2016

Page 5: The Future of Keeping Your Organization Safe


Threats And Vulnerabilities Remain The Focus

Base: 856 North American & European security technology decision-makers (1000+ employees)

Source: Forrester's Global Business Technographics® Security Survey, 2015

Page 6: The Future of Keeping Your Organization Safe


53% Of Firms Surveyed Were Breached In The Past 12 Months

“How many times do you estimate that your firm's sensitive data was potentially compromised or breached in the past 12 months?”

(Pie chart; values paired with the response options in the order they appear on the slide.)

No breaches in the past 12 months: 47%
Once: 11%
Twice: 16%
Three to five times: 14%
Six to 10 times: 5%
11 to 25 times: 2%
More than 25 times in the past 12 months: 1%
Don't know: 4%

Base: 1,167 network security decision-makers

Source: Forrester’s Global Business Technographics Security Survey, 2016

Page 7: The Future of Keeping Your Organization Safe

The lack of speed and agility when responding to a suspected data breach is the most significant issue facing security teams today.

Source: Forrester’s “Rules of Engagement: A Call to Action to Automate Breach Response” report.

Page 8: The Future of Keeping Your Organization Safe


PII, Credentials, And IP Are Top Targets

“What types of data were potentially compromised or breached in the past 12 months?”

(Bar chart; values paired with the data types in the order they appear on the slide.)

Personally identifiable information (name, address, phone, Social Security number): 31%
Authentication credentials (user IDs and passwords, other forms of credentials): 30%
Intellectual property: 30%
Corporate financial data: 29%
Payment/credit card data: 26%
Website defacement: 26%
Account numbers: 25%
Other personal data (e.g., customer service data): 16%
Other sensitive corporate data (e.g., marketing/strategy plans, pricing): 10%

Base: 619 network security decision-makers whose firms have had a security breach in the past 12 months

Source: Forrester’s Global Business Technographics Security Survey, 2016

Page 9: The Future of Keeping Your Organization Safe


We Have LOTS Of Security Solutions

Source: Momentum Partners

Page 10: The Future of Keeping Your Organization Safe


Analysis Today Is Largely Human Based

Source: Forrester’s Security Operations Center (SOC) Staffing

Page 11: The Future of Keeping Your Organization Safe


Too Many Alerts / Too Few Analysts

Source: Forrester’s Security Operations Center (SOC) Staffing

Page 12: The Future of Keeping Your Organization Safe


Reducing The Frustration

› To reduce the frustration, we need:

• Better decision making

• Increased visibility

• Deeper security context

• Improved workflow

• Security automation

Page 13: The Future of Keeping Your Organization Safe


Security Analytics Enables Better Decisions

Source: Forrester’s Counteract Cyberattacks With Security Analytics

Page 14: The Future of Keeping Your Organization Safe


SA Platforms Collect and Analyze Disparate Data

(Diagram: a security analytics platform at the center, fed by the data sources below and producing the analysis outputs listed after them.)

Data sources:

• External threat intelligence
• Internal threat intelligence
• NetFlow (NAV, network analysis and visibility)
• Log data
• SUBA (security user behavior analytics)
• Identity data (IAM, PIM)
• Vulnerability data

Analysis and outputs:

• Security context (user, system & network)
• Threat intelligence (OSINT, HUMINT, SIGINT)
• Events & alerts
• Human analysis
• Automated response

Page 15: The Future of Keeping Your Organization Safe


#1 Security Productivity Tool

Page 16: The Future of Keeping Your Organization Safe


Automation Isn’t A Four Letter Word

› Historically, security pros have shied away from automation

• Risk of stopping legitimate traffic or disrupting business

• Need for human analyst to research and make decisions

› Other aspects of business have automated for years

• Security is playing catch-up

› Automation can increase efficiency and productivity

• Elevate less experienced analysts

• Free analyst time

• React faster

Page 17: The Future of Keeping Your Organization Safe


Crawl, Walk, Run

› What are the tasks/processes ready for automation today?

• Repetitive tasks

• Low-risk processes like investigation, context building, and querying

› Build a strong foundation, then work on more advanced automation

• Complicated processes

• Remediation activities

Page 18: The Future of Keeping Your Organization Safe


Automating Response

› Automating security is a business requirement

› Security is behind other parts of the business

Source: Forrester’s Rules Of Engagement: A Call To Action To Automate Breach Response

Page 19: The Future of Keeping Your Organization Safe


Automation Requires Defined Rules Of Engagement

› To enable automation, security teams must:

• Establish policies for automating

› When to automate, when to send to human analyst

• Build consistent processes

› Bad process = garbage in / garbage out

› Policies based on business requirements

• Protect toxic data – IT’S ALL ABOUT THE DATA

• Build policies based on data risk

Page 20: The Future of Keeping Your Organization Safe


Rules Of Engagement

Source: Forrester’s Rules Of Engagement: A Call To Action To Automate Breach Response
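The "Crawl, Walk, Run" and "Rules Of Engagement" slides above describe a policy without writing one down. What follows is an added example of such a policy in code; it is not Forrester's or ServiceNow's code, and the action classes, the data-risk tiers (public, internal, confidential, toxic) and the confidence thresholds are assumptions chosen to illustrate the advice: read-only investigation and context building are automated unconditionally, remediation is gated on detection confidence and on the risk of the data the asset handles, and a step the policy has never classified is refused rather than guessed at.

```python
"""Rules of engagement (ROE) for automated response.

Added example, not Forrester's or ServiceNow's code. The action classes,
data-risk tiers and confidence thresholds below are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    AUTOMATE = "automate"        # run the playbook step with no human in the loop
    HUMAN = "route_to_analyst"   # queue for analyst review and approval
    DENY = "deny"                # policy does not allow this step at all


# "Crawl": read-only investigation, context building and querying.
LOW_RISK_ACTIONS = {"query_siem", "enrich_from_cmdb", "enrich_from_threat_intel", "lookup_user"}
# "Walk / run": remediation that changes production state.
REMEDIATION_ACTIONS = {"block_ip", "isolate_host", "disable_account", "delete_email"}

# Assumed data-risk tiers; "toxic" covers PII, credentials, payment data and IP.
# Value: minimum detection confidence (0..100) to auto-remediate on that tier,
# or None where a human must always decide.
AUTO_REMEDIATE_MIN_CONFIDENCE = {
    "public": 70,
    "internal": 80,
    "confidential": 90,
    "toxic": None,
}


@dataclass(frozen=True)
class Context:
    action: str
    confidence: int            # detection confidence from analytics/TI, 0..100
    data_classification: str   # most sensitive data class on the affected asset
    business_critical: bool    # CMDB says a business-critical service runs here


def decide(ctx: Context) -> Decision:
    """Apply the ROE to one proposed playbook step."""
    if ctx.data_classification not in AUTO_REMEDIATE_MIN_CONFIDENCE:
        raise ValueError(f"unknown data classification {ctx.data_classification!r}")
    if not 0 <= ctx.confidence <= 100:
        raise ValueError("confidence must be between 0 and 100")

    if ctx.action in LOW_RISK_ACTIONS:
        return Decision.AUTOMATE
    if ctx.action not in REMEDIATION_ACTIONS:
        # An unclassified action is a process gap; do not guess (garbage in, garbage out).
        return Decision.DENY

    threshold = AUTO_REMEDIATE_MIN_CONFIDENCE[ctx.data_classification]
    if threshold is None:
        return Decision.HUMAN
    # Isolating a host behind a business-critical service is exactly the
    # "disrupting the business" risk that made security teams avoid automation.
    if ctx.business_critical and ctx.action == "isolate_host":
        return Decision.HUMAN
    return Decision.AUTOMATE if ctx.confidence >= threshold else Decision.HUMAN


def plan(steps: list[Context]) -> list[tuple[str, Decision]]:
    """Evaluate a playbook in order and stop at the first step a human must
    approve or the policy denies, since later steps depend on that decision."""
    out = []
    for ctx in steps:
        d = decide(ctx)
        out.append((ctx.action, d))
        if d is not Decision.AUTOMATE:
            break
    return out


if __name__ == "__main__":
    playbook = [
        Context("enrich_from_cmdb", 60, "internal", True),
        Context("enrich_from_threat_intel", 60, "internal", True),
        Context("block_ip", 95, "internal", True),
        Context("isolate_host", 95, "internal", True),
    ]
    for action, decision in plan(playbook):
        print(f"{action:26} -> {decision.value}")
```

The thresholds are the part business leaders should sign off on, as the "define rules of engagement with your business leaders" slide says; keeping them in one table, separate from the playbook logic, is what makes that conversation possible.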

Page 21: The Future of Keeping Your Organization Safe


Declarative Security

› Develop consistent policies and processes

› Define rules of engagement with your business leaders

› Develop automated response playbooks

Source: Forrester’s Twelve Recommendations For Your Security Program In 2016

Page 22: The Future of Keeping Your Organization Safe


Wrap-Up

› Security teams are overwhelmed

• We have to respond faster and become more efficient

› Automation is a business requirement

• Security has to catch up with other aspects of the business

› Evaluate processes to look for automation opportunities

• Build a foundation before increasing complexity

› Create “Rules of Engagement” for automation

• Base your ROE on risk and confidence

Page 23: The Future of Keeping Your Organization Safe

forrester.com

Thank you

Joseph Blankenship

www.forrester.com/Joseph-Blankenship

@infosec_jb

Page 24: The Future of Keeping Your Organization Safe

© 2016 ServiceNow All Rights Reserved. Confidential

Automated Security Incident Response: The Future of Keeping Your Organization Safe

Piero DePaoli, Senior Director, Security Business Unit, ServiceNow

November 9, 2016

Page 25: The Future of Keeping Your Organization Safe


Enterprise Security Response

The Need: Enterprise Security Response

• Security Incident Response

• Vulnerability Response

• Threat Intelligence

• Workflow & Automation

• Deep IT Integration

Page 26: The Future of Keeping Your Organization Safe


Security Operations: Security Incident Response

• Integrates with 3rd party threat detection systems and SIEMs

• Prioritizes incidents based on business impact

• Enriches incidents with threat intelligence

• Automation and workflows reduce manual tasks

• Improves collaboration between IT, end users, and security teams

Page 27: The Future of Keeping Your Organization Safe


Security Operations: Vulnerability Response

• Integrates with the National Vulnerability Database

• 3rd party integrations with market-leading vulnerability identification solutions

• Prioritizes vulnerable items

• Automates patch requests

• Seamless integration with incident response tasks, change requests, and problem management

Page 28: The Future of Keeping Your Organization Safe


Security Operations: Threat Intelligence

• Automatically connects indicators of compromise (IOCs) observed in an incident with that incident

• Incorporates multiple feeds, including customer-specific feeds, with confidence scoring so that low-quality indicators do not drive response on their own

• Supports the STIX language and the TAXII transport for exchanging threat data with other parties

• Seamless integration with Security Incident Response

Page 29: The Future of Keeping Your Organization Safe


Built on the ServiceNow Enterprise Cloud Platform

Multi-Instance Architecture

Platform components shown on the slide:

• CMDB
• Workflow & Automation
• High Availability
• Data Replication
• Reporting
• Customization
• Knowledge Base
• APIs
• Security

Page 30: The Future of Keeping Your Organization Safe


Use Cases

Page 31: The Future of Keeping Your Organization Safe


Use Case 1: Automatic Security Incident Creation & Enrichment

• Scenario:

– The SIEM generates an event for suspicious activity: a server is sending outbound communication to a suspicious IP address

• What happens:

– The incident responder needs to understand the reason for the traffic in order to gauge the extent of the issue

– A security incident is created automatically; the integration with the ServiceNow CMDB shows the business-critical services running on the affected asset, so the incident carries its business impact from the start

Page 32: The Future of Keeping Your Organization Safe


Use Case 1: Automatic Security Incident Creation & Enrichment

• The incident responder can combine the information already on the security incident with the integration to threat intelligence solutions to enrich it further

Page 33: The Future of Keeping Your Organization Safe


Use Case 1: Automatic Security Incident Creation & Enrichment

• The incident responder now knows the potential malware file name and the associated vulnerability, and can take appropriate action
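The three Use Case 1 slides describe one pipeline: SIEM event in, asset context from the CMDB, indicator matches with confidence from threat intelligence, and a prioritized incident out. The script below is an added example of that pipeline; it is not ServiceNow code and does not call the ServiceNow API. The SIEM event, the CMDB excerpt, the threat-intelligence feed (with a constructed malware file name and a vulnerability placeholder, not a real identifier), the impact scale and the priority matrix are all assumptions so that the enrichment runs offline.

```python
"""Automatic security incident creation and enrichment (Use Case 1).

Added example, not ServiceNow code: every input below is constructed and
every field name is an assumption.
"""

# Constructed SIEM event: a server talking outbound to a suspicious address.
SIEM_EVENT = {
    "rule": "Outbound connection to suspicious IP",
    "src_host": "web-prod-07",
    "dst_ip": "203.0.113.45",        # RFC 5737 documentation range
    "dst_port": 443,
    "timestamp": "2016-11-09T14:02:11Z",
}

# Constructed CMDB excerpt: services per host with business criticality (1..5)
# and the data classes the host handles.
CMDB = {
    "web-prod-07": {
        "owner": "ecommerce",
        "services": {"Online Checkout": 5, "Product Catalog": 3},
        "data": {"payment_card", "pii"},
    },
    "dev-box-12": {"owner": "platform-dev", "services": {"CI Runner": 1}, "data": set()},
}

# Constructed threat-intelligence feed; confidence is 0..100.
THREAT_INTEL = [
    {"type": "ipv4-addr", "value": "203.0.113.45", "confidence": 85,
     "source": "commercial-feed", "tags": ["c2"],
     "malware_file": "dropper.exe",              # constructed file name
     "vulnerability": "vuln-id-placeholder"},    # placeholder, not a real CVE ID
    {"type": "ipv4-addr", "value": "198.51.100.9", "confidence": 40,
     "source": "open-source-feed", "tags": ["scanner"],
     "malware_file": None, "vulnerability": None},
]

# "Toxic" data in the deck's sense: what attackers actually go after.
TOXIC_DATA = {"payment_card", "pii", "credentials", "intellectual_property"}


def lookup_asset(hostname):
    return CMDB.get(hostname)


def match_threat_intel(ip):
    return [i for i in THREAT_INTEL if i["type"] == "ipv4-addr" and i["value"] == ip]


def business_impact(asset):
    """1..5. An asset missing from the CMDB gets 3: the gap in visibility is
    itself a risk, so it must not default to the lowest priority."""
    if asset is None:
        return 3
    impact = max(asset["services"].values(), default=1)
    if asset["data"] & TOXIC_DATA:
        impact = min(5, impact + 1)
    return impact


def priority(impact, confidence):
    """Assumed priority matrix combining business impact and TI confidence."""
    if impact >= 4 and confidence >= 80:
        return "P1"
    if impact >= 4 or confidence >= 80:
        return "P2"
    if confidence >= 50:
        return "P3"
    return "P4"


def create_incident(event):
    """Build the enriched security incident record from one SIEM event."""
    asset = lookup_asset(event["src_host"])
    matches = match_threat_intel(event["dst_ip"])
    confidence = max((m["confidence"] for m in matches), default=0)
    impact = business_impact(asset)
    return {
        "short_description": f'{event["rule"]}: {event["src_host"]} -> {event["dst_ip"]}:{event["dst_port"]}',
        "opened_at": event["timestamp"],
        "affected_asset": event["src_host"],
        "asset_owner": asset["owner"] if asset else None,
        "affected_services": sorted(asset["services"]) if asset else [],
        "toxic_data_on_asset": sorted(asset["data"] & TOXIC_DATA) if asset else [],
        "business_impact": impact,
        "threat_intel": [{"source": m["source"], "confidence": m["confidence"], "tags": m["tags"]} for m in matches],
        "ti_confidence": confidence,
        "potential_malware_file": next((m["malware_file"] for m in matches if m["malware_file"]), None),
        "associated_vulnerability": next((m["vulnerability"] for m in matches if m["vulnerability"]), None),
        "priority": priority(impact, confidence),
    }


if __name__ == "__main__":
    for k, v in create_incident(SIEM_EVENT).items():
        print(f"{k:24} {v}")
```

The point the slides make is visible in the record: the same outbound connection from a developer box would come out as P4, while from the checkout server it is P1 before any analyst has looked at it.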

Page 34: The Future of Keeping Your Organization Safe


Use Case 2: Automatic Phishing Incident Handling

• Scenario:

– A user believes they have received a phishing email

• What happens:

– The user sends the email to [email protected]

– The report automatically submits the email and its contents for malware scanning

Page 35: The Future of Keeping Your Organization Safe


Use Case 2: Automatic Phishing Incident Handling

• If malicious:

– Determine who else has received the email

• If opened, delete it from the mail server and scan the recipient's endpoint for malware

• If not opened, delete it from the mail server

– Update mail server protection to block the email

– Update firewall rules to block the URL included in the email
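The two Use Case 2 slides are a complete playbook: parse the reported message, scan its URLs and attachments, find every other recipient, and remove, scan and block accordingly. The script below is an added example of that playbook and is not ServiceNow code. The reported message is constructed with Python's email package so the parsing is real, but the malware verdict (executable attachment or known-bad domain), the mail-server log of who received and opened the message, and the indicator lists are constructed stand-ins, and the actions it emits are a plan rather than calls to a mail gateway, EDR or firewall.

```python
"""Automatic phishing incident handling (Use Case 2).

Added example, not ServiceNow code: the mailbox, mail log, indicator lists
and verdict logic are constructed so the playbook runs offline.
"""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed indicators standing in for the threat-intel / sandbox verdict.
KNOWN_BAD_DOMAINS = {"payroll-update.example.net"}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".js", ".vbs")
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Constructed mail-server log: who received which message and whether it was opened.
MAIL_LOG = [
    {"message_id": "<20161109135500.1234@payroll-update.example.net>", "recipient": "alice@example.com", "opened": True},
    {"message_id": "<20161109135500.1234@payroll-update.example.net>", "recipient": "bob@example.com", "opened": False},
    {"message_id": "<20161109135500.1234@payroll-update.example.net>", "recipient": "carol@example.com", "opened": True},
    {"message_id": "<20161109140000.5678@example.com>", "recipient": "dave@example.com", "opened": True},
]


def build_reported_email(malicious: bool = True) -> bytes:
    """Construct the message a user forwards to the phishing mailbox."""
    msg = EmailMessage()
    if malicious:
        msg["From"] = "Payroll <payroll@payroll-update.example.net>"
        msg["Message-ID"] = "<20161109135500.1234@payroll-update.example.net>"
        msg["Subject"] = "Updated payslip"
        msg.set_content("Please review your payslip at http://payroll-update.example.net/login\n")
        # A fake PE header stands in for a real dropper.
        msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                           subtype="octet-stream", filename="payslip.exe")
    else:
        msg["From"] = "HR <hr@example.com>"
        msg["Message-ID"] = "<20161109140000.5678@example.com>"
        msg["Subject"] = "Benefits enrollment"
        msg.set_content("Enrollment is open at https://hr.example.com/benefits\n")
    msg["To"] = "alice@example.com"
    return msg.as_bytes()


def extract_urls(msg: EmailMessage) -> list[str]:
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return URL_RE.findall(text)


def scan_attachments(msg: EmailMessage) -> list[dict]:
    """Stand-in for the malware scanner: flag executables by suffix or MZ header."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_content()
        if isinstance(data, str):
            data = data.encode()
        findings.append({
            "filename": name,
            "sha256": hashlib.sha256(data).hexdigest(),
            "malicious": name.lower().endswith(EXECUTABLE_SUFFIXES) or data.startswith(b"MZ"),
        })
    return findings


def triage(raw_message: bytes, mail_log=MAIL_LOG) -> dict:
    """Scan the reported message and, if malicious, plan the response for every recipient."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    message_id = str(msg["Message-ID"]).strip()
    sender = msg["From"].addresses[0].addr_spec
    urls = extract_urls(msg)
    bad_urls = [u for u in urls if (urlparse(u).hostname or "") in KNOWN_BAD_DOMAINS]
    attachments = scan_attachments(msg)
    malicious = bool(bad_urls) or any(a["malicious"] for a in attachments)
    result = {"message_id": message_id, "sender": sender, "urls": urls, "bad_urls": bad_urls,
              "attachments": attachments, "malicious": malicious, "actions": []}
    if not malicious:
        result["actions"].append(("close_as_benign", message_id))
        return result
    # Everyone who got the same message: delete for all, scan the endpoints that opened it.
    for entry in (e for e in mail_log if e["message_id"] == message_id):
        result["actions"].append(("delete_from_mailbox", entry["recipient"]))
        if entry["opened"]:
            result["actions"].append(("scan_endpoint_for_malware", entry["recipient"]))
    result["actions"].append(("block_sender_on_mail_gateway", sender))
    for u in bad_urls:
        result["actions"].append(("block_url_on_firewall", u))
    return result


if __name__ == "__main__":
    for action in triage(build_reported_email())["actions"]:
        print(action)
```

Under the rules of engagement from the first half of the deck, the delete and scan steps are the ones most teams automate first; the firewall block is the remediation step that changes production state, so it is the one to gate on confidence or route to an analyst.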

Page 36: The Future of Keeping Your Organization Safe


Key Benefits

Connect Security and IT

• Use a single platform for collaboration and accountability

Resolve Security Threats Faster

• Correlate, prioritize, and automate

Gain a Definitive View of Security Posture

• Leverage metrics, service levels, and dashboards

Attract and Retain Security Talent

Page 37: The Future of Keeping Your Organization Safe


Want to learn more? Visit http://www.servicenow.com/products/security-operations.html