Changing the approach to security automation and cooperation

Sean Convery shares his experience and insights on how security leaders can improve security automation, coordination with other teams, and boost their posture


How good is your understanding of what assets you have? What about knowing where each asset is? Or who is responsible for the asset when you need to handle an incident?

How can you properly protect the company if you don’t know what (and where) to focus on?

Most consider knowledge of company assets – including location, ownership, and custodian(s) – an essential first step of security. Otherwise, how do you know what you’re protecting? And without that, what are you automating?

Sean Convery of ServiceNow

I recently talked with Sean Convery (LinkedIn), VP and GM, ServiceNow Security Business Unit. Responsible for delivering solutions to key information security challenges, Sean is focused on helping enterprise organizations maximize the effectiveness of security teams while improving and understanding their security posture.

Two things stood out to me during the conversation: Sean has a lot of useful insights that benefit security leaders, and ServiceNow is expanding to address security issues. This captured my attention because it likely signals an easy win for security leaders in organizations that already use ServiceNow.  

Here are the five questions Sean and I discussed.

How does an expertise in workflow and process automation benefit security teams?

By bringing order to the chaos. Security teams typically use emails, spreadsheets, phone calls and other manual processes to receive and analyze a steady stream of alerts from siloed security systems. More than 90 percent of the IT and security professionals Enterprise Strategy Group (ESG) recently surveyed confirmed they rely on these manual processes, even though they realize doing so limits their incident response effectiveness and efficiency levels.

ESG also found that this reliance on manual tasks likely aggravates the divide between the IT and Security teams. The two groups are often disconnected and their goals unaligned. Fixing most security incidents or threats requires more effective collaboration between these teams. Buying more software to detect potential threats cannot adequately address these issues.

Replacing manual processes with automated workflows and systems management capabilities provides IT and security professionals with a single platform for responding to security incidents and vulnerabilities. An organization can significantly reduce the time it takes to identify and contain incidents and vulnerabilities, and reduce overall risk.

Let’s talk about assets. We have to know what we have in order to protect it. What have you learned about discovering and mapping assets in a way that benefits security?

The hybrid IT infrastructure has become the norm as enterprises continue to migrate apps and information stores to public and private clouds, yet keep some systems in the data center. The network has become so complex and difficult to manage and secure that it is easier for attackers to slip in unnoticed. According to the Ponemon Institute, it takes enterprises an average of 206 days to spot a breach and an average of 69 days to contain it.

A lack of business context for the affected service or resource further exacerbates the problem by treating all threats equally, making it difficult to focus security teams on high priority attacks. Frankly, they struggle to answer the fundamental question: “Are we secure, and are things getting better or worse?” because they are unable to establish baseline metrics for their security posture that they can track over time. Without this understanding, they lack the ability to strengthen the infrastructure and improve their response. The results are an overflow of events, inefficient security operations, and missed attacks that increase the risk of data loss or theft.

Implementing automated workflow and systems management capabilities enables you to map threats, security incidents and vulnerabilities to business services, IT infrastructure and even the owner of the asset. This mapping enables threat prioritization based on business impact, ensuring security teams are focused on what has the most impact to the business.
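The mapping described above, as an added example that is not ServiceNow's code: a small asset inventory in the shape a CMDB would hold (hostname, location, owner, business service) is used to enrich raw detection-tool alerts and rank them by business impact rather than by tool severity alone. The inventory, the service criticality ratings, the alerts and the severity-times-criticality score are all constructed assumptions. A host the inventory does not know about is treated as an inventory gap with a non-trivial default criticality rather than being silently ranked last.

```python
"""Enrich detection-tool alerts with business context (owner, location,
business service) from an asset inventory and rank them by business impact.

Added example, not ServiceNow code. The inventory, service criticality
ratings, alerts and the severity-times-criticality scoring are all
constructed assumptions for illustration."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    location: str   # where the asset runs (data center, cloud region, ...)
    owner: str      # team accountable for the asset during an incident
    service: str    # business service the asset supports


# Constructed inventory, the kind of data a CMDB would hold.
ASSETS: dict[str, Asset] = {
    "db-prod-01": Asset("db-prod-01", "dc-east", "payments-team", "payments"),
    "web-prod-03": Asset("web-prod-03", "cloud-us-east", "web-team", "storefront"),
    "dev-box-17": Asset("dev-box-17", "office-lab", "qa-team", "dev-sandbox"),
}

# Business criticality of each service, 1 (low) to 5 (critical). Assumed ratings.
SERVICE_CRITICALITY = {"payments": 5, "storefront": 4, "dev-sandbox": 1}

# Criticality assumed for a host the inventory does not know about. Not low:
# an unmapped asset is an inventory gap that itself needs an owner.
UNMAPPED_CRITICALITY = 3


def enrich(alert: dict) -> dict:
    """Attach owner, location, service and criticality to a raw alert."""
    asset = ASSETS.get(alert["host"])
    if asset is None:
        return {**alert, "owner": "unassigned", "location": "unknown", "service": None,
                "criticality": UNMAPPED_CRITICALITY, "inventory_gap": True}
    return {**alert, "owner": asset.owner, "location": asset.location,
            "service": asset.service,
            "criticality": SERVICE_CRITICALITY[asset.service], "inventory_gap": False}


def business_impact(enriched: dict) -> int:
    """Tool severity (1-5) weighted by the criticality of the affected service."""
    return enriched["severity"] * enriched["criticality"]


def prioritize(alerts: list[dict]) -> list[dict]:
    """Enriched alerts, highest business impact first; ties broken by hostname."""
    return sorted((enrich(a) for a in alerts),
                  key=lambda e: (-business_impact(e), e["host"]))


# Constructed alerts as a detection tool might emit them: host plus severity 1-5.
SAMPLE_ALERTS = [
    {"id": "ALR-1", "host": "dev-box-17", "severity": 5, "title": "critical CVE on dev box"},
    {"id": "ALR-2", "host": "db-prod-01", "severity": 3, "title": "unusual DB login"},
    {"id": "ALR-3", "host": "web-prod-03", "severity": 4, "title": "web shell signature"},
    {"id": "ALR-4", "host": "unknown-99", "severity": 2, "title": "port scan source"},
]

if __name__ == "__main__":
    for e in prioritize(SAMPLE_ALERTS):
        gap = " [INVENTORY GAP]" if e["inventory_gap"] else ""
        print(f'{business_impact(e):>3} {e["host"]:<12} {str(e["service"]):<12} '
              f'owner={e["owner"]}{gap}')
```

Ranked by raw severity the dev sandbox would come first; weighted by service criticality the storefront and payments hosts move to the top, each already carrying the owner to page, and the unknown host surfaces as an inventory gap to fix rather than disappearing at the bottom of the queue.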

Everyone talks about automation. A lot of people end up automating themselves more work. What do security leaders need to think about to get automation right?

First, you can’t automate what you don’t understand. If they haven’t yet done so, the first steps are to establish baseline metrics for their security postures that they can track over time, and to develop an incident response action plan that addresses an organization’s unique business services and IT architecture. This provides the response blueprint not just for IT and security, but also for other relevant departments such as legal or corporate communications.

The automated response workflow can be customized to the exact specifications of an organization’s security response run-book. Organizations that do not have one yet can follow the National Institute of Standards and Technology (NIST) best practices for security incident handling. Response coordination and requests that require multiple dependent tasks executed by multiple teams can be automatically created and assigned based on the incident attributes to ensure adherence to the response action plan and keep everyone in the loop. This reduces manual errors or missed communication steps when responding to an incident, increasing productivity and effectiveness.

The platform should track all activities in an incident lifecycle from analysis and investigation to containment and remediation of the incident. Upon closure of the incident, assessments are distributed across the team and a post incident review (PIR) documenting all incident related activities is automatically created as an historical audit record.

The team should realize some important time- and cost-savings benefits immediately. For example, streamlined remediation enables security incidents and vulnerabilities to automatically trigger patching and configuration changes. No more manual processes. Additionally, automating basic jobs improves the bandwidth of the security analysts and response teams to respond more efficiently to attacks and incidents. Teams reduce the time required to identify and contain incidents and vulnerabilities, ultimately reducing an organization’s overall risk.
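The run-book-driven workflow described in this answer (tasks created and assigned from incident attributes, dependencies between teams, and a post-incident record built from the activity log), as an added example that is not ServiceNow's workflow engine. The run-book rules, team names, SLA hours and the sample incident are constructed assumptions; the phase names in the comments follow the NIST SP 800-61 incident handling phases, everything else is invented for illustration.

```python
"""Create and assign response tasks from incident attributes using a run-book,
enforce task dependencies, and build a post-incident review from the audit log.

Added example, not ServiceNow code. Run-book rules, teams, SLAs and the
sample incident are constructed assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


@dataclass
class Task:
    name: str
    team: str                 # team the task is assigned to
    phase: str                # NIST SP 800-61 phase the task belongs to
    due: datetime             # opened_at + SLA hours
    depends_on: tuple[str, ...] = ()
    status: str = "open"
    completed_at: Optional[datetime] = None


# Constructed run-book: (applies-to-incident predicate, task, team, phase,
# SLA hours, dependencies). "*" means "every task generated before this one".
RUNBOOK: list[tuple[Callable[[dict], bool], str, str, str, int, tuple[str, ...]]] = [
    (lambda i: True, "triage-alert", "secops", "detection-analysis", 1, ()),
    (lambda i: i["category"] in {"malware", "intrusion"}, "contain-host", "it-ops",
     "containment", 4, ("triage-alert",)),
    (lambda i: i["category"] == "malware", "collect-forensic-image", "secops",
     "detection-analysis", 8, ("contain-host",)),
    (lambda i: i["category"] == "vulnerability", "apply-patch", "it-ops",
     "eradication-recovery", 72, ("triage-alert",)),
    (lambda i: i["data_classification"] in {"pii", "pci"}, "notify-legal", "legal",
     "containment", 24, ("triage-alert",)),
    (lambda i: i["data_classification"] in {"pii", "pci"}, "draft-customer-comms",
     "corp-comms", "eradication-recovery", 48, ("notify-legal",)),
    (lambda i: True, "post-incident-review", "secops", "post-incident", 120, ("*",)),
]


@dataclass
class Incident:
    attributes: dict
    tasks: list[Task]
    log: list[tuple[datetime, str]] = field(default_factory=list)  # append-only audit trail


def create_tasks(attrs: dict) -> list[Task]:
    """Instantiate every run-book task whose predicate matches the incident."""
    opened, tasks = attrs["opened_at"], []
    for applies, name, team, phase, sla_hours, deps in RUNBOOK:
        if not applies(attrs):
            continue
        if deps == ("*",):
            deps = tuple(t.name for t in tasks)
        tasks.append(Task(name, team, phase, opened + timedelta(hours=sla_hours), deps))
    names = {t.name for t in tasks}
    for t in tasks:  # a dependency on a task that was never created is a run-book bug
        missing = [d for d in t.depends_on if d not in names]
        if missing:
            raise ValueError(f"run-book inconsistency: {t.name} depends on {missing}")
    return tasks


def open_incident(attrs: dict) -> Incident:
    inc = Incident(attrs, create_tasks(attrs))
    inc.log.append((attrs["opened_at"], f"incident opened; {len(inc.tasks)} tasks created"))
    for t in inc.tasks:
        inc.log.append((attrs["opened_at"], f"assigned {t.name} to {t.team}, due {t.due.isoformat()}"))
    return inc


def ready_tasks(inc: Incident) -> list[str]:
    """Open tasks whose dependencies are all done, i.e. what each team can act on now."""
    done = {t.name for t in inc.tasks if t.status == "done"}
    return sorted(t.name for t in inc.tasks
                  if t.status == "open" and all(d in done for d in t.depends_on))


def complete_task(inc: Incident, name: str, at: datetime) -> list[str]:
    """Mark a task done (only if its dependencies are met) and return the newly ready ones."""
    task = next(t for t in inc.tasks if t.name == name)
    if name not in ready_tasks(inc):
        raise ValueError(f"{name} is not ready: dependencies {task.depends_on} still open")
    task.status, task.completed_at = "done", at
    inc.log.append((at, f"{task.team} completed {name}" + (" (SLA missed)" if at > task.due else "")))
    return ready_tasks(inc)


def post_incident_review(inc: Incident) -> dict:
    """Historical record assembled from the audit log rather than written by hand."""
    by_team: dict[str, list[str]] = {}
    for t in inc.tasks:
        by_team.setdefault(t.team, []).append(t.name)
    return {
        "incident": inc.attributes["id"],
        "all_tasks_done": all(t.status == "done" for t in inc.tasks),
        "sla_missed": [t.name for t in inc.tasks if t.completed_at and t.completed_at > t.due],
        "tasks_by_team": by_team,
        "timeline": [(ts.isoformat(), msg) for ts, msg in inc.log],
    }


# Constructed incident; the id is a placeholder, not a real record.
SAMPLE_INCIDENT = {"id": "INC-0001", "category": "malware", "data_classification": "pii",
                   "host": "db-prod-01", "opened_at": datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)}


def demo() -> dict:
    """Walk the constructed incident through its tasks and return the PIR."""
    inc = open_incident(SAMPLE_INCIDENT)
    t0 = SAMPLE_INCIDENT["opened_at"]
    for name, hours in [("triage-alert", 0.5), ("contain-host", 5), ("collect-forensic-image", 7),
                        ("notify-legal", 20), ("draft-customer-comms", 40), ("post-incident-review", 100)]:
        complete_task(inc, name, t0 + timedelta(hours=hours))
    return post_incident_review(inc)


if __name__ == "__main__":
    for line in demo()["timeline"]:
        print(*line)
```

The dependency check is what keeps every team in the loop in the right order: legal is notified only once triage has confirmed the incident, customer communications wait for legal, and the review cannot be closed while any task is open. The SLA flag on the containment task lands in the audit log automatically, so the PIR records the miss without anyone having to remember it.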

How does this approach improve the ability to measure security?

Because IT and Security are using a single platform from the creation of an incident to the post-incident review, every aspect of remediating security issues can be measured. This holds the overall organization accountable to solve problems quickly, and simple executive dashboards can clearly communicate security posture and how the organization’s security posture is trending.

ServiceNow Security Operations provides a standard interface layer that allows virtually any security element or threat data feed to integrate into the combined solution and create or provide context on an incident. Organizations get role-based dashboards, providing real-time trending data necessary to understand whether an organization is effective in securing their enterprise. It also includes an executive dashboard showing team productivity, existing gaps and overall security posture.

This lets security teams leverage their existing investments in their security infrastructure and tools while augmenting the information and correlation and alerting from those tools with rich business context. Security information and event management (SIEM) solutions, vulnerability and threat assessment tools, analytics engines, and advanced intrusion detection systems easily integrate with the ServiceNow platform and can trigger incidents or map to records in Security Operations.

The broader ServiceNow platform delivers additional enterprise capabilities that teams can leverage right away such as built-in service level agreement (SLA) thresholds, skills based routing, notifications, advanced workflow, and live collaboration. The platform also isolates security events from the rest of the system, ensuring that sensitive security incident data remains confidential.
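The measurement point made across this answer (baseline metrics for security posture, and dashboards that show whether things are trending better or worse), as an added example that is not ServiceNow Security Operations code: incident records with their lifecycle timestamps are reduced to time-to-detect and time-to-contain figures, grouped by month, and compared month over month. The records are constructed sample data and the metric names and trend rule are assumptions.

```python
"""Compute security-posture metrics (time to detect, time to contain) from
incident lifecycle records and report whether they are trending better or worse.

Added example, not ServiceNow code. The incident records are constructed
sample data; the metric names and the month-over-month trend rule are
assumptions."""
from __future__ import annotations
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import mean, median
from typing import Optional

UTC = timezone.utc


@dataclass(frozen=True)
class IncidentRecord:
    id: str
    service: str
    first_event_at: datetime          # earliest attacker activity found during investigation
    detected_at: datetime             # when the incident record was created
    contained_at: Optional[datetime]  # None while containment is still in progress
    closed_at: Optional[datetime]     # None until the post-incident review is done


def hours_between(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def posture_metrics(records: list[IncidentRecord]) -> dict:
    """Dwell time (event -> detection) and containment time (detection -> contained).
    Incidents not yet contained count toward the backlog, not the containment average."""
    detect = [hours_between(r.first_event_at, r.detected_at) for r in records]
    contain = [hours_between(r.detected_at, r.contained_at) for r in records if r.contained_at]
    return {
        "incidents": len(records),
        "mttd_h": mean(detect) if detect else None,          # mean time to detect
        "median_ttd_h": median(detect) if detect else None,  # robust to one long-dwell outlier
        "mttc_h": mean(contain) if contain else None,        # mean time to contain
        "uncontained": sum(1 for r in records if r.contained_at is None),
        "open": sum(1 for r in records if r.closed_at is None),
    }


def monthly_metrics(records: list[IncidentRecord]) -> dict[str, dict]:
    """Metrics per detection month, oldest first, so a baseline can be tracked over time."""
    by_month: dict[str, list[IncidentRecord]] = {}
    for r in records:
        by_month.setdefault(r.detected_at.strftime("%Y-%m"), []).append(r)
    return {month: posture_metrics(rs) for month, rs in sorted(by_month.items())}


def trend(monthly: dict[str, dict], metric: str) -> str:
    """Lower is better for time-based metrics; compare the last two months with data."""
    values = [m[metric] for m in monthly.values() if m[metric] is not None]
    if len(values) < 2:
        return "insufficient data"
    prev, last = values[-2], values[-1]
    if last < prev:
        return "improving"
    if last > prev:
        return "worsening"
    return "flat"


def dashboard(records: list[IncidentRecord]) -> dict:
    monthly = monthly_metrics(records)
    return {"overall": posture_metrics(records), "monthly": monthly,
            "mttd_trend": trend(monthly, "mttd_h"), "mttc_trend": trend(monthly, "mttc_h")}


# Constructed records; ids are placeholders.
SAMPLE_RECORDS = [
    IncidentRecord("INC-1", "payments", datetime(2024, 1, 1, 0, 0, tzinfo=UTC),
                   datetime(2024, 1, 3, 0, 0, tzinfo=UTC), datetime(2024, 1, 3, 12, 0, tzinfo=UTC),
                   datetime(2024, 1, 5, 0, 0, tzinfo=UTC)),
    IncidentRecord("INC-2", "storefront", datetime(2024, 1, 10, 0, 0, tzinfo=UTC),
                   datetime(2024, 1, 11, 0, 0, tzinfo=UTC), datetime(2024, 1, 11, 16, 0, tzinfo=UTC),
                   datetime(2024, 1, 12, 0, 0, tzinfo=UTC)),
    IncidentRecord("INC-3", "payments", datetime(2024, 2, 1, 0, 0, tzinfo=UTC),
                   datetime(2024, 2, 1, 12, 0, tzinfo=UTC), datetime(2024, 2, 1, 18, 0, tzinfo=UTC),
                   datetime(2024, 2, 3, 0, 0, tzinfo=UTC)),
    IncidentRecord("INC-4", "storefront", datetime(2024, 2, 10, 0, 0, tzinfo=UTC),
                   datetime(2024, 2, 10, 6, 0, tzinfo=UTC), None, None),  # still being contained
]

if __name__ == "__main__":
    print(json.dumps(dashboard(SAMPLE_RECORDS), indent=2))
```

The two things worth noticing are that an incident still in containment is reported as backlog rather than quietly lowering the containment average, and that the median is kept beside the mean because a single long-dwell incident can swing the mean enough to reverse the trend an executive dashboard shows.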

What can a security leader do today to get started in the right direction?

Although organizations are heavily invested in the latest detection and vulnerability technologies, they’ve neglected a critical step -- formalizing their teams’ incident response and connecting it with IT.

So there are two key takeaways for security leaders: you cannot rely on emails, phone calls and spreadsheets to manage security incidents and vulnerabilities for today’s hybrid IT architectures; and you need to bridge the long-standing gap between your security teams and IT operations. Manual processes, cross-team hand-offs, and siloed point solutions hinder the security team’s ability to efficiently respond to attacks or assess and remediate vulnerabilities. The lack of business context for the affected service or asset further exacerbates the problem by treating all threats equally, making it difficult to focus security teams on high priority attacks with the greatest impact to the business.

Creating workflows and implementing process automation, whether they work with us or not, is critical to effective security response, streamlining remediation and clearly measuring their security postures.
