Improve Your Security Response with Automation

How Automation Can Dramatically Improve Your Security Response Program

Uploaded by: servicenow
Posted on: 11-Jan-2017
Slides: 17
Category: Technology

TRANSCRIPT

Page 1: Improve Your Security Response with Automation

How Automation Can Dramatically Improve Your Security Response Program

Page 2: Improve Your Security Response with Automation

Featured Presenters

Harold Byun, Senior Director, Security Business Unit, ServiceNow

Piero DePaoli, Senior Director, Security Business Unit, ServiceNow

Page 3: Improve Your Security Response with Automation

© 2016 ServiceNow All Rights Reserved. Confidential.

Organizations Have Invested in LOTS of Security Products

But what happens when something goes wrong?

Page 4: Improve Your Security Response with Automation


But are Struggling to Find and Stop Breaches…

Source: Ponemon Institute 2016

On average, it took respondents 201 days to spot a breach caused by a malicious attacker, and 70 days to contain it.

Page 5: Improve Your Security Response with Automation


Security Teams are Overwhelmed

• Manual tools
• Too many alerts and no context
• Siloed from IT (Security and IT work in separate silos)

Page 6: Improve Your Security Response with Automation


Security Response Challenge – Data Gathering and Enrichment

Alert sources: SIEM, APT, EPS → Security Alert → Security Analyst

Questions the analyst has to answer:

• What info do I need?
• What systems have the info that I need?
• What lookups do I need to run to derive 2nd level enrichment?
• Have I seen this type of threat before?
• Is it a threat attempting to go undetected?

What gets in the way:

• Security runbook knowledge
• Multiple disparate solutions
• Manual scripting and operational tasks
• No historical threat intel tied to incidents or CIs
• No context across asset, service type or user group

Result: Slower Security Response

Page 7: Improve Your Security Response with Automation


Enterprise Security Response

The Need: Enterprise Security Response

• Security Incident Response
• Vulnerability Response
• Threat Intelligence
• Workflow & Automation
• Deep IT Integration

Page 8: Improve Your Security Response with Automation


Introducing Security Operations

Page 9: Improve Your Security Response with Automation


Built on the IT-Connected Enterprise Cloud Platform

• Multi-Instance Architecture
• CMDB
• Workflow & Automation
• High Availability
• Data Replication
• Reporting
• Customization
• Knowledge Base
• APIs
• Security

Page 10: Improve Your Security Response with Automation


Security Operations: Security Incident Response

• Integrates with 3rd party threat detection systems and SIEMs
• Prioritizes incidents based on business impact
• Enriches incidents with threat intelligence
• Automation and workflows reduce manual tasks
• Improves collaboration between IT, end users and security teams

Page 11: Improve Your Security Response with Automation


Security Operations: Vulnerability Response

• Integrates with the National Vulnerability Database
• 3rd party integrations with market-leading vulnerability identification solutions
• Prioritizes vulnerable items
• Automates patch requests
• Seamless integration with Incident Response tasks, change requests and problem management

Page 12: Improve Your Security Response with Automation


Security Operations: Threat Intelligence

• Automatically connects indicators or observed compromises with an incident

• Incorporates multiple feeds, including customer custom feeds and confidence scoring for more reliability in identifying issues

• Supports the STIX language and TAXII transport to enhance recent threat data

• Seamless integration with Security Incident Response

Page 13: Improve Your Security Response with Automation


Security Response Challenge – Data Gathering and Enrichment


Page 14: Improve Your Security Response with Automation


Typical Security Incident Investigation Process

• Security incident generated
• Analyst prioritizes, assigns & categorizes incident
• Analyst identifies & extracts IPs, hashes & IoCs
• Analyst runs reputational lookups via threat intel indicators
• Analyst gets running processes from target machine
• Analyst gets network connections from target machine
• Analyst runs hashes on all running processes
• Analyst runs threat intel lookups on all processes and network connections
• Analyst confirms threat
• Analyst begins remediation process

Page 15: Improve Your Security Response with Automation


Speed up Incident Resolution: Automated Threat Intelligence Lookup

Typical Security Incident Investigation Process:

• Security incident generated
• Analyst prioritizes, assigns & categorizes incident
• Analyst identifies & extracts IPs, hashes & IoCs
• Analyst runs reputational lookups via threat intel indicators
• Analyst gets running processes from target machine
• Analyst gets network connections from target machine
• Analyst runs hashes on all running processes
• Analyst runs threat intel lookups on all processes and network connections
• Analyst confirms threat
• Analyst begins remediation process

Red boxes (on the slide) = data enrichment activities
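The enrichment steps the two investigation slides describe (extract IPs and hashes, look them up against threat intelligence, tie the result to the affected asset, set a priority) can be scripted end to end. The following is an added example, not code from the presentation or from ServiceNow: it pulls IoCs out of a constructed alert, looks them up in a constructed indicator table that merges several feeds with per-feed confidence scores (the confidence-scoring idea from the Threat Intelligence slide), joins the internal address to a constructed CMDB record so the incident is prioritized by business impact (the Security Incident Response slide), and returns a priority. The feed names, CMDB entries, hash value, the internal-network list and the P1 to P4 thresholds are all assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample alert, as a SIEM or endpoint product might forward it.
# 203.0.113.x / 198.51.100.x are RFC 5737 documentation addresses standing
# in for external hosts; the hash is made up; 999.1.1.1 is deliberately bogus.
SAMPLE_ALERT = (
    "EPS alert 4471: suspicious process on host fin-db-01 (10.20.30.40)\n"
    "sha256=3f786850e387550fdab836ed7e6dc881de23001b9e0c8a6b5d8f1c4c63a17c6a\n"
    "outbound 203.0.113.55:443, 198.51.100.7:8080, 10.20.30.1:53, 999.1.1.1\n"
)

# Constructed indicator table merging several (hypothetical) feeds:
# indicator -> list of (feed name, confidence 0-100).
THREAT_INTEL = {
    "203.0.113.55": [("vendor-feed", 90), ("isac-feed", 70)],
    "198.51.100.7": [("customer-feed", 40)],
    "3f786850e387550fdab836ed7e6dc881de23001b9e0c8a6b5d8f1c4c63a17c6a":
        [("vendor-feed", 95)],
}

# Constructed CMDB extract: host -> IP, business service, criticality 1 (low) .. 3 (high).
CMDB = {
    "fin-db-01": {"ip": "10.20.30.40", "service": "Payments", "criticality": 3},
    "hr-web-02": {"ip": "10.20.31.9", "service": "HR portal", "criticality": 2},
}

# Assumed internal address space; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
MIN_CONFIDENCE = 50  # assumed threshold; hits below it are advisory only


def extract_iocs(text):
    """Pull IPv4 addresses and SHA-256 hashes out of free-form alert text."""
    internal, external = set(), set()
    for raw in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue  # matches the regex but is not an address (e.g. 999.1.1.1)
        (internal if any(ip in net for net in INTERNAL_NETS) else external).add(raw)
    hashes = {h.lower() for h in SHA256_RE.findall(text)}
    return {"internal_ips": sorted(internal),
            "external_ips": sorted(external),
            "hashes": sorted(hashes)}


def enrich(indicators, intel=THREAT_INTEL):
    """Look each indicator up across all feeds; keep the best confidence and the feeds that agreed."""
    hits = {}
    for ind in indicators:
        sources = intel.get(ind)
        if sources:
            hits[ind] = {"confidence": max(c for _, c in sources),
                         "feeds": sorted(f for f, _ in sources)}
    return hits


def prioritize(alert_text):
    """Run the extraction and lookup steps and rate the incident by intel confidence and asset criticality."""
    iocs = extract_iocs(alert_text)
    hits = enrich(iocs["external_ips"] + iocs["hashes"])
    confident = {k: v for k, v in hits.items() if v["confidence"] >= MIN_CONFIDENCE}
    hosts = sorted(h for h, ci in CMDB.items() if ci["ip"] in iocs["internal_ips"])
    criticality = max((CMDB[h]["criticality"] for h in hosts), default=1)
    top = max((v["confidence"] for v in confident.values()), default=0)
    if top >= 80 and criticality == 3:
        priority = "P1"
    elif top >= 80 or (top >= MIN_CONFIDENCE and criticality >= 2):
        priority = "P2"
    elif hits:
        priority = "P3"  # only low-confidence hits: needs a human look, not an outage call
    else:
        priority = "P4"
    return {"priority": priority, "affected_hosts": hosts, "criticality": criticality,
            "confirmed_indicators": sorted(confident),
            "advisory_indicators": sorted(set(hits) - set(confident)),
            "iocs": iocs}


if __name__ == "__main__":
    import json
    print(json.dumps(prioritize(SAMPLE_ALERT), indent=2))
```

Two design points worth noting: the regex is only a first pass, so every candidate address goes through `ipaddress` before it is looked up, and internal addresses are never sent to an external reputation service but are instead used for the CMDB join. Keeping the low-confidence hits in a separate advisory list preserves the analyst's view of them without letting a single weak feed drive the priority.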

Page 16: Improve Your Security Response with Automation


Key Benefits

Security and IT are Connected
• Single platform for collaboration and accountability

Prioritize & Resolve Security Threats Faster
• Identification, correlation and automation

Definitive View of Security Posture
• Metrics, service levels, and dashboards

Page 17: Improve Your Security Response with Automation


Please visit our sponsor and learn more:

• http://www.darkreading.com/events/d/d-id/1127669
• http://www.servicenow.com/sec-ops