Automation and Enterprise Security Response: Are We There Yet?
As RSA 2017 drew to a close, over 60 security executives gathered for a power lunch and panel discussion on Enterprise Security Response: The New CISO Imperative at the W San Francisco Hotel. Led by Marci McCarthy, CEO and President of T.E.N., the discussion with security leaders from Aflac, SunTrust Bank, Fifth Third Bank, Malwarebytes, and ServiceNow quickly delved into a whole host of topics, from the current challenges with security response to the benefits and risks associated with automation, concrete steps for bridging the current security response gaps, and even a healthy debate on future response strategies.
Panelists (Left to Right):
Julie Talbot-Hubbard SVP, Head of Information Security Operations, SunTrust
Gary Warzala, CISO, Fifth Third Bank
Tim Callahan, SVP, Global Security, CSO, Aflac Worldwide Headquarters
Justin Dolly, VP, Chief Security Officer & CIO, Malwarebytes
Sean Convery, VP and GM, Security Business Unit, ServiceNow
Here are my top ten (+1) personal take-aways:
- Get good at post-mortems: Triaging and prioritizing security incidents based on severity and impact is critical for effective response. However, Tim Callahan at Aflac Worldwide Headquarters stressed the need to get really good at post-mortems, capture lessons learned from responses, and create a good library of how you treat different types of incidents.
- What’s mine is not yours. Tailor your security response: “My high value assets are not the same as your high value assets. You need tailored responses that are specific to your organization’s needs. And that often means relying on teams spread across IT and other geographies,” said Justin Dolly at Malwarebytes.
- 201 days to discover a breach? No dice with the Board: Marci let the oft-quoted statistic from the Ponemon Institute’s 2016 Cost of a Data Breach Study hang in the air for a few brief seconds. The response from the panelists was mixed. While some acknowledged we’d come a long way–from over 300 days according to studies released in prior years–others like Gary Warzala from Fifth Third Bank underlined the fact that most boards expect detection in minutes, not days or months. With the surge in account takeovers and credential harvesting attempts, you have to be able to rapidly prioritize and deal with threats, he said. Using a CMDB to understand risk and to prioritize what gets done and in what order is a huge benefit, according to him.
- The truth, and nothing but the truth. But let’s not get all fire and brimstone with the Board: When asked about how they reported to the board, the answers were pretty consistent. “If you don’t have credibility, you have nothing,” according to Gary Warzala at Fifth Third Bank. He also talked about the need to find the inherent risk by business line, break out controls by business line, and focus the conversation with the board on whether a given level of risk is acceptable or not. And if it isn’t, that makes getting buy-in and investment to drive risk down easier. Justin Dolly at Malwarebytes concurred, “Integrity is the cornerstone. The unbridled truth.” However, he was quick to caution, “It can’t be all fire and brimstone though.”
- The Board expects, nay demands, global views of security posture: While trying to display the security health across businesses and geographies can be hard, Tim Callahan at Aflac Worldwide Headquarters expounded on the importance of providing the Board with a global view of your security posture. Developing a maturity scale across businesses and geos and showing quarter-over-quarter progress gives the Board comfort. It also helps garner their respect when you demonstrate that you have a plan should you be breached – and practice it. Sean Convery weighed in with insights from some of his conversations with CISOs at RSA 2017, including the need for dashboards with a cogent top-down view and perhaps reevaluating what you measure, citing the example of a global financial CISO who was questioning the merit of tracking events per second as a measure of risk to assets.
- Let’s get offensive – with automation – The discussion on automation and security response drew out some interesting differences in perspective. Tim Callahan cited the need for a “more offensive posture. So we can see ahead before it (incidents) hits us…we detect it, we know how we are being targeted, and then take proactive steps to block it, often automated.” The key is to use automated incident response to keep fighting the fight on the outside; as you get closer to the core, the margin for error is a lot lower.
- When a whole database goes amiss? What’s a panel discussion without some humor, even if we’re talking about something as heavy as security response strategies? One of the panelists drove home the need to get smart when it comes to distinguishing quickly between external and internal threats. You have to be able to quickly recognize internal mistakes and prioritize responses accordingly–he used the example of a misclassified “threat” when an employee moved a database by mistake and no one had a clue. That drew laughter and head nods from the audience.
- “Aha” moment at RSA – From automated processes to automated decision-making. What about people? – This was probably one of my favorite parts of the discussion – getting into the guts of automation. Where are we today with automation in security response? When it comes to automation, how far is too far? I really liked the “aha” moment that Gary Warzala at Fifth Third Bank shared: “When you think of attacks like ransomware, we’ve got to think about not just automating processes but go beyond and automate decision-making.” As an industry, he observed that we are at the “crawl” stage of the crawl-walk-run evolution in security response. Completely agree.
Sean Convery from ServiceNow wove in his real-world experience helping global CISOs take their first steps on the automation journey. He recommends starting with “non-destructive tasks”: for instance, getting your security runbook into a workflow, creating tasks for different stakeholders, and then evaluating the steps you can safely automate. Much of the discussion he’s had with CISOs this week at RSA has been around automating steps on the remediation side so you can clearly document and articulate what happened. With ServiceNow, the advantage is that everything is in the cloud – once you lay out your runbooks as automated workflows, you begin to gather data over time about the decisions you made in different situations, and can proactively offer that up as guidance to your security analysts the next time you encounter a similar situation.
Julie Talbot-Hubbard from SunTrust had good advice, stressing the need to understand and implement countermeasures, and to know who owns them, before automating responses. She highlighted the need to “adequately test and know your countermeasures. If you automate without that, you could cause an outage.”
Tim Callahan from Aflac recommended the use of a confidence rating mechanism to make decisions around automation. As the confidence factor gets lower, use a person for analysis. At the end of the day, you are making a risk-benefit decision and there can be consequences. But the benefit
- Good asset management is critical, especially if you have outsourced providers: This was another good reminder from Julie Talbot-Hubbard at SunTrust. When dealing with outsourced providers, it becomes especially critical to have really good asset management. You need to know which assets support critical business processes and which teams to engage.
- Security and IT teams – broken relationship? Not an option: Gary Warzala at Fifth Third Bank suggested cyber crisis response management workshops as a best practice, perhaps getting the board and even the regulators involved. He found the two-day exercise they conducted at the Bank immensely valuable, as it helped them get to know their IT partners better while practicing their response processes. They’ve run DDoS attack simulations to see how the NOC works with the cyber teams, and other exercises that bring the cyber team, fraud team, NOC team, and even representatives from vendors together. Great idea!
Tim Callahan added some interesting color around the reporting structure of IT teams dedicated to security response. He finds that it helps to create a portable organization and embed response teams within IT, keeping them on the security books and cost center.
Sean Convery from ServiceNow had a slightly different perspective from his conversations with both CISOs and the operational folks. He’s seen many examples of a broken relationship when you get down to the operational level within Security and IT teams – and it needs attention. He cited the example of a large software company that spends nearly 40% of its incident response time just trying to determine the owner of an IP address! One of the biggest healthcare brands has 10 people dedicated to serving as liaisons between the security and IT teams–what if you could improve those handoffs and processes?
- Bots and Machine learning in Security Response? – Tim Callahan from Aflac talked about the future of threat intelligence and response platforms. Machine learning and bots are already being used in business processes (e.g., in claims processing) to learn what humans do. There’s promise. And there’s certainly an appetite to explore their applicability in automating security response.
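To make the automation thread of the discussion concrete, here is an added example that is not code from ServiceNow, Aflac, SunTrust, or any panelist. It strings together four of the points above: resolve the IP in an alert to a CMDB record so the owning team and business process are known up front (the asset management and IP-owner points), run the runbook’s non-destructive steps automatically (Sean Convery’s starting point), refuse to automate any countermeasure that has not been tested (Julie Talbot-Hubbard’s caution), and gate destructive steps on a confidence rating whose bar rises with asset criticality, handing low-confidence calls to an analyst (Tim Callahan’s mechanism). The CMDB entries, the ransomware runbook, the scores and the thresholds are all constructed assumptions, not anything the panel described.

```python
"""Confidence-gated response automation over a tiny CMDB.

Constructed illustration, not code from ServiceNow or any panelist.
Every asset record, runbook step, score and threshold below is an assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Asset:
    cidr: str              # address range the asset answers on
    name: str
    owner_team: str        # the team to engage when this asset is involved
    business_process: str  # what stops working if it goes down
    criticality: int       # 1 = low ... 5 = crown jewel


@dataclass(frozen=True)
class Step:
    action: str
    destructive: bool  # True if a wrong call could cause an outage
    tested: bool       # the countermeasure has been exercised end to end


# Constructed CMDB: two address ranges, one of them a crown-jewel system.
CMDB = [
    Asset("10.10.0.0/24", "marketing-web-01", "web-platform", "public website", 2),
    Asset("10.20.5.0/24", "claims-db-cluster", "dba-core", "claims processing", 5),
]

# Constructed ransomware runbook, ordered from least to most destructive.
RANSOMWARE_RUNBOOK = [
    Step("open_ticket_and_notify_owner", destructive=False, tested=True),
    Step("capture_memory_and_disk_image", destructive=False, tested=True),
    Step("block_c2_domain_at_perimeter", destructive=False, tested=True),
    Step("isolate_host_from_network", destructive=True, tested=True),
    Step("disable_user_account", destructive=True, tested=False),
]

CROWN_JEWEL = 5


def lookup_asset(ip, cmdb=CMDB):
    """Resolve an IP to its CMDB record (most specific range wins), or None."""
    addr = ip_address(ip)
    hits = [a for a in cmdb if addr in ip_network(a.cidr)]
    if not hits:
        return None
    return max(hits, key=lambda a: ip_network(a.cidr).prefixlen)


def decide(step, asset, confidence):
    """Return ('auto', why) or ('analyst', why) for one runbook step.

    `confidence` is the detection's confidence in [0, 1]. The bar for a
    destructive action rises with the asset's criticality, and crown jewels
    always get a person.
    """
    if not step.tested:
        return "analyst", "countermeasure not tested; could cause an outage"
    if not step.destructive:
        return "auto", "non-destructive step"
    if asset is None:
        return "analyst", "no CMDB record: owner and criticality unknown"
    if asset.criticality >= CROWN_JEWEL:
        return "analyst", f"{asset.name} is a crown jewel; a person decides"
    threshold = 0.6 + 0.08 * asset.criticality  # crit 1 -> 0.68 ... crit 4 -> 0.92
    if confidence >= threshold:
        return "auto", f"confidence {confidence:.2f} meets bar {threshold:.2f}"
    return "analyst", f"confidence {confidence:.2f} below bar {threshold:.2f}"


def triage(ip, confidence, runbook=RANSOMWARE_RUNBOOK):
    """Build the execution plan for an alert on `ip`; returns (asset, plan)."""
    asset = lookup_asset(ip)
    plan = [(s.action, *decide(s, asset, confidence)) for s in runbook]
    return asset, plan


if __name__ == "__main__":
    for ip, conf in [("10.20.5.17", 0.9), ("10.10.0.42", 0.9), ("192.0.2.9", 0.99)]:
        asset, plan = triage(ip, conf)
        owner = f"{asset.owner_team} ({asset.business_process})" if asset else "unknown"
        print(f"{ip} confidence={conf} owner={owner}")
        for action, mode, why in plan:
            print(f"  {mode:8s} {action:32s} {why}")
```

Run as-is and the claims database host gets its evidence captured and its C2 domain blocked automatically, but isolation waits for an analyst because the asset is a crown jewel, while the same alert on the marketing web server at confidence 0.9 clears the 0.76 bar and isolates automatically. The untested account-disable step is never automated on either, and an address with no CMDB record still gets the safe steps but nothing destructive, which is the point the panel kept returning to: automate the decision, not just the process, and put a person in the loop wherever the confidence or the asset knowledge is not there.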
Plenty of astute observations, healthy skepticism, passionate discourse, and “aha” moments–all packed into 90 minutes–was a great way to wrap up the RSA Conference. The message was loud and clear: getting enterprise security response right is not optional. Building automation, trust with the Board, and strong relationships between Security and IT teams into security response programs is critical. To learn more about how ServiceNow can help you craft an effective security response program, visit www.servicenow.com/sec-ops