SESSION ID: SBX4W5
SECOPS: NAVIGATE THE NEW LANDSCAPE FOR PREVENTION, DETECTION AND RESPONSE
Dara Such, VP & Publisher, Security, Networking and IoT, TechTarget (@darasuch)
What we'll cover today
- State of SecOps: findings from the TechTarget Incident Response Priorities Survey (March-April 2018)
  - Where are we today
  - What your peers are evaluating
  - Team buying dynamics
- Panel discussion with experts leading the charge in this space
Introduction
- Malcom Harkins, Chief Security & Trust Officer
- Rich Barger, Director of Security Research
- Mike Scutt, Senior Manager, MDR Operations
- Dara Such, VP & Publisher, Security Media
What you'll learn today
Session objectives:
- Understand what organizations are doing today to be more resilient and responsive to attacks
- Understand the need for, and the impact of, new prevention, detection and response tools
- Be better equipped to justify incident response resources in your own organization
Global content footprint delivers digital dominance on key security topics
Sites: SearchSecurity, SearchCompliance, SearchCloudComputing, SearchCloudApplications, SearchCloudSecurity, SearchMobileComputing, SearchITOperations, SearchEnterpriseAI, SearchCIO, SearchSDN, SearchNetworking
Ranked #1 for: Advanced Threats, Identity Management, Incident Response, Threat Intelligence, SIEM, Cyber Security, GDPR Compliance, Intrusion prevention, Data loss prevention
- 2.7 million+ ranking technology keywords, 1,000+ in the top 10 specific to security
- 50,000+ security articles on our network, including news, Buyers Guides, expert tips and more
- 7,500+ active accounts researching incident response topics across our network
Editorial content
- Cloud incident response: What enterprises need to include in a plan
- How to buy the best incident response tools for your enterprise
- Improved threat detection and incident response
- Incident response tools can help automate your security
- How cybersecurity risk fits into enterprise risk management
- Why security incident management is paramount for enterprises
- Building an intrusion detection and prevention system for the cloud
State of SecOps & Incident Response Survey
About the research you will see today:
- Fielded March-April 2018
- 421 global respondents, geo-balanced
Company sizes:
- 100-999 employees: 40%
- 1,000-10,000 employees: 32%
- 10,001+ employees: 29%
Quick breakdown of this audience
39% have experienced a breach; of those, the breach types experienced were:
Ransomware, Phishing, Malware, DDoS, Advanced Persistent Threat, Insider breach
Chart values: 22%, 19%, 29%, 38%, 37%, 41%
Additionally:
- 56% have a Security Operations Center in their organization
- 38% have a formal incident response plan in place
- 28% have a specified incident response team lead in the event of a breach
TechTarget Incident Response Pulse Survey, Worldwide, n = 195
What's driving change in today's Security Operations Center?
1. Adoption and mainstreaming of transformational technology exposes new attack surfaces
2. Rise in the sophistication, volume and range of attack types
3. Skills gap and security budgets restrict the impact of the SOC and of traditional security frameworks
Themes: Data Management, AI, Ransomware, Cloud, GDPR, Skills Gap, Data Protection, Internet of Things, Machine Learning, Digital Transformation, DevOps, Big Data, Hyperconvergence, Containers, Platform thinking, Predictive Analytics, Software Defined, Hyper-scale, Managed Services
"If you fail to plan, you are planning to fail." - Benjamin Franklin
What is your organization's current level of incident prevention, response & management?
Options:
- In use now across multiple departments
- Not in plan at this time
- Near term planning (less than 12 months)
- In pilot/evaluation stage
- In longer term plan (less than 24 months): 7%
Chart values for the first four options: 18%, 13%, 19%, 43%
Organizations that employ DevOps are 33% more likely to have incident prevention/response/management fully in use, compared to the average survey respondent.
TechTarget Incident Response Pulse Survey, Worldwide, n = 195
Top challenges limiting adoption of incident prevention, response & management capabilities
- Lack of available talent/skills/expertise to manage or use it
- Lack of available budget
- High cost of technology
- Lack of business case studies/proven examples of incident
- Complexity of internal purchase or implementation
- Lack of executive buy-in
- Compliance
- Current solutions for incident response too immature/have
- Failure to derive value from previous incident prevention,
- Use case unclear or lacking
- None
- Other
Chart values: 3%, 5%, 24%, 24%, 23%, 21%, 17%, 16%, 13%, 32%, 40%, 38%
TechTarget Incident Response Pulse Survey, Worldwide, n = 195
What is driving your organization's efforts around incident prevention, response & management?
- Improve our ability to prevent or respond to a future breach or attack: 67%
- Gain better visibility into application and network performance
- Improve our ability to respond to a prior breach or attack
  (chart values for these two: 48%, 45%)
- Prepare for and comply with data privacy regulations, including GDPR
- Increase our forensic/attribution capabilities
- Adapt existing management/response processes for existing DevOps environments
- Prepare for increased use of DevOps
  (chart values for these four: 19%, 18%, 34%, 37%)
- Other: 5%
The response to this has resulted in a noisy and rapidly evolving landscape
- More than 200 unique vendors and MSSP/MDR service providers
- Wide-ranging services and capabilities crossing numerous categories of (overlapping) solutions
- All designed to prevent, detect and respond to security incidents more effectively using new, more adaptive security methods... but what IS it?
