
Strategies for integrating your cyber security and IT service management process and systems

Prepared by: John Bilinski, ITSM Tools Architect, G2SF
8/21/2018
Cyber Threat Analysis and Reporting Today
• 69,000 cyber reports per year
• Manual sifting of intelligence and incident reporting to identify impacts on devices, systems, networks, or services
• 80% of available time and manpower is spent associating a specific threat, vulnerability, or technical indication of malicious activity with the specific device or endpoint that supports a system, network, or service, including identifying the system owner, location, and support organization.
The Problem
Experts are unable to prioritize cyber defense activities due to an incomplete understanding of risk.
• Organizations try to defend their key cyber terrain against threats targeting their network
• Net defenders can't calculate risk due to incomplete insights about the intersection of assets, threats, and vulnerabilities
• Data from threat analysts, information assurance, and IT management is not correlated
Correlation Challenges between Threats and Infrastructure Data
The elephant in the room facing most security organizations is the ability to correlate threat information in real time with asset and configuration data to provide actionable cyber intelligence.
Bridging the Gap
• Security professionals require:
– A complete understanding of the IT infrastructure to determine risks
– Efficient ways to correlate threat information with organization-specific information about the infrastructure, the assets within it, their location, their vulnerabilities, and associated ownership
• A well-defined CMDB contains this information
Bridging the gap between security threats and infrastructure data using the CMDB
Why the CMDB Fills the Gap
What is on the network, what is offline, what is in inventory?
Where are my assets?
Who is using the asset?
Who supports the asset?
Who owns the asset?
When does maintenance expire?
Where is the contract for the asset?
[Diagram: the CMDB combines discovered data (hardware and software, computer system configuration items (CIs), CPUs, operating systems, software products) with user-managed asset data (contracts, licenses, certificates, organizations and UIC data, people from Active Directory).]
The Ideal End State
SOLUTION: Automate the manual, time-consuming tasks to correlate threat intelligence, information assurance, and IT management data to accelerate decisions and actions.
1. OBSERVE: Automate the discovery and collection of cyber intelligence and reports
2. ORIENT: Automate the collection of information about targeted assets/systems
3. DECIDE: Prioritize decision making and identify effective mitigations
4. ACT: Orchestrate the creation, testing, and deployment of countermeasures
An Integrated Enterprise Cyber Threat Analysis Solution
• Cybersecurity and Service Management professionals should work together to automate the manual and time-intensive process of correlating threat information with an organization's asset information by developing interfaces between the Configuration Management Database (CMDB), ITSM tool suites, and the cyber security tool suite.
• By building an interface between the CMDB, discovery, ITSM tools, and a threat intelligence platform, security professionals are able to automatically obtain, ingest, parse, and extract actionable information from cyber intelligence and incident reporting, and then correlate this information with the data maintained within the organization's CMDB.
• This capability significantly enhances the cybersecurity professional's ability to calculate mission risk and determine vulnerability exposure, and then act more expeditiously.
Phase I – CMDB Common Data Model to Include Security Specific Attributes
• An Enterprise Common Data Model contains CI definitions and provides appropriate policy and direction regarding the types of CIs to be included in or excluded from the CMDB
• The objective is to maintain a balance between providing relevant CIs and the CI information necessary to ensure maximum service availability.
• The level of detail must be balanced to ensure that you are capturing data that is of value while filtering out the noise that may create CI maintenance challenges
• What is needed to support security operations in the CDM:
1. Ensure that each configuration item type is properly identified and represented with the base class and attributes necessary to perform security operations
2. For each CI type, identify common attributes and unique attributes for the specific CI data that is provided by your threat and vulnerability detection systems.
Step II – Integrating with External Data Sources
• Integration adaptors are used to retrieve data from external discovery and scanning tools, transform source data into data that can be used by the CMDB, and populate source data into defined datasets in the CMDB
• Basic steps necessary to populate the CMDB with external data:
1. Review the data source's database table and view structure and build the desired database queries.
2. Build scripts and transformations that will retrieve the data and populate the Atrium CMDB.
3. Load the external data into a staging dataset in the CMDB and analyze the data
Step III – Normalizing and Reconciling Data
• Normalization is used to merge discovered data with non-discovered data and to promote the data to the production dataset.
• Reconciliation is used to flag data changes and ensure no duplication of data.
• The reconciliation process identifies the discovered and scanned CI data and relates it to the production CI by matching the unique identifier.
• The process then appends/merges the additional attributes of the discovered/scanned data into the production CI record.
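The load, normalize, and reconcile steps of Step II and Step III, as an added Python example that is not part of the original deck or any vendor's integration adaptor. It assumes constructed discovery (JSON) and scanner (CSV) exports with made-up field names and hosts, treats the hardware serial as the reconciliation identifier (MAC address, then hostname, as fallbacks), merges the staged attributes into the production CI, and logs every changed attribute and every duplicate so the reconciliation can be reviewed before the staging dataset is promoted.

```python
import csv
import io
import json
import re
from typing import Dict, List, Tuple

# Constructed sample exports standing in for a discovery tool and a
# vulnerability scanner. Field names and hosts are assumptions, not a
# real product's schema. Note the deliberately inconsistent identifier
# formats between the two sources.
DISCOVERY_JSON = """[
 {"hostname": "WEB01.corp.example", "serial": "abc-123", "mac": "00:1A:2B:3C:4D:5E",
  "os": "Windows Server 2016", "ip": "10.1.1.10"},
 {"hostname": "db01", "serial": "DEF-456", "mac": "00-1a-2b-3c-4d-5f",
  "os": "RHEL 7.6", "ip": "10.1.2.20"}
]"""

SCAN_CSV = """host,serial,mac,last_scan,open_findings
web01,ABC123,001a2b3c4d5e,2018-08-15,3
DB01,def456,00:1a:2b:3c:4d:5f,2018-08-14,0
db01,def456,00:1a:2b:3c:4d:5f,2018-08-14,0
"""


def norm_serial(s: str) -> str:
    """Serial numbers: upper-case, strip separators."""
    return re.sub(r"[^0-9A-Z]", "", s.upper())


def norm_mac(m: str) -> str:
    """MAC addresses: lower-case, colon-separated; empty if not 12 hex digits."""
    hexs = re.sub(r"[^0-9a-f]", "", m.lower())
    return ":".join(hexs[i:i + 2] for i in range(0, 12, 2)) if len(hexs) == 12 else ""


def norm_host(h: str) -> str:
    """Hostnames: short name, lower-case (drop the DNS domain)."""
    return h.split(".")[0].lower()


def ci_key(rec: Dict) -> str:
    """Unique identifier used for reconciliation: serial, then MAC, then hostname."""
    return rec.get("serial") or rec.get("mac") or rec["hostname"]


def load_staging(discovery_json: str, scan_csv: str) -> List[Dict]:
    """Transform both exports into normalized staging records tagged by source."""
    staging = []
    for d in json.loads(discovery_json):
        staging.append({"source": "discovery", "hostname": norm_host(d["hostname"]),
                        "serial": norm_serial(d["serial"]), "mac": norm_mac(d["mac"]),
                        "os": d["os"], "ip": d["ip"]})
    for row in csv.DictReader(io.StringIO(scan_csv)):
        staging.append({"source": "scanner", "hostname": norm_host(row["host"]),
                        "serial": norm_serial(row["serial"]), "mac": norm_mac(row["mac"]),
                        "last_scan": row["last_scan"],
                        "open_findings": int(row["open_findings"])})
    return staging


def reconcile(production: Dict[str, Dict], staging: List[Dict]) -> Tuple[Dict[str, Dict], List[Tuple]]:
    """Merge staging records into production CIs keyed by unique identifier.

    Returns the updated production dataset and a change log of
    (key, attribute, old, new). A second record for the same key from the
    same source is logged as a duplicate and merged, never inserted twice.
    """
    changes: List[Tuple] = []
    seen = set()
    for rec in staging:
        key, src = ci_key(rec), rec["source"]
        if (key, src) in seen:
            changes.append((key, "duplicate", src, None))
        seen.add((key, src))
        ci = production.setdefault(key, {"ci_id": key, "sources": []})
        if src not in ci["sources"]:
            ci["sources"].append(src)
        for attr, new in rec.items():
            if attr == "source":
                continue
            old = ci.get(attr)
            if old != new:              # covers both "attribute added" and "value changed"
                ci[attr] = new
                changes.append((key, attr, old, new))
    return production, changes


def run_demo() -> Tuple[Dict[str, Dict], List[Tuple]]:
    # Constructed production CI: user-managed ownership data plus a stale OS value.
    seed = {"ABC123": {"ci_id": "ABC123", "sources": ["user"], "hostname": "web01",
                       "owner": "Web Ops", "os": "Windows Server 2012 R2"}}
    return reconcile(seed, load_staging(DISCOVERY_JSON, SCAN_CSV))


if __name__ == "__main__":
    prod, log = run_demo()
    for entry in log:
        print(entry)
```

Running it shows the owner from the user-managed record surviving, the OS value being flagged as changed rather than silently overwritten, the scanner's last-scan date and open-finding count appended to the same CI, and the repeated DB01 row reported as a duplicate.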
Step IV – Service Dependency Mapping
• Discovery is a critical part of any enterprise CMDB
• Discovery and Service Dependency Mapping provide a visual map of all CIs that are used in the delivery of a service
• Data contained in a Service Dependency Map gives Security and Cyber Operations professionals insight into the possible impacts that threats and vulnerabilities could have on the security posture of an organization's network or critical business services
Integration of Tools to Determine Vulnerability Exposure and Calculate Mission Risk
1. Threat assessment data integrated with asset and configuration management information in the CMDB
2. Continual discovery of asset and configuration data reconciled into the CMDB
3. Threat assessment data and CMDB data correlated and analyzed for comprehensive threat identification
4. Risk assessment and security posture determined based on threat identification, then mitigation tasks identified
5. Mitigation tasks tracked in the ITSM system through incident, change, and problem tickets
[Diagram components: Threat Assessment Database, CMDB, Incident Management, Problem Management, Change Management, Decision Support through Dashboard, Reporting and Analytics]
Example discovery tools: BMC Discovery, Universal Discovery, SCCM, Tanium
Example security scanning tools: Tenable, ACAS, Intrusion Detection, Virus Scanning
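Steps 3 and 4 of the flow above, carried over the Step IV dependency map, as an added Python example that is not from the deck and not any product's code. The CMDB extract, the dependency map, the software product names and the threat assessment record are all constructed placeholders with no real advisory behind them; the exposure weights, the "fixed in" version comparison and the per-status actions are assumptions to be replaced by the organization's own risk model. It goes slightly beyond the slide in that it also handles the three asset states the Benefits slide calls out (deployed, on the shelf, mobile and not currently visible).

```python
from typing import Dict, List, Set

# Constructed CMDB extract: CI id -> attributes, including the security-specific
# attributes added to the common data model (status, exposure, last_scan, software).
CMDB = {
    "web01": {"status": "deployed", "exposure": "internet", "owner": "Web Ops",
              "last_scan": "2018-08-15", "software": {"ExampleHTTPd": "2.4.12"}},
    "app01": {"status": "deployed", "exposure": "enclave", "owner": "App Ops",
              "last_scan": "2018-08-15", "software": {"ExampleHTTPd": "2.4.40"}},
    "db01": {"status": "deployed", "exposure": "enclave", "owner": "DBA",
             "last_scan": "2018-08-14", "software": {"ExampleDB": "9.6"}},
    "spare07": {"status": "inventory", "exposure": "none", "owner": "Depot",
                "last_scan": "2018-05-01", "software": {"ExampleHTTPd": "2.4.12"}},
    "lap42": {"status": "mobile_offline", "exposure": "unknown", "owner": "Field Team",
              "last_scan": "2018-07-20", "software": {"ExampleHTTPd": "2.4.12"}},
}

# Constructed service dependency map: each CI lists the CIs it depends on.
# Services carry a mission criticality (1 low .. 5 high); assumed values.
SERVICES = {"Payroll": 5, "Intranet Wiki": 2}
DEPENDS_ON = {
    "Payroll": ["app01"],
    "Intranet Wiki": ["web01"],
    "app01": ["db01", "web01"],   # app01 is fronted by web01 and uses db01
}

# Constructed threat assessment record: placeholder id and product, not a real advisory.
THREAT = {"id": "TR-CONSTRUCTED-1", "product": "ExampleHTTPd", "fixed_in": "2.4.30"}

# Assumed exposure weights; "none" means the asset is not on any network.
EXPOSURE_WEIGHT = {"internet": 3, "enclave": 2, "unknown": 2, "none": 0}


def version_tuple(v: str):
    return tuple(int(p) for p in v.split("."))


def affected_cis(threat: Dict, cmdb: Dict[str, Dict]) -> List[str]:
    """Step 3: correlate the threat's product/version with CMDB software data."""
    hits = []
    for ci_id, ci in cmdb.items():
        ver = ci["software"].get(threat["product"])
        if ver is not None and version_tuple(ver) < version_tuple(threat["fixed_in"]):
            hits.append(ci_id)
    return sorted(hits)


def impacted_services(ci_id: str, depends_on: Dict[str, List[str]], services: Dict[str, int]) -> Set[str]:
    """Walk the dependency map upward from a CI to every service that relies on it."""
    dependents: Dict[str, List[str]] = {}
    for parent, children in depends_on.items():
        for child in children:
            dependents.setdefault(child, []).append(parent)
    seen, stack, hit = set(), [ci_id], set()
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        if node in services:
            hit.add(node)
        stack.extend(dependents.get(node, []))
    return hit


def assess(threat: Dict, cmdb: Dict[str, Dict], depends_on: Dict, services: Dict) -> List[Dict]:
    """Step 4: rank affected CIs by mission impact and exposure, and pick an action."""
    results = []
    for ci_id in affected_cis(threat, cmdb):
        ci = cmdb[ci_id]
        svcs = impacted_services(ci_id, depends_on, services)
        criticality = max((services[s] for s in svcs), default=1)
        risk = criticality * EXPOSURE_WEIGHT[ci["exposure"]]
        if ci["status"] == "inventory":
            action = "patch before deployment"          # on the shelf, not reachable
        elif ci["status"] == "mobile_offline":
            action = "quarantine on next connect"       # known deployed, not visible now
        else:
            action = "change ticket: patch"
        results.append({"ci": ci_id, "owner": ci["owner"], "status": ci["status"],
                        "services": sorted(svcs), "risk": risk, "action": action,
                        "last_scan": ci["last_scan"], "threat": threat["id"]})
    results.sort(key=lambda r: -r["risk"])
    return results


if __name__ == "__main__":
    for r in assess(THREAT, CMDB, DEPENDS_ON, SERVICES):
        print(r)
```

The output is the list the ITSM integration in step 5 would turn into tickets: the Internet-facing web server that both services depend on ranks first, the offline laptop is tracked but needs a different action, and the spare in inventory scores zero on exposure while remaining in the count of vulnerable assets.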
Benefits of an Integrated Solution
• Reducing the time that analysts spend discovering, collecting, and vetting Indicators of Compromise (IOC) reporting information.
• Enabling analysts to identify the relationships between cyber intelligence and potential Configuration Items (CIs) within the CMDB that might be impacted by a reported threat.
• Isolating which CIs and systems have configurations that are at risk of exploitation and the impact to services in support of the mission.
• Increasing the time analysts spend investigating, understanding, planning and prioritizing threat defenses and risk management activities.
• Allowing analysts to spend more time determining the operational impact of malicious cyber activity on targeted CIs and executing threat mitigation and risk management activities.
• Reducing the turnaround time between cyber event reporting and execution of mitigation activities that prevent a security breach or service disruption.
• Tracking the number and types of assets that are vulnerable to threats as systems are patched.
• Identifying the last security scan and security patch date of all assets.
• Increasing visibility regarding the full impact of vulnerabilities by identifying risk exposure of assets that are:
– Deployed within the protected enclave and/or exposed to the Internet
– On the shelf in inventory, but not deployed
– Mobile assets that are known to be deployed, but not currently visible on the network
Please complete your session evaluation in the FUSION app.