Emerging Technologies & the State of the SOC. John Kindervag, Vice President and Principal Analyst

Transcription

1

2 Emerging Technologies & the State of the SOC John Kindervag, Vice President and Principal Analyst

3 2014 In Review 2015 Forrester Research, Inc. Reproduction Prohibited 3

4 2015 is bad too! 2015 Forrester Research, Inc. Reproduction Prohibited 4

5 Companies are Naïve about Compromise Q4. How many business-impacting attacks or breaches has your organization experienced (whether publicly announced or not) in the past 12 months? Q6. How were these attacks or breaches discovered? Select all that apply More than % 7% Internal detection Internal detection External detection External detection Other third-party 40% 30% 16% 4% 73% % Q5. What is the likelihood your IT systems have been compromised within the past 12 months and you are unaware? % Highly likely Somewhat likely 4% 11% None 21% 45 respondents at orgs. that did not experience an attack Not that likely Highly unlikely 27% 58% Base: 180 IT security decision-makers at US, UK, German, and Brazilian-based companies that have implemented or evaluated SIM/SIEM or security analytics technology Source: A commissioned study conducted by Forrester Consulting on behalf of RSA, September Forrester Research, Inc. Reproduction Prohibited 5

6 Thinking about creating a SOC? Source: ((CC BY-SA 2.0) 2015 Forrester Research, Inc. Reproduction Prohibited 6 6

7 SOC Operations are Complex Source: Security Operations Center (SOC) Staffing, August Forrester Research, Inc. Reproduction Prohibited 7

8 SOC Operations are Overwhelming Source: Security Operations Center (SOC) Staffing, August Forrester Research, Inc. Reproduction Prohibited 8 8

9 Staffing an SOC is expensive Source: April 20, 2010, SOC 2.0: Virtualizing Security Operations Forrester report 2015 Forrester Research, Inc. Reproduction Prohibited 9

10 SOC Core Technologies Past Present Future SIM/NAV Security Analytics Automated Response Data Insights Action Actionable INTEL (is not action) 2015 Forrester Research, Inc. Reproduction Prohibited 10

11 Future Security Operations must be Virtual Social Action Oriented Automated Customer Obsessed 2015 Forrester Research, Inc. Reproduction Prohibited 11

12 Future Security Operations must be Virtual Social Action Oriented Automated Customer Obsessed 2015 Forrester Research, Inc. Reproduction Prohibited 12

13 Security Operations Center 1.0 Source: NASA ( Forrester Research, Inc. Reproduction Prohibited 13

14 Full time staff is dedicated to threats Q24. Does your organization have a centralized team within the security organization responsible for threat detection and response (e.g., SOC, CIRC, CIRT, incidence response team)? Yes, we have a team of full-time staffers with primary responsibility for threat detection and response Yes, we have a team of full-time staffers to address threat detection and response, but it isn't their primary responsibility Yes, we use a combination of full-time staffers and an MSSP to address threat detection and response 17% 28% 36% No, but we outsource threat detection and response to an MSSP 5% No, but we plan to have a dedicated team within the next 12 months 8% No, but we plan to fully or partially outsource threat detection and response within the next 12 months No, and we have no plans to form a team or outsource 2% 4% Base: 180 IT security decision-makers at US, UK, German, and Brazilian-based companies that have implemented or evaluated SIM/SIEM or security analytics technology Source: A commissioned study conducted by Forrester Consulting on behalf of RSA, September Forrester Research, Inc. Reproduction Prohibited 14

15 SOC 2.0 is virtual SOC 2.0 is not a place. SOC 2.0 is not a big projection screen. SOC 2.0 is not a fancy motorized chair. SOC 2.0 is a PHONE. SOC 2.0 is a BROWSER. SOC 2.0 is a PERSON. SOC 2.0 is INFORMATION. SOC 2.0 is SOCIAL Forrester Research, Inc. Reproduction Prohibited 15

16 Building SOC 2.0 Identify core people. Not typical SOC engineers Training and experience Identify core technologies. Security Analytics Security Information Management (SIM) Network Analysis and Visibility (NAV) Forensics and Sandboxes 2015 Forrester Research, Inc. Reproduction Prohibited 16

17 Future Security Operations must be Virtual Social Action Oriented Automated Customer Obsessed 2015 Forrester Research, Inc. Reproduction Prohibited 17

18 We need to move from a culture of need to know to a culture of need to share. BAE Systems Source: November 19, 2009 Harnessing Social Networking To Drive Transformation Forrester report 2015 Forrester Research, Inc. Reproduction Prohibited 18

19 The social SOC Strategic partners: SANS MITRE Threats and attacks Managed svcs. partners Vendor tech support VARs and consultants Leverage the hacker ethic. Strategic Commercial partners Corporate network Corp VSOC Ad-hoc SOC cloud Publicly available information Bill Joy s Law: No matter who you are, most of the smartest people work for someone else. Source: April 20, 2010, SOC 2.0: Virtualizing Security Operations Forrester report 2015 Forrester Research, Inc. Reproduction Prohibited 19

20 Companies must embrace social SOC Traditional SOC costs are high. Staffing Transaction costs Labor elasticity is an issue. It leverages existing skilled resources. The social SOC is scale-free. Companies will collaborate because operational costs will plummet. Threat Intelligence Sharing 2015 Forrester Research, Inc. Reproduction Prohibited 20

21 Future Security Operations must be Virtual Social Action Oriented Automated Customer Obsessed 2015 Forrester Research, Inc. Reproduction Prohibited 21

