Design–TAGCyberLLCFinance–M&TBankAdministration–navitendResearch–TAGCyberLLCLeadAuthor–Dr.EdwardG.AmorosoResearchers–LiamBaglivo,MattAmoroso,MilesMcDonaldFacilities–WeWork,NYCTAGCyberLLCP.O.Box260,Sparta,NewJersey07871Copyright©2018TAGCyberLLC.Allrightsreserved.Thispublicationmaybefreelyreproduced,freelyquoted,freelydistributed,orfreelytransmittedinanyformorbyanymeans,electronicormechanical,includingphotocopying,recording,oranyinformationstorageandretrievalsystemwithoutneedtorequestpermissionfromthepublisher,solongasthecontentisneitherchangednorattributedtoadifferentsource.Securityexpertsandpractitionersmustrecognizethatbestpractices,technologies,andinformationaboutthecybersecurityindustryanditsparticipantswillalwaysbechanging.Suchexpertsandpractitionersmustthereforerelyontheirexperience,expertise,andknowledgewithrespecttointerpretationandapplicationoftheopinions,information,advice,andrecommendationscontainedanddescribedherein.NeithertheauthorofthisdocumentnorTAGCyberLLCassumeanyliabilityforanyinjuryand/ordamagetopersonsororganizationsasamatterofproductsliability,negligenceorotherwise,orfromanyuseoroperationofanyproducts,vendors,methods,instructions,recommendations,orideascontainedinanyaspectofthe2018TAGCyberSecurityAnnualvolumes.Theopinions,information,advice,andrecommendationsexpressedinthispublicationarenotrepresentationsoffact,andaresubjecttochangewithoutnotice.TAGCyberLLCreservestherighttochangeitspoliciesorexplanationsofitspoliciesatanytimewithoutnotice.

September7,2017TotheReader:This2018TAGCyberSecurityAnnual–Volume1:OutlookforFiftyCyberSecurityControlsisacompanionguidetothereportofsimilarnameissuedlastyear.Iwilladmitthatitwastemptingtotakelastyear’sreportandtweakafewwords,addsomenewdescriptions,andmaybedrawacoupleoffreshdiagrams–andcalltheresultanewreport.Luckily,thatlazyoptionpassed,andinstead,Ispentanhourofeachdayforthepastsixmonthswritinganewbook.So,ifyouthoughtyou’dgetoffeasy,thenforgetit:Youhavesomereadingtodo.ThisnewvolumecomplementstwoothernewvolumesissuedaspartoftheTAGCyberSecurityAnnualseriesandavailabletoyouasfreePDFdownloadsathttps://www.tag-cyber.com/.IsupposeonecoulddebatewhetherourTAGCybermaterialisuseful,butthereisfullconsensusthatourmaterialisvoluminous.Asalways,weofferourreportsatawhoppingpriceoffree,butIsuspectthatifweeverdecidetosellthesemassivevolumes,wewillsetpricingbasedondollars-per-pound.Theprocessusedtocreatethisvolumehadmuchincommonwithlastyear’sapproach.ThemostobvioussimilarityisthatIonceagainreceivedalotofhelp.Likelastyear,Icarefullyselectedandreachedouttoaselectgroupofcybersecuritytechnologyvendors–mostofthemnewthisyear–andaskedthattheyinvestthetime,energy,andresourcestohelpmelearntheirspecialty.ThesewonderfulDistinguishedVendorsarelistedonthenextpage–andIhopeyou’llreachoutandlearnfromthemaswell.Yourtimewillbewellspent.Also,likelastyear,Ispenthoursandhoursandhours(andmorehours)withenterprisesecurityprofessionalsandChiefInformationSecurityOfficers(CISOs)fromeverysectorinbusinessandgovernment.Iinvitedthemtodinners,Icajoledthemintoweeklydiscussionsessions,andIcorneredthemateveryconference.Ithinksomenowheadtheotherwaywhentheyseemeapproaching.Butthisisnecessary,becausecybersecurityonlycomesintofocuswithmanydifferentperspectives.Evenwithinthesamecompany,Ioftenheardifferentanswerstothesamequestion.So,therearenoshortcuts.Anawesomenewinputthisyearwasthegroupofpayingcustomers(yes,that’sright)forwhichmygrowingTAGCyberteam–LiamBaglivo,MattAmoroso,andMilesMcDonald–providedcybersecurityconsulting.Torespecttheirprivacy,Iwon’tnamethecompanieshere,buttheyprovidedamazinginsightsintocurrentviewsonbestpracticesincyberdefense.Theseclientsincludedtwobanks,asoftwarecompany,agovernmentsupportteam,atechcompany,anon-profit,andamedicaldevicecompany.Assistingontheirprojectswasenormouslyhelpfulinthecreationofthisvolume.MyannualcaveatonbiasmuststartwithAT&T,whereIservedforthirty-oneincredibleyears.IcontinuetobelievethattheexpertteamthereisdoinggroundbreakingworkinsoftwaredefinednetworkingunderJohnDonovan,anditisridiculousformetotrytoappearunbiased.Mycommentsonmanagedsecurityservicesofferaglowingvisionofself-provisioned,virtualizedsecurityviacloudandSDN,andifthatappearstoalignwithAT&T’sapproach–well,thenIadmitthealignment.Ispentyearshelpingtodesignthatwork,soIcannotuntanglemyself.Ihave,however,carefullyremovedmyselfthisyearfromallmajorboards.IlovedmyyearwithM&TBankasanIndependentDirectorontheirCorporateBoard,buttherelationshiphasbeenredesignedasseniorconsultative.ThatisonefinegroupofpeopleupinBuffalo,andIhopeyouusetheirbankingservices.IalsosteppeddownfromtheNSAAdvisoryBoardsothatIcouldwriteopenly,publishmorefreely,anddevotetheproperamountoftimerequiredforthisresearch.Thatgovernmentboardincludedanawesomegroupofamazingvolunteersandcivilservants–andIwisheachofthemwell.Myacademicaffiliationsremainintact,albeitperhapsmoreintense.Icontinuetoteachtwocoursesperyearinamassivelecturehalltoabouttwo-hundredgraduatestudentsattheStevensInstituteofTechnologyannually.I’vealsoacceptedapositionasaResearchProfessoratNYU,whereIfocusoncooperativelearning,government-fundedresearch,andcyberawarenesseventsforexecutives.Finally,IcontinuetoserveasaSeniorAdvisortotheAppliedPhysicsLabatJohnsHopkinsUniversity,whereIsupportagroupofridiculouslysmarttechnologists.Anyway,enoughaboutme:It’stimethatyoudiveintothis2018TAGCyberSecurityAnnual:Volume1–OutlookforFiftyCyberSecurityControls.Asyoureadthebook,myadviceistousetheFeynmanself-summarizationtechniquetoabsorbthematerialusingasharpenedTiconderoga,afreshlinedpad,andanopenmind.Ihopethisbookisusefultoyou.Dr.EdwardG.AmorosoChiefExecutiveOfficer,TAGCyberLLCFultonStreetStationonBroadway

2018TAGCyberDistinguishedVendorsEachofthevendorslistedbelowinvestedtheirvaluabletime,resources,andmoneyinthedevelopmentofthevolumeyouhaveinyourhands.Theywerecarefullyhand-selectedbasedontheuniqueness,importance,andrelevanceoftheirofferingtoChiefInformationSecurityOfficer(CISO)teamsfromthenearly1500vendorswecovereachyear.Iwouldlistthemallasco-authorsifthatwasfeasible–butofcourse,itisnot.Instead,theyarelistedbelowalphabetically,withabriefnoteofthanksfortheiruniqueinsight,friendship,andsupportoftheglobalcybersecurityindustry.Itgoeswithoutsayingthatanyunexpectederrorsinthisvolume,orrecommendationsthatmightultimatelyproveincorrect,areentirelymyfault–nottheirs.Hereisthelist,withawordortwoabouttheirfineleaders:4iQ–Ilovedworkingwiththe4iQteamthisyear,includingMonicaPalandJulioCasal.Thedigitalriskmonitoringandidentitythreatintelligenceservicestheyproviderepresentoneofthemostimportantcontributionsinourcybersecurityindustry.Agari–ItwasadelightworkingagainwithPatPetersonandthenewAgariCEORaviKhatod.TheAgariteamhelpedmeunderstandemailsecurityperhapsbetterthananyothergroup–andIamsoappreciativeoftheirassistance. AlienVault–RogerThorntonissuchawonderfultechnologist,alwaysavailabletoexpertlyhelpexplainsomeaspectofadvancedcybersecurity.MythanksgotoRogerandtheentireAlienVaultteamfortheirpartnershipwithTAGCyber.Appthority–DomingoGuerrawasgenerouswithhistimehelpingtoexplainhowappriskcanbeextendedtoholisticmobilitymanagement.PaulStich,asalways,continuestobesuchawonderfulcontributortoourcybersecurityindustry. ArborNetworks–BrianMcCannandhisteamcontinuetodosuchagreatjobreducingDDOSriskandhelpingtoassurebusinesscommunications.TheArborteamisfirstclassandalwaysgreathostsforvisitstoBoston.Ataata–ItwasadelightgettingtoknowMichaelMadon,CEOofAtaata,andtoimmerseinhisoriginalandamazingcontent.Hisfinesubscription-basedcontentofferingprovidesanaccurateglimpseintothefutureofsecurityawareness. AT&T–ThesecuritycommunityatmyformeremployerhasbeensoincrediblyhelpfultotheTAGCyberteaminareassuchasMSS,SDN,NFV,andevolvingthreat.TheGovernmentSolutionsteamhasalsobeenadelighttoworkwiththisyear!AttivoNetworks–TusharKothariandhiscapableteamatAttivocontinuetoimproveandadvancethestateoftheartinmoderncyberdeceptionfortheenterprise.ThesupportandfriendshipoftheentireAttivoteamaresoappreciated. BayshoreNetworks–FrancisCianfroccaisoneofmyfavoriteindustrypartners.Hisenthusiasm,knowledge,andgoodhumoraresuchwonderfulassetstotheIoT/OT/ICSindustry.Thankyou–Francis,forourmanydetaileddiscussions!BlackridgeTechnology–WhenJohnHayesandMikeMiracleexplainedfirstpacketauthenticationtome,Iwastotallyblownawaybytheconcept.Thisisafinegroupwithdeeptechnicalexpertiseandexperience–andIamsogratefulfortheirhelpthisyear.Bromium-SimonCrosbyisoneofthegreatpioneersintheuseofvirtualizationtechnologytoprotectendpointresources.He’sbeenwillingtoassisttheTAGCyberteamfromthebeginningandit’sanhonortobeassociatedwithhisfinecompany.Capsule8–JohnViegaandDinoDaiZoviaretwoawesometechnologistswithenoughexperienceandexpertisebetweenthemtopopulatefivecompanies.ItwashardnottoplayfavoriteswithsuchanincredibleLinuxsecuritystart-upfromBrooklyn.CIXSoftware–SameerMalhotraisafriendandJerseyneighbor,andhispeoplehavebeensogenerousexplainingtheirareaandhelpingmetounderstandthebestwaytoprotectsoftwareapplications.Iamsogratefultotheteam.CloudPassage–CarsonSweet’sconceptforcloudsecurityalignstightlywithmyownthinking,soitwasnaturalformetogravitateinthatdirectionforassistance.EverytimeIchatwithCarsonandtheCloudPassageteam,Ilearnsomethinguseful.ContrastSecurity–ItwassuchanamazingprivilegetogettoknowJeffWilliamsandtheContrastSecurityteam.Theyhaveamazingcredentialsandtheyreallyknowwhattheyaredoing.Iamsogratefulfortheirvaluabletimeandpartnership.CrowdStrike–GeorgeKurtz,DmitriAlperovitch,andShawnHenrymightbeoneofthestrongestexecutivetechnicalmanagementteamsincybersecuritytoday–orpossiblyever.Iappreciatetheirfriendshipandon-goingsupport.CyberadAPT–KirstenBaywassogenerouswithhertime(includingadayspentatNYUinBrooklynformystudents).Sheisoneofthefineleadersinourindustry,andIsoappreciateherteam’spartnershipthisyearwithTAGCyber.CyberArk–TheCyberArkteamwassogenerouswiththeirtimethisyear,helpingmetounderstandoneofthemostneglectedaspectsofcybersecurity–namely,privilegedaccountmanagement.Thankstothefineteamfortheirwonderfulsupport.Cybereason–IwassopleasedtoseeSamCurryrecentlyjoinCybereason,justmakinganexcellentcybersecuritycompanythatmuchbetter.I’velearnedsomuchfromtheCybereasonteamonvitaltopicsincludingthebestwaystoavoidransomware.Cylance–IamgratefultoStuartMcClureandMalcolmHarkinsfortheircontinuedsupportofTAGCyber.Withouttheirkindassistanceexplainingadvancedalgorithms,machinelearning,andartificialintelligence,thisreportwouldnotexist.Cytegic–ItwaswonderfulgettingtoknowElonKaplan,amanwithaneclecticbackgroundincludinganadvanceddegreeinorganizationalpsychology.Histeam’splatformapproachtoriskmanagementisagreatcontributiontoourindustry.Cyxtera–I’vebeenfriendswithDavidKeasey,LeoTaddeo,andothermembersoftheCyxterateamforyears,andIconsidertheirnewcompanyoneofthebrightspotsinourindustrywithaworld-classapproachtosoftwaredefinedperimeters.DeepInstinct–Fewpeopleunderstandmachinelearning,artificialintelligence,anddeeplearningone-tenthaswellasEliDavidunderstands,explains,andappliesthetechnologytocybersecurity.Iappreciateallhisteamdoesforourindustry!

