Six Weeks to Security Operations: The AMP Story
Mike Byrne, Cyber Security, AMP
Agenda
- Introductions
- The AMP Security Operations Story
- Lessons Learned
Speaker Introduction
NAME: Mike Byrne
TITLE: Consultant
FUNCTION: Enterprise Cyber Security
COMPANY: AMP
EXPERIENCE: 18 years in the technology industry, 15 of them in cyber security and risk management
EXPERTISE: Architecture, governance, operations, management consulting and program management
ACHIEVEMENTS: Delivered ServiceNow Security Operations in 6 weeks, including the Security service catalogue
CURRENT PROJECTS: Driving continuous improvement of Cyber at AMP
My Company
Name: AMP
Industry: Financial Services
Market Focus: Financial services company in Australia and New Zealand with superannuation and investment products, insurance, financial advice and banking products
Company's Primary Products/Solutions:
- Banking
- Investment management
- Financial planning and advice
- Insurance and superannuation
Company-wide Initiatives:
- Grow internationally
- Create a customer-centred culture
- Regulatory compliance and risk management
- Become more efficient by changing the way we work and use technology
Objectives and What You Will Learn
Objectives:
- Provide insight into the AMP ServiceNow Security Operations deployment
What you will learn:
- Why we implemented ServiceNow Security Operations
- The environment and challenges facing AMP
- How AMP deployed ServiceNow Security Operations in 6 weeks
- Key outcomes and lessons you may apply to your own initiatives and projects
Context: Setting the Stage
Industry trends:
- Attacks: more frequent, more sophisticated
- Information: growing rapidly, across multiple channels and physical boundaries
- Focus shift to prevent and protect, not detect and remediate
- Competitive pressures: brand and trust
- Digital transformations and cloud-first initiatives
- Legacy processes
- Push for analytics and standardisation
- Desire for more data-driven decisions
Program drivers and goals:
- Single system of record
- Integrate to automate, then orchestrate
- Improve visibility, reduce risk exposure and increase efficiency
Goals and Challenges
Challenges:
- Immature processes
- End-to-end vulnerability management
- Managing security incidents
- Inconsistent resolution with no visibility of impact

Capability areas, from pre-breach to post-breach:

PREVENT: Strategy and Governance (pre-breach)
- Comprehensive in breadth (Target Operating Model)
- Benefits driven from strategy through execution
- Information-driven approach

IMPROVE: Transformation
- Security transformation
- Informed by technology strategy
- Long-term engagement delivery
- Business-outcome focused

DETECT: Cyber Defense
- Technical assessments
- Security operations and monitoring
- Incident response
- Security analytics

RESPOND: Digital Response Services (post-breach)
- Digital evidence preservation and cyber investigation services
- Post-breach analysis and mitigation
Enhanced Time to Detect and Respond: Solution at a Glance
Actionable intelligence: solving the right problems at the right time.

Security Operations maturity levels:

1. Basic Operations
- Basic incident ticketing
- Incident response definition
- Integration with core security systems
- Process and accountability defined

2. Visibility and Performance
- Value-based prioritisation
- Visibility and reporting
- Prioritisation by impact
- KPIs, reporting and SLAs

3. Context and Enrichment
- Noise reduction
- Enhanced data enrichment tied to incidents
- Context-driven detection
- Automated data-gathering tasks
- Threat intelligence integrated with incident response
- Time to detect per event reduced

4. Automated Remediation
- Automated response actions for proactive measures and countermeasures
- Integrated change request and history
- Compress the time to contain and remediate incidents
- Visibility of changes and task fulfilment across teams
- Common attacks handled easily to improve response closure

5. Actionable Intelligence
- Circles of trust for peer intel sharing
- Dynamic workflow to educate and enable teams
- Security Information Network for intel and attack-method updates
- Automated querying of internal and supplier environments
- Educational expert systems and best-practice sharing
Solution Strategy, Approach and Methodology
Detecting modern-day vulnerabilities and threats is vital; however, the critical struggle is implementing efficient and effective collaboration between Security and IT.

Workstreams: Process & Workflow; Tooling Refinement and Automation; Service Level & Insight.

Role of ServiceNow:
- Reviewed and analysed existing processes against ServiceNow Security Operations suite functionality and identified gaps
- Designed and implemented the ServiceNow Security Operations vulnerability response, security incident response and threat intelligence applications
- Linked the ITSM incident process to security incident response, giving a central repository for all incidents; a Security Incident is created automatically from an ITSM incident based on its Category, eliminating dual entry
- Security incidents and vulnerabilities pose risk and usually require an IT Change, so change is tracked in the same platform
- Enabled a threat intelligence capability to obtain immediate information about indicators of compromise
- ServiceNow bridged the gaps between IT and Security through its workflow management, the ability to define standard requests, and the assignment of service levels to workflows

Reduce silo behaviours by taking a comprehensive approach that targets the identified gaps with proven methods and a good-practice, tailored solution; identify key business units and take them on the journey with you.

Key elements of the approach:
- Define a mutually agreed operating model between Security and IT that covers responsibilities, processes and agreed service levels
- Work towards an integrated and aligned landscape of tooling and automation, reducing overlap
- Establish a single workflow automation tool across Security and IT for all processes
- Apply effective change management to align the business and Cyber Security
- Integrate with leading security tools to ensure timely detection, enrichment of data and better prioritisation
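The ITSM-to-Security-Incident link described above is the one mechanism on this slide that is concrete enough to show in code. The following is an added example, not AMP's implementation and not ServiceNow's API: on the platform this logic would sit in a Business Rule on the incident table using GlideRecord, whereas here both tables are plain arrays so it runs stand-alone in Node. The category value "security", the field names, the SIR numbering and the priority-to-severity mapping are all assumptions. The point it adds to the slide is the idempotency check: "eliminating dual entry" only holds if a re-saved or re-processed ITSM ticket cannot spawn a second Security Incident, which is why every SIR carries a back-reference to its ITSM parent.

```javascript
// Added example (not AMP's or ServiceNow's code): auto-create a Security
// Incident (SIR) from an ITSM incident whose Category is "security", without
// creating duplicates. On the platform this would be a Business Rule on the
// incident table using GlideRecord; here both tables are plain arrays so the
// logic runs stand-alone in Node. Category value, field names and the
// priority-to-severity mapping are assumptions.

const SECURITY_CATEGORY = 'security'; // assumed ITSM category value

// Assumed: ITSM priority 1..5 (1 = highest) maps to SIR severity 1..3 (1 = highest).
const PRIORITY_TO_SEVERITY = { 1: 1, 2: 2, 3: 3, 4: 3, 5: 3 };

// Build the Security Incident record for one ITSM incident, or return null
// when none should be created (wrong category, or a SIR already links to it).
function securityIncidentFor(itsm, sirTable) {
  if (String(itsm.category || '').toLowerCase() !== SECURITY_CATEGORY) {
    return null;
  }
  // Idempotency: a re-saved or re-processed ticket must not spawn a second
  // SIR. The `parent` back-reference is what makes this check possible.
  if (sirTable.some((si) => si.parent === itsm.number)) {
    return null;
  }
  return {
    number: `SIR${String(sirTable.length + 1).padStart(7, '0')}`,
    parent: itsm.number, // link to the ITSM record: one system of record, no dual entry
    short_description: itsm.short_description,
    description: itsm.description,
    severity: PRIORITY_TO_SEVERITY[itsm.priority] || 3,
    cmdb_ci: itsm.cmdb_ci || null, // carried over as-is; CI quality must be verified separately
    state: 'draft',
  };
}

// Process every ITSM incident against the SIR table, appending new records.
// Returns the numbers of the SIRs created in this pass.
function routeIncidents(itsmTable, sirTable) {
  const created = [];
  for (const itsm of itsmTable) {
    const sir = securityIncidentFor(itsm, sirTable);
    if (sir) {
      sirTable.push(sir);
      created.push(sir.number);
    }
  }
  return created;
}

// Constructed sample data (not real AMP tickets).
const SAMPLE_ITSM = [
  { number: 'INC0010001', category: 'Security', priority: 1, cmdb_ci: 'web-prod-01',
    short_description: 'Suspicious outbound connections from web-prod-01',
    description: 'EDR flagged beaconing to an unknown host.' },
  { number: 'INC0010002', category: 'Hardware', priority: 3, cmdb_ci: 'laptop-2231',
    short_description: 'Laptop will not boot',
    description: 'Black screen on power-on.' },
  { number: 'INC0010003', category: 'security', priority: 4, cmdb_ci: '',
    short_description: 'Phishing email reported',
    description: 'User clicked the link, no credentials entered.' },
];

// Run the routing twice over the same ITSM table and return both passes plus
// the resulting SIR table; the second pass must create nothing.
function demo() {
  const sirTable = [];
  const firstPass = routeIncidents(SAMPLE_ITSM, sirTable);
  const secondPass = routeIncidents(SAMPLE_ITSM, sirTable);
  return { firstPass, secondPass, sirTable };
}
```

Running `demo()` creates two SIRs on the first pass (the hardware ticket is ignored) and none on the second, which is the behaviour to test for before switching such a rule on against a live incident table.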
Solution Timeline (2017)
Six weeks from kickoff to release, followed by hyper care. Phases shown across Weeks 1 to 6:
- Kickoff
- System design
- Coding
- Code improvement
- Integration testing
- Exec review
- Release
- Hyper care (post-release)
Value Outcomes
- Response time: 60% decrease
- Vulnerability response time: 3 to 6x faster
- Security incident response time: from months to minutes
Lessons Learned
1. Clearly define metrics and outcomes from the start
2. Don't assume CI information is of good quality
3. Better integration and features with Qualys
4. Break the business in slowly, with only critical and high vulnerabilities first
Our Next Steps
- Evolve our threat intelligence: disrupting the cyber-criminal ecosystem
- Continued orchestration: risk reduction and threat prevention by context and priority
- Published cyber services: more cyber services on the service catalogue
Top Takeaways
1. Contextualisation: solving the right problems at the right time
2. Visibility: informed action
3. Automation: faster everything...
Thank You
Mike Byrne, Enterprise Cyber Security Consultant, AMP