22 We are drowning in data and starving for insight. Global Bank 2015 Forrester Research, Inc. Reproduction Prohibited 22

23 Security Analytics Leverages Big Data Reporting and Presentation Engine Data Analytics Engine IT Big Data Store 2015 Forrester Research, Inc. Reproduction Prohibited 23

24 Multiple data sources are collected for SA Q17. From which data sources does your organization currently collect, parse, query, and analyze data in your security analytics solutions? From which sources would you like to collect and analyze data? Currently collect and analyze Would like to collect and analyze Currently collect, but don't analyze No plans/need Security device logs Server logs Network device logs Database logs Database activity monitoring tools Network flow data Network traffic metadata Application logs Endpoint security status and logs Full network packet data Cloud applications Other SYSLOG sources Data from other SIMs 55% 59% 53% 58% 47% 47% 36% 48% 46% 38% 31% 34% 31% 29% 30% 21% 34% 30% 25% 26% 21% 30% 28% 38% 25% 27% 19% 16% 16% 16% 21% 25% 27% 33% 12% 2% 14% 2% 16% 5% 17% 4% 18% 3% 4% 8% 8% 7% 6% 6% 9% 7% Traditional log management/sim NAV NAV Base: 99 IT security decision-makers at US, UK, German, and Brazilian-based companies that have implemented security analytics technology Source: A commissioned study conducted by Forrester Consulting on behalf of RSA, September Forrester Research, Inc. Reproduction Prohibited 24

25 Link to Action with Insight Insights team All Data Right data Insights-to-execution process Effective actions Possible Actions Security Analytics Source: April 27, 2015, Digital Insight Is The New Currency Of Business Forrester report 2015 Forrester Research, Inc. Reproduction Prohibited 25

26 Security analytic-generated data improves insight Q21. How often is security analytic-generated data used to improve estimates of the likelihood and impact of threats during risk assessments? Rarely 8% Regularly 52% Occasionally 39% Base: 100 IT security decision-makers at US, UK, German, and Brazilian-based companies that have implemented security analytics technology Source: A commissioned study conducted by Forrester Consulting on behalf of RSA, September Forrester Research, Inc. Reproduction Prohibited 26

27 Future Security Operations must be Virtual Social Action Oriented Automated Customer Obsessed 2015 Forrester Research, Inc. Reproduction Prohibited 27

28 We want to move faster but Q28. What are the desired outcomes from increasing your organization s security? Select all that apply Faster response to attacks and suspicious activity 72% Greater visibility into threats and network activity 47% Improved understanding of risks specific to our organization 41% Better collaboration and alignment between security and the business 41% Base: 180 IT security decision-makers at US, UK, German, and Brazilian-based companies that have implemented or evaluated SIM/SIEM or security analytics technology Source: A commissioned study conducted by Forrester Consulting on behalf of RSA, September Forrester Research, Inc. Reproduction Prohibited 28

29 Security processes are too manual! Insight Automate! Action 2015 Forrester Research, Inc. Reproduction Prohibited 29

30 Source: Forrester Research, Inc. Reproduction Prohibited 30

31 Define Policy to automate response Declared Policy Sec Analytics 2015 Forrester Research, Inc. Reproduction Prohibited 31

32 Define Policy to automate response Declared Policy Sec Analytics IT Data 2015 Forrester Research, Inc. Reproduction Prohibited 32

33 Define Policy to automate response Declared Policy Data Identity Sec Analytics IT Data 2015 Forrester Research, Inc. Reproduction Prohibited 33

34 Response Index Engine Define Policy to automate response Declared Policy Data Identity Sec Analytics IT Data 2015 Forrester Research, Inc. Reproduction Prohibited 34

35 Confidence Level Response Index Low High Alert, Report and Stop Alert and Report No Response Low Impact High 2015 Forrester Research, Inc. Reproduction Prohibited 35

36 Response Index Engine Define Policy to automate response Data Identity Declared Policy Sec Analytics High RIE Engine: If conf = x then block, else report Automatic Response Because the response is defined by declared policy, Sec is empowered to act. IT Data Low Report 2015 Forrester Research, Inc. Reproduction Prohibited 36

37 Future Security Operations must be Virtual Social Action Oriented Automated Customer Obsessed 2015 Forrester Research, Inc. Reproduction Prohibited 37

38 We Have Entered The Age Of The Customer October 2013 Competitive Strategy In The Age Of The Customer 2015 Forrester Research, Inc. Reproduction Prohibited 38

39 Age of the Cutomer Transform the customer experience Turn big data into business insights Age of the Customer Embrace the mobile mind shift Become a digital disruptor 2015 Forrester Research, Inc. Reproduction Prohibited 39

40 Prevention is Dead? Intrusion Breach Prevention Detection 2015 Forrester Research, Inc. Reproduction Prohibited 40

41 Future Security Operations must be Virtual Social Action Oriented Automated Customer Obsessed 2015 Forrester Research, Inc. Reproduction Prohibited 41

42 Panel: Secrets of the SOC - Ask the Experts Your Burning Questions 3:45 PM Room E353A David Gray, RSA, ACD Practice Consultant Laura MacDonald, EMC Corporation, Sr. Manager, CIRC Strategic Services Kevin Maffett, State Farm Insurance, Compliance Director Kevin Young, Adobe Systems, Manager, Security Operations 2015 Forrester Research, Inc. Reproduction Prohibited 42

43 Thank you John Kindervag +1 forrester.com