Deconstructing Enterprise Security Response: Essentials for an Effective Threat Response Architecture

Uploaded by servicenow, 08-Apr-2017 (category: Technology)

TRANSCRIPT

Page 1: Deconstructing Enterprise Security Response

© 2017 ServiceNow All Rights Reserved

Deconstructing Enterprise Security Response: Essentials for an Effective Threat Response Architecture

Page 2: Deconstructing Enterprise Security Response


Presenters

Jon Oltsik, Senior Principal Analyst

Enterprise Strategy Group

Piero DePaoli, Senior Director, Security Business Unit

ServiceNow

Page 3: Deconstructing Enterprise Security Response

Enterprise Strategy Group | Getting to the bigger truth.™

© 2017 by The Enterprise Strategy Group, Inc.

Incident Response Trends (March 14, 2017)

Jon Oltsik, Senior Principal Analyst

Page 4: Deconstructing Enterprise Security Response


Incident Response Changes Experienced Over the Last Two Years

None of the above; 2%

Outsourced one or more aspects of incident response to a managed security service provider (MSSP); 24%

An increase in the number/volume of security alerts; 28%

An increase in the amount of threat intelligence used for incident response; 33%

An increase in the number of hours dedicated to incident response; 33%

Additional processes/collaboration required between security teams and IT operations teams; 33%

Worked with a professional services firm to help the organization improve its incident response policies, processes, or technologies; 33%

An increase in the volume and complexity related to vulnerability scanning and patch management; 33%

An increase in the number of people involved in incident response; 34%

Addition of new hires/employees dedicated to incident response who spend a substantial amount of their time on incident response; 36%

An increase in the amount of staff training needed for incident response; 36%

An increase in the number of threat detection tools used for incident response; 37%

An increase in the volume of data collected/analyzed for incident response; 40%

Incident response activities extend to newer IT initiatives like cloud computing, mobile computing, Internet of Things (IoT) applications, etc.; 40%

Adoption of an enterprise Security Operations Center (SOC), Computer Emergency Response Team (CERT), or similar development; 40%

Over the past two years, has your organization experienced any of the following changes with incident response? (Percent of respondents, N=184, multiple responses accepted)

Page 5: Deconstructing Enterprise Security Response


Incident Response Efficiency and Effectiveness is Limited by Manual Processes

Yes, significantly; 52%

Yes, somewhat; 41%

No; 7%

Don’t know; 1%

Do you believe that your organization’s incident response efficiency and effectiveness are limited by the time and effort required for manual processes? (Percent of respondents, N=184)

Page 6: Deconstructing Enterprise Security Response


Percent of Incident Response Time Spent on Manual Processes

Less than 10% of the total time spent on incident response is spent on manual processes like these; 5%

Between 10% and 25% of the total time spent on incident response is spent on manual processes like these; 33%

Between 26% and 50% of the total time spent on incident response is spent on manual processes like these; 34%

Between 51% and 75% of the total time spent on incident response is spent on manual processes like these; 18%

More than 75% of the total time spent on incident response is spent on manual processes like these; 9%

Don’t know; 1%

In your opinion, how much of your organization’s incident response time is occupied by manual processes today (i.e., finding forms, filling in paper work, physically viewing multiple security and IT analytics tools, finding a particular person, etc.)?

(Percent of respondents, N=184)

Page 7: Deconstructing Enterprise Security Response

Top IR Challenges

33% say, “coordinating incident response activities between cybersecurity and IT operations teams”

30% say, “monitoring IR processes from end-to-end to ensure that all incidents are adequately addressed and closed”

28% say, “maintaining the right skills for IR”

26% say, “issues around technology integration of various security controls and technologies”

Page 8: Deconstructing Enterprise Security Response


Streamlining Incident Response Operations is a High Priority

Streamlining incident response operations with the goal of making the IR staff more efficient and effective; 59%

Automating incident response remediation tasks; 39%

Don’t know; 2%

In your opinion, which is the higher priority for incident response automation/orchestration at your organization? (Percent of respondents, N=184)

Page 9: Deconstructing Enterprise Security Response


Use of Technologies to Automate and Orchestrate Incident Response

Yes, extensively (i.e., technical steps used for incident response process automation are being used extensively in a production environment today and there are ongoing plans to continue this effort); 45%

Yes, somewhat (i.e., technical steps used for incident response process automation are starting to be used in a production environment today and there are ongoing plans to continue this effort); 47%

No, but we plan to perform technical integration, and/or deploy new technologies intended to help automate and orchestrate incident response processes within the next 12 to 24 months; 5%

No, but we are interested in performing technical integration, and/or deploying new technologies intended to help automate and orchestrate incident response processes within the next 12 to 24 months; 1%

No, and we have no plans or interest in performing technical integration, and/or deploying new technologies intended to help automate and orchestrate incident response processes at this time; 1%

Don’t know; 1%

Has your organization done any technical integration and/or deployed any new technologies intended to help automate and orchestrate incident response processes? (Percent of respondents, N=184)

Page 10: Deconstructing Enterprise Security Response


Actions Taken (or Will be Taken) to Automate Incident Response Processes

Allow us to automate repetitive and time-consuming tasks; 36%

Decrease the number of hours required for incident response processes; 36%

Increase the number of security alerts we can follow up on; 36%

Automation/orchestration can help us prioritize incidents; 37%

Automation/orchestration can help us collect, process, and enrich security data in a more efficient manner; 37%

Automation/orchestration can help us improve the efficiency of IT operations tasks like updating antivirus signatures or installing software patches; 38%

Allow us to automate simple remediation actions; 38%

Improve collaboration between cybersecurity and IT operations groups; 45%

Improve our ability to detect and respond to incidents in a timely manner; 48%

You indicated that your organization has taken actions to automate and/or orchestrate incident response processes, or is planning to do so or interested in doing so in the future. Why has or will your organization do this? (Percent of respondents, N=182, multiple responses accepted)

Page 11: Deconstructing Enterprise Security Response


Change in Incident Response Spending Over the Next Two Years

Increase significantly; 46%

Increase somewhat; 42%

Remain about the same; 10%

Decrease somewhat; 1%

Decrease significantly; 1%

Over the next two years, how will your organization’s spending on incident response (including technologies, processes, services, etc.) change, if at all? (Percent of respondents, N=184)

Page 12: Deconstructing Enterprise Security Response


Incident Response Actions Organizations Will Take Over the Next Two Years

None of the above; 1%

Outsource aspects of incident response to third-party managed security service providers; 24%

Outsource all incident response processes and responsibilities to third-party managed security service providers; 24%

Develop a formal documented incident response process; 30%

Work with professional services organizations to develop formal incident response processes; 33%

Test our incident response processes more often; 34%

Provide incident response training for cybersecurity and IT operations staff; 34%

Create a new cybersecurity group that acts as a Computer Emergency Response Team (CERT) and is given responsibility/oversight for all incident response processes and operations; 39%

Hire more incident response personnel; 39%

Consolidate existing incident response personnel and technologies into a common location as a means for improving communication and collaboration on incident response processes and operations; 42%

Improve the alignment of incident response processes and IT governance processes; 47%

As part of its cybersecurity strategy, will your organization take any of the following actions with regards to incident response over the next two years? (Percent of respondents, N=184, multiple responses accepted)

Page 13: Deconstructing Enterprise Security Response


The Bigger Truth

• IR is a cybersecurity priority

• Not getting any easier

• Pressing need for IR automation and orchestration

• Generally starts with orchestration, then proceeds to automation

• Done in conjunction with process improvement

• Successful organizations start small and grow

Page 14: Deconstructing Enterprise Security Response

Thank You

Enterprise Strategy Group | Getting to the bigger truth.™

http://www.twitter.com/esg-global

http://www.facebook.com/ESGglobal

https://www.linkedin.com/groups?gid=1295607&trk=myg_ugrp_ovr

http://www.youtube.com/user/ESGglobal

FOLLOW ESG


Jon Oltsik, Principal [email protected]

Page 15: Deconstructing Enterprise Security Response


Organizations Have Invested In LOTS Of Security Products

But what happens when something goes wrong?

Page 16: Deconstructing Enterprise Security Response


Security Teams Are Overwhelmed

• Manual Tools

• Too Many Alerts & No Context

• Siloed from IT (Security and IT shown as separate silos)

Page 17: Deconstructing Enterprise Security Response


The Need: Enterprise Security Response

ENTERPRISE SECURITY RESPONSE, made up of:

• Security Incident Response

• Workflow Automation & Orchestration

• Deep IT Integration

• Vulnerability Response

• Threat Intelligence

Page 18: Deconstructing Enterprise Security Response


Resolve Real Security Threats Fast

• Bring Security & IT Together: single platform for collaboration and accountability

• Identify Real Security Problems: prioritization and automatic enrichment

• Leverage Workflow and Automation: resolve real security threats fast!

Page 19: Deconstructing Enterprise Security Response


Single system of record captures everything related to the incident:

• Tasks

• Attachments

• Post Incident Reviews

• Work Notes

• Etc.

NIST-based process

Share Information Between Security and IT

Page 20: Deconstructing Enterprise Security Response


Facilitate Collaboration with Workflows

Page 21: Deconstructing Enterprise Security Response


Understand Business Impact

ServiceWatch automatically maps applications and infrastructure components to business services.

Diagram: a security breach on a mission-critical service/application becomes a service outage.

• Patching or taking breached systems offline can cause business disruption

• Lack of a relational CMDB leads to misunderstanding broader breaches

• Lack of asset ownership information slows investigation

• SLAs are missed due to misunderstood impact and priority

Page 22: Deconstructing Enterprise Security Response


Identify Threats Faster with Intelligence Feeds

• Comprehensive catalog of IoCs

• Automatic IoC lookup

• Embeds IoCs with linked incidents and systems

• Supports multiple threat feeds

Page 23: Deconstructing Enterprise Security Response


Orchestrate Threat Intelligence Lookups: Automate the Data Enrichment Activities

• Security incident generated

• Analyst prioritizes, assigns & categorizes incident

• Analyst identifies & extracts IPs, hashes & IoCs

• Analyst runs reputational lookups via threat intel indicators

• Analyst gets running processes from target machine

• Analyst gets network connections from target machine

• Analyst runs hashes on all running processes

• Analyst runs threat intel lookups on all processes and network connections

• Analyst confirms threat

• Analyst begins remediation process

Red boxes in the original flowchart = data enrichment activities
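The flow above is the manual checklist an analyst walks through today; the slide's point is that the enrichment steps in the middle (extract indicators, reputation lookups, process hashes, network connections) can run without a person in the loop. The script below is an added example, not code from ServiceNow, ESG or the product: it takes a constructed incident record, extracts IPs, hashes and domains from its description (including defanged forms such as `203[.]0[.]113[.]45`), looks every indicator plus the host's process hashes and remote connections up in a local catalog, and attaches the hits and a suggested priority. `THREAT_CATALOG`, `SAMPLE_INCIDENT` and every indicator in them are fictitious placeholders standing in for the IoC catalog and the telemetry an endpoint agent would supply.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed threat-intel catalog: every indicator is a fictitious placeholder
# (documentation IP ranges, a made-up hash and domain), not a real IoC. It
# stands in for the "comprehensive catalog of IoCs" the slides describe.
FAKE_HASH = "0123456789abcdef" * 4  # constructed 64-hex-char SHA-256 lookalike
THREAT_CATALOG: Dict[str, dict] = {
    "203.0.113.45": {"type": "ip", "feed": "feed-a", "verdict": "malicious", "tag": "c2"},
    "198.51.100.7": {"type": "ip", "feed": "feed-b", "verdict": "suspicious", "tag": "scanner"},
    FAKE_HASH: {"type": "sha256", "feed": "feed-a", "verdict": "malicious", "tag": "dropper"},
    "bad-updates.example": {"type": "domain", "feed": "feed-c", "verdict": "malicious", "tag": "c2"},
}

IOC_PATTERNS = {
    "sha256": re.compile(r"\b[0-9a-f]{64}\b"),
    "md5": re.compile(r"\b[0-9a-f]{32}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b"),
}
# RFC 1918 and loopback ranges: internal addresses are noise for reputation lookups.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def refang(text: str) -> str:
    """Undo the defanging ("[.]", "hxxp") common in analyst notes and feeds."""
    return text.lower().replace("[.]", ".").replace("hxxp", "http")


def extract_iocs(text: str) -> Dict[str, List[str]]:
    """The analyst's manual 'identify & extract IPs, hashes & IoCs' step."""
    text = refang(text)
    found: Dict[str, List[str]] = {}
    for kind, pattern in IOC_PATTERNS.items():
        values: List[str] = []
        for match in pattern.findall(text):
            if kind == "ip":
                try:
                    addr = ipaddress.ip_address(match)
                except ValueError:  # e.g. 999.1.2.3 matched the regex
                    continue
                if any(addr in net for net in INTERNAL_NETS):
                    continue
            if match not in values:
                values.append(match)
        if values:
            found[kind] = values
    return found


def lookup(values: List[str], source: str, catalog: Dict[str, dict]) -> List[dict]:
    """Reputation lookup of each indicator; 'source' records which enrichment
    stage produced it, so the same indicator seen in two stages stays visible."""
    return [{"indicator": v, "source": source, **catalog[v]} for v in values if v in catalog]


def enrich_incident(incident: dict, catalog: Dict[str, dict] = THREAT_CATALOG) -> dict:
    """Run the slide's enrichment chain automatically: extract IoCs from the
    incident text, hash-check running processes, check network connections,
    attach every catalog hit and suggest a priority. The analyst is left with
    the 'confirm threat' and 'begin remediation' steps."""
    hits: List[dict] = []
    iocs = extract_iocs(incident["description"])
    for values in iocs.values():
        hits.extend(lookup(values, "description", catalog))
    # Host telemetry is assumed to be collected already (e.g. by an endpoint
    # agent); here it is part of the constructed incident record.
    hits.extend(lookup([p["sha256"] for p in incident["processes"]], "process", catalog))
    hits.extend(lookup([c["remote_ip"] for c in incident["connections"]], "connection", catalog))
    verdicts = {h["verdict"] for h in hits}
    if "malicious" in verdicts:
        priority = "high"
    elif "suspicious" in verdicts:
        priority = "medium"
    else:
        priority = "unchanged"
    return {**incident, "extracted_iocs": iocs, "intel_hits": hits, "suggested_priority": priority}


# Constructed incident as it might arrive from a SIEM; all values are fictitious.
SAMPLE_INCIDENT = {
    "id": "SIR-0001",
    "description": ("IDS alert: workstation 10.0.5.22 beaconed to 203[.]0[.]113[.]45 "
                    "after resolving hxxp://bad-updates[.]example; dropped file with "
                    "SHA-256 " + FAKE_HASH),
    "processes": [
        {"pid": 412, "name": "svchost.exe", "sha256": "f" * 64},
        {"pid": 5120, "name": "updater.exe", "sha256": FAKE_HASH},
    ],
    "connections": [
        {"pid": 5120, "remote_ip": "203.0.113.45", "remote_port": 443},
        {"pid": 5120, "remote_ip": "198.51.100.7", "remote_port": 8080},
    ],
}

if __name__ == "__main__":
    result = enrich_incident(SAMPLE_INCIDENT)
    for hit in result["intel_hits"]:
        print(hit["source"], hit["indicator"], hit["verdict"], hit["tag"])
    print("suggested priority:", result["suggested_priority"])
```

Two design points carry over to a real deployment: internal addresses are filtered before lookup so feed quotas are not spent on RFC 1918 noise, and each hit keeps its `source` so a reviewer can see whether an indicator came from the alert text, a process hash or a live connection, which is what lets the final "confirm threat" step stay short.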

Page 24: Deconstructing Enterprise Security Response


Integrate Existing Security Products

Diagram: Enterprise Security Response at the centre, connected to Protection, Enforcement, Vulnerability, SIEM, Threat Intelligence, User Submissions, CMDB, Orchestration, Post-Incident Review and IT Change Request.

Page 25: Deconstructing Enterprise Security Response


Use Metrics & Dashboards to Demonstrate Value

Dashboard panels: Severe Vulnerabilities by Business Service; All Vulnerabilities by Business Service

Page 26: Deconstructing Enterprise Security Response


• Don’t miss Knowledge17, May 7 – 11, Orlando

• Join us at:

• FS-ISAC Summit, April 30 – May 3, Lake Buena Vista

• Ignite 2017 Cybersecurity Conference, June 12 – 15, Vancouver

• Learn more at www.servicenow.com/sec-ops

Q & A

Page 27: Deconstructing Enterprise Security Response


WORK AT LIGHTSPEED™