© 2016 ServiceNow All Rights Reserved
Simplify Security Operations - Detect, Prioritize and Respond
Bryce Schroeder - Sr. Director Security and Risk Practice
1st December 2016
Simplify Security Operations - Agenda
• Introduction
• NIST Guidance
• Why So Complicated?
• Steps to Simplify
• Conclusion
Bryce Schroeder serves as Sr. Director of ServiceNow’s new Security and Risk Practice. This business unit is focused on solving Enterprise Security Response. Before ServiceNow, Bryce was VP of Security Engineering for Tripwire Inc. Bryce joined Tripwire from NetApp, where he led a team of Architects and Systems Engineers in enterprise Cloud infrastructure solutions. Prior to NetApp, Bryce served in senior leadership roles at Symantec, where he drove global solutions, and at Sun Microsystems, where he pioneered the development and successful deployment of secure remote automated software integration, distribution and test across the Internet.
Bryce earned his Master’s in Engineering and Technology Management from Portland State University and three Bachelor’s degrees from Oregon State University in Electrical Engineering, Computer Engineering and Computer Science.
The Enterprise Cloud Company
Cloud-based Service that Modernizes and Transforms the Enterprise
Highly Secure and Available Enterprise Cloud
SaaS Business Model
~3,200 Enterprise Customers
~4,200 Global Employees
Major Sites: San Diego, Silicon Valley, Seattle, Amsterdam, London, Sydney, Israel, India
[Chart: Enterprise Cloud, NYSE: NOW, Strong Revenue & Growth. Annual revenue FY09 through FY16E: $28M, $64M, $128M, $244M, $425M, $683M, $1BN, $1.370-$1.380BN (estimate)]
NIST Framework for Improving Critical Infrastructure Cybersecurity
Security Operations Complications
THREAT LANDSCAPE
Mean Time to Identify [MTTI]: days on average to spot a breach
Mean Time to Contain [MTTC]: days to contain
INFILTRATION → EXPLOITATION → EXFILTRATION → COVERING TRACKS
The lack of speed and agility when responding to a suspected data breach is the most significant issue facing security teams today.
Source: Forrester’s “Rules of Engagement: A Call to Action to Automate Breach Response” report.
WE HAVE LOTS OF SECURITY SOLUTIONS
Source: Momentum Partners
WHY ARE SECURITY SOLUTIONS COMPLEX? Disconnected Silos
SIEM, Malware, Threat, Network Protection, Endpoint Solutions, IAMs
THE WRONG TOOLS ARE BEING USED FOR RESPONSE
Emails, Spreadsheets, Phone Calls, Meetings, and Text Messages are difficult to measure and don’t provide an easy way to understand how your processes are performing, where the bottlenecks are, and how to improve them.
SECURITY RESPONDERS ARE OVERWHELMED
Security Alert sources:
• SIEM
• APT
• EPS
Questions the Security Analyst must answer:
• What info do I need?
• What systems have the info that I need?
• What lookups do I need to run to derive 2nd level enrichment?
• Have I seen this type of threat before?
• Is it a threat attempting to go undetected?
Contributing factors:
• Security Runbook knowledge
• Multiple disparate solutions
• Manual scripting and operational tasks
• No historical threat intel tied to incidents or CIs
• No context across asset, service type or user group
Result: Slower Security Response
CYBERSECURITY SKILL & TALENT GAP
NET IMPACT ON THE BUSINESS
Average total cost of a data breach: $4 MM
Average cost per stolen record: $158
Increase in cost since 2013: 29%
[Chart: Impact of 16 factors on per capita cost of a data breach]
Source: Ponemon Institute, 2016 Cost of Data Breach Study: Global Analysis
COMPLICATIONS FOR SECURITY OPERATIONS
• Time & Change: Threat Landscape; Time to Identify; Time to Contain
• Toolsets: Siloed; Different context; Too many alerts
• Communication: Wrong method for accountable real-time incident response
• Skill & Talent Gap: Not enough skilled analysts to manage increasing incidents
• Alert Overload: Too many alerts
Simplify Security Operations
FIVE BEST PRACTICES FOR SIMPLIFYING SECURITY OPERATIONS
• Single System for IT & Security: Collaborate & Communicate
• Service Mapping: Criticality & Prioritization
• Automate: Security Runbook; Cross reference; Prefetch
• Knowledge & Capability: Track Progress, Find Gaps & Optimize
• Visualize Your Security Posture
SIMPLIFY: Single System for IT & Security
Single system that captures all collateral related to the incident:
• Tasks
• Attachments
• Post Incident Reviews
• Work Notes
• etc.
NIST-based process.
Role based, so sensitive data is only shared with the proper roles.
SIMPLIFY: Single System for IT & Security
Notify enables conference calls to be quickly initiated with the necessary stakeholders.
Connect enables chat groups to be quickly assembled so critical resources can easily collaborate and audit response actions.
SIMPLIFY: Service Mapping
[Diagram: Security Breach On Vulnerable Asset; Mission Critical Service / Application; Security Breach Matching Known IOC On Vulnerable Asset; Service Outage]
Provide Situational Awareness/Prioritization:
• Have we or our peers seen this attack before? (Threat)
• What do these assets mean to the business?
• What business risks are tied to these assets?
• How vulnerable are these assets?
• Is anything else going on with these assets?
• What are our plans?
Open Up Communication:
• Security Catalog
• Virtual War Room through Connect
SIMPLIFY: Automate
Security Incident Types can have Service Levels associated with them.
When a Security Incident comes in with “matching” conditions… the SLA process starts.
• Workflow facilitates collaboration and a consistent process that all stakeholders can follow and use to track response progress.
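As an added example (not ServiceNow's code), here is the mechanism behind the Service Mapping prioritisation questions and the SLA that starts on "matching" conditions: an incident is ranked from its service-mapping context, then the first SLA definition whose conditions match sets its containment deadline. The priority weights, SLA names and containment targets are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Constructed incident record; the flags mirror the deck's service-mapping questions.
@dataclass
class Incident:
    known_ioc_match: bool
    asset_vulnerable: bool
    service_critical: bool
    service_outage: bool
    priority: int = 4                    # P1 (highest) .. P4 (lowest)
    sla_name: Optional[str] = None
    opened_at: Optional[datetime] = None
    contain_by: Optional[datetime] = None

def prioritise(inc: Incident) -> int:
    """Derive P1..P4 from service-mapping context (weights are an assumption)."""
    score = (2 * inc.service_critical + inc.asset_vulnerable
             + inc.known_ioc_match + inc.service_outage)
    return 1 if score >= 4 else 2 if score == 3 else 3 if score >= 1 else 4

@dataclass
class SlaDefinition:
    name: str
    matches: Callable[[Incident], bool]  # the deck's "matching conditions"
    contain_within: timedelta            # target Mean Time to Contain

# Hypothetical SLA table, evaluated in order; the first match starts the clock.
SLA_TABLE = [
    SlaDefinition("P1-critical-service", lambda i: i.priority == 1, timedelta(hours=4)),
    SlaDefinition("P2-ioc-on-vulnerable", lambda i: i.priority == 2, timedelta(hours=24)),
    SlaDefinition("default", lambda i: True, timedelta(days=5)),
]

def start_sla(inc: Incident, opened_at: Optional[datetime] = None) -> Incident:
    """Prioritise the incident, then attach the first SLA whose conditions match."""
    inc.priority = prioritise(inc)
    inc.opened_at = opened_at or datetime.now(timezone.utc)
    for sla in SLA_TABLE:
        if sla.matches(inc):
            inc.sla_name, inc.contain_by = sla.name, inc.opened_at + sla.contain_within
            break
    return inc

def contain_window_hours(inc: Incident) -> float:  # hours from creation to deadline
    return (inc.contain_by - inc.opened_at).total_seconds() / 3600

def sla_breached(inc: Incident, now: datetime) -> bool:  # deadline passed, not closed
    return inc.contain_by is not None and now > inc.contain_by
```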
SIMPLIFY: Visualize
Service Outage Map
Open Security Incidents by type
CISO Trend dashboard
Business Service to Security Incident Criticality
SIMPLIFY: Knowledge & Capability
The Post Incident Review is automatically generated from:
• Assessments
• Related Tasks
• Work Notes
• Incident flow steps
• etc.
The Post Incident Review can be useful for the audit documentation.
SIMPLIFY: Knowledge & Capability
Security Knowledgebase: secure articles
• Event systems documentation
• SOPs documentation
• Key contacts lists
• Post Incident Review documentation
FIVE BEST PRACTICES FOR SIMPLIFYING SECURITY OPERATIONS (recap): Single System for IT & Security (Collaborate & Communicate); Service Mapping (Criticality & Prioritization); Automate (Security Runbook, Cross reference, Prefetch); Knowledge & Capability (Track Progress, Find Gaps & Optimize); Visualize Your Security Posture.
Enterprise Security Response
SERVICENOW: ENTERPRISE SECURITY RESPONSE
• Security Incident Response
• Vulnerability Response
• Threat Intelligence
• Workflow & Automation
• Deep IT Integration
THANK YOU
Simplify Security Operations - Detect, Prioritize and Respond
Bryce Schroeder - Sr. Director Security and Risk Practice
bryce.schroeder@servicenow.com
ServiceNow Webinar 12/1: Simplify Security Operations - Detect, Prioritize and Respond
