Security Automation and Orchestration Best Practices

Post on 21-Jan-2018


Transcript

© 2017 FORRESTER. REPRODUCTION PROHIBITED.

Security Automation And Orchestration Best Practices

Joseph Blankenship, Senior Analyst

We work with business and technology leaders to develop customer-obsessed strategies that drive growth.


Analyst Bio

Joseph (aka JB) supports Security & Risk professionals, helping clients develop security strategies and make informed decisions to protect against risk. He covers security infrastructure and operations, including security information management (SIM), security analytics, security automation and orchestration (SAO), distributed denial of service (DDoS), and network security. His research focuses on security monitoring, threat detection, insider threat, operations, and management.

Joseph Blankenship, Senior Analyst, Forrester


Agenda

› Major Challenges In Security Operations

› Best Practices For A Successful Deployment

› Wrap-Up And Recommendations


Major Challenges In Security Operations


One Of My Favorite Tools


We Have LOTS Of Security Tools

Source: Momentum Partners


More tools = more security alerts


Addressing The Skills Gap

Image Source: www.flickr.com/photos/jamesjordan/3235815231

Orchestration is the coordination of activities, both human and automated, required to achieve a desired outcome.

Automation is taking action without human intervention.

Security Automation And Orchestration Can Help Alleviate The Skills Gap


Defining Security Automation And Orchestration

› Forrester defines SAO as: Technology products that provide automated, coordinated, and policy-based action of security processes across multiple technologies, making security operations faster, less error-prone, and more efficient.


Increasing Complexity Necessitates The Use Of Automation.

Source: Reduce Risk And Improve Security Through Infrastructure Automation Forrester report


Embrace Automation And Orchestration

› Historically, security pros have shied away from automation

• Risk of stopping legitimate traffic or disrupting business

• Need for human analyst to research and make decisions

› Completely manual processes are too slow

• Other parts of the business are already automated

• Security has to catch up


SAO Addresses Half Of The Top 10 Enterprise Security Challenges

[Bar chart, 0% to 45% of respondents, of the top 10 enterprise security challenges; the categories shown are:]

• Complexity of our IT environment

• Changing/evolving nature of IT threats (internal and…

• Compliance with new privacy laws

• Day-to-day tactical activities taking up too much time

• Building a culture of data stewardship

• Lack of budget

• Lack of staff (the security team is understaffed)

• Unavailability of security employees with the right skills

• Inability to measure the effectiveness of our security…

• Other priorities in the organization taking precedence…

Base: 1,700 Security technology decision-makers (1,000+ employees)

Source: Forrester Data Global Business Technographics Security Survey, 2017


68% state that using automation and orchestration tools to improve security operations is a high or critical priority.

Base: 1,169 Security technology decision-makers (1,000+ employees)

Source: Forrester Data Global Business Technographics Security Survey, 2017


23%: Planning to implement within the next 12 months

51%: Implementing; implemented; or expanding implementation

Base: 604 Network security decision-makers (1,000+ employees)

Source: Forrester Data Global Business Technographics Security Survey, 2017


47% plan to increase spending on SAO technologies from 2017 to 2018.

Base: 1,169 Security technology decision-makers (1,000+ employees)

Source: Forrester Data Global Business Technographics Security Survey, 2017


SAO Tools:

› Act as “security middleware”

• Links security and analytics tools

› Orchestrate security processes

• Deliver consistent incident investigation and response

› Inform and educate analysts

• Provide next steps for analysts

› Enable automation without requiring coding skills

• Extend capabilities to analysts through the UI

› Facilitate automated response

• Take policy-based actions to stop attacks

› Provide reporting

• Report on SOC effectiveness and productivity

Source: Forrester’s Breakout Vendors: Security Automation And Orchestration (SAO) report


SAO Tools Amplify Human Analysts

SAO tools will help analysts become more productive, but will not be a replacement for human analysts.


Optimize security operations by orchestrating processes and automating manual tasks.


Does This Mean We No Longer Need Analysts?

SAO tools will help analysts become more productive, but will not be a replacement for human analysts.


Best Practices For A Successful Deployment


Getting Started With SAO

› What are the tasks/processes ready for automation today?

• Repetitive tasks

• High manual effort, low-risk processes like investigation, context building, and querying

› Build a strong foundation, then work on more advanced automation

• Complicated processes

• Remediation activities

Take A Crawl, Walk, Run Approach


Steps To a Successful SAO Deployment

› Choose an SAO vendor that works with your current technology investment

• Validate integrations with your technology

› Identify processes for orchestration/automation

• Choose documented, consistent processes

• Focus on highly manual processes that will provide immediate benefit

› Create a roadmap for SAO

• Add new playbooks as you gain success

› Build success criteria and measure success

• Know what a successful deployment looks like

• Measure productivity gains, MTTD, and MTTR

› Get help

• Most vendors have customer success teams and communities – take advantage of them

Be careful not to create too many playbooks at first. Build playbooks, roll them out, evaluate, then move on.


Wrap-Up And Recommendations


Wrap-Up And Next Steps

› Prioritize SAO as part of your security roadmap

• SAO has the potential to significantly impact operations

› Build a business case for SAO

• Demonstrate productivity gains, improved detection, and reporting

› Evaluate process to look for automation opportunities

• Build a foundation before increasing complexity

› Get your team on board

• Your team may be skeptical, so help them see the benefits for them

• Designate someone as the SAO champion or lead

© 2017 ServiceNow All Rights Reserved

Security Automation & Orchestration Best Practices

Piero DePaoli

Senior Director, Product Marketing, ServiceNow Security Business Unit


One in ~32 million definitions


Only ~521K for Orchestration


Putting Automation & Orchestration Into Context

[Diagram: Enterprise Security Response, built from Security Incident Response, Vulnerability Response, Workflow Automation & Orchestration, Deep IT Integration, and Threat Intelligence]


Use Case 1: High Profile Vulnerability Planning & Execution

• Scenario:

– Major software vulnerability announced

• What happens

– Need to quickly understand potential impact and inform execs


Use Case 1: High Profile Vulnerability Planning & Execution

• Use the CMDB to determine which business services use the vulnerable software


Use Case 1: High Profile Vulnerability Planning & Execution

• Automatically prioritize vulnerabilities based on:

– Business service impact

– Asset criticality

– Vulnerability risk score

• Automatically identify the assets creating the most risk and be ready to take action

• Facilitate emergency patches to critical assets
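The Use Case 1 flow (CMDB lookup, prioritization by service impact, asset criticality and risk score, then an emergency patch list) as an added example; this is not ServiceNow's code, and the assets, services, scoring weights and threshold are all constructed for illustration:

```python
"""Added example (not ServiceNow's or Forrester's code): prioritise a newly
announced vulnerability the way Use Case 1 describes, using CMDB-style data.
Every asset, service, weight and threshold below is constructed."""

# Constructed CMDB fragment: the software each asset runs and its criticality (1-5).
ASSETS = {
    "web-01": {"software": {"openssl-1.0.2"}, "criticality": 4},
    "db-01": {"software": {"openssl-1.0.2", "postgres-9.6"}, "criticality": 5},
    "kiosk-07": {"software": {"openssl-1.0.2"}, "criticality": 1},
    "build-03": {"software": {"gcc-7"}, "criticality": 2},
}
# Constructed business-service map: dependent assets and impact (1-5) of an outage.
SERVICES = {
    "payments": {"assets": {"web-01", "db-01"}, "impact": 5},
    "intranet": {"assets": {"kiosk-07"}, "impact": 2},
}


def affected_assets(vulnerable_software):
    """Use the CMDB to find every asset that runs the vulnerable package."""
    return {name for name, a in ASSETS.items() if vulnerable_software in a["software"]}


def service_impact(asset):
    """Highest impact of any business service that depends on this asset."""
    return max((s["impact"] for s in SERVICES.values() if asset in s["assets"]), default=0)


def prioritise(vulnerable_software, risk_score):
    """Rank affected assets by business-service impact, asset criticality and
    the vulnerability's own risk score (1-5). The 0.4/0.3/0.3 weights are an
    assumption of this example, not a product default."""
    ranked = []
    for asset in affected_assets(vulnerable_software):
        score = (0.4 * service_impact(asset)
                 + 0.3 * ASSETS[asset]["criticality"]
                 + 0.3 * risk_score)
        ranked.append((asset, round(score, 2)))
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


def patch_plan(vulnerable_software, risk_score, threshold=4.0):
    """Split the ranked assets into an emergency-patch list and a planned
    remediation queue (critical systems patched now, a plan for the rest)."""
    ranked = prioritise(vulnerable_software, risk_score)
    urgent = [a for a, s in ranked if s >= threshold]
    planned = [a for a, s in ranked if s < threshold]
    return urgent, planned
```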


Use Case 1: High Profile Vulnerability Planning & Execution

• Can immediately report that all critical systems are patched…


Use Case 1: High Profile Vulnerability Planning & Execution

• …and have a plan for responding to the rest


Use Case 2: Automatic Security Incident Investigation

The Typical Incident Investigation Process

1. Security incident generated

2. Analyst prioritizes, assigns & categorizes incident

3. Analyst identifies & extracts IPs, hashes & IoCs

4. Analyst runs reputational lookups via threat intel indicators

5. Analyst gets running processes from target machine

6. Analyst gets network connections from target machine

7. Analyst runs hashes on all running processes

8. Analyst runs threat intel lookups on all processes and network connections

9. Analyst confirms threat

10. Analyst begins remediation process


Use Case 2: Automatic Security Incident Investigation

The Incident Investigation Process with Automation

[Same ten-step flow as the previous slide; Red Boxes = Data Enrichment Activities]
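The data-enrichment steps of the investigation flow (extract IoCs, reputational lookups, collect running processes and connections, hash them, look everything up in threat intel) chained together as an added example; it is not ServiceNow's code, the incident text, threat-intel feed and host snapshot are constructed, and the EDR and intel integrations are in-memory stand-ins:

```python
"""Added example (not ServiceNow's code): automate the enrichment steps of the
incident investigation flow. Every input below is constructed; a real playbook
would call the EDR and threat-intel integrations instead of these dicts."""
import hashlib
import re

# Constructed incident text as it would arrive from the alerting tool.
INCIDENT = ("EDR alert on host WS-0412: outbound beacon to 203.0.113.45:443, "
            "file hash 9e107d9d372bb6826bd81d3542a419d6 dropped by svc.exe")
# Constructed threat-intel feed: indicator -> verdict.
THREAT_INTEL = {
    "203.0.113.45": "c2-server",
    "9e107d9d372bb6826bd81d3542a419d6": "known-dropper",
}
# Constructed snapshot of the target machine: process name -> image bytes.
RUNNING_PROCESSES = {
    "explorer.exe": b"benign image bytes",
    "svc.exe": b"The quick brown fox jumps over the lazy dog",
}
NETWORK_CONNECTIONS = ["10.0.0.5:445", "203.0.113.45:443"]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")


def extract_iocs(text):
    """Step 3: pull IPs and MD5 hashes out of the incident text."""
    return {"ips": sorted(set(IP_RE.findall(text))),
            "hashes": sorted(set(MD5_RE.findall(text)))}


def reputation(indicators):
    """Steps 4 and 8: look each indicator up in the threat-intel feed."""
    return {i: THREAT_INTEL[i] for i in indicators if i in THREAT_INTEL}


def hash_processes(processes):
    """Step 7: hash the image of every running process."""
    return {name: hashlib.md5(image).hexdigest() for name, image in processes.items()}


def enrich(incident, processes, connections):
    """Run steps 3 to 8 and hand the analyst what they need for step 9 (confirm)."""
    iocs = extract_iocs(incident)
    proc_hashes = hash_processes(processes)            # steps 5 and 7
    conn_ips = [c.rsplit(":", 1)[0] for c in connections]   # step 6
    hits = reputation(iocs["ips"] + iocs["hashes"] + list(proc_hashes.values()) + conn_ips)
    suspicious = sorted(n for n, h in proc_hashes.items() if h in hits)
    return {"iocs": iocs, "intel_hits": hits,
            "suspicious_processes": suspicious, "confirmed": bool(hits)}
```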


Use Case 3: Automatic Phishing Incident Handling

• Scenario:

– User believes they have received a Phishing Email

• What happens

– User sends the email to phishing@example.com

– Report which automatically submits email and contents for malware scanning


Use Case 3: Automatic Phishing Incident Handling

• If malicious:

– Determine who else has received email

• If opened, delete it from mail server and scan for malware

• If not opened, delete it from mail server

– Update mail server protection to block email

– Update firewall rules to block URL included in email
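The Use Case 3 phishing playbook written out as decision logic, as an added example; this is not ServiceNow's code, and the mail-server state, sandbox verdicts and the block actions are constructed in-memory stand-ins for the real integrations:

```python
"""Added example (not ServiceNow's code): the automatic phishing-handling
playbook. Mail server, sandbox and firewall are constructed stand-ins."""

# Constructed mail-server state: message id -> recipient -> read status.
MAILBOXES = {
    "msg-7781": {"alice@example.com": {"opened": True},
                 "bob@example.com": {"opened": False},
                 "carol@example.com": {"opened": True}},
}
# Constructed sandbox verdicts for the submitted email and its contents.
SANDBOX_VERDICTS = {
    "msg-7781": {"malicious": True, "url": "http://phish.invalid/login"},
}


def scan(message_id):
    """Submit the reported email for malware scanning and return the verdict."""
    return SANDBOX_VERDICTS.get(message_id, {"malicious": False, "url": None})


def handle_phishing_report(message_id):
    """Run the playbook for one user report; returns the actions taken, in order."""
    actions = [("submit_for_scan", message_id)]
    verdict = scan(message_id)
    if not verdict["malicious"]:
        actions.append(("close_as_benign", message_id))
        return actions
    # Malicious: find everyone else who received it.
    for user, state in sorted(MAILBOXES.get(message_id, {}).items()):
        # Opened or not, the copy is removed from the mail server...
        actions.append(("delete_from_mailbox", user))
        # ...and an opened copy additionally triggers an endpoint malware scan.
        if state["opened"]:
            actions.append(("scan_endpoint_for_malware", user))
    actions.append(("block_on_mail_server", message_id))
    if verdict["url"]:
        actions.append(("block_url_on_firewall", verdict["url"]))
    return actions
```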


Use Case 4: Managing Vendor Risk

• Scenario:

– Major software vulnerability announced

• What happens

– Need to quickly understand potential impact and inform execs

– Potential Impact is bigger than just MY systems, this includes third parties that house or access sensitive data


Use Case 4: Managing Vendor Risk

1. Automatically create dependency mappings using CMDB and GRC indicators to create risk scores for vendors

2. Identify critical vendors and high priority issues with dynamically generated risk scores

3. Create questionnaire on status of specific vulnerability and automatically push out to all vendors

4. Easily report progress on critical vs non-critical and take actions if needed


Three Strategies for Implementing Automation & Orchestration


ServiceNow

[Platform diagram. Platform services: Single Database, Contextual Collaboration, Service Catalog, Service Portal, Subscription & Notification, Knowledge Base, Orchestration, Developer Tools, Reports & Dashboards, Workflow. Intelligent Automation Engine: Predictive Modeling, Anomaly Detection, Peer Benchmarks, Performance Forecasting. Runs on Nonstop Cloud; application areas: Business Apps, IT, Security, HR, Customer Service.]


ServiceNow Security Operations

[Diagram: Security Incident Response, Vulnerability Response, Workflow Automation & Orchestration, Deep IT Integration, and Threat Intelligence, layered on the same platform services (Single Database, Contextual Collaboration, Service Catalog, Service Portal, Subscription & Notification, Knowledge Base, Orchestration, Developer Tools, Reports & Dashboards, Workflow) and Intelligent Automation Engine (Predictive Modeling, Anomaly Detection, Peer Benchmarks, Performance Forecasting), running on Nonstop Cloud]


Joseph Blankenship: www.forrester.com/Joseph-Blankenship, @infosec_jb

Piero DePaoli: www.servicenow.com/sec-ops, @pierodepaoli

Q & A
