The Future of Keeping Your Organization Safe


Senior Forrester Analyst, Joseph Blankenship, and ServiceNow security expert, Piero DePaoli, discuss why automating your security incident response is the smartest choice you can make for your organization's safety.


  1. Automated Security Incident Response: The Future of Keeping Your Organization Safe
     Joseph Blankenship, Senior Analyst, November 9, 2016
  2. © 2016 Forrester Research, Inc. Reproduction Prohibited
     Security Teams Are Overwhelmed
     “We've all got our switches, lights, and knobs to deal with, Striker. I mean, down here there are literally hundreds and thousands of blinking, beeping, and flashing lights, blinking and beeping and flashing - they're *flashing* and they're *beeping*. I can't stand it anymore! They're *blinking* and *beeping* and *flashing*! Why doesn't somebody pull the plug!” - Buck Murdock, Airplane II: The Sequel
  3. Security Staffing Remains A Top Concern
     › Security teams are understaffed
       • 62% of enterprises report not having enough security staff
     › Finding the right skills is also a challenge
       • 65% of enterprises state that finding employees with the right skills is a challenge
     Source: Forrester Business Technographics Global Security 2016. Image: www.flickr.com/photos/dt10111/2901811351
  4. We Spend A Lot Of Time Doing The Little Things
     › Security teams spend too much time on day-to-day tasks
       • 65% of enterprises state that tactical activities taking up too much time is a challenge
     Source: Forrester Business Technographics Global Security 2016
  5. Threats And Vulnerabilities Remain The Focus
     Base: 856 North American & European security technology decision-makers (1000+ employees). Source: Forrester's Global Business Technographics® Security Survey, 2015
  6. 53% Of Firms Surveyed Were Breached In The Past 12 Months
     “How many times do you estimate that your firm's sensitive data was potentially compromised or breached in the past 12 months?” (chart values listed in the slide's order)
       • No breaches in the past 12 months: 47%
       • Once: 11%
       • Twice: 16%
       • Three to five times: 14%
       • Six to 10 times: 5%
       • 11 to 25 times: 2%
       • More than 25 times in the past 12 months: 1%
       • 4% (category label not captured in the transcript)
     Base: 1,167 network security decision-makers. Source: Forrester's Global Business Technographics Security Survey, 2016
  7. The lack of speed and agility when responding to a suspected data breach is the most significant issue facing security teams today.
     Source: Forrester's “Rules of Engagement: A Call to Action to Automate Breach Response” report.
  8. PII, Credentials, And IP Are Top Targets
     “What types of data were potentially compromised or breached in the past 12 months?” (chart values listed in the slide's order)
       • Other sensitive corporate data (e.g., marketing/strategy plans, pricing): 10%
       • Other personal data (e.g., customer service data): 16%
       • Account numbers: 25%
       • Website defacement: 26%
       • Payment/credit card data: 26%
       • Corporate financial data: 29%
       • Intellectual property: 30%
       • Authentication credentials (user IDs and passwords, other forms of credentials): 30%
       • Personally identifiable information (name, address, phone, Social Security number): 31%
     Base: 619 network security decision-makers whose firms have had a security breach in the past 12 months. Source: Forrester's Global Business Technographics Security Survey, 2016
  9. We Have LOTS Of Security Solutions
     Source: Momentum Partners
  10. Analysis Today Is Largely Human Based
     Source: Forrester's Security Operations Center (SOC) Staffing
  11. Too Many Alerts / Too Few Analysts
     Source: Forrester's Security Operations Center (SOC) Staffing
  12. Reducing The Frustration
     › To reduce the frustration, we need:
       • Better decision making
       • Increased visibility
       • Deeper security context
       • Improved workflow
       • Security automation
  13. Security Analytics Enables Better Decisions
     Source: Forrester's Counteract Cyberattacks With Security Analytics
  14. SA Platforms Collect and Analyze Disparate Data
     Diagram elements: Security Analytics; External Threat Intelligence; Internal Threat Intelligence; Netflow (NAV); Log Data; SUBA; Identity Data (IAM, PIM); Vulnerability Data; Automated Response; Security Context (User, System & Network); Threat Intelligence (OSINT, HUMINT, SIGINT); Human Analysis; Events & Alerts
  15. #1 Security Productivity Tool
  16. Automation Isn't A Four Letter Word
     › Historically, security pros have shied away from automation
       • Risk of stopping legitimate traffic or disrupting business
       • Need for a human analyst to research and make decisions
     › Other aspects of business have automated for years
       • Security is playing catch-up
     › Automation can increase efficiency and productivity
       • Elevate less experienced analysts
       • Free analyst time
       • React faster
  17. Crawl, Walk, Run
     › What are the tasks/processes ready for automation today?
       • Repetitive tasks
       • Low-risk processes like investigation, context building, and querying
     › Build a strong foundation, then work on more advanced automation
       • Complicated processes
       • Remediation activities
  18. Automating Response
     › Automating security is a business requirement
     › Security is behind other parts of the business
     Source: Forrester's Rules Of Engagement: A Call To Action To Automate Breach Response
  19. Automation Requires Defined Rules Of Engagement
     › To enable automation, security teams must:
       • Establish policies for automating
         › When to automate, when to send to a human analyst
       • Build consistent processes
         › Bad process = garbage in / garbage out
     › Policies based on business requirements
       • Protect toxic data – IT'S ALL ABOUT THE DATA
       • Build policies based on data risk
  20. Rules Of Engagement
     Source: Forrester's Rules Of Engagement: A Call To Action To Automate Breach Response
  21. Declarative Security
     › Develop consistent policies and processes
     › Define rules of engagement with your business leaders
     › Develop automated response playbooks
     Source: Forrester's Twelve Recommendations For Your Security Program In 2016
  22. Wrap-Up
     › Security teams are overwhelmed
       • We have to respond faster and become more efficient
     › Automation is a business requirement
       • Security has to catch up with other aspects of the business
     › Evaluate processes to look for automation opportunities
       • Build a foundation before increasing complexity
     › Create “Rules of Engagement” for automation
       • Base your ROE on risk and confidence
  23. Thank you
     Joseph Blankenship, www.forrester.com/Joseph-Blankenship, @infosec_jb, forrester.com
  24. © 2016 ServiceNow All Rights Reserved. Confidential
     Automated Security Incident Response: The Future of Keeping Your Organization Safe
     Piero DePaoli, Senior Director, Security Business Unit, ServiceNow, November 9, 2016
  25. The Need: Enterprise Security Response
     Components: Security Incident Response; Vulnerability Response; Threat Intelligence; Workflow & Automation; Deep IT Integration
  26. Security Operations: Security Incident Response
       • Integrates with 3rd party threat detection systems and SIEMs
       • Prioritizes incidents based on business impact
       • Enriches incidents with threat intelligence
       • Automation and workflows reduce manual tasks
       • Improves collaboration between IT, end-users, and security teams
  27. Security Operations: Vulnerability Response
       • Integrates with the National Vulnerability Database
       • 3rd party integrations with market-leading vulnerability identification solutions
       • Prioritizes vulnerable items
       • Automates patch requests
       • Seamless integration with incident response tasks, change requests, and problem management
  28. Security Operations: Threat Intelligence
       • Automatically connects indicators of observed compromises with an incident
       • Incorporates multiple feeds, including customer-specific feeds and confidence scoring, to reliably identify issues
       • Supports the STIX language and TAXII to enhance recent threat data
       • Seamless integration with Security Incident Response
  29. Built on the ServiceNow Enterprise Cloud Platform
     Multi-Instance Architecture; CMDB; Workflow & Automation; High Availability; Data Replication; Reporting; Customization; Knowledge Base; APIs; Security
  30. Use Cases
  31. Use Case 1: Automatic Security Incident Creation & Enrichment
       • Scenario:
         – SIEM creates an event for suspicious activity: a server sending outbound communication to a suspicious IP address
       • What happens:
         – The Incident Responder needs to understand the reason in order to properly gauge the extent of the issue
         – A security incident is automatically created as a result of the integration with the ServiceNow CMDB, which shows the business-critical services running on the affected asset
  32. Use Case 1: Automatic Security Incident Creation & Enrichment
       • An Incident Responder can use the information from the security incident and the integration with Threat Intelligence solutions to enrich the information
  33. Use Case 1: Automatic Security Incident Creation & Enrichment
       • Now the Incident Responder knows the potential malware file name and the associated vulnerability, and can take appropriate action
  34. Use Case 2: Automatic Phishing Incident Handling
       • Scenario:
         – User believes they have received a phishing email
       • What happens:
         – User sends the email to phishing@example.com
         – The report automatically submits the email and its contents for malware scanning
  35. Use Case 2: Automatic Phishing Incident Handling
       • If malicious:
         – Determine who else has received the email
           • If opened, delete it from the mail server and scan for malware
           • If not opened, delete it from the mail server
         – Update mail server protection to block the email
         – Update firewall rules to block the URL included in the email
  36. Key Benefits
     Connect Security and IT
       • Use a single platform for collaboration and accountability
     Resolve Security Threats Faster
       • Correlate, prioritize, and automate
     Gain a Definitive View of Security Posture
       • Leverage metrics, service levels, and dashboards
     Attract and Retain Security Talent
  37. Want to learn more? Visit http://www.servicenow.com/products/security-operations.html
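The incident-enrichment flow of Use Case 1 (slides 31-33: a SIEM event is turned into an incident, enriched with CMDB business context, threat-intelligence confidence and vulnerability data) and the "rules of engagement" of slides 19 and 22 (automate only where risk and confidence allow, otherwise route to a human analyst) are worked through below in a small Python script. This is an added example, not code from the deck, from Forrester or from ServiceNow; the lookup tables, the hostnames, the priority matrix, the `RULES_OF_ENGAGEMENT` thresholds and the action names are all constructed assumptions, and the IP addresses are documentation ranges.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed lookup tables standing in for the systems a response workflow
# would query: an asset/CMDB view, a threat-intelligence feed and a
# vulnerability scanner. These are assumptions for the example, not any
# vendor's schema; the indicator addresses are RFC 5737 documentation ranges.
CMDB: Dict[str, dict] = {
    "web-prod-01": {"services": ["Online Banking Portal"], "criticality": "critical"},
    "dev-box-07": {"services": ["Developer Sandbox"], "criticality": "low"},
}
THREAT_INTEL: Dict[str, Tuple[int, List[str]]] = {
    # indicator -> (feed confidence 0-100, tags)
    "203.0.113.45": (90, ["c2", "banking-trojan"]),
    "198.51.100.7": (35, ["scanner"]),
}
VULN_DATA: Dict[str, List[str]] = {
    "web-prod-01": ["VULN-ID-PLACEHOLDER"],  # placeholder, not a real CVE id
    "dev-box-07": [],
}

# Rules of engagement agreed with business owners (assumed values): which
# actions may run unattended, and the risk/confidence limits for disruptive ones.
LOW_RISK_ACTIONS = {"lookup_cmdb", "query_threat_intel", "collect_logs"}
RULES_OF_ENGAGEMENT = {
    "auto_block_min_confidence": 80,               # below this, a human decides
    "never_auto_block_criticality": {"critical"},  # too much business risk to automate
}


@dataclass
class Incident:
    source_host: str
    indicator: str
    business_services: List[str]
    asset_criticality: str
    intel_confidence: int
    intel_tags: List[str]
    open_vulns: List[str]
    priority: str


def score_priority(criticality: str, confidence: int) -> str:
    """Priority from business impact (asset criticality) and intel confidence."""
    high_conf = confidence >= 70
    if criticality == "critical" and high_conf:
        return "P1"
    if criticality == "critical" or high_conf:
        return "P2"
    if criticality == "high" or confidence >= 40:
        return "P3"
    return "P4"


def enrich_event(event: dict) -> Incident:
    """Turn a raw SIEM event into an enriched, prioritised security incident."""
    host = event["source_host"]
    indicator = event["dest_ip"]
    asset = CMDB.get(host, {"services": [], "criticality": "unknown"})
    confidence, tags = THREAT_INTEL.get(indicator, (0, []))
    return Incident(
        source_host=host,
        indicator=indicator,
        business_services=list(asset["services"]),
        asset_criticality=asset["criticality"],
        intel_confidence=confidence,
        intel_tags=list(tags),
        open_vulns=list(VULN_DATA.get(host, [])),
        priority=score_priority(asset["criticality"], confidence),
    )


def decide_action(incident: Incident, action: str, roe: dict = RULES_OF_ENGAGEMENT) -> str:
    """Return 'automate' or 'analyst' for a proposed action under the ROE."""
    if action in LOW_RISK_ACTIONS:
        return "automate"  # investigation and context-building always run
    if incident.asset_criticality in roe["never_auto_block_criticality"]:
        return "analyst"   # blocking could disrupt a critical business service
    if incident.intel_confidence >= roe["auto_block_min_confidence"]:
        return "automate"
    return "analyst"


if __name__ == "__main__":
    # Constructed SIEM event: outbound traffic from a server to a suspicious IP.
    inc = enrich_event({"source_host": "web-prod-01", "dest_ip": "203.0.113.45"})
    print(inc.priority, inc.business_services, inc.intel_tags, inc.open_vulns)
    for act in ("query_threat_intel", "block_outbound_ip"):
        print(act, "->", decide_action(inc, act))
```

The split between `LOW_RISK_ACTIONS` and everything else mirrors the "crawl, walk, run" slide: querying and context-building run unattended from day one, while a block on a business-critical asset is always handed to an analyst even when the feed confidence is high, because the cost of stopping legitimate traffic is the risk the deck says practitioners fear most.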
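The phishing playbook of Use Case 2 (slides 34-35) is a decision procedure: scan the reported message, and if it is malicious, find every other recipient, delete the message from each mailbox, scan the endpoints of those who opened it, then block the sender at the mail gateway and the embedded URL at the firewall. The Python script below carries that procedure through on a constructed message. It is an added example, not the deck's, Forrester's or ServiceNow's code: the "scanner" is a constructed blocklist lookup, `MAILBOX_STATE` is an assumed view of who received and opened the message, and the returned action tuples are a placeholder for the tickets or API calls a real workflow engine would raise.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ReportedEmail:
    """A message forwarded by a user to the phishing mailbox (assumed shape)."""
    message_id: str
    sender: str
    subject: str
    body: str
    attachment: Optional[bytes] = None


# Constructed scanner knowledge: a blocklist of URLs and attachment hashes,
# standing in for the malware-scanning service the slide refers to.
KNOWN_BAD_URLS = {"http://invoice-update.example.net/login"}
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed malicious payload").hexdigest()}

# Constructed mail-server view: message id -> {recipient: opened?}
MAILBOX_STATE: Dict[str, Dict[str, bool]] = {
    "<msg-001@example.com>": {
        "alice@example.com": True,
        "bob@example.com": False,
        "carol@example.com": True,
    },
}

URL_RE = re.compile(r'https?://[^\s<>"]+')


def extract_urls(body: str) -> List[str]:
    """Pull every http(s) URL out of the message body."""
    return URL_RE.findall(body)


def scan_email(mail: ReportedEmail) -> dict:
    """Submit the message and its contents for scanning (blocklist lookup here)."""
    bad_urls = [u for u in extract_urls(mail.body) if u in KNOWN_BAD_URLS]
    attachment_sha256 = (
        hashlib.sha256(mail.attachment).hexdigest() if mail.attachment else None
    )
    bad_attachment = attachment_sha256 in KNOWN_BAD_SHA256
    return {
        "malicious": bool(bad_urls or bad_attachment),
        "bad_urls": bad_urls,
        "attachment_sha256": attachment_sha256,
        "bad_attachment": bad_attachment,
    }


def phishing_playbook(
    mail: ReportedEmail, mailbox_state: Dict[str, Dict[str, bool]] = MAILBOX_STATE
) -> Tuple[dict, List[Tuple[str, str]]]:
    """Return the scan verdict and the ordered list of response actions."""
    verdict = scan_email(mail)
    actions: List[Tuple[str, str]] = []
    if not verdict["malicious"]:
        actions.append(("close_incident", "benign: no known-bad URL or attachment"))
        return verdict, actions

    # Determine who else received the message; opened copies also need an
    # endpoint malware scan, unopened copies are just removed.
    for recipient, opened in sorted(mailbox_state.get(mail.message_id, {}).items()):
        actions.append(("delete_from_mailbox", recipient))
        if opened:
            actions.append(("scan_endpoint_for_malware", recipient))

    # Update mail-server protection and firewall rules with the indicators.
    actions.append(("block_sender_on_mail_gateway", mail.sender))
    for url in verdict["bad_urls"]:
        actions.append(("block_url_on_firewall", url))
    if verdict["bad_attachment"]:
        actions.append(("block_hash_on_mail_gateway", verdict["attachment_sha256"]))
    return verdict, actions


if __name__ == "__main__":
    # Constructed report: a lure pointing at the blocklisted URL.
    report = ReportedEmail(
        message_id="<msg-001@example.com>",
        sender="billing@invoice-update.example.net",
        subject="Invoice overdue",
        body="Please log in at http://invoice-update.example.net/login to settle.",
    )
    verdict, actions = phishing_playbook(report)
    print(verdict["malicious"])
    for action in actions:
        print(*action)
```

Returning the actions as data rather than executing them inline is what lets the playbook sit on either side of the rules of engagement: the same list can be executed unattended when the verdict comes from a high-confidence feed, or handed to an analyst for approval when it does not.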
