
Simplify Security Operations - Detect, Prioritize and Respond

Bryce Schroeder - Sr. Director Security and Risk Practice

1st December 2016

©2016 ServiceNow All Rights Reserved 1


Simplify Security Operations - Agenda

• Introduction
• NIST Guidance
• Why So Complicated?
• Steps to Simplify
• Conclusion
Bryce Schroeder serves as Sr. Director of ServiceNow's new Security and Risk Practice. This business unit
is focused on solving Enterprise Security Response. Before ServiceNow, Bryce was VP of Security
Engineering for Tripwire Inc. Bryce joined Tripwire from NetApp, where he led a team of Architects and
Systems Engineers in enterprise Cloud infrastructure solutions. Prior to NetApp, Bryce served in senior
leadership roles at Symantec, where he drove global solutions, as well as at Sun Microsystems, where he
pioneered development and successful deployment of secure remote automated software integration,
distribution and test across the Internet.
Bryce earned his Master's in Engineering and Technology Management from Portland State University and
three Bachelor's degrees from Oregon State University in Electrical Engineering, Computer Engineering and
Computer Science.



The Enterprise Cloud Company

Enterprise Cloud
• Cloud-based Service that Modernizes and Transforms the Enterprise
• Highly Secure and Available Enterprise Cloud
• SaaS Business Model

NYSE: NOW
• ~3,200 Enterprise Customers
• ~4,200 Global Employees
• Major Sites: San Diego, Silicon Valley, Seattle, Amsterdam, London, Sydney, Israel, India

Strong Revenue & Growth
• $1.370-$1.380BN
• [Chart: revenue by fiscal year, FY09 to FY16E; bar labels $28M, $64M, $128M, $244M, $425M, $683M, $1BN]



NIST Framework for Improving Critical Infrastructure Cybersecurity



Security Operations Complications



THREAT LANDSCAPE



days on average to spot a breach
Mean Time to Identify [MTTI]

days to contain
Mean Time to Contain [MTTC]



[Figure: attack stages; labels include INFILTRATION, EXPLOITATION, EXFILTRATION and COVERING TRACKS]

The lack of speed and agility when
responding to a suspected data breach
is the most significant issue facing
security teams today.



Source: Forrester’s “Rules of Engagement: A Call to Action to Automate Breach Response” report.
WE HAVE LOTS OF SECURITY SOLUTIONS

Source: Momentum Partners



WHY ARE SECURITY SOLUTIONS COMPLEX?

Disconnected Silos
• SIEM, Malware, Threat
• Network Protection
• Endpoint Solutions
• IAMs



THE WRONG TOOLS ARE BEING USED FOR RESPONSE

Emails, Spreadsheets, Phone Calls, Meetings, and Text Messages are
difficult to measure and don’t provide an easy way to understand how
your processes are performing, where the bottlenecks are, and how to
improve them.



SECURITY RESPONDERS ARE OVERWHELMED

Security Alert
• SIEM
• APT
• EPS

Security Analyst
• What info do I need?
• What systems have the info that I need?
• What lookups do I need to run to derive 2nd level enrichment?
• Have I seen this type of threat before?
• Is it a threat attempting to go undetected?

Slower Security Response
• Security Runbook knowledge
• Multiple disparate solutions
• Manual scripting and operational tasks
• No historical threat intel tied to incidents or CIs
• No context across asset, service type or user group



CYBERSECURITY SKILL & TALENT GAP



NET IMPACT ON THE BUSINESS
[Chart: Impact of 16 factors on per capita cost of a data breach]

• Average total cost of a data breach: $4 MM
• Average cost per stolen record: $158
• Increase in cost since 2013: 29%

Ponemon Institute, 2016 Cost of Data Breach Study: Global Analysis

COMPLICATIONS FOR SECURITY OPERATIONS

• Time & Change: Threat Landscape; Time to Identify; Time to Contain
• Toolsets: Siloed; Different context; Too many alerts
• Communication: Wrong method for accountable real-time incident response
• Alert Overload: Too many alerts
• Skill & Talent Gap: Not enough skilled analysts to manage increasing incidents



Simplify Security Operations



FIVE BEST PRACTICES FOR SIMPLIFYING SECURITY OPERATIONS

• Single System for IT & Security: Collaborate & Communicate
• Service Mapping: Criticality & Prioritization
• Automate Your Security Runbook: Cross reference, Prefetch
• Visualize Security Posture
• Knowledge & Capability: Track Progress, Find Gaps & Optimize

SIMPLIFY: Single System for IT & Security

NIST-based process

Single system that captures all collateral related to the incident.
• Tasks
• Attachments
• Post Incident Reviews
• Work Notes
• etc.

Role based so sensitive data is only shared with the proper roles.



SIMPLIFY: Single System for IT & Security

Notify and Connect

Connect enables chat groups to be quickly assembled so critical
resources can easily collaborate and audit response actions.

Notify enables conference calls to be quickly initiated with the
necessary stakeholders.



SIMPLIFY: Service Mapping

Provide Situational Awareness/Prioritization:
• Have we or our peers seen this attack before? (Threat)
• What do these assets mean to the business?
• What business risks are tied to these assets?
• How vulnerable are these assets?
• Is anything else going on with these assets?
• What are our plans?

Open Up Communication:
• Security Catalog
• Virtual War Room through Connect

[Figure labels: Mission Critical Service / Application; Service Outage; Security Breach Matching Known IOC On Vulnerable Asset; Security Breach On Vulnerable Asset]





SIMPLIFY: Automate

Security Incident Types can have Service Levels associated with them.
• Workflow facilitates collaboration and a
consistent process that all stakeholders can
follow and use to track response progress.

When a Security Incident comes in with “matching” conditions…
the SLA process starts.



SIMPLIFY: Visualize
CISO Trend dashboard

Business Service to Security Incident Criticality

Service Outage Map

Open Security Incidents by type


SIMPLIFY: Knowledge & Capability

The Post Incident Review is automatically generated from…
• Assessments
• Related Tasks
• Work Notes
• Incident flow steps
• etc.

The Post Incident Review can be useful for the audit documentation.



SIMPLIFY: Knowledge & Capability

Security Knowledgebase

Secure articles
• Event systems documentation
• SOPs documentation
• Key contacts lists
• Post Incident Review documentation



FIVE BEST PRACTICES FOR SIMPLIFYING SECURITY OPERATIONS

• Single System for IT & Security: Collaborate & Communicate
• Service Mapping: Criticality & Prioritization
• Automate Your Security Runbook: Cross reference, Prefetch
• Visualize Security Posture
• Knowledge & Capability: Track Progress, Find Gaps & Optimize

SERVICENOW: ENTERPRISE SECURITY RESPONSE

• Security Incident Response
• Vulnerability Response
• Threat Intelligence
• Workflow & Automation
• Deep IT Integration

Enterprise Security Response



Simplify Security Operations - Detect, Prioritize and Respond

THANK YOU
Bryce Schroeder - Sr. Director Security and Risk Practice
bryce.schroeder@servicenow.com
