How AMP got infosec response down from 12 weeks to one

AMP has managed to reduce the time it takes to respond to a security incident from three months to one week by ditching manual processes in favour of automation.

Rahn Wakely

AMP had previously relied on a manual network of emails, spreadsheets, phone calls and texts to kick its incident response to a threat or vulnerability into gear.

It meant it would take the cyber security team around 12 weeks to respond to a security event; a service level that AMP’s head of cyber security Rahn Wakely knew wasn’t good enough.

Integrator KPMG had just implemented incident, problem change, CMDB, service catalogue, and service request fulfilment on the ServiceNow platform for AMP’s IT team.

ServiceNow’s traditional offerings have centred on hosted software for IT services, operations, and business management. But last year it extended into the security field with the launch of a security operations platform intended to automate and help better co-ordinate security response.

As part of a standard security assessment Wakely’s team did on the IT division’s new ServiceNow installation, they discovered the existence of the security module - “an opportunity that was too good to pass up”, Wakely told the recent Knowledge17 conference.

With the help of KPMG, the new security module was stood up within six weeks. KPMG had been aware of AMP’s roadmap in terms of security operations when it put in the CMDB for IT, and so had added business criticality components on each core AMP application as well as the underlying support systems and servers, speeding up the process for the SecOps deployment.

“That allowed us to put qualifiers on when an incident came in or a threat was detected through their [FireEye and Nessus] scanning systems,” KPMG ServiceNow specialist Marilyn Nelson told this week’s AusCERT conference on the Gold Coast.

“It ingested that into the ServiceNow platform and they could determine, from all of the noise, what they needed to respond to quickly, and that kicked off security incident response.”

Hooking together IT incident response with security incident response meant the two teams could now communicate in a central location that gave visibility of the process to all those involved.

Linking the security module into AMP’s change management application similarly automated the request for change process, like when a vulnerability needed to be patched or risk needed to be mitigated.

“Automation is the key, as is visibility into what’s going on. When you’re working in emails, spreadsheets, texts and phone calls, you don’t really have that,” Nelson said.

Having a template for the services the SecOps team provides - like penetration testing, and risk and privacy assessments - for people to “click a button and order” has also been “a real time saver for us”, Wakely said. His team is currently adding another 40 services to the platform.

While AMP is now boasting a one-week turnaround for security incident response, Wakely wants to get that down to “days”.

"We're really only on the start of the journey," he said.