Joseph Blankenship is a leading security industry veteran and currently a senior analyst at Forrester serving security and risk professionals. This session examined how analytics and automation are combining to transform security operations. Specifically, he will address how combating threats and keeping pace with change requires security technologies to work together and security leaders to embrace automation.

1. © 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.

2. © 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
Put Analytics And Automation At The
Core Of Security
Joseph Blankenship, Senior Analyst
October 18, 2017

3. We work with business and
technology leaders to develop
customer-­obsessed strategies
that drive growth.
3© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.

4. 4© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
Analyst Bio
Joseph (aka JB) supports Security & Risk
professionals, helping clients develop
security strategies and make informed
decisions to protect against risk. He covers
security infrastructure and operations,
including security information management
(SIM), security analytics, security automation
and orchestration (SAO), distributed denial of
service (DDoS), and network security. His
research focuses on security monitoring,
threat detection, insider threat, operations,
and management.Joseph Blankenship, Senior Analyst
Forrester

5. 5© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
My Challenge For Today

6. 6© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
Agenda
› The Evolving World
› Cybersecurity Has To Evolve
› Analytics And Automation
› Starting Your Automation Journey
› Rules of Engagement
› Wrap-Up

7. 7© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
The Evolving World

8. 8© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
People And Technology Continue To Evolve
www.vexels.com/vectors/preview/71108/evolution-­of-­human-­work-­silhouettes

9. 9© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
Delivering A 5 MB Hard Drive In 1956
1.25in
.94in
.08in thick

10. 10© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
Smartphones Replaced A Host Of Devices

11. 11© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
Concerts Have Evolved

12. 12© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
Remember Telephone Operators?
Image Source: www.flickr.com/photos/jill_carlson/11085936793, www.flickr.com/photos/70251312,

13. 13© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
Cybersecurity Has To Evolve

14. 14© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
51% of firms
were breached in
the past 12
months.
48% of Enterprise Firms Suffered 2+ Breaches in 2017

15. 15© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
Top Data Types Breached
Base: 614 global network security decision-­makers whose firms have had a security breach in the past 12 months
Source: Forrester Data Global Business Technographics Security Survey, 2017
41%
34%
29%
28%
26%
22%
20%
16%
8%
Personally identifiable information (name, address, phone,
Social Security number)
Authentication credentials (user IDs and passwords, other
forms of credentials)
Account numbers
Intellectual property
Corporate financial data
Website defacement
Payment/credit card data
Other personal data (e.g., customer service data)
Other sensitive corporate data (e.g., marketing/strategy plans,
pricing)
“What types of data were potentially compromised or breached in the past 12
months?”

16. 16© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
Security Analysis Is A Manual Activity
Source: Forrester’s Security Operations Center (SOC) Staffing

17. 17© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
Too Many Alerts / Too Few Analysts
Source: Forrester’s Security Operations Center (SOC) Staffing

18. 18© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
Attacker Dwell Time Still Averages 99 Days
› Dwell times have dropped from 146
days in 2015 to 99 days in 2016
› While this is a substantial
improvement, it’s still far too long
2017 FireEye M-­Trends Report
Obligatory Picture Of Guy In Hoodie With Ones And Zeroes

19. 19© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
The lack of speed and agility when responding
to a suspected data breach is the most
significant issue facing security teams today.
Source: Forrester’s “Rules of Engagement: A Call to Action to Automate Breach Response” report.

20. 20© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
Infrastructures Are Increasingly Complex

21. 21© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
Organizations can't handle increased
complexity with manual processes.

22. 22© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
Increasing
Complexity
Necessitates
The Use Of
Automation
Source: Reduce Risk And Improve Security Through Infrastructure Automation Forrester report

23. 23© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
Analytics And Automation

24. 24© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.

25. 25© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
Security Analytics Enables Better Detection
Source: Forrester’s Vendor Landscape: Security Analytics (SA)

26. 26© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
Automation Will Speed Response
› Alert triaging
› Context gathering
› Containment
› Remediation

27. 27© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
Automation Isn’t A Four Letter Word
› Historically, security pros have shied away from automation
• Risk of stopping legitimate traffic or disrupting business
• Need for human analyst to research and make decisions

28. 28© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
Base: 1,700 Security technology decision-­makers (1,000+ employees)
Source: Forrester Data Global Business Technographics Security Survey, 2017
0% 5% 10% 15% 20% 25% 30% 35% 40% 45%
Complexity of our IT environment
Changing/evolving nature of IT threats (internal and …
Compliance with new privacy laws
Day-­to-­day tactical activities taking up too much time
Building a culture of data stewardship
Lack of budget
Lack of staff (the security team is understaffed)
Unavailability of security employees with the right …
Inability to measure the effectiveness of our security …
Other priorities in the organization taking precedence …
Top 10 Enterprise Security Challenges

29. 29© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
State that using automation and
orchestration tools to improve security
operations is a high or critical priority.
Base: 1,169 Security technology decision-­makers (1,000+ employees)
Source: Forrester Data Global Business Technographics Security Survey, 2017
68%

30. 30© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
Security Is Evolving To Be More Automated

31. 31© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
#1 Security Productivity Tool

32. 32© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
Analysts Also Swivel Chair Between Tools

33. 33© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
We Already Have LOTS Of Security Tools
Source: Momentum Partners

34. 34© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
More tools = more security
alerts

35. 35© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.

36. 36© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
Automation Will Help Break Down Silos

37. 37© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
Automation will help analysts become
more productive, but will not be a
replacement for human analysts.

38. 38© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
Starting Your Automation Journey

39. 39© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
Crawl, Walk, Run
› What are the tasks/processes
ready for automation today?
• Repetitive, manual tasks
• Low-­risk processes like
investigation, context building,
and querying
› Build a strong foundation, then
work on more advanced
automation
• Complicated processes
• Remediation activities

40. 40© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
Targeted Attack Hierarchy of Needs
Source: Forrester’s Targeted-­Attack Hierarchy Of Needs: Assess Your Core Capabilities report

41. 41© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.

42. 42© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
Rules Of Engagement

43. 43© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
Automating Response
› Automating security is a business requirement
› Security is behind other parts of the business
Source: Forrester’s Rules Of Engagement: A Call To Action To Automate Breach Response

44. 44© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
Automation Requires Defined Rules Of Engagement
› To enable automation, security teams must:
• Know the business
› Understand key systems and data
• Establish policies for automating
› When to automate
› When to send to a human analyst
• Build consistent processes
› Bad process = garbage in / garbage out
› Policies based on business requirements
• Protect toxic data – IT’S ALL ABOUT THE DATA
• Build policies based on data risk
A Formula For Defining Toxic Data

45. 45© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
Rules Of Engagement
Source: Forrester’s Rules Of Engagement: A Call To Action To Automate Breach Response

46. 46© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
Wrap-­Up And Next Steps
› Security teams lack the speed and agility to stop breaches
• Inadequate tools and slow, manual processes impede progress
• Complex environments require automation
› We have to make better, faster security decisions
• Security analytics tools help make that happen
• Ability to automate is dependent on more accurate, improved detection
› Automation can deliver faster response
• Build a foundation before increasing complexity
• Define rules of engagement for automation

47. FORRESTER.COM
Thank you
© 2017 F O RRE S T E R. RE PRO DUCTI ON P RO HIB ITE D.
Joseph Blankenship
www.forrester.com/Joseph-­Blankenship
@infosec_jb