Security Automation and Orchestration Best Practices

Page 1: Security Automation and Orchestration Best Practices

© 2017 FORRESTER. REPRODUCTION PROHIBITED.

Security Automation And Orchestration Best Practices

Joseph Blankenship, Senior Analyst

Page 2: Security Automation and Orchestration Best Practices

We work with business and technology leaders to develop customer-obsessed strategies that drive growth.

Page 3: Security Automation and Orchestration Best Practices

Analyst Bio

Joseph (aka JB) supports Security & Risk professionals, helping clients develop security strategies and make informed decisions to protect against risk. He covers security infrastructure and operations, including security information management (SIM), security analytics, security automation and orchestration (SAO), distributed denial of service (DDoS), and network security. His research focuses on security monitoring, threat detection, insider threat, operations, and management.

Joseph Blankenship, Senior Analyst, Forrester

Page 4: Security Automation and Orchestration Best Practices


Agenda

› Major Challenges In Security Operations

› Best Practices For A Successful Deployment

› Wrap-Up And Recommendations

Page 5: Security Automation and Orchestration Best Practices


Major Challenges In Security Operations

Page 6: Security Automation and Orchestration Best Practices


One Of My Favorite Tools

Page 7: Security Automation and Orchestration Best Practices


We Have LOTS Of Security Tools

Source: Momentum Partners

Page 8: Security Automation and Orchestration Best Practices

More tools = more security alerts

Page 9: Security Automation and Orchestration Best Practices

Addressing The Skills Gap

Image Source: www.flickr.com/photos/jamesjordan/3235815231

Orchestration is the coordination of activities, both human and automated, required to achieve a desired outcome.

Automation is taking action without human intervention.

Security Automation And Orchestration Can Help Alleviate The Skills Gap

Page 10: Security Automation and Orchestration Best Practices

Defining Security Automation And Orchestration

› Forrester defines SAO as:

Technology products that provide automated, coordinated, and policy-based action of security processes across multiple technologies, making security operations faster, less error-prone, and more efficient.

Page 11: Security Automation and Orchestration Best Practices


Increasing Complexity Necessitates The Use Of Automation.

Source: Reduce Risk And Improve Security Through Infrastructure Automation Forrester report

Page 12: Security Automation and Orchestration Best Practices

Embrace Automation And Orchestration

› Historically, security pros have shied away from automation

• Risk of stopping legitimate traffic or disrupting business

• Need for human analyst to research and make decisions

› Completely manual processes are too slow

• Other parts of the business are already automated

• Security has to catch up

Page 13: Security Automation and Orchestration Best Practices

SAO Addresses Half Of the Top 10 Enterprise Security Challenges

[Bar chart, x-axis 0%–45%; the per-challenge percentages are not present in the extracted text. Challenges in the chart's order:]

• Complexity of our IT environment

• Changing/evolving nature of IT threats (internal and…

• Compliance with new privacy laws

• Day-to-day tactical activities taking up too much time

• Building a culture of data stewardship

• Lack of budget

• Lack of staff (the security team is understaffed)

• Unavailability of security employees with the right skills

• Inability to measure the effectiveness of our security…

• Other priorities in the organization taking precedence…

Base: 1,700 Security technology decision-makers (1,000+ employees)

Source: Forrester Data Global Business Technographics Security Survey, 2017

Page 14: Security Automation and Orchestration Best Practices

68% state that using automation and orchestration tools to improve security operations is a high or critical priority.

Base: 1,169 Security technology decision-makers (1,000+ employees)

Source: Forrester Data Global Business Technographics Security Survey, 2017

Page 15: Security Automation and Orchestration Best Practices

23%: Planning to implement within the next 12 months

51%: Implementing; implemented; or expanding implementation

Base: 604 Network security decision-makers (1,000+ employees)

Source: Forrester Data Global Business Technographics Security Survey, 2017

Page 16: Security Automation and Orchestration Best Practices

47% plan to increase spending on SAO technologies from 2017 to 2018.

Base: 1,169 Security technology decision-makers (1,000+ employees)

Source: Forrester Data Global Business Technographics Security Survey, 2017

Page 17: Security Automation and Orchestration Best Practices

SAO Tools:

› Act as “security middleware”

• Links security and analytics tools

› Orchestrate security processes

• Deliver consistent incident investigation and response

› Inform and educate analysts

• Provides next steps for analysts

› Enable automation without requiring coding skills

• Extends capabilities to analysts through UI

› Facilitate automated response

• Take policy-based actions to stop attacks

› Provide reporting

• Report on SOC effectiveness and productivity

Source: Forrester’s Breakout Vendors: Security Automation And Orchestration (SAO) report

Page 18: Security Automation and Orchestration Best Practices

SAO Tools Amplify Human Analysts

SAO tools will help analysts become more productive, but will not be a replacement for human analysts.

Page 19: Security Automation and Orchestration Best Practices


Optimize security operations by orchestrating processes and automating manual tasks.

Page 20: Security Automation and Orchestration Best Practices

Does This Mean We No Longer Need Analysts?

SAO tools will help analysts become more productive, but will not be a replacement for human analysts.

Page 21: Security Automation and Orchestration Best Practices


Best Practices For A Successful Deployment

Page 22: Security Automation and Orchestration Best Practices


Page 23: Security Automation and Orchestration Best Practices

Getting Started With SAO

› What are the tasks/processes ready for automation today?

• Repetitive tasks

• High manual effort, low-risk processes like investigation, context building, and querying

› Build a strong foundation, then work on more advanced automation

• Complicated processes

• Remediation activities

Take A Crawl, Walk, Run Approach

Page 24: Security Automation and Orchestration Best Practices


Steps To a Successful SAO Deployment

› Choose an SAO vendor that works with your current technology investment

• Validate integrations with your technology

› Identify processes for orchestration/automation

• Choose documented, consistent processes

• Focus on highly manual processes that will provide immediate benefit

› Create a roadmap for SAO

• Add new playbooks as you gain success

› Build success criteria and measure success

• Know what a successful deployment looks like

• Measure productivity gains, MTTD, and MTTR

› Get help

• Most vendors have customer success teams and communities – take advantage of them

Be careful not to create too many playbooks at first. Build playbooks, roll them out, evaluate, then move on.

Page 25: Security Automation and Orchestration Best Practices


Wrap-Up And Recommendations

Page 26: Security Automation and Orchestration Best Practices


Wrap-Up And Next Steps

› Prioritize SAO as part of your security roadmap

• SAO has the potential to significantly impact operations

› Build a business case for SAO

• Demonstrate productivity gains, improved detection, and reporting

› Evaluate processes to look for automation opportunities

• Build a foundation before increasing complexity

› Get your team on board

• Your team may be skeptical, so help them see the benefits for them

• Designate someone as the SAO champion or lead

Page 27: Security Automation and Orchestration Best Practices

© 2017 ServiceNow All Rights Reserved

Security Automation & Orchestration Best Practices

Piero DePaoli

Senior Director, Product Marketing, ServiceNow Security Business Unit

Page 28: Security Automation and Orchestration Best Practices


One in ~32 million definitions

Page 29: Security Automation and Orchestration Best Practices


Only ~521K for Orchestration

Page 30: Security Automation and Orchestration Best Practices

Putting Automation & Orchestration Into Context

[Diagram: the five pillars of Enterprise Security Response]

• Security Incident Response

• Vulnerability Response

• Workflow Automation & Orchestration

• Deep IT Integration

• Threat Intelligence

Page 31: Security Automation and Orchestration Best Practices


Use Case 1: High Profile Vulnerability Planning & Execution

• Scenario:

– Major software vulnerability announced

• What happens

– Need to quickly understand potential impact and inform execs

Page 32: Security Automation and Orchestration Best Practices


Use Case 1: High Profile Vulnerability Planning & Execution

• Use the CMDB to determine which business services use the vulnerable software

Page 33: Security Automation and Orchestration Best Practices


Use Case 1: High Profile Vulnerability Planning & Execution

• Automatically prioritize vulnerabilities based on:

– Business service impact

– Asset criticality

– Vulnerability risk score

• Automatically identify the assets creating the most risk and be ready to take action

• Facilitate emergency patches to critical assets
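The prioritization described on this and the previous slide, as an added example (this is not ServiceNow's or Forrester's code). It joins scanner findings to a constructed CMDB, scores each finding with an assumed rule (risk score scaled by the impact weight of the dependent business service and by asset criticality), and produces the two reports the use case asks for: which business services use the vulnerable software, and whether every critical asset has been patched. All asset names, services, weights and vulnerability ids are constructed placeholders.

```python
"""Vulnerability prioritization joined with CMDB data (added example, constructed data)."""
from dataclasses import dataclass

# Constructed business-service impact weights (hypothetical 1-5 scale).
SERVICE_IMPACT = {
    "online-banking": 5,
    "payroll": 4,
    "intranet-wiki": 2,
}


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int   # constructed scale: 1 (low) .. 4 (critical)
    services: tuple    # business services that depend on this asset


@dataclass
class Finding:
    asset: str
    vuln_id: str       # placeholder ids, not real CVE numbers
    risk_score: float  # scanner/vendor risk score on a 0-10 scale
    patched: bool = False


# Constructed CMDB: asset name -> Asset record
CMDB = {
    "web-01": Asset("web-01", 4, ("online-banking",)),
    "hr-db-02": Asset("hr-db-02", 3, ("payroll",)),
    "wiki-03": Asset("wiki-03", 1, ("intranet-wiki",)),
    "lab-09": Asset("lab-09", 1, ()),
}

UNKNOWN_CRITICALITY = 1  # assets missing from the CMDB get the lowest criticality


def service_impact(asset: Asset) -> int:
    """Highest impact weight among the services that depend on the asset (1 if none)."""
    return max((SERVICE_IMPACT.get(s, 1) for s in asset.services), default=1)


def priority(f: Finding, cmdb: dict) -> float:
    """Assumed scoring rule: risk score x service impact x asset criticality."""
    asset = cmdb.get(f.asset, Asset(f.asset, UNKNOWN_CRITICALITY, ()))
    return round(f.risk_score * service_impact(asset) * asset.criticality, 1)


def affected_services(findings, cmdb) -> set:
    """Business services that use software with an open finding (CMDB lookup)."""
    out = set()
    for f in findings:
        if not f.patched and f.asset in cmdb:
            out.update(cmdb[f.asset].services)
    return out


def prioritize(findings, cmdb) -> list:
    """Open findings, highest priority first, as (asset, vuln_id, score)."""
    ranked = [(f.asset, f.vuln_id, priority(f, cmdb)) for f in findings if not f.patched]
    return sorted(ranked, key=lambda r: r[2], reverse=True)


def critical_patch_status(findings, cmdb, critical_level: int = 4) -> dict:
    """Exec report: are all critical assets patched, and what remains open elsewhere."""
    def crit_level(f):
        return cmdb.get(f.asset, Asset(f.asset, UNKNOWN_CRITICALITY, ())).criticality
    crit = [f for f in findings if crit_level(f) >= critical_level]
    remaining = [f for f in findings if not f.patched and f not in crit]
    return {
        "critical_total": len(crit),
        "critical_patched": sum(1 for f in crit if f.patched),
        "all_critical_patched": all(f.patched for f in crit),
        "remaining_open": [(f.asset, f.vuln_id) for f in remaining],
    }


# Constructed scanner output after one announced vulnerability (placeholder ids)
FINDINGS = [
    Finding("web-01", "VULN-EXAMPLE-1", 9.8),
    Finding("hr-db-02", "VULN-EXAMPLE-1", 9.8),
    Finding("wiki-03", "VULN-EXAMPLE-1", 9.8),
    Finding("lab-09", "VULN-EXAMPLE-2", 5.0),
]

if __name__ == "__main__":
    print("services exposed:", affected_services(FINDINGS, CMDB))
    for row in prioritize(FINDINGS, CMDB):
        print(row)
    FINDINGS[0].patched = True  # emergency patch applied to the critical asset
    print(critical_patch_status(FINDINGS, CMDB))
```

The same scanner score (9.8) lands on three assets but ranks them very differently once CMDB context is applied, which is the point of the slide: the scanner's number alone does not tell the analyst where to act first.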

Page 34: Security Automation and Orchestration Best Practices


Use Case 1: High Profile Vulnerability Planning & Execution

• Can immediately report that all critical systems are patched…

Page 35: Security Automation and Orchestration Best Practices


Use Case 1: High Profile Vulnerability Planning & Execution

• …and have a plan for responding to the rest

Page 36: Security Automation and Orchestration Best Practices

Use Case 2: Automatic Security Incident Investigation

The Typical Incident Investigation Process

1. Security incident generated

2. Analyst prioritizes, assigns & categorizes incident

3. Analyst identifies & extracts IPs, hashes & IoCs

4. Analyst runs reputational lookups via threat intel indicators

5. Analyst gets running processes from target machine

6. Analyst gets network connections from target machine

7. Analyst runs hashes on all running processes

8. Analyst runs threat intel lookups on all processes and network connections

9. Analyst confirms threat

10. Analyst begins remediation process

Page 37: Security Automation and Orchestration Best Practices

Use Case 2: Automatic Security Incident Investigation

The Incident Investigation Process with Automation

1. Security incident generated

2. Analyst prioritizes, assigns & categorizes incident

3. Analyst identifies & extracts IPs, hashes & IoCs

4. Analyst runs reputational lookups via threat intel indicators

5. Analyst gets running processes from target machine

6. Analyst gets network connections from target machine

7. Analyst runs hashes on all running processes

8. Analyst runs threat intel lookups on all processes and network connections

9. Analyst confirms threat

10. Analyst begins remediation process

Legend from the original figure: red boxes = data enrichment activities.
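The enrichment chain the two slides above describe (extract IoCs, look up their reputation, hash the running processes, look up processes and connections), as an added example that is not ServiceNow's code. The threat-intel table, the incident description, the process list and the connection list are all constructed in-memory stand-ins for the real integrations; the IP addresses come from the documentation ranges. The output hands the analyst a confirmed/unconfirmed verdict plus the flagged processes and connections, which is where the human steps back in before remediation.

```python
"""Automated enrichment for a security incident (added example, constructed data)."""
import hashlib
import re

IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
HASH_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")

# Constructed threat-intel table: indicator -> verdict (not real intelligence).
THREAT_INTEL = {
    "203.0.113.7": "malicious",     # TEST-NET-3 documentation range
    "198.51.100.20": "suspicious",  # TEST-NET-2 documentation range
    hashlib.sha256(b"constructed-dropper-bytes").hexdigest(): "malicious",
}


def extract_iocs(text: str) -> dict:
    """Pull IPv4 addresses and MD5/SHA-1/SHA-256 hashes out of free text, deduplicated, order kept."""
    ips = list(dict.fromkeys(IPV4_RE.findall(text)))
    hashes = list(dict.fromkeys(h.lower() for h in HASH_RE.findall(text)))
    return {"ips": ips, "hashes": hashes}


def reputation(indicator: str, intel: dict = THREAT_INTEL) -> str:
    """Reputational lookup against the intel table; anything unlisted is 'unknown'."""
    return intel.get(indicator.lower(), "unknown")


def hash_processes(processes: list) -> list:
    """Endpoint step stand-in: (name, sha256 of the image) for each running process.
    The images are constructed byte strings in place of executables on disk."""
    return [(name, hashlib.sha256(image).hexdigest()) for name, image in processes]


def enrich_incident(description: str, processes: list, connections: list,
                    intel: dict = THREAT_INTEL) -> dict:
    """Run the enrichment chain an analyst would otherwise do by hand."""
    iocs = extract_iocs(description)
    hashed = hash_processes(processes)
    verdicts = {}
    for ip in iocs["ips"] + [c["remote_ip"] for c in connections]:
        verdicts[ip] = reputation(ip, intel)
    for h in iocs["hashes"] + [h for _, h in hashed]:
        verdicts[h] = reputation(h, intel)
    flagged_processes = [name for name, h in hashed if verdicts[h] != "unknown"]
    flagged_connections = [c for c in connections if verdicts[c["remote_ip"]] != "unknown"]
    return {
        "iocs": iocs,
        "verdicts": verdicts,
        "flagged_processes": flagged_processes,
        "flagged_connections": flagged_connections,
        # "confirmed" here means an indicator hit the malicious list; the analyst
        # still reviews this before the remediation step starts.
        "threat_confirmed": any(v == "malicious" for v in verdicts.values()),
    }


# Constructed incident data
DESCRIPTION = ("EDR alert: outbound beacon from host WS-17 to 203.0.113.7; dropped file sha256 "
               + hashlib.sha256(b"constructed-dropper-bytes").hexdigest())
PROCESSES = [("explorer.exe", b"constructed-explorer-bytes"),
             ("svchost.exe", b"constructed-svchost-bytes"),
             ("updater.exe", b"constructed-dropper-bytes")]
CONNECTIONS = [{"pid": 4412, "remote_ip": "198.51.100.20", "port": 443},
               {"pid": 880, "remote_ip": "192.0.2.10", "port": 53}]

if __name__ == "__main__":
    result = enrich_incident(DESCRIPTION, PROCESSES, CONNECTIONS)
    for key, value in result.items():
        print(key, value)
```

Steps 3 through 8 of the slide collapse into one function call; the verdict dictionary is what the analyst reviews at step 9, and nothing in the block takes a remediation action on its own.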

Page 38: Security Automation and Orchestration Best Practices

Use Case 3: Automatic Phishing Incident Handling

• Scenario:

– User believes they have received a phishing email

• What happens

– User sends the email to [email protected]

– The report automatically submits the email and its contents for malware scanning

Page 39: Security Automation and Orchestration Best Practices


Use Case 3: Automatic Phishing Incident Handling

• If malicious:

– Determine who else has received email

• If opened, delete it from mail server and scan for malware

• If not opened, delete it from mail server

– Update mail server protection to block email

– Update firewall rules to block URL included in email
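The branch logic of the phishing playbook on the two slides above, as an added example (not ServiceNow's code). The scanner, the mail server and the firewall are constructed in-memory stand-ins: scanning means checking extracted URLs and the attachment hash against a small constructed blocklist, deleting means removing the copy from an in-memory mailbox list, and the firewall is a set of blocked URLs. Every action is appended to an action list so the run can be reviewed afterwards. All addresses, message ids and URLs are constructed and use reserved example domains.

```python
"""Phishing-report playbook with branch logic (added example, constructed integrations)."""
import hashlib
import re
from dataclasses import dataclass, field

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


@dataclass
class Message:
    msg_id: str
    sender: str
    recipient: str
    body: str
    attachment: bytes = b""
    opened: bool = False


@dataclass
class MailServer:
    """Constructed stand-in for the mail-server integration."""
    messages: list
    block_rules: list = field(default_factory=list)

    def copies_of(self, msg_id: str) -> list:
        """Every recipient's copy of the same message (who else received it)."""
        return [m for m in self.messages if m.msg_id == msg_id]

    def delete(self, m: Message) -> None:
        self.messages.remove(m)


# Constructed verdict data for the scanner stand-in
KNOWN_BAD_ATTACHMENT = hashlib.sha256(b"constructed-macro-document").hexdigest()
KNOWN_BAD_URLS = {"http://login-example.invalid/verify"}


def scan_email(m: Message) -> dict:
    """Stand-in for 'submit email and contents for malware scanning'."""
    urls = URL_RE.findall(m.body)
    att_hash = hashlib.sha256(m.attachment).hexdigest() if m.attachment else None
    bad_urls = [u for u in urls if u in KNOWN_BAD_URLS]
    malicious = bool(bad_urls) or att_hash == KNOWN_BAD_ATTACHMENT
    return {"malicious": malicious, "urls": urls, "bad_urls": bad_urls, "attachment_sha256": att_hash}


def handle_phishing_report(reported: Message, mail: MailServer, firewall_blocks: set) -> dict:
    """The playbook; returns the verdict and the ordered list of actions taken."""
    actions = []
    verdict = scan_email(reported)
    if not verdict["malicious"]:
        actions.append(("close", reported.msg_id, "benign"))
        return {"verdict": verdict, "actions": actions}
    for copy in mail.copies_of(reported.msg_id):      # determine who else received it
        if copy.opened:
            actions.append(("scan_host", copy.recipient))  # opened: scan that user's machine
        mail.delete(copy)                                  # delete from the server either way
        actions.append(("delete", copy.recipient))
    mail.block_rules.append({"sender": reported.sender, "msg_id": reported.msg_id})
    actions.append(("mail_block", reported.sender))        # stop further delivery
    for url in verdict["bad_urls"]:
        firewall_blocks.add(url)                           # block the URL at the firewall
        actions.append(("firewall_block", url))
    return {"verdict": verdict, "actions": actions}


# Constructed mailboxes: three users got the same message, Bob already opened it.
MSG_ID = "<constructed-001@example.invalid>"
BODY = "Your account is locked, verify at http://login-example.invalid/verify"
INBOXES = MailServer([
    Message(MSG_ID, "alerts@example.invalid", "alice@example.invalid", BODY),
    Message(MSG_ID, "alerts@example.invalid", "bob@example.invalid", BODY, opened=True),
    Message(MSG_ID, "alerts@example.invalid", "carol@example.invalid", BODY),
    Message("<constructed-002@example.invalid>", "news@example.invalid", "alice@example.invalid", "Monthly update"),
])
FIREWALL_BLOCKS = set()

if __name__ == "__main__":
    # Alice reports her copy; the playbook handles everyone's copy.
    outcome = handle_phishing_report(INBOXES.messages[0], INBOXES, FIREWALL_BLOCKS)
    for action in outcome["actions"]:
        print(action)
    print("messages left:", [(m.recipient, m.msg_id) for m in INBOXES.messages])
```

Bob's copy is the only one that triggers the extra host scan; all three copies are deleted, and the block rules are applied once per message rather than once per recipient.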

Page 40: Security Automation and Orchestration Best Practices


Use Case 4: Managing Vendor Risk

• Scenario:

– Major software vulnerability announced

• What happens

– Need to quickly understand potential impact and inform execs

– The potential impact is bigger than just MY systems; it includes third parties that house or access sensitive data

Page 41: Security Automation and Orchestration Best Practices

Use Case 4: Managing Vendor Risk

1. Automatically create dependency mappings using CMDB and GRC indicators to create risk scores for vendors

2. Identify critical vendors and high-priority issues with dynamically generated risk scores

3. Create a questionnaire on the status of the specific vulnerability and automatically push it out to all vendors

4. Easily report progress on critical vs. non-critical and take action if needed

Page 42: Security Automation and Orchestration Best Practices


Three Strategies for Implementing Automation & Orchestration

Page 43: Security Automation and Orchestration Best Practices

[Diagram: the ServiceNow platform. Application areas: Business Apps, IT, Security, HR, Customer Service. Platform components: Single Database; Contextual Collaboration; Service Catalog; Service Portal; Subscription & Notification; Knowledge Base; Orchestration; Developer Tools; Reports & Dashboards; Workflow. Intelligent Automation Engine: Predictive Modeling; Anomaly Detection; Peer Benchmarks; Performance Forecasting. Nonstop Cloud.]

Page 44: Security Automation and Orchestration Best Practices

ServiceNow Security Operations

[Diagram: Security Operations on the ServiceNow platform. Security Operations: Security Incident Response; Vulnerability Response; Workflow Automation & Orchestration; Deep IT Integration; Threat Intelligence. Platform components: Single Database; Contextual Collaboration; Service Catalog; Service Portal; Subscription & Notification; Knowledge Base; Orchestration; Developer Tools; Reports & Dashboards; Workflow. Intelligent Automation Engine: Predictive Modeling; Anomaly Detection; Peer Benchmarks; Performance Forecasting. Nonstop Cloud.]

Page 45: Security Automation and Orchestration Best Practices

Joseph Blankenship

www.forrester.com/Joseph-Blankenship

@infosec_jb

Piero DePaoli

www.servicenow.com/sec-ops

@pierodepaoli

Q & A