The Future of Keeping Your Organization Safe
Automated Security Incident Response: The Future of Keeping Your Organization Safe
Joseph Blankenship, Senior Analyst
November 9, 2016
© 2016 Forrester Research, Inc. Reproduction Prohibited 2
Security Teams Are Overwhelmed
“We've all got our switches, lights, and knobs to deal with, Striker. I mean, down here there are literally hundreds and thousands of blinking, beeping, and flashing lights, blinking and beeping and flashing - they're *flashing* and they're *beeping*. I can't stand it anymore! They're *blinking* and *beeping* and *flashing*! Why doesn't somebody pull the plug!”- Buck Murdock, Airplane II: The Sequel
Security Staffing Remains A Top Concern
› Security teams are understaffed
• 62% of enterprises report not having enough security staff
› Finding the right skills is also a challenge
• 65% of enterprises state finding employees with the right skills is a challenge
Source: Forrester Business Technographics Global Security 2016
Image: www.flickr.com/photos/dt10111/2901811351
We Spend A Lot Of Time Doing The Little Things
› Security teams spend too much time on day-to-day tasks
• 65% of enterprises state that tactical activities taking up too much time is a challenge
Source: Forrester Business Technographics Global Security 2016
Threats And Vulnerabilities Remain The Focus
Base: 856 North American & European security technology decision-makers (1000+ employees)
Source: Forrester's Global Business Technographics® Security Survey, 2015
53% Of Firms Surveyed Were Breached In The Past 12 Months
“How many times do you estimate that your firm's sensitive data was potentially compromised or breached in the past 12 months?”
• No breaches in the past 12 months: 47%
• Once: 11%
• Twice: 16%
• Three to five times: 14%
• Six to 10 times: 5%
• 11 to 25 times: 2%
• More than 25 times in the past 12 months: 1%
• Don't know: 4%
Base: 1,167 network security decision-makers
Source: Forrester’s Global Business Technographics Security Survey, 2016
The lack of speed and agility when responding to a suspected data breach is the most significant issue facing security teams today.
Source: Forrester’s “Rules of Engagement: A Call to Action to Automate Breach Response” report.
PII, Credentials, And IP Are Top Targets
“What types of data were potentially compromised or breached in the past 12 months?”
• Other sensitive corporate data (e.g., marketing/strategy plans, pricing): 10%
• Other personal data (e.g., customer service data): 16%
• Account numbers: 25%
• Website defacement: 26%
• Payment/credit card data: 26%
• Corporate financial data: 29%
• Intellectual property: 30%
• Authentication credentials (user IDs and passwords, other forms of credentials): 30%
• Personally identifiable information (name, address, phone, Social Security number): 31%
Base: 619 network security decision-makers whose firms have had a security breach in the past 12 months
Source: Forrester’s Global Business Technographics Security Survey, 2016
We Have LOTS Of Security Solutions
Source: Momentum Partners
Analysis Today Is Largely Human Based
Source: Forrester’s Security Operations Center (SOC) Staffing
Too Many Alerts / Too Few Analysts
Source: Forrester’s Security Operations Center (SOC) Staffing
Reducing The Frustration
› To reduce the frustration, we need:
• Better decision making
• Increased visibility
• Deeper security context
• Improved workflow
• Security automation
Security Analytics Enables Better Decisions
Source: Forrester’s Counteract Cyberattacks With Security Analytics
SA Platforms Collect and Analyze Disparate Data
Diagram (components shown around the Security Analytics platform): External Threat Intelligence; Internal Threat Intelligence; Netflow (NAV); Log Data; SUBA; Identity Data (IAM, PIM); Vulnerability Data; Automated Response; Security Context (User, System & Network); Threat Intelligence (OSINT, HUMINT, SIGINT); Human Analysis; Events & Alerts
#1 Security Productivity Tool
Automation Isn’t A Four-Letter Word
› Historically, security pros have shied away from automation
• Risk of stopping legitimate traffic or disrupting business
• Need for human analyst to research and make decisions
› Other aspects of business have automated for years
• Security is playing catch-up
› Automation can increase efficiency and productivity
• Elevate less experienced analysts
• Free analyst time
• React faster
Crawl, Walk, Run
› What are the tasks/processes ready for automation today?
• Repetitive tasks
• Low-risk processes like investigation, context building, and querying
› Build a strong foundation, then work on more advanced automation
• Complicated processes
• Remediation activities
Automating Response
› Automating security is a business requirement
› Security is behind other parts of the business
Source: Forrester’s Rules Of Engagement: A Call To Action To Automate Breach Response
Automation Requires Defined Rules Of Engagement
› To enable automation, security teams must:
• Establish policies for automating
› When to automate, when to send to human analyst
• Build consistent processes
› Bad process = garbage in / garbage out
› Policies based on business requirements
• Protect toxic data – IT’S ALL ABOUT THE DATA
• Build policies based on data risk
Rules Of Engagement
Source: Forrester’s Rules Of Engagement: A Call To Action To Automate Breach Response
Declarative Security
› Develop consistent policies and processes
› Define rules of engagement with your business leaders
› Develop automated response playbooks
Source: Forrester’s Twelve Recommendations For Your Security Program In 2016
Wrap-Up
› Security teams are overwhelmed
• We have to respond faster and become more efficient
› Automation is a business requirement
• Security has to catch up with other aspects of the business
› Evaluate process to look for automation opportunities
• Build a foundation before increasing complexity
› Create “Rules of Engagement” for automation
• Base your ROE on risk and confidence
forrester.com
Thank you
Joseph Blankenship
www.forrester.com/Joseph-Blankenship
@infosec_jb
© 2016 ServiceNow All Rights Reserved. Confidential
Automated Security Incident Response: The Future of Keeping Your Organization Safe
Piero DePaoli, Senior Director, Security Business Unit, ServiceNow
November 9, 2016
Enterprise Security Response
The Need: Enterprise Security Response
Security Incident Response
Vulnerability Response
Threat Intelligence
Workflow & Automation
Deep IT Integration
Security Operations: Security Incident Response
• Integrates with 3rd party threat detection systems and SIEMs
• Prioritizes incidents based on business impact
• Enriches incidents with threat intelligence
• Automation and workflows reduce manual tasks
• Improves collaboration between IT, end-users, and security teams
Security Operations: Vulnerability Response
• Integrates with the National Vulnerability Database
• 3rd party integrations with market-leading vulnerability identification solutions
• Prioritizes vulnerable items
• Automates patch requests
• Seamless integration with incident response tasks, change requests, and problem management
Security Operations: Threat Intelligence
• Automatically connects indicators or observed compromises with an incident
• Incorporates multiple feeds, including customer-specific feeds and confidence scoring to reliably identify issues
• Supports STIX language and TAXII to enhance recent threat data
• Seamless integration with Security Incident Response
Built on the ServiceNow Enterprise Cloud Platform
Multi-Instance Architecture
CMDB
Workflow & Automation
High Availability
Data Replication
Reporting
Customization
Knowledge Base
APIs
Security
Use Cases
Use Case 1: Automatic Security Incident Creation & Enrichment
• Scenario:
– SIEM creates an event for suspicious activity from a server sending outbound communication to a suspicious IP address
• What happens:
– Incident Responder needs to understand the reason to properly gauge the extent of the issue
– Security incident automatically created as a result of the integration with ServiceNow CMDB, which shows the business-critical services running on the affected asset
Use Case 1: Automatic Security Incident Creation & Enrichment
• An Incident Responder can use the information from the security incident & integration with Threat Intelligence solutions to enrich the information
Use Case 1: Automatic Security Incident Creation & Enrichment
• Now the Incident Responder knows the potential malware file name and associated Vulnerability to take appropriate actions
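As an added illustration of the workflow in this use case, together with the Forrester half's point that rules of engagement should rest on risk and confidence, here is a small Python triage routine; it is not ServiceNow code or the presenters' material. It enriches a SIEM event with CMDB and threat-intel context, then decides between automatic containment, analyst escalation, and context-only handling; the event, CMDB entries, indicator IPs and thresholds are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample data standing in for the SIEM event, the CMDB lookup and the
# threat-intel lookup described in the slides; none of it is ServiceNow's data model.
SIEM_EVENT = {"host": "web-03", "dest_ip": "203.0.113.45", "type": "outbound_connection"}
CMDB: Dict[str, dict] = {
    "web-03": {"services": ["customer-portal"], "criticality": "high", "data": ["PII"]},
    "lab-07": {"services": [], "criticality": "low", "data": []},
}
THREAT_INTEL: Dict[str, dict] = {
    "203.0.113.45": {"confidence": 90, "malware": "example-loader.exe"},
    "198.51.100.7": {"confidence": 40, "malware": None},
}

@dataclass
class Incident:
    host: str
    indicator: str
    criticality: str
    data_classes: List[str] = field(default_factory=list)
    ti_confidence: int = 0
    malware: Optional[str] = None
    action: str = "undecided"

def enrich(event: dict, cmdb: Dict[str, dict], ti: Dict[str, dict]) -> Incident:
    """Create the incident and attach CMDB and threat-intel context (Use Case 1)."""
    asset = cmdb.get(event["host"], {"services": [], "criticality": "unknown", "data": []})
    hit = ti.get(event["dest_ip"], {"confidence": 0, "malware": None})
    return Incident(event["host"], event["dest_ip"], asset["criticality"],
                    list(asset["data"]), hit["confidence"], hit["malware"])

def apply_roe(inc: Incident, auto_threshold: int = 80) -> Incident:
    """Rules of engagement: automate only when threat-intel confidence is high and the
    asset's data risk is low; anything touching toxic data or a business-critical asset
    goes to a human analyst, and low-confidence hits only get context built."""
    if inc.ti_confidence < 50:
        inc.action = "context-only"          # weak indicator: enrich, never block
    elif inc.data_classes or inc.criticality in ("high", "unknown"):
        inc.action = "escalate-to-analyst"   # toxic data or critical/unknown asset
    elif inc.ti_confidence >= auto_threshold:
        inc.action = "auto-contain"          # high confidence, low data risk
    else:
        inc.action = "escalate-to-analyst"   # medium confidence: human decides
    return inc

def triage(event: dict, cmdb=CMDB, ti=THREAT_INTEL) -> Incident:
    return apply_roe(enrich(event, cmdb, ti))

if __name__ == "__main__":
    print(triage(SIEM_EVENT))
```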
Use Case 2: Automatic Phishing Incident Handling
• Scenario:
– User believes they have received a phishing email
• What happens:
– User sends the email to the phishing report address ([email protected]), which automatically submits the email and its contents for malware scanning
Use Case 2: Automatic Phishing Incident Handling
• If malicious:
– Determine who else has received the email
• If opened, delete it from the mail server and scan for malware
• If not opened, delete it from the mail server
– Update mail server protection to block the email
– Update firewall rules to block the URL included in the email
Key Benefits
Connect Security and IT
• Use a single platform for collaboration and accountability
Resolve Security Threats Faster
• Correlate, prioritize, and automate
Gain a Definitive View of Security Posture
• Leverage metrics, service levels, and dashboards
Attract and Retain Security Talent
Want to learn more? Visit http://www.servicenow.com/products/security-operations.html