© 2017 FORRESTER. REPRODUCTION PROHIBITED.
Security Automation And Orchestration Best Practices
Joseph Blankenship, Senior Analyst
We work with business and technology leaders to develop customer-obsessed strategies that drive growth.
Analyst Bio
Joseph Blankenship, Senior Analyst, Forrester
Joseph (aka JB) supports Security & Risk professionals, helping clients develop security strategies and make informed decisions to protect against risk. He covers security infrastructure and operations, including security information management (SIM), security analytics, security automation and orchestration (SAO), distributed denial of service (DDoS), and network security. His research focuses on security monitoring, threat detection, insider threat, operations, and management.
Agenda
› Major Challenges In Security Operations
› Best Practices For A Successful Deployment
› Wrap-Up And Recommendations
Major Challenges In Security Operations
One Of My Favorite Tools
We Have LOTS Of Security Tools
Source: Momentum Partners
More tools = more security alerts
Addressing The Skills Gap
Image Source: www.flickr.com/photos/jamesjordan/3235815231
Orchestration is the coordination of activities, both human and automated, required to achieve a desired outcome.
Automation is taking action without human intervention.
Security Automation And Orchestration Can Help Alleviate The Skills Gap
Defining Security Automation And Orchestration
› Forrester defines SAO as: Technology products that provide automated, coordinated, and policy-based action of security processes across multiple technologies, making security operations faster, less error-prone, and more efficient.
Increasing Complexity Necessitates The Use Of Automation.
Source: Reduce Risk And Improve Security Through Infrastructure Automation Forrester report
Embrace Automation And Orchestration
› Historically, security pros have shied away from automation
• Risk of stopping legitimate traffic or disrupting business
• Need for human analyst to research and make decisions
› Completely manual processes are too slow
• Other parts of the business are already automated
• Security has to catch up
SAO Addresses Half Of the Top 10 Enterprise Security Challenges
Chart: top 10 enterprise security challenges (percentage of respondents, 0% to 45% axis)
› Complexity of our IT environment
› Changing/evolving nature of IT threats (internal and…
› Compliance with new privacy laws
› Day-to-day tactical activities taking up too much time
› Building a culture of data stewardship
› Lack of budget
› Lack of staff (the security team is understaffed)
› Unavailability of security employees with the right skills
› Inability to measure the effectiveness of our security…
› Other priorities in the organization taking precedence…
Base: 1,700 Security technology decision-makers (1,000+ employees)
Source: Forrester Data Global Business Technographics Security Survey, 2017
68% state that using automation and orchestration tools to improve security operations is a high or critical priority.
Base: 1,169 Security technology decision-makers (1,000+ employees)
Source: Forrester Data Global Business Technographics Security Survey, 2017
Planning to implement within the next 12 months: 23%
Implementing, implemented, or expanding implementation: 51%
Base: 604 Network security decision-makers (1,000+ employees)
Source: Forrester Data Global Business Technographics Security Survey, 2017
47% plan to increase spending on SAO technologies from 2017 – 2018.
Base: 1,169 Security technology decision-makers (1,000+ employees)
Source: Forrester Data Global Business Technographics Security Survey, 2017
SAO Tools:
› Act as “security middleware”
• Link security and analytics tools
› Orchestrate security processes
• Deliver consistent incident investigation and response
› Inform and educate analysts
• Provide next steps for analysts
› Enable automation without requiring coding skills
• Extend capabilities to analysts through the UI
› Facilitate automated response
• Take policy-based actions to stop attacks
› Provide reporting
• Report on SOC effectiveness and productivity
Source: Forrester’s Breakout Vendors: Security Automation And Orchestration (SAO) report
SAO Tools Amplify Human Analysts
SAO tools will help analysts become more productive, but will not be a replacement for human analysts.
Optimize security operations by orchestrating processes and automating manual tasks.
Does This Mean We No Longer Need Analysts?
Best Practices For A Successful Deployment
Getting Started With SAO
Take A Crawl, Walk, Run Approach
› What are the tasks/processes ready for automation today?
• Repetitive tasks
• High manual effort, low-risk processes like investigation, context building, and querying
› Build a strong foundation, then work on more advanced automation
• Complicated processes
• Remediation activities
Steps To a Successful SAO Deployment
› Choose an SAO vendor that works with your current technology investment
• Validate integrations with your technology
› Identify processes for orchestration/automation
• Choose documented, consistent processes
• Focus on highly manual processes that will provide immediate benefit
› Create a roadmap for SAO
• Add new playbooks as you gain success
› Build success criteria and measure success
• Know what a successful deployment looks like
• Measure productivity gains, MTTD, and MTTR
› Get help
• Most vendors have customer success teams and communities – take advantage of them
Be careful not to create too many playbooks at first. Build playbooks, roll them out, evaluate, then move on.
Wrap-Up And Recommendations
Wrap-Up And Next Steps
› Prioritize SAO as part of your security roadmap
• SAO has the potential to significantly impact operations
› Build a business case for SAO
• Demonstrate productivity gains, improved detection, and reporting
› Evaluate process to look for automation opportunities
• Build a foundation before increasing complexity
› Get your team on board
• Your team may be skeptical, so help them see the benefits for them
• Designate someone as the SAO champion or lead
© 2017 ServiceNow All Rights Reserved
Security Automation & Orchestration Best Practices
Piero DePaoli, Senior Director, Product Marketing, ServiceNow Security Business Unit
One in ~32 million definitions
Only ~521K for Orchestration
Putting Automation & Orchestration Into Context
Enterprise Security Response: Security Incident Response, Vulnerability Response, Workflow Automation & Orchestration, Deep IT Integration, Threat Intelligence
Use Case 1: High Profile Vulnerability Planning & Execution
• Scenario:
– Major software vulnerability announced
• What happens:
– Need to quickly understand potential impact and inform execs
• Use the CMDB to determine which business services use the vulnerable software
• Automatically prioritize vulnerabilities based on:
– Business service impact
– Asset criticality
– Vulnerability risk score
• Automatically identify the assets creating the most risk that are ready for action
• Facilitate emergency patches to critical assets
• Can immediately report that all critical systems are patched…
• …and have a plan for responding to the rest
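A worked example of the prioritization and reporting steps above, added here and not taken from the deck or from ServiceNow's product: it folds business service impact (a CMDB lookup), asset criticality and the vulnerability risk score into one priority, ranks the findings, and reports whether every emergency-flagged asset is patched. The service weights, the assets, the product-of-factors formula and the 60-point emergency threshold are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed CMDB data: how much each business service matters (1 low .. 5 crown jewel).
SERVICE_IMPACT = {"online-banking": 5, "payroll": 4, "intranet-wiki": 1}
EMERGENCY_THRESHOLD = 60.0  # assumed cut-off above which an asset gets an emergency patch

@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int          # 1 .. 5, as recorded in the CMDB
    business_services: tuple  # business services that depend on this asset

@dataclass(frozen=True)
class Finding:
    asset: Asset
    vuln_id: str              # placeholder identifier; no real CVE is implied
    risk_score: float         # scanner / CVSS-style score, 0 .. 10

def service_impact(asset: Asset) -> int:
    """Highest impact of any business service that uses the asset (the CMDB lookup)."""
    return max((SERVICE_IMPACT.get(s, 1) for s in asset.business_services), default=1)

def priority(f: Finding) -> float:
    """Assumed formula: product of the three normalised factors, scaled to 0..100."""
    score = (f.risk_score / 10) * (service_impact(f.asset) / 5) * (f.asset.criticality / 5)
    return round(score * 100, 1)

def prioritize(findings):
    """Rank findings highest risk first and flag the ones that warrant an emergency patch."""
    ranked = sorted(findings, key=priority, reverse=True)
    return [(f.asset.name, f.vuln_id, priority(f), priority(f) >= EMERGENCY_THRESHOLD)
            for f in ranked]

def patch_report(ranked, patched):
    """Report whether all emergency-flagged assets are patched and what still needs a plan."""
    critical = [name for name, _, _, urgent in ranked if urgent]
    remaining = [name for name, _, _, _ in ranked if name not in patched]
    return {"critical_all_patched": all(n in patched for n in critical),
            "remaining_plan": remaining}

# Constructed sample findings for one announced vulnerability present on three assets.
SAMPLE = [
    Finding(Asset("web01", 5, ("online-banking",)), "VULN-PLACEHOLDER", 9.8),
    Finding(Asset("hr-app", 3, ("payroll",)), "VULN-PLACEHOLDER", 9.8),
    Finding(Asset("wiki", 1, ("intranet-wiki",)), "VULN-PLACEHOLDER", 9.8),
]
```

With the sample data only `web01` crosses the emergency threshold, so once it is patched the report can state that all critical systems are done while `hr-app` and `wiki` remain on the plan.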
Use Case 2: Automatic Security Incident Investigation
The Typical Incident Investigation Process
1. Security incident generated
2. Analyst prioritizes, assigns & categorizes incident
3. Analyst identifies & extracts IPs, hashes & IoCs
4. Analyst runs reputational lookups via threat intel indicators
5. Analyst gets running processes from target machine
6. Analyst gets network connections from target machine
7. Analyst runs hashes on all running processes
8. Analyst runs threat intel lookups on all processes and network connections
9. Analyst confirms threat
10. Analyst begins remediation process
Use Case 2: Automatic Security Incident Investigation
The Incident Investigation Process with Automation
The same ten steps as above; on the original slide, red boxes mark the data enrichment activities.
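The enrichment steps of this investigation process (extracting indicators, reputational lookups, collecting and hashing running processes, checking network connections) as one automated routine. This is an added example, not the deck's or ServiceNow's code: the threat intel feed, the process images, the 203.0.113.0/24 and 198.51.100.0/24 addresses (documentation ranges) and the host snapshot format are all constructed.

```python
import re
from hashlib import sha256

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")

# Constructed byte strings standing in for process images on the target machine.
BENIGN_IMAGE = b"constructed benign service binary"
MALWARE_IMAGE = b"constructed malware sample"

# Constructed threat intel feed: indicator -> verdict.
THREAT_INTEL = {
    "203.0.113.7": "malicious",
    "198.51.100.20": "benign",
    sha256(MALWARE_IMAGE).hexdigest(): "malicious",
}

def extract_iocs(text: str) -> dict:
    """Step 3: pull IPs and SHA-256 hashes out of the incident text."""
    return {"ips": sorted(set(IP_RE.findall(text))),
            "hashes": sorted({h.lower() for h in SHA256_RE.findall(text)})}

def reputation(indicators) -> dict:
    """Steps 4 and 8: look each indicator up in the threat intel feed."""
    return {i: THREAT_INTEL.get(i, "unknown") for i in indicators}

def enrich(incident_text: str, host: dict) -> dict:
    """Run the enrichment steps end to end; host is a constructed endpoint snapshot
    {"processes": [{"name", "image"}], "connections": [{"process", "remote_ip"}]}."""
    iocs = extract_iocs(incident_text)
    ioc_rep = reputation(iocs["ips"] + iocs["hashes"])
    # Steps 5-7: enumerate running processes, hash their images, look the hashes up.
    proc_hashes = {p["name"]: sha256(p["image"]).hexdigest() for p in host["processes"]}
    proc_rep = {name: THREAT_INTEL.get(h, "unknown") for name, h in proc_hashes.items()}
    conn_rep = reputation(c["remote_ip"] for c in host["connections"])
    hits = sorted({k for d in (ioc_rep, proc_rep, conn_rep) for k, v in d.items() if v == "malicious"})
    # Step 9: everything the analyst needs to confirm (or dismiss) the threat, in one record.
    return {"iocs": iocs, "process_hashes": proc_hashes, "hits": hits,
            "threat_confirmed": bool(hits)}

# Constructed incident text and host snapshot used when the module is run or tested.
INCIDENT = "IDS alert: outbound beacon from host ws-42 to 203.0.113.7 and 198.51.100.20"
HOST = {"processes": [{"name": "svchost.exe", "image": BENIGN_IMAGE},
                      {"name": "updater.exe", "image": MALWARE_IMAGE}],
        "connections": [{"process": "updater.exe", "remote_ip": "203.0.113.7"}]}
```

Here the enrichment record ties the malicious destination to the process `updater.exe` whose image hash is also on the feed, which is the evidence the analyst confirms before remediation starts.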
Use Case 3: Automatic Phishing Incident Handling
• Scenario:
– User believes they have received a phishing email
• What happens:
– User sends the email to [email protected]
– The report automatically submits the email and its contents for malware scanning
Use Case 3: Automatic Phishing Incident Handling
• If malicious:
– Determine who else has received email
• If opened, delete it from mail server and scan for malware
• If not opened, delete it from mail server
– Update mail server protection to block email
– Update firewall rules to block URL included in email
Use Case 4: Managing Vendor Risk
• Scenario:
– Major software vulnerability announced
• What happens
– Need to quickly understand potential impact and inform execs
– Potential impact is bigger than just MY systems; it includes third parties that house or access sensitive data
Use Case 4: Managing Vendor Risk
1. Automatically create dependency mappings using CMDB and GRC indicators to create risk scores for vendors
2. Identify critical vendors and high priority issues with dynamically generated risk scores
3. Create a questionnaire on the status of the specific vulnerability and automatically push it out to all vendors
4. Easily report progress on critical vs non-critical and take actions if needed
Three Strategies for Implementing Automation & Orchestration
ServiceNow platform (Nonstop Cloud)
Business apps: IT, Security, HR, Customer Service
Platform components: Single Database, Contextual Collaboration, Service Catalog, Service Portal, Subscription & Notification, Knowledge Base, Orchestration, Developer Tools, Reports & Dashboards, Workflow
Intelligent Automation Engine: Predictive Modeling, Anomaly Detection, Peer Benchmarks, Performance Forecasting
ServiceNow Security Operations
Applications: Security Incident Response, Vulnerability Response, Workflow Automation & Orchestration, Deep IT Integration, Threat Intelligence
Built on the same ServiceNow platform components (Nonstop Cloud) and Intelligent Automation Engine.
Joseph Blankenship
www.forrester.com/Joseph-Blankenship
@infosec_jb
Piero DePaoli
www.servicenow.com/sec-ops
@pierodepaoli
Q & A