Is Automation the Solution to Security Overload?

0 Copyright 2017 FUJITSU
Resolve
Security
Threats Fast
Fujitsu World Tour 2017
Mark Ackerman
ServiceNow – Snr Director MESAT
#FujitsuWorldTour

1
© 2017 ServiceNow All Rights Reserved Confidential
Faster
To Market
A New Generation Of Company Is Disrupting The Old
More
Transparency
New
Experience
Customer logos are the trademarks or registered trademarks of their respective holders and not ServiceNow

2
Email, Spreadsheets,
Forms, Messenger, Calls
Most Companies are Stuck In An Old Work Model
Work
Incidents
Requests
Cases
Tasks
Departments
IT
HR
Services
Security

3
Unproductive
Employees
Higher Operating
Cost
Slow Resolution
Times
That Work Model Hurts Business

4
Requester ProviderService Owner
The ServiceNow System Of Action™
Collaborate
& Resolve
Automate
Resolution
Prioritize
& Assign
Measure &
Optimize
Define
Services
Self
Serve
View
Status
Request
Status
Build
Experiences

5
IT SECURITY HR BUSINESS APPSCUSTOMER SERVICE
The Now Platform™ Powers The System Of Action
Single
Database
Contextual
Collaboration
Service
Catalog
Service
Portal
Subscription
& Notification
Knowledge
Base
OrchestrationDeveloper
Tools
Reports &
Dashboards
Workflow
Intelligent Automation Engine
Predictive
Modeling
Anomaly
Detection
Peer
Benchmarking
Performanc
e
Forecasting
Collaborate
& resolve
Automate
Resolution
Prioritize
& Assign
Measure &
Optimize
Define
Services
Self
Serve
View
Status
Request
Status
Build
Experiences
Secure & Compliant ScalableMulti-Instance
NOW PLATFORM
NONSTOP CLOUD

6
© 2017 ServiceNow All Rights Reserved Confidential© 2017 ServiceNow All Rights Reserved Confidential
Resolve Real Security
Threats Fast

7
Organizations Have Invested in LOTS of Security Products
But what happens when something goes wrong?

8
Organizations Are Struggling to Find and Stop Breaches
Source: Ponemon Institute 2017
On average, it took respondents 191 days to spot a breach
caused by a malicious attacker, and 66 days to contain it.

9
QID 70000
NETBIOS
Vulnerability
** “Majority” reference from CERT - https://www.cert.org/vulnerability-analysis/
You have many
vulnerabilities
NOW WHAT?
Vulnerability Solutions do a good job
of detection but typically provide
zero remediation capabilities
CVE-2009-0244
Windows Mobile
Vulnerability
The Majority of Breaches Are Due to Existing Vulnerabilities
QID 86476
Web Server
Vulnerability
CVE-2014-3566
SSL VulnerabilityVulnerability Scan
Results Database

10
Security Teams are Overwhelmed
Manual Tools
Too Many Alerts
& No Context
Siloed from IT
Security IT

11
The Core Problem: Missing Critical Incidents
Response - How do we quickly
organize and act on the detection
noise?
• Consolidate Information
• Understand Business Impact
• Execute Consistent Workflow
• Manage Service Levels
• Auto Remediate
• Capture Metrics
• Enable IT, Security, & BU Collaboration
• Meet Audit and Regulatory Requirements
• SIEM
• Firewall/IPS/IDS
• Identity & Access
• Threat/Intel
• Vulnerability Detection
• Network Security
• Security Endpoint
Detection
Security &
IT Teams
Thousands of events
per day… people can’t
scale to meet the volume

12
The Wrong Tools Are Being Used for Response

13
Secure & Compliant ScalableMulti-Instance
Intelligent Automation Engine
WorkflowService
Catalog
Knowledge
Base
Developer
Tools
Contextual
Collaboratio
n
Single
Database
Service
Portal
Subscription &
Notification
Performance
Forecasting
Predictive
Modeling
Orchestratio
n
Reports &
Dashboards
Anomaly
Detection
Peer
Benchmarking
Introducing ServiceNow Security Operations
Security Incident
Response
Automation &
Orchestration
Deep IT
Integration
Vulnerability
Response
Threat
Intelligence
Trusted Security
Circles

14
Security Operations: Security Incident Response
• Integrates with 3rd party threat detection
systems and SIEMs
• Prioritize incidents based on business impact
• Enrich incidents with threat intelligence
• Automation and workflows reduce manual
tasks
• Improve collaboration between IT, End Users
and Security Teams
Security Incident
Response

15
Security Operations: Vulnerability Response
• Integrates with the National Vulnerability
Database
• 3rd party integrations with market-leading
vulnerability identification solutions
• Prioritize vulnerable items
• Automate patch requests
• Seamless integration with Incident Response
tasks, change requests and problem
management
Vulnerability
Response