DigitalDefense–IwassopleasedtoseeLarryHurtadoandhisteamapplytheiryearsofexperienceandexpertisetoanewworld-classplatformforenterprisevulnerabilitymanagement.Iappreciatehisteam’scontinuedsupport!E8Security–IndustryveteranMattJonesandhisfinetechnicalandmarketingteamsatE8Securityaresoknowledgeableonbehavioralintelligenceandanalytics,andtheywereamazinglysupportiveofTAGCyberthisyear.Fireglass–IenjoyedgettingtoknowGuyGuznerandhisteamatFireglassanditwaswonderfultoseetheSymantecacquisition.Isolationissuchapowerfultechniqueforpreventingmalwareanditwasexcitingtolearnfromtheexperts!Fortinet–KenXieisoneofthefinestandmostcapableCEOsinourindustry.WeallowemuchtoKen,MichaelXie,andtherestoftheFortinetteamfortheirclearvisionandstrongcontributionstocybersecurityprotectionofourglobalinfrastructure.GlobalDataSentinel–TheGlobalDataSentinelteammightbeoneofthemostexperiencedgroupsI’veencounteredinmycyberanalysiswork.IenjoyedmyinteractionswithAlfPoor,JohnGalinski,andtherestofthemanagementteam.GuidanceSoftware–PatrickDennisandhisteamofferedwonderfulinsightsintothesynergiesbetweencyberinvestigativesupportandendpointsecurity.AnthonyDiBellowasparticularlyhelpfultothisreport.Thankstotheteam!IronNetCybersecurity–EverytimeIvisittheIronNetteaminMarylandunderthedirectionofretiredGeneralKeithAlexander,Ireturnwithsucharenewedsenseofprideatthefinepeopleandtechnologythecompanyexemplifiesforourindustry.JavelinNetworks–ItwasthrillingtolearntheJavelinapproachtoActiveDirectorysecurity,whichIbelieveisperhapsthemostneglectedaspectofIToperationsprotection.RoiAbutbulandhisteamweresokindtoexplaintheirtechnologyindetail.Lookout–MobilesecurityisoneofthemostimportantaspectsoftheCISOportfolio,andLookouthasbeenagreatleaderinthisareafromtheinception.IamindebttoJimDolceandhisteamforthison-goingsupportofourworkatTAGCyber.Lumeta–ReggieBesthasalwaysbeenwillingtositdownandexplainthefineworkhisteamdoesatLumeta.SanjayRaja,morerecently,hasbeenagreatpartner.I’msoproudtocontinueworkingwithsuchanawesometeam!MenloSecurity–IsoenjoyedworkingcloselywiththeMenloSecurityteamthisyear,includingPoornimaDeBolle,whoissuchafinetechnologist.Ifindisolationtobeoneofthebrightspotsinourindustry,oneIhopeallCISOswilladoptmorereadily.NIKSUN–IconsiderParagPruthitobenotonlyagreatcontributorandrepresentativeofourindustry,butalsoaninspirationforhisvisionofhowcyberprotectionsmustevolve.TheNIKSUNstoryisagreatone,andIamsoappreciativeofalltheydo.Panaseer–ItwassuchapleasuremakingfriendswiththePanaseerfolksfromtheUK.Theyweresokindwiththeirtimeandenergy,spendingmultiplehourswithmeexplainingtheirapproachtoadvancedenterpriseriskmanagement.PingIdentity–Likelastyear,Pingwassogeneroustohelpmeinoneofthemostcomplexaspectsofcybersecurity.PatrickHardingspenttimewithmeinNewYork,providingdeepinsightsintomodernIAM.ThankstothePingteam!Prevalent–ItwasgreatmakingfriendsthisyearwiththePrevalentteam,myNewJerseyneighbors.JonathanDambrotisatrueexpertwhenitcomestomanagingriskinthirdparties,whichmaybethehighestcontributortoenterpriseattackstoday.Prevoty–Irarelyusethephrase“readdeal”whenreferencingatechnologyandmanagementteam,butthePrevotygroupisjustthat.KunalAnandisatruerisingstarinourindustry,andIlovegettingtogetherwithhimtolearnaboutsoftwaresecurity!RiskIQ–LouManusoshasbeensogenerouswithhistimethisyear(includingbravingtheBrooklynsubwaysystemforourmeetings).TheworkatRiskIQisworld-class,anddigitalthreatmanagementhasbecomeessentialforeveryCISOteam.RiskSense–IwassoimpressedthisyearwithSrinivasMukkamalaandhisfineteamatRiskSense.IlearnedsomuchthisyearfromtheRiskSensegrouponautomatingriskmanagementintoaworld-classplatform.Thankstotheteamfortheirsupport! Securonix–SachinNayyarhasassembledoneofthefinestteamsinthecybersecurityindustry.IlearnedsomuchthisyearfromSecuronixaboutadvancedanalytics,withthebonusthattheyunderstandIAM-basedanalysisaswellasanyone!SertintyOne–TheSertintyONEteamisascapable,helpful,andknowledgeableasanyI’veencounteredinourentireindustry.GregTaylorsetsamoodinthatcompanythatservesasamodelforallofus–andIamsoappreciativeoftheirgreatsupport.Skycure–I’vehadthegreatpleasuretobefriendswithAdiSharabani,andconsiderhimoneoftheleadingexpertsinourfield.Iwassopleasedtoseetheacquisitionthisyear,andbelievetheSkycuresolutionwillcontinuetogrowinitseffectiveness. SkyhighNetworks–RajivGuptaisoneofthemostcapableCEOsinourbusiness.EverytimeheandIsitdown,Icomeawaywithtwentypagesofnotes.MysincereappreciationtoRajivandtheSkyhighteamforalltheirsupporttoTAGCyber!Skyport–Itissuchadelighttorunintotrulynovelsolutionsinourindustry,andso,itwasthrillingtolearnabouttheSkyporttechnologyfromMichaelBeesley.Iloveddiggingintoandlearningthedetailsofhypersecuredinfrastructurethisyear!Sqrrl–TheSqrrlteamiscapable,energetic,andgiftedintheirunderstandingofhowbesttosupportthecyberhunterworkingwithdatainaSOCfocusedonUEBAandotherindicators.Iamsogratefulforallthetimetheyspentwithmethisyear!Symantec–Idon’tthinkIcansayenoughabouthowmuchIvaluemyfriendshipwithGregClark,HughThompson,andtheSymantecteam.Idoubtyoucouldeverfindamorecapableandknowledgeableexecutiveteam.Iappreciatetheirsupport!Synack–TheSynackteamhasbeensohelpfultomeoverthepasttwoyears,helpingmeseethefutureofvulnerabilitydiscoveryusingvettedteamsofexperts.AislingMacRunnelswentwaybeyondthecallofdutywithheradviceandassistance!TenFour–BruceFlitcroftisoneofthemostenergeticCEOsinthebusinessanditwasexcitingtohaveafontrowseatasherebrandedhisfinecompanytoTenFourthisyear.Hisutilitymodelhaspowerfulimplicationsforsecurityatthenetworklevel.Tripwire–ItissuchaprivilegetohavetheassistancethisyearofsuchacapableteamfromtheiconicTripwirebrand!IlovetheirfocusonareturntothefundamentalsandIlovedworkingwiththemonhowtheirsolutionscanassisttheCISO.TruSTAR–I’vebeenfriendswithPaulKurtzforyears,andIcanattesttohispersonalconvictionsaroundtheimportanceofthreatinformationandintelligencesharing.HeandhisteamareassetstoourindustryandIappreciatetheirfinesupport.

