servicenow webinar 12/1: simplify security operations - detect, prioritize and respond
TRANSCRIPT
© 2016 ServiceNow All Rights Reserved
Simplify Security Operations - Detect, Prioritize and Respond
Bryce Schroeder - Sr. Director Security and Risk Practice
1st December 2016
Simplify Security Operations - Agenda
• Introduction
• NIST Guidance
• Why So Complicated?
• Steps to Simplify
• Conclusion
Bryce Schroeder serves as Sr. Director of ServiceNow's new Security and Risk Practice. This business unit is focused on solving Enterprise Security Response. Before ServiceNow, Bryce was VP of Security Engineering for Tripwire Inc. Bryce joined Tripwire from NetApp, where he led a team of Architects and Systems Engineers in enterprise Cloud infrastructure solutions. Prior to NetApp, Bryce served in senior leadership roles at Symantec, where he drove global solutions, as well as Sun Microsystems, where he pioneered the development and successful deployment of secure remote automated software integration, distribution and test across the Internet.
Bryce earned his Master’s in Engineering and Technology Management from Portland State University and three Bachelor’s from Oregon State University in Electrical Engineering, Computer Engineering and Computer Science.
The Enterprise Cloud Company
Cloud-based Service that Modernizes and Transforms the Enterprise
Highly Secure and Available Enterprise Cloud
SaaS Business Model
~3,200 Enterprise Customers
~4,200 Global Employees
Major Sites: San Diego, Silicon Valley, Seattle, Amsterdam, London, Sydney, Israel, India
Enterprise Cloud, NYSE: NOW, Strong Revenue & Growth
[Chart: revenue by fiscal year, FY09 through FY16E: $28M, $64M, $128M, $244M, $425M, $683M, $1BN, $1.370-$1.380BN (FY16 estimate)]
NIST Framework for Improving Critical Infrastructure Cybersecurity
Mean Time to Identify [MTTI]: days on average to spot a breach
Mean Time to Contain [MTTC]: days to contain
The lack of speed and agility when responding to a suspected data breach is the most significant issue facing security teams today.
Source: Forrester’s “Rules of Engagement: A Call to Action to Automate Breach Response” report.
WE HAVE LOTS OF SECURITY SOLUTIONS
Source: Momentum Partners
WHY ARE SECURITY SOLUTIONS COMPLEX? Disconnected Silos
SIEM, Malware, Threat, Network Protection, Endpoint Solutions, IAMs
THE WRONG TOOLS ARE BEING USED FOR RESPONSE
Emails, Spreadsheets, Phone Calls, Meetings, and Text Messages are difficult to measure and don't provide an easy way to understand how your processes are performing, where the bottlenecks are, and how to improve them.
SECURITY RESPONDERS ARE OVERWHELMED
Security Alert sources:
• SIEM
• APT
• EPS
Questions the Security Analyst must answer:
• What info do I need?
• What systems have the info that I need?
• What lookups do I need to run to derive 2nd level enrichment?
• Have I seen this type of threat before?
• Is it a threat attempting to go undetected?
Security Runbook knowledge:
• Multiple disparate solutions
• Manual scripting and operational tasks
• No historical threat intel tied to incidents or CIs
• No context across asset, service type or user group
Result: Slower Security Response
NET IMPACT ON THE BUSINESS
• Average total cost of a data breach: $4 MM
• Average cost per stolen record: $158
• Increase in cost since 2013: 29%
[Chart: Impact of 16 factors on per capita cost of a data breach]
Source: Ponemon Institute, 2016 Cost of Data Breach Study: Global Analysis
COMPLICATIONS FOR SECURITY OPERATIONS
• Time & Change: Threat Landscape; Time to Identify; Time to Contain
• Toolsets: Siloed; Different context; Too many alerts
• Communication: Wrong method for accountable real-time incident response
• Skill & Talent Gap: Not enough skilled analysts to manage increasing incidents
• Alert Overload: Too many alerts
FIVE BEST PRACTICES FOR SIMPLIFYING SECURITY OPERATIONS
• Single System for IT & Security: Collaborate & Communicate
• Service Mapping: Criticality & Prioritization
• Automate: Security Runbook; Cross reference; Prefetch
• Knowledge & Capability: Track Progress, Find Gaps & Optimize
• Visualize: Your Security Posture
SIMPLIFY: Single System for IT & Security
Single system that captures all collateral related to the incident:
• Tasks
• Attachments
• Post Incident Reviews
• Work Notes
• etc.
NIST-based process
Role based so sensitive data is only shared with the proper roles.
SIMPLIFY: Single System for IT & Security
Notify enables conference calls to be quickly initiated with the necessary stakeholders.
Connect enables chat groups to be quickly assembled so critical resources can easily collaborate and audit response actions.
SIMPLIFY: Service Mapping
[Diagram: Security Breach on Vulnerable Asset; Security Breach matching Known IOC on Vulnerable Asset; Mission Critical Service / Application; Service Outage]
Provide Situational Awareness/Prioritization:
• Have we or our peers seen this attack before? (Threat)
• What do these assets mean to the business?
• What business risks are tied to these assets?
• How vulnerable are these assets?
• Is anything else going on with these assets?
• What are our plans?
Open Up Communication:
• Security Catalog
• Virtual War Room through Connect
SIMPLIFY: Automate
Security Incident Types can have Service Levels associated with them.
When a Security Incident comes in with "matching" conditions, the SLA process starts.
• Workflow facilitates collaboration and a consistent process that all stakeholders can follow and use to track response progress.
SIMPLIFY: Visualize
Service Outage Map
Open Security Incidents by type
CISO Trend dashboard
Business Service to Security Incident Criticality
SIMPLIFY: Knowledge & Capability
The Post Incident Review is automatically generated from…
• Assessments
• Related Tasks
• Work Notes
• Incident flow steps
• etc.
The Post Incident Review can be useful for the audit documentation.
SIMPLIFY: Knowledge & Capability
Security Knowledgebase
Secure articles:
• Event systems documentation
• SOPs documentation
• Key contacts lists
• Post Incident Review documentation
Enterprise Security Response
SERVICENOW: ENTERPRISE SECURITY RESPONSE
• Security Incident Response
• Vulnerability Response
• Threat Intelligence
• Workflow & Automation
• Deep IT Integration
THANK YOU