16
Security Operations: Threat Intelligence
• Automatically connects indicators or observed
compromises with an incident
• Incorporates multiple feeds, including customer
custom feeds and confidence scoring for more
reliability in identifying issues
• Supports STIX language and TAXII to enhance recent
threat data
• Seamless integration with Security Incident
Response
Threat
Intelligence

17
Security Operations: Trusted Security Circles
• Threat intelligence sharing
• Integrates with Security Incident Response
• Perform sightings search of observables with
members of one or more circles
• Circles may be exclusive to an industry or supply
chain
Trusted Security
Circles

18
Connect Security and IT

19
Single system of record
captures everything
related to the incident:
• Tasks
• Attachments
• Post Incident Reviews
• Work Notes
• Etc.
NIST-based
process
Share Information Between Security and IT

20
Facilitate Collaboration with Workflows
• Take action on an endpoint or file that has been
identified as malicious
• Isolate a system from the network that has
been compromised
• Remediate a file removing the file and it’s
artifacts from the system
• Future actions – Blacklisting across all control
points (Email, Network and Endpoint)

21
Automatically Generate Post Incident Reviews
The Post Incident Review is
created from:
• Assessments
• Related Tasks
• Work Notes
• etc.

22
Create a Security Reference Library
Security Knowledge Base
provides:
• Secure articles
• Event systems
documentation
• SOP documentation
• Key contacts lists
• Post Incident Review
documentation

23
Organize Requests from End Users

24
Identify Threats Faster with Intelligence Feeds
• Comprehensive catalog of IoCs
• Automatic IoC lookup
• Embeds IoCs with linked
incidents and systems
• Supports multiple threat feeds

25
ServiceWatch• automatically maps applications and infrastructure components to business services
Understand Business Impact Before Taking Action
Security Breach
Mission Critical Service / Application
Security Breach
Service Outage • Avoid business disruption when patching
or taking systems offline
• See the broad impact of an incident
affecting multiple systems
• Immediately know who owns an asset

26
• Install Patch
• Remove Virus
• Change Network Configuration
• Remote Analysis
• Take Systems Offline
• Rebuild Systems
• Configure Systems
• Reset Passwords
• Automated Forensics
• Information Gathering
Faster Remediation with Orchestration

27
Integrate with Your Existing Security Products
Logos are trademarks or registered trademarks of their respective owners and not ServiceNow

28
View Metrics Using Role-Based Dashboards & Reports
Severe Vulnerabilities by Business Service All Vulnerabilities by Business Service

29
Performance Analytics for Security Operations
Deliver effective
automation
Prioritize resources
Anticipate trends
Drive continuous
improvement
Align with overall
business goals

30
Security Operations Ecosystem
Detection
Vulnerabi
lity
Vulnerability
SIEM
Threat Intelligence
CMDB
Orchest
ration
Orchestration
Post Incident ReviewIT Connection
AutomationWorkflows
Logos are trademarks or registered trademarks of their respective owners and not ServiceNow

31
AMP – Customer Success Story
AMP is a Global
2000 financial
services company in
Australia and New
Zealand with
superannuation,
investment
products, insurance,
financial advice and
banking products
including home
loans and savings
accounts
60%
of CIs updated with correct
IP information as part of a
vulnerability scan
CMDB data quality
resulting in a significant
improvement in
50%
1
Including incoming
Events from
FireEye
in Vulnerability response time*
- Vulnerability Response
- Security Incident
- Threat Intelligence
30% reduction* in
Deployed in
6 weeks
Single
repository
for all
Security
incidents
enabling
holistic
reporting
and responding
to security
incidents in a
standardized
way
Significantly reducing vulnerability
window
and improving
AMPs security
posture
Vulnerable items
processed,
prioritized
and
actioned
SIR Resolution
time
8
Security
catalogue
items
1
Single ‘Front Door’ to
engage with AMP’s
Cyber Team
With an initial
number of
Reduction
50,000
within 24 hours from
Go-Live
* Projected metric

32
The Results Are Game Changing
Energized
Employees
Game-Changing
Economics
Higher Service
Levels

34
ServiceNow Is A Fast-Growing, Global Company
~5,600 Employees
Major Sites
Silicon Valley, San Diego, Seattle
Amsterdam, London
Sydney, Hyderabad
$1+ Billion In Annual Revenue
$28M $64M
$128M
$683M
$1B
’16
$1.39B
‘09
$244M
$425M
‘10 ‘11 ‘12 ‘13 ‘14 ‘15 ’17E
$1.901- $1.911B
ESTIMATED

35
Global Enterprises In Every Industry Rely on ServiceNow
Construction Federal Financial Services Healthcare Higher Education Insurance IT Services Manufacturing Media MSPs Oil and Gas Retail Services Technology

Is Automation the Solution to Security Overload?

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Is Automation the Solution to Security Overload?

Similar to Is Automation the Solution to Security Overload? (20)

More from Fujitsu Middle East

More from Fujitsu Middle East (18)

Recently uploaded

Recently uploaded (20)

Is Automation the Solution to Security Overload?