Streamlining Security Operations Turbo-charging Security Operations to Keep Pace with Threats… John Jolly, President and CEO IIA / ISACA Chicago - October 25, 2017

© Copyright Syncurity Proprietary and Confidential

Streamlining Security Operations

Turbo-charging Security Operations to Keep Pace with Threats…

John Jolly, President and CEO IIA / ISACA Chicago - October 25, 2017


Streamlining Security Operations

While Enabling Audit

John Jolly, President and CEO IIA / ISACA Chicago - October 25, 2017


Agenda

- About Me
- Really Short Survey
- Context on Security Operations
- Really Cool Demo
- Free Stuff / Questions


About Me

- 30+ Years as a Security Practitioner
- Led Commercial / Federal Cybersecurity business at General Dynamics
- Practical Experience in SecOps & Breach Response


Really Short Survey

How many of you work in an enterprise that has a SOC or a dedicated Security Operations Team?

“My name is John Jolly, and I am here to recruit you.”


First Some Context…

The Universe of Cyber:

- Systems that generate alerts
- Systems that dispose of alerts


The Security Operations Problem

Point solutions in a typical enterprise: Firewall, IDS/IPS, Antivirus, Netflow, Email/Web Filtering, Vulnerability Scanning, IAM, SIEM, EDR, UEBA

Too many point solutions:

“Studies have shown that some companies have up to 70 different security vendors installed” - CISCO


The Security Operations Problem (continued)

The same point solutions (Firewall, IDS/IPS, Antivirus, Netflow, Email/Web Filtering, Vulnerability Scanning, IAM, SIEM, EDR, UEBA) each produce their own alert stream.

93% of organizations are overwhelmed by alerts and unable to triage all relevant threats*

*McAfee Labs Threats Report Dec 2016


SecOps - A Simple Model

- Find the bad stuff (true positives) in the alert haystack (Triage or Alert Handling)
- Contain, Remediate, Report… (Incident Handling)
- Do it in a way that is repeatable, scalable, and auditable
- Most of the leverage around risk and efficiency is in Triage


Why separate Triage & Incident Processes

- Triage - High volume - speed / efficiency - internal focus
- Incidents - Low volume - accuracy / efficiency - external focus
- Greater potential for automation in triage
- Alignment of technical skills
- Audit & reporting requirements differ
- Triage - assessing risk; Incident - managing risk


The Importance of Risk

- Align security operations to business risk
- Most Security teams today don’t do this well

Assessing Risk (Triage)
- Likelihood - patch level, attributes of threat
- Severity - asset owner, business process, threat actor

Managing Risk (Incident)
- Avoid, Mitigate, Accept
- Process, Notifications, Regulatory


Universal SecOps Metrics

- Dwell Time - How long does it take from the time the alert is generated until you escalate it to an incident
- Time to Contain - How long does it take to contain the threat
- Time to Remediate - How long does it take to remediate the asset, the process & resume normal business operations

(Weighted in all cases by enterprise risk…)
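The three metrics above are elapsed times between lifecycle timestamps, and the slide asks for them to be weighted by enterprise risk. The following is an added example, not code from the deck or from Syncurity: it computes Dwell Time, Time to Contain and Time to Remediate over a handful of constructed alert records, reports a risk-weighted average next to the plain average, and counts items that are still open as backlog rather than as zero. The record fields, the 0-100 risk scale and the timestamps are assumptions made for the example.

```python
"""SecOps metrics from alert/incident timestamps, weighted by enterprise risk.

Added example for the three metrics named on the slide (Dwell Time, Time to
Contain, Time to Remediate); it is not part of the original deck.  Records,
timestamps, field names and the 0-100 risk scale are constructed assumptions.
"""
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample records.  'risk' is an assumed 0-100 enterprise risk score;
# a None timestamp means that step has not happened yet (the item is still open).
RECORDS: List[Dict] = [
    {"id": "A-1", "risk": 90, "alerted": "2017-10-01T08:00:00",
     "escalated": "2017-10-01T09:30:00", "contained": "2017-10-01T12:00:00",
     "remediated": "2017-10-02T08:00:00"},
    {"id": "A-2", "risk": 20, "alerted": "2017-10-01T08:05:00",
     "escalated": "2017-10-03T08:05:00", "contained": "2017-10-03T10:05:00",
     "remediated": "2017-10-03T18:05:00"},
    {"id": "A-3", "risk": 60, "alerted": "2017-10-02T00:00:00",
     "escalated": "2017-10-02T06:00:00", "contained": None, "remediated": None},
]

# Each metric is the elapsed time between two lifecycle timestamps.
METRICS = {
    "dwell_time":        ("alerted",   "escalated"),   # alert generated -> escalated to incident
    "time_to_contain":   ("escalated", "contained"),   # incident opened -> threat contained
    "time_to_remediate": ("contained", "remediated"),  # contained -> asset/process restored
}


def elapsed_hours(rec: Dict, start_key: str, end_key: str) -> Optional[float]:
    """Hours between two lifecycle steps, or None if the later step is still open."""
    start, end = rec.get(start_key), rec.get(end_key)
    if start is None or end is None:
        return None
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600.0


def average_hours(records: List[Dict], start_key: str, end_key: str,
                  weighted: bool = True) -> Tuple[Optional[float], int]:
    """Average elapsed hours over closed records; returns (average, open_count).

    With weighted=True each record contributes in proportion to its risk score,
    so a low-risk alert that sat for days moves the number far less than a
    high-risk one would (the slide's "weighted in all cases by enterprise risk").
    """
    numerator = denominator = 0.0
    open_count = 0
    for rec in records:
        hours = elapsed_hours(rec, start_key, end_key)
        if hours is None:
            open_count += 1          # still in progress: report as backlog, not as zero
            continue
        weight = float(rec["risk"]) if weighted else 1.0
        numerator += hours * weight
        denominator += weight
    average = numerator / denominator if denominator else None
    return average, open_count


def secops_metrics(records: List[Dict] = RECORDS, weighted: bool = True) -> Dict[str, Dict]:
    """Compute every metric in METRICS; each entry carries the average and the open backlog."""
    report = {}
    for name, (start_key, end_key) in METRICS.items():
        avg, open_count = average_hours(records, start_key, end_key, weighted)
        report[name] = {"avg_hours": None if avg is None else round(avg, 2),
                        "open": open_count}
    return report


if __name__ == "__main__":
    for label, w in (("risk-weighted", True), ("unweighted", False)):
        print(label, secops_metrics(weighted=w))
```

On the constructed data the unweighted dwell time is 18.5 hours while the risk-weighted figure is about 8.6 hours, because the alert that sat for two days carried a risk score of 20; which of the two numbers you put in front of an audit committee is exactly the choice the slide's parenthetical is pointing at.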


Important Considerations

- Human Insight Matters … a lot!
- Every Enterprise is Unique: “Bring Your Own Enterprise”
- Everybody is on a Journey
- Auditability will be increasingly important


Enterprise functions all have a system of record that enables compliance and audit: Sales, HR, Marketing, Finance …

What About Security?


Sample of Relevant Regulatory Authorities and Regimes

Financials
- Department of Treasury
- FFIEC - Federal Financial Institutions Examination Council
- CFPB - Consumer Financial Protection Bureau

Legislative
- Cybersecurity Information Sharing Act
- HIPAA
- Gramm-Leach-Bliley

Other
- SEC - Securities and Exchange Commission
- FTC - Federal Trade Commission
- EU / GDPR

A system of record that can demonstrate adherence to process and regulatory compliance will be increasingly important for internal audit / governance, external audit, and insurance underwriters.


The SecOps Hierarchy of Needs (top to bottom)

- Automated Remediation
- Automated Investigations
- Intelligent Alert Prioritization
- Automated Alert Enrichment
- Customizable Workflow and Reporting Engine
- Define Processes and Procedures

Enterprise Process Forms the Foundation

1) Define enterprise process for security operations
2) Customize process to align with best practices
3) Accelerate triage via automated enrichment (context)
4) Prioritize alert “haystack” with risk based score
5) Automate investigations (when possible)
6) Automate remediation (when possible)
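Steps 3 and 4 above, enrichment followed by a risk-based score, are where the "Assessing Risk (Triage)" slide's Likelihood (patch level, attributes of threat) and Severity (asset owner, business process, threat actor) inputs get turned into a number. The following is an added example serving both that slide and these steps; it is not code from the deck or from Syncurity. It enriches raw alerts from a constructed asset inventory, computes likelihood and severity from assumed weight tables, multiplies them into a 0-100 score, and sorts the haystack into assumed triage tiers. Every IP address, weight, field name and threshold is a constructed assumption.

```python
"""Risk-based triage scoring with automated enrichment.

Added example illustrating enrichment (step 3) and risk-based prioritization
(step 4) using the Likelihood and Severity attributes named in the deck.  Not
part of the original deck; the asset inventory, weight tables, field names and
escalation thresholds are all constructed assumptions.
"""
from typing import Dict, List

# Constructed asset inventory: the enrichment source (patch level, owner, business process).
ASSET_INVENTORY: Dict[str, Dict[str, str]] = {
    "10.0.1.15": {"patch_level": "current",          "owner": "IT",      "process": "dev-test"},
    "10.0.2.40": {"patch_level": "missing-critical", "owner": "Finance", "process": "payroll"},
    "10.0.3.7":  {"patch_level": "unknown",          "owner": "HR",      "process": "hr-records"},
}
UNKNOWN_ASSET = {"patch_level": "unknown", "owner": "unknown", "process": "unknown"}

# Likelihood inputs (slide: patch level, attributes of threat).  Assumed weights on a 0-1 scale.
PATCH_LIKELIHOOD = {"current": 0.2, "missing-critical": 0.9, "unknown": 0.6}
THREAT_LIKELIHOOD = {"exploit-observed": 0.9, "known-malware": 0.7, "anomaly": 0.4, "scan": 0.3}

# Severity inputs (slide: asset owner / business process, threat actor).  Assumed weights, 0-1.
PROCESS_SEVERITY = {"payroll": 0.9, "hr-records": 0.8, "dev-test": 0.2, "unknown": 0.5}
ACTOR_SEVERITY = {"targeted": 1.0, "unknown": 0.6, "commodity": 0.5}

# Triage tiers on the 0-100 score (assumed thresholds), highest first.
TIERS = [(70, "escalate-to-incident"), (30, "analyst-review"), (0, "auto-close-candidate")]


def enrich(alert: Dict) -> Dict:
    """Attach asset context to a raw alert; assets not in inventory get conservative defaults."""
    context = ASSET_INVENTORY.get(alert["dst"], UNKNOWN_ASSET)
    return {**alert, **context}


def likelihood(a: Dict) -> float:
    """How likely the alert is a real, exploitable problem: patch level and threat attribute."""
    patch = PATCH_LIKELIHOOD.get(a["patch_level"], PATCH_LIKELIHOOD["unknown"])
    threat = THREAT_LIKELIHOOD.get(a["threat_attr"], 0.5)
    return (patch + threat) / 2.0


def severity(a: Dict) -> float:
    """How much it would hurt: the business process behind the asset and who is behind the threat."""
    process = PROCESS_SEVERITY.get(a["process"], PROCESS_SEVERITY["unknown"])
    actor = ACTOR_SEVERITY.get(a["actor"], ACTOR_SEVERITY["unknown"])
    return 0.6 * process + 0.4 * actor


def risk_score(a: Dict) -> int:
    """Likelihood x Severity scaled to an integer 0-100."""
    return int(round(likelihood(a) * severity(a) * 100))


def tier_for(score: int) -> str:
    """Map a score onto the triage tier that should handle it."""
    for threshold, name in TIERS:
        if score >= threshold:
            return name
    return TIERS[-1][1]


def prioritize(alerts: List[Dict]) -> List[Dict]:
    """Enrich, score and sort the haystack so the riskiest alerts surface first."""
    ranked = []
    for raw in alerts:
        a = enrich(raw)
        score = risk_score(a)
        ranked.append({"id": a["id"], "risk": score, "tier": tier_for(score),
                       "owner": a["owner"], "process": a["process"]})
    return sorted(ranked, key=lambda r: r["risk"], reverse=True)


# Constructed raw alerts as a SIEM might hand them over (hypothetical values).
SAMPLE_ALERTS = [
    {"id": "A1", "source": "IDS", "dst": "10.0.2.40", "threat_attr": "exploit-observed", "actor": "targeted"},
    {"id": "A2", "source": "Netflow", "dst": "10.0.1.15", "threat_attr": "scan", "actor": "commodity"},
    {"id": "A3", "source": "UEBA", "dst": "10.0.3.7", "threat_attr": "anomaly", "actor": "unknown"},
    {"id": "A4", "source": "AV", "dst": "10.0.9.9", "threat_attr": "known-malware", "actor": "unknown"},
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_ALERTS):
        print(row)
```

The point of the exercise is not the particular weights, which any enterprise will set differently ("Bring Your Own Enterprise"), but that the score and the tier are derived from recorded inputs: an auditor can later see why A1 was escalated and A2 was left for automated closure, which is the system-of-record property the later slides call for.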


Really Cool Demo


Free Stuff / Questions?

Stop by our table to enter the raffle and say hello

Contact: John Jolly, President and CEO

[email protected]
