Deconstructing Enterprise Security Response: Essentials for an Effective Threat Response Architecture
TRANSCRIPT
© 2017 ServiceNow All Rights Reserved
Presenters
Jon Oltsik, Senior Principal Analyst, Enterprise Strategy Group
Piero DePaoli, Senior Director, Security Business Unit, ServiceNow
Enterprise Strategy Group | Getting to the bigger truth.™
© 2017 by The Enterprise Strategy Group, Inc.
Incident Response Trends
Jon Oltsik, Senior Principal Analyst
March 14, 2017
Incident Response Changes Experienced Over the Last Two Years
None of the above; 2%
Outsourced one or more aspects of incident response to a managed security service provider (MSSP); 24%
An increase in the number/volume of security alerts; 28%
An increase in the amount of threat intelligence used for incident response; 33%
An increase in the number of hours dedicated to incident response; 33%
Additional processes/collaboration required between security teams and IT operations teams; 33%
Worked with a professional services firm to help the organization improve its incident response policies, processes, or technologies; 33%
An increase in the volume and complexity related to vulnerability scanning and patch management; 33%
An increase in the number of people involved in incident response; 34%
Addition of new hires/employees dedicated to incident response who spend a substantial amount of their time on incident response; 36%
An increase in the amount of staff training needed for incident response; 36%
An increase in the number of threat detection tools used for incident response; 37%
An increase in the volume of data collected/analyzed for incident response; 40%
Incident response activities extend to newer IT initiatives like cloud computing, mobile computing, Internet of Things (IoT) applications, etc.; 40%
Adoption of an enterprise Security Operations Center (SOC), Computer Emergency Response Team (CERT), or similar development; 40%
Over the past two years, has your organization experienced any of the following changes with incident response? (Percent of respondents, N=184, multiple responses accepted)
Incident Response Efficiency and Effectiveness Is Limited by Manual Processes
Yes, significantly; 52%
Yes, somewhat; 41%
No; 7%
Don’t know; 1%
Do you believe that your organization’s incident response efficiency and effectiveness are limited by the time and effort required for manual processes? (Percent of respondents, N=184)
Percent of Incident Response Time Spent on Manual Processes
Less than 10% of the total time spent on incident response is spent on manual processes like these; 5%
Between 10% and 25% of the total time spent on incident response is spent on manual processes like these; 33%
Between 26% and 50% of the total time spent on incident response is spent on manual processes like these; 34%
Between 51% and 75% of the total time spent on incident response is spent on manual processes like these; 18%
More than 75% of the total time spent on incident response is spent on manual processes like these; 9%
Don’t know; 1%
In your opinion, how much of your organization’s incident response time is occupied by manual processes today (i.e., finding forms, filling in paperwork, physically viewing multiple security and IT analytics tools, finding a particular person, etc.)? (Percent of respondents, N=184)
Top IR Challenges
33% say, “coordinating incident response activities between cybersecurity and IT operations teams”
30% say, “monitoring IR processes from end-to-end to ensure that all incidents are adequately addressed and closed”
28% say, “maintaining the right skills for IR”
26% say, “issues around technology integration of various security controls and technologies”
Streamlining Incident Response Operations Is a High Priority
Streamlining incident response operations with the goal of making the IR staff more efficient and effective; 59%
Automating incident response remediation tasks; 39%
Don’t know; 2%
In your opinion, which is the higher priority for incident response automation/orchestration at your organization? (Percent of respondents, N=184)
Use of Technologies to Automate and Orchestrate Incident Response
Yes, extensively (i.e., technical steps used for incident response process automation are being used extensively in a production environment today and there are ongoing plans to continue this effort); 45%
Yes, somewhat (i.e., technical steps used for incident response process automation are starting to be used in a production environment today and there are ongoing plans to continue this effort); 47%
No, but we plan to perform technical integration, and/or deploy new technologies intended to help automate and orchestrate incident response processes within the next 12 to 24 months; 5%
No, but we are interested in performing technical integration, and/or deploying new technologies intended to help automate and orchestrate incident response processes within the next 12 to 24 months; 1%
No, and we have no plans or interest in performing technical integration, and/or deploying new technologies intended to help automate and orchestrate incident response processes at this time; 1%
Don’t know; 1%
Has your organization done any technical integration and/or deployed any new technologies intended to help automate and orchestrate incident response processes? (Percent of respondents, N=184)
Actions Taken (or to Be Taken) to Automate Incident Response Processes
Allow us to automate repetitive and time-consuming tasks; 36%
Decrease the number of hours required for incident response processes; 36%
Increase the number of security alerts we can follow up on; 36%
Automation/orchestration can help us prioritize incidents; 37%
Automation/orchestration can help us collect, process, and enrich security data in a more efficient manner; 37%
Automation/orchestration can help us improve the efficiency of IT operations tasks like updating antivirus signatures or installing software patches; 38%
Allow us to automate simple remediation actions; 38%
Improve collaboration between cybersecurity and IT operations groups; 45%
Improve our ability to detect and respond to incidents in a timely manner; 48%
You indicated that your organization has taken actions to automate and/or orchestrate incident response processes, or is planning to do so or interested in doing so in the future. Why has or will your organization do this? (Percent of respondents, N=182, multiple responses accepted)
Change in Incident Response Spending Over the Next Two Years
Increase significantly; 46%
Increase somewhat; 42%
Remain about the same; 10%
Decrease somewhat; 1%
Decrease significantly; 1%
Over the next two years, how will your organization’s spending on incident response (including technologies, processes, services, etc.) change, if at all? (Percent of respondents, N=184)
Incident Response Actions Organizations Will Take Over the Next Two Years
None of the above; 1%
Outsource aspects of incident response to third-party managed security service providers; 24%
Outsource all incident response processes and responsibilities to third-party managed security service providers; 24%
Develop a formal documented incident response process; 30%
Work with professional services organizations to develop formal incident response processes; 33%
Test our incident response processes more often; 34%
Provide incident response training for cybersecurity and IT operations staff; 34%
Create a new cybersecurity group that acts as a Computer Emergency Response Team (CERT) and is given responsibility/oversight for all incident response processes and operations; 39%
Hire more incident response personnel; 39%
Consolidate existing incident response personnel and technologies into a common location as a means for improving communication and collaboration on incident response processes and operations; 42%
Improve the alignment of incident response processes and IT governance processes; 47%
As part of its cybersecurity strategy, will your organization take any of the following actions with regard to incident response over the next two years? (Percent of respondents, N=184, multiple responses accepted)
The Bigger Truth
• IR is a cybersecurity priority
• Not getting any easier
• Pressing need for IR automation and orchestration
• Generally starts with orchestration, then proceeds to automation
• Done in conjunction with process improvement
• Successful organizations start small and grow
Thank You
FOLLOW ESG
http://www.twitter.com/esg-global
http://www.facebook.com/ESGglobal
https://www.linkedin.com/groups?gid=1295607&trk=myg_ugrp_ovr
http://www.youtube.com/user/ESGglobal
Jon Oltsik, Principal [email protected]
Organizations Have Invested In LOTS Of Security Products
But what happens when something goes wrong?
Security Teams Are Overwhelmed
• Manual Tools
• Too Many Alerts & No Context
• Siloed from IT (Security and IT operate separately)
The Need: Enterprise Security Response
• Security Incident Response
• Workflow Automation & Orchestration
• Deep IT Integration
• Vulnerability Response
• Threat Intelligence
ENTERPRISE SECURITY RESPONSE
Resolve Real Security Threats Fast
Bring Security & IT Together
• Single platform for collaboration and accountability
Identify Real Security Problems
• Prioritization and automatic enrichment
Leverage Workflow and Automation
• Resolve real security threats fast!
Share Information Between Security and IT
Single system of record captures everything related to the incident:
• Tasks
• Attachments
• Post Incident Reviews
• Work Notes
• Etc.
NIST-based process
Facilitate Collaboration with Workflows
Understand Business Impact
• ServiceWatch automatically maps applications and infrastructure components to business services
(Diagram labels: Security Breach; Mission Critical Service / Application; Service Outage)
• Patching or taking breached systems offline can cause business disruption
• Lack of a relational CMDB leads to misunderstanding broader breaches
• Lack of asset ownership information slows investigation
• SLAs are missed due to misunderstood impact and priority
Identify Threats Faster with Intelligence Feeds
• Comprehensive catalog of IoCs
• Automatic IoC lookup
• Embeds IoCs with linked incidents and systems
• Supports multiple threat feeds
Orchestrate Threat Intelligence Lookups: Automate the Data Enrichment Activities
• Security incident generated
• Analyst prioritizes, assigns & categorizes incident
• Analyst identifies & extracts IPs, hashes & IoCs
• Analyst runs reputational lookups via threat intel indicators
• Analyst gets running processes from target machine
• Analyst gets network connections from target machine
• Analyst runs hashes on all running processes
• Analyst runs threat intel lookups on all processes and network connections
• Analyst confirms threat
• Analyst begins remediation process
(On the slide, the data enrichment activities are shown as red boxes.)
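The slide lists the enrichment steps an analyst performs by hand between "incident generated" and "analyst confirms threat". The following script is an added example, not ServiceNow code, of what the automated version of those steps looks like: it extracts IPs and hashes from a constructed SIEM alert, filters out internal addresses, runs reputation lookups against a constructed threat-intel catalog, hashes a constructed list of running processes with their network connections, looks those up too, and hands the analyst one structured result with a computed priority. The feed names, scores, process list, addresses (documentation ranges standing in for public IPs) and the P1/P2/P3 thresholds are all assumptions made for the example.

```python
"""Added example (not ServiceNow code): the enrichment steps from the slide,
run over a constructed alert, threat-intel catalog and process list."""
import hashlib
import ipaddress
import re

# Constructed threat-intel catalog standing in for the slide's "catalog of IoCs".
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used here as
# stand-ins for public addresses; the scores and feed names are illustrative.
MALICIOUS_IMAGE = b"constructed-malicious-image"
MALICIOUS_SHA256 = hashlib.sha256(MALICIOUS_IMAGE).hexdigest()
THREAT_INTEL = {
    "203.0.113.45": {"verdict": "malicious", "score": 90, "source": "feed-A (constructed)"},
    "198.51.100.7": {"verdict": "suspicious", "score": 55, "source": "feed-B (constructed)"},
    MALICIOUS_SHA256: {"verdict": "malicious", "score": 95, "source": "feed-A (constructed)"},
}

# Constructed "running processes from target machine", as an endpoint query would
# return them; the image bytes stand in for reading each executable from disk.
TARGET_PROCESSES = [
    {"pid": 412, "name": "svchost.exe", "image": b"constructed-benign-image-1",
     "connections": ["198.51.100.7:443"]},
    {"pid": 977, "name": "updater.exe", "image": MALICIOUS_IMAGE,
     "connections": ["203.0.113.45:8443"]},
    {"pid": 1203, "name": "explorer.exe", "image": b"constructed-benign-image-2",
     "connections": []},
]

# Constructed SIEM alert text; internal addresses must not be sent to feeds.
SAMPLE_ALERT = (
    "SIEM alert: outbound connection from 10.20.30.40 to 203.0.113.45 port 8443; "
    f"file hash {MALICIOUS_SHA256} observed; resolver 10.0.0.1; bogus 999.1.1.1"
)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def extract_iocs(text):
    """Step 'identifies & extracts IPs, hashes & IoCs' from the alert text."""
    ips = set()
    for candidate in IPV4_RE.findall(text):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # matches the regex but is not an address (e.g. 999.1.1.1)
        if not any(addr in net for net in INTERNAL_NETS):
            ips.add(str(addr))
    hashes = {h.lower() for h in HASH_RE.findall(text)}
    return {"ips": sorted(ips), "hashes": sorted(hashes)}


def lookup(indicator):
    """Step 'runs reputational lookups': unknown indicators get an explicit verdict."""
    return THREAT_INTEL.get(indicator, {"verdict": "unknown", "score": 0, "source": None})


def hash_process(image_bytes):
    """Step 'runs hashes on all running processes'."""
    return hashlib.sha256(image_bytes).hexdigest()


def enrich_incident(alert_text, processes):
    """Runs the slide's enrichment steps in order and returns one structured result
    for the analyst to review before deciding whether the threat is confirmed."""
    iocs = extract_iocs(alert_text)
    findings = []
    for ip in iocs["ips"]:
        findings.append({"indicator": ip, "kind": "alert-ip", **lookup(ip)})
    for digest in iocs["hashes"]:
        findings.append({"indicator": digest, "kind": "alert-hash", **lookup(digest)})
    for proc in processes:
        digest = hash_process(proc["image"])
        findings.append({"indicator": digest, "kind": "process:" + proc["name"],
                         **lookup(digest)})
        for conn in proc["connections"]:  # 'network connections from target machine'
            remote_ip = conn.rsplit(":", 1)[0]
            findings.append({"indicator": remote_ip, "kind": "connection:" + proc["name"],
                             **lookup(remote_ip)})
    hits = [f for f in findings if f["verdict"] != "unknown"]
    top_score = max((f["score"] for f in hits), default=0)
    priority = "P1" if top_score >= 90 else "P2" if top_score >= 50 else "P3"  # assumed thresholds
    return {
        "iocs": iocs,
        "findings": findings,
        "hits": hits,
        "confirmed": any(f["verdict"] == "malicious" for f in hits),
        "priority": priority,
    }


if __name__ == "__main__":
    result = enrich_incident(SAMPLE_ALERT, TARGET_PROCESSES)
    print("priority:", result["priority"], "confirmed:", result["confirmed"])
    for f in result["hits"]:
        print(f"  {f['kind']:<24} {f['indicator'][:20]:<20} {f['verdict']} ({f['source']})")
```

Two design points carry over to a real deployment: indicators are validated and internal addresses are dropped before any lookup, so private infrastructure is never leaked to an external feed, and "unknown" is an explicit verdict rather than a missing entry, so the analyst can see which indicators no feed covered instead of mistaking silence for a clean result.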
Integrate Existing Security Products
(Diagram labels: Enterprise Security Response, integrated with Enforcement, Protection, Vulnerability, SIEM, Threat Intelligence, User Submissions, CMDB, Orchestration, Post-Incident Review, and IT Change Request)
Use Metrics & Dashboards to Demonstrate Value
(Dashboard panels: Severe Vulnerabilities by Business Service; All Vulnerabilities by Business Service)
• Don’t miss Knowledge17, May 7 – 11, Orlando
• Join us at:
• FS-ISAC Summit, April 30 – May 3, Lake Buena Vista
• Ignite 2017 Cybersecurity Conference, June 12 – 15, Vancouver
• Learn more at www.servicenow.com/sec-ops
Q & A
WORK AT LIGHTSPEED™