Posted on 08-Sep-2020

TRANSCRIPT

Page 1: Six Weeks to Security Operations The AMP Story · 2020. 7. 16. · FUNCTION: Enterprise Cyber Security COMPANY: AMP EXPERIENCE: 18 Years experience in the technology industry, 15

© 2017 ServiceNow All Rights Reserved

Mike Byrne, Cyber Security, AMP

Six Weeks to Security Operations – The AMP Story

Page 2: Agenda

• Introductions

• The AMP Security Operations Story

• Lessons Learned

Page 3: Speaker Introduction

NAME: Mike Byrne

TITLE: Consultant

FUNCTION: Enterprise Cyber Security

COMPANY: AMP

EXPERIENCE: 18 years of experience in the technology industry, 15 years in Cyber Security and Risk Management.

EXPERTISE: Architecture, Governance, Operations, Management Consulting, and Program Management.

ACHIEVEMENTS: Delivered ServiceNow Security Operations in 6 weeks, including Security service catalogue.

CURRENT PROJECTS: Driving continuous improvement of Cyber at AMP.

Page 4: My Company

Company’s Primary Products/solutions:

• Banking

• Investment management

• Financial planning and advice

• Insurance and superannuation

Name: AMP

Industry: Financial Services

Market Focus: Financial services company in Australia and New Zealand with superannuation and investment products, insurance, financial advice and banking products

Company-wide Initiatives

• Grow internationally

• Create a customer-centred culture

• Regulatory Compliance & risk management

• Become more efficient by changing the way we work and use technology

Page 5: Objectives and What You Will Learn

Objectives

– Provide insight to the AMP ServiceNow Security Operations deployment

What you will learn

– Why we implemented ServiceNow Security Operations

– Understand the environment and challenges facing AMP

– Learn about how AMP deployed ServiceNow Security Operations in 6 weeks

– Key outcomes and lessons you may apply for your initiatives/projects

Page 6: Context – Setting the stage

Industry trends

• Attacks – more frequent, more sophisticated

• Information – growing rapidly, across multiple channels and physical boundaries

• Focus – shift to prevent and protect, not detect and remediate

Competitive pressures

• Brand and trust

Digital transformations

• Cloud first initiatives

• Legacy processes

• Push for analytics & standardisation

• Desire for more data-driven decisions

Program drivers and goals

• Single system of record

• Integrate to automate, then orchestrate

• Improve visibility, reduce risk exposure and increase efficiency

Page 7: Goals and Challenges

Lifecycle stages and the challenge at each stage:

• PREVENT (Pre-Breach) – Immature processes

• DETECT – Managing Security Incidents

• RESPOND (Post-Breach) – Inconsistent resolution with no visibility of impact

• IMPROVE – End-to-end Vulnerability Management

Service areas and their attributes:

• STRATEGY AND GOVERNANCE – Comprehensive in breadth (Target Operating Model); benefits driven from strategy through execution; information-driven approach

• TRANSFORMATION – Security transformation; informed by technology strategy; long-term engagement delivery; business-outcome focused

• CYBER DEFENSE – Technical assessments; Security Operations & Monitoring; incident response; security analytics

• DIGITAL RESPONSE SERVICES – Digital evidence preservation and cyber investigation services; post-breach analysis and mitigation

Page 8: Solution at a Glance

Actionable Intelligence – Solving the right problems at the right time

Security Operations Maturity (vertical axis: Enhanced Time to Detect and Respond)

1 – Basic Operations

2 – Visibility and Performance

3 – Context and Enrichment

4 – Automated Remediation

5 – Actionable Intelligence

Capabilities gained as maturity increases:

• Value-based prioritisation

• Visibility and reporting

• Enhanced data enrichment tied to incidents

• Context-driven detection

• Automated response actions for proactive measures and countermeasures

• Integrated change request and history

• Circles of trust for peer intel sharing

• Dynamic workflow to educate and enable teams

Outcomes across the maturity levels:

• Basic incident ticketing

• Incident response definition

• Prioritisation by impact

• KPIs, reporting and SLAs

• Noise reduction

• Automate data gathering tasks

• Threat intelligence integrated with incident response

• Time to detect per event reduced

• Compress the time to contain and remediate incidents

• Enable visibility for changes and task fulfillment across teams

• Easily handle common attacks to improve response closure

• Integration with core security systems

• Process and accountability defined

• Security Information Network for intel and attack method updates

• Automated querying of internal and supplier environments

• Educational expert systems and best practice sharing

Page 9: Solution – Strategy or Approach or Methodology

Detecting modern-day vulnerabilities and threats is vital; however, the struggle to implement efficient and effective collaboration between security and IT is the critical one.

Three pillars: Process & Workflow | Tooling Refinement and Automation | Service Level & Insight

Role of ServiceNow

• Reviewed and analysed existing processes against ServiceNow Security Operations suite functionality and identified gaps

• Designed and implemented the ServiceNow Security Operations vulnerability response, security incident response and threat intelligence applications

• Linked the ITSM incident process to security incident response, enabling a central repository for all incidents, with automation to create a security incident from ITSM based on category, eliminating dual entry

• Security incidents and vulnerabilities pose risk and usually require IT change

• Enabled a threat intelligence capability to obtain immediate information around indicators of compromise

ServiceNow played an important role in bridging the gaps between IT & Security, with its exceptional workflow management and its ability to define standard requests and assign service levels to workflow. Integrations with leading security tools ensure timely detection, enrichment of data and better prioritisation.

Reduce silo behaviours by taking a comprehensive approach that targets the identified gaps with proven methods and a good-practice, tailored solution – identify and take key business units on the journey with you.

Key elements of the approach:

• Defining a mutually agreed Operating Model between Security & IT that covers responsibilities, processes and agreed service levels

• Work towards an integrated and aligned landscape of tooling and automation, reducing overlap

• Establish a single workflow automation tool across Security & IT for all processes

• Effective Change Management to align the business and Cyber Security
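The ITSM-to-security-incident hand-off described above (open a security incident from an ITSM incident by category, without entering the same record twice) is the kind of rule that is easy to get subtly wrong. The following stand-alone JavaScript is an added example, not code from the deck, from AMP or from ServiceNow: the record shapes, the category values, the priority-to-severity mapping and the "SIR" number format are assumptions, and the incidents below are constructed. It also folds in the later lesson about not trusting CI data: a weak CI record does not block the hand-off, it becomes an enrichment task on the new record.

```javascript
// Added example: stand-alone model of the ITSM -> Security Incident hand-off.
// NOT ServiceNow code. Record shapes, category values, severity mapping and the
// "SIR" number format are assumptions; all sample records are constructed.

// ITSM categories that should open a security incident (assumed values).
const SECURITY_CATEGORIES = new Set(["Security", "Phishing", "Malware"]);

// Map ITSM priority (1 = highest) to a security incident severity (assumed mapping).
function severityFromPriority(priority) {
  if (priority === 1) return "Critical";
  if (priority === 2) return "High";
  if (priority === 3) return "Moderate";
  return "Low";
}

// Data-quality check on the linked CI (do not assume CI information is good).
// Returns the list of problems found; an empty list means the CI looks usable.
function ciQualityIssues(ci) {
  const issues = [];
  if (!ci || !ci.name) {
    issues.push("no CI linked");
    return issues;
  }
  if (!ci.owner) issues.push("CI has no owner");
  if (!ci.environment) issues.push("CI environment unknown");
  return issues;
}

// Route ITSM incidents to security incident records:
// - only security categories are routed;
// - an ITSM incident already linked to a security incident is skipped, so the
//   same event is never entered twice (the "dual entry" the slide eliminates);
// - CI quality problems are attached as enrichment tasks, not used to block.
function routeToSecurity(itsmIncidents, existingSecurityIncidents) {
  const byParent = new Map(existingSecurityIncidents.map((si) => [si.parent, si]));
  let nextNumber = existingSecurityIncidents.length + 1;
  const created = [];
  const skipped = [];
  for (const inc of itsmIncidents) {
    if (!SECURITY_CATEGORIES.has(inc.category)) {
      skipped.push({ number: inc.number, reason: "non-security category" });
      continue;
    }
    if (byParent.has(inc.number)) {
      skipped.push({ number: inc.number, reason: "already linked to " + byParent.get(inc.number).number });
      continue;
    }
    const si = {
      number: "SIR" + String(nextNumber++).padStart(7, "0"),
      parent: inc.number,
      short_description: inc.short_description,
      severity: severityFromPriority(inc.priority),
      ci: inc.cmdb_ci ? inc.cmdb_ci.name : null,
      enrichment_tasks: ciQualityIssues(inc.cmdb_ci),
      state: "Analysis",
    };
    byParent.set(inc.number, si); // later duplicates in the same batch are skipped too
    created.push(si);
  }
  return { created, skipped };
}

// Constructed sample data: four ITSM incidents, one of which already has a SIR.
const SAMPLE_ITSM = [
  { number: "INC0010001", category: "Security", priority: 1, short_description: "Suspicious admin logon",
    cmdb_ci: { name: "web-prod-01", owner: "Web Platform", environment: "production" } },
  { number: "INC0010002", category: "Hardware", priority: 3, short_description: "Laptop screen broken",
    cmdb_ci: { name: "LAPTOP-4411", owner: "End User Computing", environment: "user" } },
  { number: "INC0010003", category: "Phishing", priority: 2, short_description: "Reported phishing email",
    cmdb_ci: null },
  { number: "INC0010004", category: "Security", priority: 2, short_description: "Malware alert on file server",
    cmdb_ci: { name: "fs-prod-02", owner: "", environment: "production" } },
];
const EXISTING_SIR = [{ number: "SIR0000001", parent: "INC0010004" }];

function runDemo() {
  return routeToSecurity(SAMPLE_ITSM, EXISTING_SIR);
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Running it creates two security incidents (the admin logon and the phishing report, the latter carrying a "no CI linked" enrichment task) and skips two ITSM incidents (the hardware ticket, and the malware alert that is already linked to SIR0000001). The de-duplication index is rebuilt from the existing records on every run, so re-running the batch is idempotent.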

Page 10: Solution – Timeline

2017: Week 1 | Week 2 | Week 3 | Week 4 | Week 5 | Week 6 | Hyper Care

Milestones: Kickoff and Release, followed by Hyper Care

Workstreams across the six weeks:

• System Design

• Coding

• Code Improvement

• Integration

• Testing

• Exec Review

Page 11: Value Outcomes

• 360% – A decrease of Vulnerability Response Time

• Months to Minutes Response

• 6X FASTER – Security Incident Response Time

Page 12: Lessons Learned

1. Clearly define metrics and outcomes from the start

2. Don’t assume CI information is of good quality

3. Better integration and features with Qualys

4. Break the business in slowly with only critical and high vulnerabilities first.

Page 13: Our Next Steps

• Evolve our Threat Intelligence – Disrupting the cyber criminal ecosystem

• Continued Orchestration – Risk reduction and threat prevention by context and priority

• Published Cyber Services – More Cyber Services on the service catalogue

Page 14: Top Takeaways

1. Contextualisation – Solving the right problems at the right time

2. Visibility – Informed Action

3. Automation – Faster everything...

Page 15: Thank You

Mike Byrne, Enterprise Cyber Security Consultant, AMP