put analytics and automation at the core of security – joseph blankenship – senior analyst,...

© 2017 FORRESTER. REPRODUCTION PROHIBITED.

Upload: core-security

Post on 29-Jan-2018


Page 1: Put Analytics And Automation At The Core Of Security – Joseph Blankenship – Senior Analyst, Forrester Research

Put Analytics And Automation At The Core Of Security

Joseph Blankenship, Senior Analyst

October 18, 2017

We work with business and technology leaders to develop customer-obsessed strategies that drive growth.

Analyst Bio

Joseph (aka JB) supports Security & Risk professionals, helping clients develop security strategies and make informed decisions to protect against risk. He covers security infrastructure and operations, including security information management (SIM), security analytics, security automation and orchestration (SAO), distributed denial of service (DDoS), and network security. His research focuses on security monitoring, threat detection, insider threat, operations, and management.

Joseph Blankenship, Senior Analyst

Forrester

My Challenge For Today

Agenda

› The Evolving World

› Cybersecurity Has To Evolve

› Analytics And Automation

› Starting Your Automation Journey

› Rules of Engagement

› Wrap-Up

The Evolving World

People And Technology Continue To Evolve

www.vexels.com/vectors/preview/71108/evolution-of-human-work-silhouettes

Delivering A 5 MB Hard Drive In 1956

1.25in

.94in

.08in thick

Smartphones Replaced A Host Of Devices

Concerts Have Evolved

Remember Telephone Operators?

Image Source: www.flickr.com/photos/jill_carlson/11085936793, www.flickr.com/photos/70251312,

Cybersecurity Has To Evolve

51% of firms were breached in the past 12 months.

48% of Enterprise Firms Suffered 2+ Breaches in 2017

Top Data Types Breached

“What types of data were potentially compromised or breached in the past 12 months?”

41%: Personally identifiable information (name, address, phone, Social Security number)
34%: Authentication credentials (user IDs and passwords, other forms of credentials)
29%: Account numbers
28%: Intellectual property
26%: Corporate financial data
22%: Website defacement
20%: Payment/credit card data
16%: Other personal data (e.g., customer service data)
8%: Other sensitive corporate data (e.g., marketing/strategy plans, pricing)

Base: 614 global network security decision-makers whose firms have had a security breach in the past 12 months

Source: Forrester Data Global Business Technographics Security Survey, 2017

Security Analysis Is A Manual Activity

Source: Forrester’s Security Operations Center (SOC) Staffing

Too Many Alerts / Too Few Analysts

Source: Forrester’s Security Operations Center (SOC) Staffing

Attacker Dwell Time Still Averages 99 Days

› Dwell times have dropped from 146 days in 2015 to 99 days in 2016

› While this is a substantial improvement, it’s still far too long

2017 FireEye M-Trends Report

Obligatory Picture Of Guy In Hoodie With Ones And Zeroes

The lack of speed and agility when responding to a suspected data breach is the most significant issue facing security teams today.

Source: Forrester’s “Rules of Engagement: A Call to Action to Automate Breach Response” report.

Infrastructures Are Increasingly Complex

Organizations can't handle increased complexity with manual processes.

Increasing Complexity Necessitates The Use Of Automation

Source: Reduce Risk And Improve Security Through Infrastructure Automation Forrester report

Analytics And Automation

Security Analytics Enables Better Detection

Source: Forrester’s Vendor Landscape: Security Analytics (SA)

Automation Will Speed Response

› Alert triaging

› Context gathering

› Containment

› Remediation

Automation Isn’t A Four Letter Word

› Historically, security pros have shied away from automation
  • Risk of stopping legitimate traffic or disrupting business
  • Need for human analyst to research and make decisions

Top 10 Enterprise Security Challenges

• Complexity of our IT environment
• Changing/evolving nature of IT threats (internal and …
• Compliance with new privacy laws
• Day-to-day tactical activities taking up too much time
• Building a culture of data stewardship
• Lack of budget
• Lack of staff (the security team is understaffed)
• Unavailability of security employees with the right …
• Inability to measure the effectiveness of our security …
• Other priorities in the organization taking precedence …

Base: 1,700 Security technology decision-makers (1,000+ employees)

Source: Forrester Data Global Business Technographics Security Survey, 2017

68% state that using automation and orchestration tools to improve security operations is a high or critical priority.

Base: 1,169 Security technology decision-makers (1,000+ employees)

Source: Forrester Data Global Business Technographics Security Survey, 2017

Security Is Evolving To Be More Automated

#1 Security Productivity Tool

Analysts Also Swivel Chair Between Tools

We Already Have LOTS Of Security Tools

Source: Momentum Partners

More tools = more security alerts

Automation Will Help Break Down Silos

Automation will help analysts become more productive, but will not be a replacement for human analysts.

Starting Your Automation Journey

Crawl, Walk, Run

› What are the tasks/processes ready for automation today?
  • Repetitive, manual tasks
  • Low-risk processes like investigation, context building, and querying

› Build a strong foundation, then work on more advanced automation
  • Complicated processes
  • Remediation activities

Targeted Attack Hierarchy of Needs

Source: Forrester’s Targeted-Attack Hierarchy Of Needs: Assess Your Core Capabilities report

Rules Of Engagement

Automating Response

› Automating security is a business requirement

› Security is behind other parts of the business

Source: Forrester’s Rules Of Engagement: A Call To Action To Automate Breach Response

Automation Requires Defined Rules Of Engagement

› To enable automation, security teams must:
  • Know the business
    › Understand key systems and data
  • Establish policies for automating
    › When to automate
    › When to send to a human analyst
  • Build consistent processes
    › Bad process = garbage in / garbage out

› Policies based on business requirements
  • Protect toxic data – IT’S ALL ABOUT THE DATA
  • Build policies based on data risk

A Formula For Defining Toxic Data

Rules Of Engagement

Source: Forrester’s Rules Of Engagement: A Call To Action To Automate Breach Response

Wrap-Up And Next Steps

› Security teams lack the speed and agility to stop breaches
  • Inadequate tools and slow, manual processes impede progress
  • Complex environments require automation

› We have to make better, faster security decisions
  • Security analytics tools help make that happen
  • Ability to automate is dependent on more accurate, improved detection

› Automation can deliver faster response
  • Build a foundation before increasing complexity
  • Define rules of engagement for automation

FORRESTER.COM

Thank you

Joseph Blankenship

www.forrester.com/Joseph-Blankenship

@infosec_jb