Technologies/services being purchased to support incident prevention, response & management
- Endpoint protection platforms
- Endpoint detection & response platform
- Security analytics
- DLP/encryption tools
- Managed Security Services
- Managed Detection & Response (MRP)
- Visibility or auditing tools for cloud-based environments
- Security orchestration, automation & response (SOAR) platform
- Cloud access security broker (CASB)
- Other
- Deception technology
- Non-CASB identity, access and authentication tools
Chart values: 15%, 14%, 10%, 9%, 7%, 7%, 31%, 30%, 34%, 41%, 46%, 45%
TechTarget Incident Response Pulse Survey, Worldwide, n = 195
Most important capabilities your incident response technology currently addresses
- 59%: Prevent or minimize loss of data or unauthorized access to data
- 45%: Reduce time from breach to detection
- 45%: Improve efficiency of existing staff and resources
- 42%: Reduce response time after a breach has occurred
- 23%: Achieve compliance with GDPR or other compliance regulations
- Free up internal staff by shifting responsibility for incident detection, response and/or management to a 3rd party
- Other
  (chart values for these two: 17%, 7%)
TechTarget Incident Response Pulse Survey, Worldwide, n = 195
Investment & Budget Dynamics
Investments in cybersecurity are at an all-time high: +$3.6 billion in 2017
- Top funded startups (in the last 3 years, $60M+ rounds): $180M, $100M, $100M, $100M, $70M
- Unicorns ($1 billion+ valuation)
- Market leaders (traditional vendors also investing): acquisitions in April 2016, May 2017, November 2017, February 2018, April 2018 and April 2018
State of the Union: Budgets by company size
Budget bands: Less than $10K; $10K to <$25K; $25K to <$50K; $50K to <$100K; $100K to <$250K; $250K to <$500K; $500K to <$1M; $1M to <$2.5M; $2.5M or more
Chart values by company size:
- 100-999 employees: 49%, 22%, 16%, 5%, 4%, 4%
- 1,000-10,000 employees: 31%, 22%, 11%, 8%, 11%, 8%, 6%, 3%
- 10,001+ employees: 17%, 7%, 7%, 3%, 7%, 20%, 13%, 13%, 13%
TechTarget Incident Response Pulse Survey, Worldwide, n = 195
Budgets are increasing
How do you expect your incident prevention, response & management spending to change over the next 12 months?
- 11%: Decrease (by 1% to 9%, by 10% to 24%, by 25% or more)
- 30%: Stay the same
- 60% expect their spending to increase (by 1% to 9%, by 10% to 24%, by 25% or more)
TechTarget Incident Response Pulse Survey, Worldwide, n = 195
Who is involved in the purchase decision making process?
Rank:
1. IT Ops Mgmt.
2. Security Ops Mgmt.
3. CIO
4. CISO
5. IT Operations Staff
Technology categories ranked: Endpoint protection platform; Endpoint detection & response platform; Security analytics; DLP/encryption tools; Managed Security Services; Managed Detection & Response (MRP); Visibility/auditing tools for cloud; SOAR platform; CASB; Deception technology; Non-CASB IAM tools
TechTarget Incident Response Pulse Survey, Worldwide, n = 195
Panelists
- Malcom Harkins, Chief Security & Trust Officer
- Rich Barger, Director of Security Research
- Mike Scutt, Senior Manager, MDR Operations
What's being monitored most widely?
In your role, what components of your environment/network are you monitoring most frequently? (Choose all that apply)
- Endpoints
- Network performance
- On-premises applications/devices
- Authentication
- Web applications
- Application performance
- Threat intelligence feeds
- SIEM event logs
- Network flow data
- User behavioral analytics
- Cloud-based (SaaS) applications
- Other
Chart values: 3%, 17%, 26%, 46%, 44%, 41%, 41%, 40%, 36%, 33%, 53%, 59%
TechTarget Incident Response Pulse Survey, Worldwide, n = 195
Tracking and KPI measurement are fairly shallow (limiting incident intelligence)
What metrics does your organization currently track associated with incident response? (Choose all that apply)
- Number of incidents (all)
- Number of incidents by type
- Number or type of recurring incidents
- Time to respond to incident (per incident or average)
- Number of incidents by source of breach
- Time to remediate incident (per incident or average)
- Number of incidents by urgency
- The percentage of incidents resolved by group (i.e. Service
- Number or percentage of major incidents
- Time to detect source of incident (per incident or average)
- Time to investigate incident (per incident or average)
- Number or size of backlog of unresolved incidents
- Average cost per incident
Chart values: 38%, 34%, 33%, 31%, 29%, 29%, 28%, 25%, 24%, 22%, 43%, 53%, 50%
The time-based metrics are the most insightful and the hardest to track.
TechTarget Incident Response Pulse Survey, Worldwide, n = 195
Automation plans
Which portions of your incident prevention & response plans are you considering automating? (Choose all that apply)
- Monitoring or analysis of threat feeds
- Anomaly detection
- Monitoring or analysis of SIEM alerts
- Incident investigation and detection
  (chart values for these four: 56%, 54%, 50%, 49%)
- Incident response (including recovery, quarantines, ...): 43%
- Notification to 3rd parties (customers, partners, etc.): 19%
- Other: 6%
THANK YOU