SECURITY OPERATIONS IN GOVERNMENT: BREAKING DOWN WHAT YOU NEED TO KNOW
GOVLOOP POCKET GUIDE 2017
SECOPS LINKS THE SECURITY AND OPERATIONS TEAMS OF AN ORGANIZATION TOGETHER
FOREWORD FROM SERVICENOW
Federal agencies and their cybersecurity teams are in constant defensive mode to ensure that their systems are not compromised. Add to that the challenges of managing a seamless and secure federal IT enterprise in complex environments – all of that makes navigating the balance between security and functionality a difficult feat. Agency operations teams must work diligently to keep systems working for internal and external use, while security teams must ensure systems are safe, up to date and compliant with federal standards. One group is focused on security, while the other wants to ensure the system is at optimal performance. But such competing priorities and lack of integration between security and operations threaten to create gaps in security posture. This leaves agencies all the more vulnerable to cyberattacks. It’s up to governments to build bridges and consensus between the security and operations teams.
To do that, agencies must focus on improving security operations, or SecOps, a management approach that connects security and operations teams to create more visibility in networks and promote shared accountability. Additionally, SecOps helps teams work together by sharing processes and tools. This ensures agencies don’t have to sacrifice security to maintain uptime and system performance. SecOps allows for improved contextual awareness that encompasses the security and operational facets of an organization. With SecOps, agencies can be more proactive in making cybersecurity decisions while maintaining commitment to agility and peak system performance. As agencies look to implement SecOps, more will be turning to cloud adoption as an extension of their security environment.
But agencies should be cautious as they do so because many commercial cloud providers can’t provide holistic visibility and controls for data. That’s why it’s important to look for cloud-based technologies that can automate workflows, add capabilities for security incident response and incorporate threat intelligence. With SecOps and the right cloud platforms, you can expect security analysts to communicate better with IT operations teams working from the same platform. They can easily hand off tasks in an agile manner while maintaining agencywide visibility into the task at hand. Use this pocket guide to learn more about the importance of SecOps to government, how the right platform and tools can improve your SecOps approach and how your agency can expand and take security to the next level.
CONTENTS
Foreword (02)
Executive Summary (05)
Definition of SecOps in Government (06)
SecOps by the Numbers (08)
Today’s SecOps Landscape (10)
Industry Spotlight: Maintaining Agility Without Sacrificing Security (12)
SecOps in Action (14)
Cheat Sheet (16)
EXECUTIVE SUMMARY
Government agencies are barraged with more than 10,000 cyberthreats every day. Not only do agencies need equipped cyber professionals to manage and counter these threats, they also need IT operations professionals to ensure systems are at peak performance. At the same time, not every threat is critical and not every threat needs to be managed the same way. As a result, government leaders need to help their cyber professionals sift through the threats and ignore the less critical ones while mitigating the ones that actually matter.
The best way to do this is by improving security operations – connecting security and operations teams to create more visibility in your agency’s networks. This relationship allows security and operations teams to work better together in identifying the types of security threats facing networks, prioritize responses accordingly and make sure systems and services are running smoothly for all end users. This pocket guide will provide an overview of security operations in government. We’ll explain what SecOps is, why it matters and offer tips for agencies to apply SecOps to their IT and cybersecurity teams. We’ll also provide insights from SecOps use cases to help move your agency’s strategies forward.
DEFINITION OF SECOPS IN GOVERNMENT
In this section, we’ll break down exactly what SecOps means and its importance to government.
WHAT IS SECOPS?
Security and operations, or SecOps, is a management approach that links the security and operations teams of an organization together to work with shared accountability, processes and tools.
WHO’S INVOLVED IN SECOPS?
You have two teams that need to deliver two separate but integrated missions. First, the security team is there to oversee security of the agency and prevent hackers as well as malicious insiders from accessing sensitive government data and systems. Second, you have the operations team, which is responsible for maintaining uptime, stability and performance for current systems and deploying new services.
HOW DOES SECOPS WORK?
SecOps bridges the gap to connect security and operations teams. When an agency embraces SecOps methods, security employees can no longer simply hand off results from a vulnerability scan to operations team members and call it a day.
WHY IS SECOPS IMPORTANT TO GOVERNMENT?
SecOps helps ensure that government agencies don’t have to sacrifice security to maintain a commitment to agility. They can meet new service-delivery models that enable an agency to move faster with an automated, coordinated and more secure approach to enable continuous innovation.
The goal is to keep both teams engaged in the process and provide real-time visibility into what changes need to be made, as well as the possible impact of those changes to other parts of the business of the agency. SecOps increases collaboration between the security and operations teams with holistic visibility into risks, impacts and operational plans.
When security and operations teams are siloed and don’t have an effective way to transfer and consume information, agencies can struggle to quickly remediate vulnerabilities. On average, it takes 193 days from the time an agency is aware of a vulnerability to the time it’s fixed. This can be costly to government not only in time and money but also in public trust.
SECOPS BY THE NUMBERS
Why is SecOps growing in importance and use? What impact can SecOps have on organizations? These statistics will help give a brief account of SecOps by the numbers and provide context for why it’s so important to government.
DATA BREACHES ARE INCREASING IN OCCURRENCE AND COSTS
11,032,013 total records containing sensitive information were compromised in 2016 (Source: Privacy Rights Clearinghouse Chronology of Data Breaches database)
5,648,349 total government/military records have been compromised so far in 2017
$4M is the average price of a data breach as of 2016 (Source: 2016 Ponemon Institute Cost of a Data Breach Study)
$7.7M is the average annualized cost to detect, respond to and mitigate a breach (Source: 2016 Cybersecurity Trend Report from Ponemon Institute for Hewlett Packard Enterprise)
CURRENT TACTICS ARE INEFFICIENT
93% of security operations center managers reported being overwhelmed by alerts and unable to triage all potential cyberthreats (Source: 2016 McAfee Lab Threats Report)
52% of security alerts are ignored due to staffing and workday restrictions (Source: 2017 Swimlane Report)
70% of firms surveyed indicate that security and operations are dysfunctional across both organizations (Source: 2016 SecOps Report)
1/3 of organizations spend at least half of all incident-response time on manual processes, leading to inefficiencies and delays (Source: Enterprise Strategy Group Report)
SECOPS BECOMING INCREASINGLY IMPORTANT
64% of organizational leaders say with SecOps, accountability for security breaches has increased for operations teams (Source: 2017 2nd Annual IT Security and Operations Survey)
60% of organizations prioritize protecting against and responding to known security threats over other tactics
82% of organizations plan to invest more in security over the next 12 months
47% of organizations have increased responsibility for operations to ensure remediation is applied within established service-level agreements
TODAY’S SECOPS LANDSCAPE
In this section, we’ll discuss the ways government is currently working toward achieving SecOps with a focus on a crucial three-pillar approach, recommended by ServiceNow. We’ll also touch on why people are so important to the equation, and how agencies can create a workplace culture conducive to executing SecOps.
Government agencies are continually refining their security profiles by applying SecOps to their risk-management frameworks. This approach provides a disciplined and structured process that integrates information security and risk-management activities into the system development lifecycle. Such approaches give agencies the flexibility to apply their already constrained resources toward their most valuable data assets. More and more government agencies are turning to the SecOps approach to better connect their security and IT teams, respond faster and more efficiently to threats and get a definitive view of their security posture. A fundamental question that agencies must ask when it comes to security is: “Are we secure, and are things getting better or worse?” While there is no simple answer, most agencies struggle to establish baseline metrics for their security posture that they can track over time. Without this understanding, they lack the ability to strengthen the infrastructure and improve their response. That’s why, when applying SecOps, agencies must incorporate this three-pillar approach in both their strategy and cloud platform:
01 SECURITY INCIDENT RESPONSE
Security incident response simplifies identification of critical incidents and provides workflow automation tools to speed up remediation. To speed up response and allow your security team to spend more time addressing complex threats, security incident response automates basic tasks, including approval requests, malware scans and retrieval of running processes. All of this is done from one platform.
Using security incident response, security and operations teams can track all activities in an incident lifecycle, from analysis and investigation to containment and remediation. Once an incident is closed, assessments are distributed across the teams and a time-stamped post-incident review is automatically created as a historical audit record.
02 HOLISTIC PLATFORM
Using a holistic platform, agencies can quickly prioritize vulnerable items and attain business context to help security teams determine if critical systems are at risk. A holistic platform also provides a comprehensive view to both security and operations teams of all vulnerabilities affecting a given service, as well as the current state of all vulnerabilities affecting the agency.
When critical vulnerabilities are found, a holistic platform can help teams automatically initiate an emergency patch approval request. Once approved, orchestration tools can apply the patch and trigger an additional vulnerability scan to ensure the issue has been resolved. These scans can be viewed and monitored across all security and IT teams.
03 THREAT INTELLIGENCE
Security operations includes a threat intelligence application to help incident responders find the indicators of security compromise and hunt for low-lying attacks and threats. Threat intelligence can automatically search for relevant information when an indicator or observed attack is connected to a security incident. Using artificial intelligence (AI) and machine learning, threat intelligence allows security responders to stay ahead of cyberthreats. When a new vulnerability or attack vector is recognized, threat intelligence can assist security professionals to quickly detect those threats and identify relevant indicators.
But to fully leverage the SecOps approach as well as the three pillars, agencies must prioritize the most important part of the equation: people. Studies indicate that as much as 80 percent of data breaches are caused by human error. To decrease the occurrences of such errors, government agencies must focus on helping their staffs identify, eradicate and even mitigate security incidents. SecOps can help security and IT teams adopt a proactive approach that enables them to ensure tasks are done quickly, properly and in an automated manner.
The challenge with actually implementing SecOps is that, for many agencies, this requires significant cultural and technological shifts. The security and operations teams have to address their conflicting priorities, and leaders must step in to make sure everyone’s accountable for ensuring the agency and its users are protected. At the same time, security and IT have to start working from the same platform and invest in automated technologies that reduce time spent on manual tasks.
INDUSTRY SPOTLIGHT: MAINTAINING AGILITY WITHOUT SACRIFICING SECURITY
An interview with Bob Osborn, Chief Technology Officer, and Brian Crosby, Enterprise Architect, Federal Sector, ServiceNow
As government agencies increasingly turn to SecOps, they are also turning to the cloud and seeking the assistance of commercial cloud service providers to successfully migrate their platforms. Agency leaders will also need to continue refining security-based techniques to lower their risk profiles. More importantly, agencies should view cloud adoption as an extension of their own security environment rather than completely surrendering visibility of their environments to vendors and cloud service providers. The challenge from a security operations standpoint is that when agencies migrate to the cloud, it can be difficult to translate the right data between operations. They need contextual awareness and visibility of their entire infrastructure. Agencies should look to multi-instance cloud and capabilities where IT and security professionals can have holistic visibility and control of their data in newer platforms.
To discuss how agencies can best leverage SecOps and fully harness multi-instance capabilities, GovLoop sat down with Bob Osborn, Chief Technology Officer, and Brian Crosby, Enterprise Architect in the Federal Sector at ServiceNow. ServiceNow provides multi-instance cloud solutions to help agencies harness a holistic architecture for their security and operations teams. When cloud services first went live in the late ‘90s, the architecture was built on database systems originally designed for making airline reservations, tracking customer service requests and running financial systems. These database systems, however, were built on multitenant clouds where users share the same software and infrastructure.
“You need multi-instance capability to bridge the gap between security and operations.” —Brian Crosby, Enterprise Architect, Federal Sector, ServiceNow
Cloud providers can build and maintain a centralized system, but this multitenant cloud has drawbacks in terms of commingled data. Because your organization relies on the cloud provider to isolate your data from everyone else’s, the data can potentially become commingled with other organizational databases or structures. When your data is not physically separate and only relies on software for isolation, this can have major security implications for government. That’s where SecOps and multi-instance platforms come in.
“A lot of SecOps has evolved from a national need,” Crosby said. “There have always been cyber warriors patching systems to make sure they’re up to date. But at first, there was this idea that you couldn’t have security and operations in the same toolsets. Security and operations then evolved based on the number of devices and applications you had.”
A multi-instance architecture gives every agency its own unique database, making it virtually impossible for data to be commingled with any other databases. The multi-instance architecture is deployed on a per-customer basis rather than being built on large, centralized database software and infrastructure. This is how the enterprise runs its mission-critical applications. With data isolated, agencies can run a fully replicated environment that provides extremely high availability and upgrades on their schedule. That way security and operations teams can be more agile while ensuring their data is kept in the cloud safe and sound.
In addition to these benefits, multi-instance cloud offers:
• True data isolation, where hardware and software maintenance on unique instances become easier to perform.
• Advanced high availability, where ServiceNow’s multi-instance cloud is replicated between two paired and geographically diverse data centers in eight regions around the world.
• Customer-driven upgrades that allow each individual instance to be upgraded on a schedule that fits the security and compliance requirements according to the needs of each unique government enterprise.
The biggest piece of advice to agencies? “Just get started,” Crosby said. “Don’t wait any longer because you can’t keep up with things going at computer speed.”
With multi-instance cloud, agencies can decrease the opportunity for human error as much as possible and ensure more seamless operations. “You need to help teams identify, eradicate and mitigate security incidents,” Osborn said.
In short, the multi-instance architecture puts users in control of their cloud. “The differentiator with multi-instance capabilities is you have the visibility and control over data in one platform,” Osborn said. “You can then put controls in place that lock the data or mask it for anyone who doesn’t have access to those data fields. You have full control over who has access to that data, and can rapidly deploy new capabilities.”
SECOPS IN ACTION
In this section, we’ll walk through a scenario that you can use as a practical example of how SecOps works in a government setting.
Phishing attempts – where hackers obtain sensitive information such as usernames, passwords and credit card details through email – are some of the most pernicious cyberthreats out there. In fact, in 2016 alone, email was one of the most dangerous and efficient threat vectors against users, with one in 131 emails containing malware. That’s the highest rate in five years. Phishing attacks occur on a daily basis and can happen at your agency at any given point in time. How can your agency use SecOps to address this potential security incident?
SCENARIO
An employee believes he has received a phishing email trying to solicit sensitive agency information.
NEXT STEPS
The employee then sends the email to an agency address that handles potential security incidents: phishing@example.gov. With a SecOps approach and cloud platform, a report is automatically generated once the email is submitted and scans the content for malware.
AUTOMATIC INCIDENT HANDLING
The email was determined to be malicious. Now, the platform can automatically determine who else has received the email. For recipients who opened it, the platform deletes the mail from the server and scans their systems for malware; for recipients who did not open it, the platform simply deletes it from the mail server. The platform will then update mail server protection to block any more incoming emails from that address. Additionally, your SecOps cloud platform will help security and IT teams update firewall rules accordingly to block any URLs included in the email.
OUTCOME
By automatically handling the detection and processing of a phishing attempt, the cloud platform helped security and IT teams mitigate a potential security incident without adding to their already heavy workloads. As a result, the teams were also better able to coordinate security processes and communication with each other to detect such threats and ensure policies and preventive actions were taken.
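The automatic handling steps in the scenario above, as an added illustration that is not the guide’s or ServiceNow’s code: a simulated playbook in Python that takes a constructed forwarded message, extracts the sender and any URLs, matches them against a constructed threat-intelligence list, looks up other recipients in a constructed mailbox index, and records the delete, scan and block actions the text describes. All addresses, domains, data and function names are assumptions made for the example.

```python
"""Simulated SecOps phishing playbook (constructed example, not a vendor product)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: the message an employee forwarded to phishing@example.gov.
REPORTED_EMAIL = """\
From: payroll-update@exaample-gov.net
To: alice@example.gov
Subject: Action required: confirm your credentials
Content-Type: text/plain

Your account will be suspended. Verify at http://exaample-gov.net/login now.
"""

# Constructed mail-server index: who received mail from each sender and whether
# they opened it (a real platform would query the mail server for this).
MAILBOX_INDEX = [
    {"user": "alice@example.gov", "sender": "payroll-update@exaample-gov.net", "opened": True},
    {"user": "bob@example.gov", "sender": "payroll-update@exaample-gov.net", "opened": False},
    {"user": "carol@example.gov", "sender": "newsletter@example.gov", "opened": True},
]

# Constructed threat-intelligence feed: domains already known to be malicious.
MALICIOUS_DOMAINS = {"exaample-gov.net"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_indicators(raw_message: str) -> dict:
    """Pull the sender address and any URLs out of a reported message."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    urls = URL_RE.findall(body)
    domains = {urlparse(u).hostname or "" for u in urls}
    return {"sender": sender.lower(), "urls": urls, "domains": domains}


def matches_intel(domain: str, intel: set) -> bool:
    """True if the domain, or a parent domain of it, is on the malicious list."""
    return any(domain == bad or domain.endswith("." + bad) for bad in intel)


def run_playbook(raw_message: str, mailbox: list, intel: set) -> dict:
    """Classify the report and, if malicious, derive the containment actions."""
    ind = extract_indicators(raw_message)
    sender_domain = ind["sender"].rsplit("@", 1)[-1]
    malicious = matches_intel(sender_domain, intel) or any(
        matches_intel(d, intel) for d in ind["domains"]
    )
    actions = []
    if malicious:
        # Find every other recipient of mail from the same sender.
        for entry in mailbox:
            if entry["sender"].lower() != ind["sender"]:
                continue
            if entry["opened"]:
                actions.append(("delete_and_scan_host", entry["user"]))
            else:
                actions.append(("delete_from_server", entry["user"]))
        # Stop further mail from the sender and block the embedded URLs.
        actions.append(("block_sender", ind["sender"]))
        actions.extend(("block_url", u) for u in ind["urls"])
    verdict = "malicious" if malicious else "benign"
    return {"verdict": verdict, "indicators": ind, "actions": actions}


if __name__ == "__main__":
    result = run_playbook(REPORTED_EMAIL, MAILBOX_INDEX, MALICIOUS_DOMAINS)
    print(result["verdict"])
    for action in result["actions"]:
        print(*action)
```

The action tuples are the hand-off points where a real platform would call the mail server, endpoint scanner and firewall; here they are only recorded so the decision logic can be inspected.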
CHEAT SHEET
Use this cheat sheet to help you get started with SecOps.
1 Put people first
SecOps requires a pretty dramatic cultural change. Once an agency has shifted its mindset to focus on integrated tools and workflows for security and operations, be sure to communicate with all staff and stakeholders involved. Ensuring that your agency’s culture is ready to embrace SecOps will make it much easier to implement with the right approach and toolsets later on.
2 Get the right people in the room
Before you actually can get a SecOps program off the ground, it’s important to figure out who needs to be part of the cultural shift described above. That means getting C-levels and executive decision-makers on board early. It can be as simple as the agency leader telling the team, “Make our product more secure.” Next, make sure both security and IT teams buy into the goals of a SecOps transformation. One or both of these teams will be the driving force behind the change, but both need to see how it will solve pain points and establish common ground.
3 Educate the team about SecOps
Get everyone on the same page about what SecOps is and how it will work in your specific organization. This can best be done by getting out and talking to others who’ve already been through the process. A good way to start is by attending SecOps conferences in the area. Talk to other government leaders about what worked for them and what didn’t work. Use their real-world experiences to navigate your own hurdles. Making sure that everyone understands what is meant by SecOps, why the agency is moving in that direction and how it will benefit everyone in their day-to-day role is a great way to ensure that cultural change isn’t something that gets talked about but never acted on.
BEST PRACTICES FOR IMPLEMENTING SECOPS
4 Implement a buddy system
When it’s time to start implementing SecOps, get the security and IT teams to work together in one-on-one pairs. Having individuals work together is not only effective from a speed perspective, but also gives both sides an opportunity to learn each other’s priorities, perspectives and tools.
Pairing people together will enhance collaboration and also make it much easier for team members to learn new enterprise tools that are being implemented. For example, teach the configuration management tools the IT team uses to the security team as well.
5 Start with low-hanging fruit
With government agencies already having so many laws and regulations to follow, it can be overwhelming making sure any solutions implemented are compliant. Start from a small but meaningful area of security where you want to improve your agency’s posture.
For example, you could look to address the most common attack vectors for your agency, e.g., phishing attempts, or fix glaringly insecure processes being used at your agency, e.g., passwords being written on Post-its. Make it a goal to be at least 5 percent more secure than you were yesterday, and start with small SecOps projects.
6 Compile your suite of tools
Once you have more clarity on where to start, incorporate the three-pillar approach when selecting your cloud platform and suite of tools. Make sure to include security incident response, a holistic platform and threat intelligence. Solutions like ServiceNow’s Cybersecurity Manager can help automate your cybersecurity compliance process, ensuring you meet the baseline cybersecurity training and certification requirements for IT personnel. Additionally, your platform should provide intuitive dashboards that allow IT teams and security teams to centrally manage and view all critical and outstanding security issues with a modern, easy-to-read visual center.
7 Climb from low-hanging fruit to the top of the trees
Once you’ve implemented smaller SecOps projects successfully, put together a security improvement plan that ranks action items from simple to complex. Rank priorities from most important to least important, taking into account the things that can make the biggest differences at your agency. Incorporate continuous monitoring as early as possible. This will help your agency achieve a wide range of security objectives all at once.
THANKS TO SERVICENOW FOR THEIR SUPPORT IN PRODUCING THIS PUBLIC-SECTOR RESOURCE.
About ServiceNow ServiceNow is changing the way people work. By placing a service-oriented lens on the activities, tasks and processes that make up day-to-day work life, we help the modern enterprise operate faster, better and more scalable than ever before. As the enterprise cloud company, ServiceNow provides a service model that defines, structures and automates the flow of work, removing e-mail and spreadsheets from the process to streamline the delivery of services. To learn more visit www.servicenow.com
About GovLoop GovLoop’s mission is to inspire public sector professionals by serving as the knowledge network for government. GovLoop connects more than 250,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to the public sector. For more information about this report, please reach out to info@govloop.com
Connecting security and IT teams as well as top security products through automation is the future of enterprise security response.
1152 15th St. NW Suite 800 Washington, DC 20005 P (202) 407-7421 F (202) 407-7501 www.govloop.com @GovLoop