Six Weeks to Security Operations – The AMP Story
TRANSCRIPT (slide deck; posted 2020-07-16; function: Enterprise Cyber Security)
© 2017 ServiceNow All Rights Reserved
Mike Byrne, Cyber Security, AMP
Agenda
• Introductions
• The AMP Security Operations Story
• Lessons Learned
Speaker Introduction
NAME: Mike Byrne
TITLE: Consultant
FUNCTION: Enterprise Cyber Security
COMPANY: AMP
EXPERIENCE: 18 years' experience in the technology industry, 15 years in Cyber Security and Risk Management.
EXPERTISE: Architecture, Governance, Operations, Management Consulting, and Program Management.
ACHIEVEMENTS: Delivered ServiceNow Security Operations in 6 weeks, including Security service catalogue.
CURRENT PROJECTS: Driving continuous improvement of Cyber at AMP.
My Company
Company’s primary products/solutions:
• Banking
• Investment management
• Financial planning and advice
• Insurance and superannuation
Name: AMP
Industry: Financial Services
Market Focus: Financial services company in Australia and New Zealand with superannuation and investment products, insurance, financial advice and banking products
Company-wide Initiatives
• Grow internationally
• Create a customer-centred culture
• Regulatory Compliance & risk management
• Become more efficient by changing the way we work and use technology
Objectives and What You Will Learn
Objectives
– Provide insight to the AMP ServiceNow Security Operations deployment
What you will learn
– Why we implemented ServiceNow Security Operations
– Understand the environment and challenges facing AMP
– Learn about how AMP deployed ServiceNow Security Operations in 6 weeks
– Key outcomes and lessons you may apply for your initiatives/projects
Context – Setting the stage
Industry trends
• Attacks – more frequent, more sophisticated
• Information – growing rapidly, across multiple channels and physical boundaries
• Focus – shift to prevent and protect, not detect and remediate
Competitive pressures
• Brand and trust
Digital transformations
• Cloud-first initiatives
• Legacy processes
• Push for analytics & standardisation
• Desire for more data-driven decisions
Program drivers and goals
• Single system of record
• Integrate to automate, then orchestrate
• Improve visibility, reduce risk exposure and increase efficiency
Goals and Challenges
Pre-Breach
• PREVENT – Immature processes
• IMPROVE – End-to-end Vulnerability Management
Post-Breach
• DETECT – Managing Security Incidents
• RESPOND – Inconsistent resolution with no visibility of impact
Service areas and their attributes
STRATEGY AND GOVERNANCE
• Comprehensive in breadth (Target Operating Model)
• Benefits driven from strategy through execution
• Information-driven approach
TRANSFORMATION
• Security transformation
• Informed by technology strategy
• Long-term engagement delivery
• Business-outcome focused
CYBER DEFENSE
• Technical assessments
• Security Operations & Monitoring
• Incident response
• Security analytics
DIGITAL RESPONSE SERVICES
• Digital evidence preservation and cyber investigation services
• Post-breach analysis and mitigation
Solution at a Glance
Actionable Intelligence – Solving the right problems at the right time
Security Operations Maturity levels (towards enhanced time to detect and respond):
1 – Basic Operations
2 – Visibility and Performance
3 – Context and Enrichment
4 – Automated Remediation
5 – Actionable Intelligence
Capabilities across the maturity levels:
• Basic incident ticketing
• Incident response definition
• Process and accountability defined
• Integration with core security systems
• Value-based prioritisation
• Prioritisation by impact
• Visibility and reporting
• KPIs, reporting and SLAs
• Noise reduction
• Enhanced data enrichment tied to incidents
• Context-driven detection
• Automate data-gathering tasks
• Threat intelligence integrated with incident response
• Time to detect per event reduced
• Automated response actions for proactive measures and countermeasures
• Integrated change request and history
• Compress the time to contain and remediate incidents
• Enable visibility for changes and task fulfillment across teams
• Easily handle common attacks to improve response closure
• Circles of trust for peer intel sharing
• Security information network for intel and attack-method updates
• Automated querying of internal and supplier environments
• Dynamic workflow to educate and enable teams
• Educational expert systems and best-practice sharing
Solution – Strategy, Approach and Methodology
Detecting modern-day vulnerabilities and threats is vital; however, the struggle to establish efficient and effective collaboration between security and IT is just as critical.
Process & Workflow
• Reviewed and analysed existing processes against the ServiceNow Security Operations suite functionality and identified gaps
• Designed and implemented the ServiceNow Security Operations vulnerability response, security incident response and threat intelligence applications
• Linked the ITSM incident process to security incident response, enabling a central repository for all incidents, with automation to create a Security Incident from an ITSM incident based on its Category, eliminating dual entry
Tooling Refinement and Automation
• Security incidents and vulnerabilities pose risk and usually require an IT Change
• Enabled a threat intelligence capability to obtain immediate information around indicators of compromise
Service Level & Insight – Role of ServiceNow
• ServiceNow played an important role in bridging the gaps between IT & Security, with its workflow management, the ability to define standard requests, and the ability to assign service levels to workflows
• Integrations with leading security tools ensure timely detection, enrichment of data and better prioritisation
Reduce silo behaviours by taking a comprehensive approach that targets the identified gaps with proven methods and a good-practice, tailored solution – identify and take key business units on the journey with you.
Key elements of the approach:
• Define a mutually agreed Operating Model between Security & IT that covers responsibilities, processes and agreed service levels
• Work towards an integrated and aligned landscape of tooling and automation, reducing overlap
• Establish a single workflow automation tool across Security & IT for all processes
• Effective change management to align the business and Cyber Security
Solution – Timeline
2017, Week 1 to Week 6, followed by Hyper Care:
• Kickoff
• System Design
• Coding
• Code Improvement
• Integration
• Testing
• Exec Review
• Release
Value Outcomes
• Vulnerability Response Time: a decrease of 360% – months to minutes response
• Security Incident Response Time: 6X FASTER
Lessons Learned
1. Clearly define metrics and outcomes from the start
2. Don’t assume CI information is of good quality
3. Better integration and features with Qualys
4. Break the business in slowly with only critical and high vulnerabilities first.
Our Next Steps
• Evolve our Threat Intelligence – disrupting the cyber criminal ecosystem
• Continued Orchestration – risk reduction and threat prevention by context and priority
• Published Cyber Services – more cyber services on the service catalogue
Top Takeaways
1. Contextualisation – solving the right problems at the right time
2. Visibility – informed action
3. Automation – faster everything...
Thank You
Mike Byrne, Enterprise Cyber Security Consultant, AMP