Put Analytics And Automation At The Core Of Security
TRANSCRIPT
© 2017 FORRESTER. REPRODUCTION PROHIBITED.
Joseph Blankenship, Senior Analyst
October 18, 2017
We work with business and technology leaders to develop customer-obsessed strategies that drive growth.
Analyst Bio
Joseph (aka JB) supports Security & Risk professionals, helping clients develop security strategies and make informed decisions to protect against risk. He covers security infrastructure and operations, including security information management (SIM), security analytics, security automation and orchestration (SAO), distributed denial of service (DDoS), and network security. His research focuses on security monitoring, threat detection, insider threat, operations, and management.
Joseph Blankenship, Senior Analyst
Forrester
My Challenge For Today
Agenda
› The Evolving World
› Cybersecurity Has To Evolve
› Analytics And Automation
› Starting Your Automation Journey
› Rules of Engagement
› Wrap-Up
The Evolving World
People And Technology Continue To Evolve
Image Source: www.vexels.com/vectors/preview/71108/evolution-of-human-work-silhouettes
Delivering A 5 MB Hard Drive In 1956
[Image with size annotations: 1.25in, .94in, .08in thick]
Smartphones Replaced A Host Of Devices
Concerts Have Evolved
Remember Telephone Operators?
Image Source: www.flickr.com/photos/jill_carlson/11085936793, www.flickr.com/photos/70251312
Cybersecurity Has To Evolve
51% of firms were breached in the past 12 months.
48% of Enterprise Firms Suffered 2+ Breaches in 2017
Top Data Types Breached
“What types of data were potentially compromised or breached in the past 12 months?”
Personally identifiable information (name, address, phone, Social Security number): 41%
Authentication credentials (user IDs and passwords, other forms of credentials): 34%
Account numbers: 29%
Intellectual property: 28%
Corporate financial data: 26%
Website defacement: 22%
Payment/credit card data: 20%
Other personal data (e.g., customer service data): 16%
Other sensitive corporate data (e.g., marketing/strategy plans, pricing): 8%
Base: 614 global network security decision-makers whose firms have had a security breach in the past 12 months
Source: Forrester Data Global Business Technographics Security Survey, 2017
Security Analysis Is A Manual Activity
Source: Forrester’s Security Operations Center (SOC) Staffing
Too Many Alerts / Too Few Analysts
Source: Forrester’s Security Operations Center (SOC) Staffing
Attacker Dwell Time Still Averages 99 Days
› Dwell times have dropped from 146 days in 2015 to 99 days in 2016
› While this is a substantial improvement, it’s still far too long
Source: 2017 FireEye M-Trends Report
Obligatory Picture Of Guy In Hoodie With Ones And Zeroes
The lack of speed and agility when responding to a suspected data breach is the most significant issue facing security teams today.
Source: Forrester’s “Rules of Engagement: A Call to Action to Automate Breach Response” report.
Infrastructures Are Increasingly Complex
Organizations can't handle increased complexity with manual processes.
Increasing Complexity Necessitates The Use Of Automation
Source: Reduce Risk And Improve Security Through Infrastructure Automation Forrester report
Analytics And Automation
Security Analytics Enables Better Detection
Source: Forrester’s Vendor Landscape: Security Analytics (SA)
Automation Will Speed Response
› Alert triaging
› Context gathering
› Containment
› Remediation
Automation Isn’t A Four Letter Word
› Historically, security pros have shied away from automation
  • Risk of stopping legitimate traffic or disrupting business
  • Need for human analyst to research and make decisions
Top 10 Enterprise Security Challenges
› Complexity of our IT environment
› Changing/evolving nature of IT threats (internal and …
› Compliance with new privacy laws
› Day-to-day tactical activities taking up too much time
› Building a culture of data stewardship
› Lack of budget
› Lack of staff (the security team is understaffed)
› Unavailability of security employees with the right …
› Inability to measure the effectiveness of our security …
› Other priorities in the organization taking precedence …
Base: 1,700 Security technology decision-makers (1,000+ employees)
Source: Forrester Data Global Business Technographics Security Survey, 2017
68% state that using automation and orchestration tools to improve security operations is a high or critical priority.
Base: 1,169 Security technology decision-makers (1,000+ employees)
Source: Forrester Data Global Business Technographics Security Survey, 2017
Security Is Evolving To Be More Automated
#1 Security Productivity Tool
Analysts Also Swivel Chair Between Tools
We Already Have LOTS Of Security Tools
Source: Momentum Partners
More tools = more security alerts
Automation Will Help Break Down Silos
Automation will help analysts become more productive, but will not be a replacement for human analysts.
Starting Your Automation Journey
Crawl, Walk, Run
› What are the tasks/processes ready for automation today?
  • Repetitive, manual tasks
  • Low-risk processes like investigation, context building, and querying
› Build a strong foundation, then work on more advanced automation
  • Complicated processes
  • Remediation activities
Targeted Attack Hierarchy of Needs
Source: Forrester’s Targeted-Attack Hierarchy Of Needs: Assess Your Core Capabilities report
Rules Of Engagement
Automating Response
› Automating security is a business requirement
› Security is behind other parts of the business
Source: Forrester’s Rules Of Engagement: A Call To Action To Automate Breach Response
Automation Requires Defined Rules Of Engagement
› To enable automation, security teams must:
  • Know the business
    › Understand key systems and data
  • Establish policies for automating
    › When to automate
    › When to send to a human analyst
  • Build consistent processes
    › Bad process = garbage in / garbage out
› Policies based on business requirements
  • Protect toxic data – IT’S ALL ABOUT THE DATA
  • Build policies based on data risk
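One way to turn the rules of engagement above (when to automate, when to hand off to an analyst, policies keyed on data risk, and a guard against garbage in) into a policy a playbook engine can evaluate. This is an added example, not Forrester's or the speaker's code; the thresholds, asset roles and toxic-data classes are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional, Tuple


class Action(Enum):
    ENRICH_ONLY = "enrich_only"    # crawl: automated context gathering, nothing changed
    AUTO_CONTAIN = "auto_contain"  # run: automated containment (isolate host, disable account)
    HUMAN_REVIEW = "human_review"  # hand to an analyst together with the gathered context


@dataclass(frozen=True)
class Alert:
    alert_id: str
    asset: str
    asset_role: str                          # e.g. "workstation" or "server"
    confidence: float                        # detection confidence from analytics, 0.0 to 1.0
    data_classes: Optional[FrozenSet[str]]   # data held on the asset; None = unknown


# Hypothetical rules of engagement, constructed for this example.
RULES = {
    "toxic_data": frozenset({"pii", "credentials", "payment_card"}),
    "auto_contain_min_confidence": 0.9,
    "review_min_confidence": 0.5,
    "auto_contain_roles": frozenset({"workstation"}),  # never auto-contain critical servers
}


def handles_toxic_data(alert: Alert, rules=RULES) -> bool:
    """Data-risk test: does the affected asset hold data the policy calls toxic?"""
    return bool(alert.data_classes and alert.data_classes & rules["toxic_data"])


def decide(alert: Alert, rules=RULES) -> Tuple[Action, str]:
    """Apply the rules of engagement and return (action, reason)."""
    # Garbage in / garbage out guard: never act automatically on incomplete input.
    if alert.data_classes is None or not 0.0 <= alert.confidence <= 1.0:
        return Action.HUMAN_REVIEW, "incomplete alert data; policy cannot be evaluated"
    toxic = handles_toxic_data(alert, rules)
    if alert.confidence >= rules["auto_contain_min_confidence"]:
        if toxic and alert.asset_role in rules["auto_contain_roles"]:
            return Action.AUTO_CONTAIN, "high confidence, toxic data at risk, role permits automation"
        if toxic:
            return Action.HUMAN_REVIEW, "high confidence, but containing this role could disrupt the business"
        return Action.HUMAN_REVIEW, "high confidence, no toxic data; analyst decides on containment"
    if alert.confidence >= rules["review_min_confidence"]:
        return Action.HUMAN_REVIEW, "medium confidence; enrich and queue for an analyst"
    return Action.ENRICH_ONLY, "low confidence; gather context only"
```

Every branch returns a reason string so that each automated decision is auditable after the fact.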
A Formula For Defining Toxic Data
Rules Of Engagement
Source: Forrester’s Rules Of Engagement: A Call To Action To Automate Breach Response
Wrap-Up And Next Steps
› Security teams lack the speed and agility to stop breaches
  • Inadequate tools and slow, manual processes impede progress
  • Complex environments require automation
› We have to make better, faster security decisions
  • Security analytics tools help make that happen
  • Ability to automate is dependent on more accurate, improved detection
› Automation can deliver faster response
  • Build a foundation before increasing complexity
  • Define rules of engagement for automation
FORRESTER.COM
Thank you
Joseph Blankenship
www.forrester.com/Joseph-Blankenship
@infosec_jb