servicenow webinar 12/1: simplify security operations - detect, prioritize and respond


Upload: larel-rogers

Post on 15-Jan-2017


Category: Software


TRANSCRIPT

© 2016 ServiceNow All Rights Reserved

Simplify Security Operations - Detect, Prioritize and Respond

Bryce Schroeder - Sr. Director Security and Risk Practice

1st December 2016


Simplify Security Operations - Agenda

• Introduction

• NIST Guidance

• Why So Complicated?

• Steps to Simplify

• Conclusion


Bryce Schroeder serves as Sr. Director of ServiceNow’s new Security and Risk Practice. This business unit is focused on solving Enterprise Security Response. Before ServiceNow, Bryce was VP of Security Engineering for Tripwire Inc. Bryce joined Tripwire from NetApp, where he led a team of Architects and Systems Engineers in enterprise Cloud infrastructure solutions. Prior to NetApp, Bryce served in senior leadership roles at Symantec, where he drove global solutions, and at Sun Microsystems, where he pioneered the development and successful deployment of secure remote automated software integration, distribution and test across the Internet.

Bryce earned his Master’s in Engineering and Technology Management from Portland State University and three Bachelor’s degrees from Oregon State University in Electrical Engineering, Computer Engineering and Computer Science.


The Enterprise Cloud Company

Cloud-based Service that Modernizes and Transforms the Enterprise

Highly Secure and Available Enterprise Cloud

SaaS Business Model

~3,200 Enterprise Customers

~4,200 Global Employees

Major Sites: San Diego, Silicon Valley, Seattle, Amsterdam, London, Sydney, Israel, India

Enterprise Cloud, NYSE: NOW, Strong Revenue & Growth. Revenue chart by fiscal year: FY09 $28M, FY10 $64M, FY11 $128M, FY12 $244M, FY13 $425M, FY14 $683M, FY15 $1BN, FY16E $1.370-$1.380BN


NIST Framework for Improving Critical Infrastructure Cybersecurity



Security Operations Complications


THREAT LANDSCAPE


Mean Time to Identify [MTTI]: days on average to spot a breach

Mean Time to Contain [MTTC]: days to contain

INFILTRATION, EXPLOITATION, EXFILTRATION, COVERING TRACKS


The lack of speed and agility when responding to a suspected data breach is the most significant issue facing security teams today.

Source: Forrester’s “Rules of Engagement: A Call to Action to Automate Breach Response” report.


WE HAVE LOTS OF SECURITY SOLUTIONS

Source: Momentum Partners


WHY ARE SECURITY SOLUTIONS COMPLEX? Disconnected Silos

• SIEM

• Malware

• Threat

• Network Protection

• Endpoint Solutions

• IAMs


THE WRONG TOOLS ARE BEING USED FOR RESPONSE

Emails, Spreadsheets, Phone Calls, Meetings, and Text Messages are difficult to measure and don’t provide an easy way to understand how your processes are performing, where the bottlenecks are, and how to improve them.


SECURITY RESPONDERS ARE OVERWHELMED

Sources of the Security Alert:

• SIEM

• APT

• EPS

Questions the Security Analyst must answer for each alert:

• What info do I need?

• What systems have the info that I need?

• What lookups do I need to run to derive 2nd level enrichment?

• Have I seen this type of threat before?

• Is it a threat attempting to go undetected?

Security Runbook knowledge is needed, but the analyst faces:

• Multiple disparate solutions

• Manual scripting and operational tasks

• No historical threat intel tied to incidents or CIs

• No context across asset, service type or user group

Result: Slower Security Response


CYBERSECURITY SKILL & TALENT GAP


NET IMPACT ON THE BUSINESS

Average total cost of a data breach: $4 MM

Average cost per stolen record: $158

Increase in cost since 2013: 29%

Impact of 16 factors on per capita cost of a data breach

Ponemon Institute, 2016 Cost of Data Breach Study: Global Analysis


COMPLICATIONS FOR SECURITY OPERATIONS

• Time & Change: Threat Landscape, Time to Identify, Time to Contain

• Toolsets: Siloed, Different context, Too many alerts

• Communication: Wrong method for accountable real-time incident response

• Skill & Talent Gap: Not enough skilled analysts to manage increasing incidents

• Alert Overload: Too many alerts

Simplify Security Operations


FIVE BEST PRACTICES FOR SIMPLIFYING SECURITY OPERATIONS

• Single System for IT & Security: Collaborate & Communicate

• Service Mapping: Criticality & Prioritization

• Automate: Security Runbook, Cross reference, Prefetch

• Knowledge & Capability: Track Progress, Find Gaps & Optimize

• Visualize Your Security Posture


SIMPLIFY: Single System for IT & Security

Single system that captures all collateral related to the incident:

• Tasks

• Attachments

• Post Incident Reviews

• Work Notes

• etc.

NIST-based process

Role based so sensitive data is only shared with the proper roles.


SIMPLIFY: Single System for IT & Security

Notify enables conference calls to be quickly initiated with the necessary stakeholders.

Connect enables chat groups to be quickly assembled so critical resources can easily collaborate and audit response actions.


SIMPLIFY: Service Mapping

Diagram labels: Security Breach on Vulnerable Asset; Mission Critical Service / Application; Security Breach Matching Known IOC on Vulnerable Asset; Service Outage

Provide Situational Awareness/Prioritization:

• Have we or our peers seen this attack before? (Threat)

• What do these assets mean to the business?

• What business risks are tied to these assets?

• How vulnerable are these assets?

• Is anything else going on with these assets?

• What are our plans?

Open Up Communication:

• Security Catalog

• Virtual War Room through Connect


SIMPLIFY: Automate


Security Incident Types can have Service Levels associated with them.

When a Security Incident comes in with “matching” conditions, the SLA process starts.

• Workflow facilitates collaboration and a consistent process that all stakeholders can follow and use to track response progress.
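As an added example (not ServiceNow's code), the two ideas above in Python: prioritise an incident from its service mapping, vulnerability state and threat-intel match, then start the SLA clock only when the incident type has a service level defined for the derived priority (the "matching condition"). The service map, vulnerable-asset list, IOC set and SLA policy are constructed placeholders, not real data.

```python
from datetime import datetime, timedelta

# Constructed CMDB-style service map: asset -> (business service, criticality)
SERVICE_MAP = {
    "web-prod-01": ("Online Storefront", "mission-critical"),
    "db-prod-02": ("Online Storefront", "mission-critical"),
    "build-03": ("CI Pipeline", "internal"),
}
VULNERABLE_ASSETS = {"web-prod-01", "build-03"}       # constructed scan result
KNOWN_IOCS = {"203.0.113.7", "evil.example.invalid"}  # constructed intel hits
# Hypothetical SLA policy: incident type -> {priority: hours to contain}
SLA_POLICY = {"malware": {1: 4, 2: 24}, "phishing": {1: 8, 2: 48, 3: 120}}


def prioritize(incident):
    """Derive priority (1 = highest) from service criticality, vulnerability
    state and threat-intel match; the reasons answer the analyst's questions."""
    asset = incident["asset"]
    service, criticality = SERVICE_MAP.get(asset, ("unmapped", "unknown"))
    priority, reasons = 3, [f"business service: {service} ({criticality})"]
    if criticality == "mission-critical":
        priority -= 1
        reasons.append("affects a mission-critical service")
    if asset in VULNERABLE_ASSETS:
        priority -= 1
        reasons.append("asset has an open vulnerability")
    if set(incident.get("indicators", ())) & KNOWN_IOCS:
        priority -= 1
        reasons.append("matches a known IOC (seen before)")
    return max(priority, 1), reasons


def start_sla(incident, opened_at):
    """Start the SLA clock only when the incident type has a service level
    for the derived priority (the "matching condition"); times are ISO 8601."""
    priority, reasons = prioritize(incident)
    hours = SLA_POLICY.get(incident["type"], {}).get(priority)
    contain_by = None
    if hours is not None:
        contain_by = (datetime.fromisoformat(opened_at)
                      + timedelta(hours=hours)).isoformat()
    return {"priority": priority, "reasons": reasons, "contain_by": contain_by}


def sla_breached(record, now):
    """True once a running SLA clock has passed its containment deadline."""
    return (record["contain_by"] is not None
            and datetime.fromisoformat(now) > datetime.fromisoformat(record["contain_by"]))
```

An incident with no matching service level gets a priority but no deadline, which is the case to watch for in the "Find Gaps" review.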


SIMPLIFY: Visualize


Service Outage Map

Open Security Incidents by type

CISO Trend dashboard

Business Service to Security Incident Criticality


SIMPLIFY: Knowledge & Capability

The Post Incident Review is automatically generated from:

• Assessments

• Related Tasks

• Work Notes

• Incident flow steps

• etc.

The Post Incident Review can be useful as audit documentation.


SIMPLIFY: Knowledge & Capability

Security Knowledgebase: Secure articles

• Event systems documentation

• SOPs documentation

• Key contacts lists

• Post Incident Review documentation


FIVE BEST PRACTICES FOR SIMPLIFYING SECURITY OPERATIONS (recap)


Enterprise Security Response

SERVICENOW: ENTERPRISE SECURITY RESPONSE

• Security Incident Response

• Vulnerability Response

• Threat Intelligence

• Workflow & Automation

• Deep IT Integration

Bryce Schroeder - Sr. Director Security and Risk Practice

[email protected]

THANK YOU