vArmour–TimEadesandhisteamatvArmour,includingMarcWoolwardandMarkWeatherford,weresogenerouswiththeirpersontimethisyear.Theyarealwayswillingtositdownface-to-faceandhelpmelearnmoreaboutvirtualizedsecurity.VectraNetworks–TheapplicationofmachinelearningandAItocybersecurityisagreatbrightspotinourindustry,andVectradoesitaswellasanyone.IappreciatetheirtimeandassistancetoTAGCyber,andIlearnedsomuchfromtheirfineteam!VMWare–AlexTosheffisarisingstarincybersecurity,andhehelpedmeunderstandtherolethatvirtualoperatingsystemsandinfrastructurewillplayinnextgenerationcyberprotection.ItwassuchadelighttoworkwiththeVMWareteam!WaterfallSecurity–ItisimpossibletospendtimewithLiorFrenkelfromWaterfallandnotcomeawayexcitedandinvigoratedtomeetthegrowingchallengesofprotectingindustrialcontrolsystems.Keepupthegreatwork,Liorandteam!ZeroFOX–ThewonderfulteamatZeroFOXunderJamesC.FosterwasgenerouswiththeirtimeandassistancetoTAGCyber,helpingusbetterunderstandthebestwaytoaddresssocialanddigitalrisks.ThankstotheZeroFOXteam!

2018TAGCyberSecurityAnnualVolume1:OutlookforFiftyCyberSecurityControlsPreparedbytheTAGCyberSecurityAnalystsTeamLead:Dr.EdwardG.AmorosoIntroductionToassisttheenterprisecybersecurityteaminthereductionofrisk,TAGCyberhasidentifiedandpublishedfiftycontrolsthatmustbeaddressedinanyeffectiveorganizationalprotectionprogram.Thesecontrolsaredepictedusingatabulardiagramthatmanyusershavecometorefertoastheperiodictableofcybersecuritycontrols:

Figurei.TAGCyberPeriodicTableofFiftyCyberSecurityControlsThefiftycontrolsareintroducedandexplainedinVolume1ofthe2017TAGCyberSecurityAnnual,alongwithdetailedcross-referencelistingsofworld-classcybersecurityvendorssupportingeachcontrol.ReadersareadvisedtotakesometimetoreviewthatvolumetobuildfamiliaritywiththeTAGCyberapproach.ItisavailabletoyouasafreePDFdownloadathttps://www.tag-cyber.com/.Thepurposeofthisvolumeistoprovideadetailed2018outlookoneachofthefiftycontrolsforbothenterprisepractitionersandcybersecurityvendors.Eachofthefiftycontroloutlookswasdevelopedtohelpsecurityteamsoptimizetheirprograms.Manywonderfulframeworksexistthatprovidetipsandguidanceforexistingprograms,buttheTAGCybercontrolsmatchupwiththespecific,day-to-day,practicalissuesthatariseforenterprisesecurityorganizations.Theoutlooksinthisvolumewerewrittenundertheassumptionthattheenterprisesecurityteamisunsatisfiedwiththeeffectivenessoftheirexistingapproach.Wehavetriedtocapturea

generalviewofhowmostteamsareeitherplanning,orshouldplan,acomprehensiveimprovementoftheircybersecurityecosystem.Thisgeneralviewisbestcapturedbyitssimplemoniker:Explode,Offload,andReload.

Figureii.Explode,Offload,andReloadMethodologyByexplode,weimplythateveryenterprisesecurityteammustimmediatelybreak-upanddistributetheexistingflatperimeter-protectednetwork.Byoffload,weimplythateveryenterprisesecurityteammustthenvirtualizetheresultdistributedworkloadsintoaserviceprovider-supportedcloudandnetworkinfrastructure.Byreload,weimplythattheresultantnewset-upmustthenbeprotectedwiththebestnewsecuritysolutionsavailable.Readersmustunderstandthatouroutlooksareuselesstoanysecuritypractitioner,technologydeveloper,complianceauditor,orothercyberindustryprofessionalwhodoesnotbuyintotheTAGCybermethodology.Eachoftheoutlooksassessesappropriatenessandreadinessofagivencontroltosupportdistribution,virtualization,andprotectionupgradeinthecontextoftheevolvingenterprise.Ifyouloveperimetersandmainframes,thenthisbookisnotforyou.Thesectionsbelowfollowdirectlyfromtheperiodictableofcontrols.Eachsectionbrieflyintroducestheassociatedcontrol,andthenoffersanoutlookbasedonourmethodology.Specificguidanceisofferedforenterprisesecurityprofessionalsandcybersecuritytechnologyproviders.Thisguidecanbereadstand-alone,orcanbeusedasacompaniondocumenttotheoriginalTAGCyberSecurityAnnual.Vendorlistingsforeachcontrolareahavebeenupdatedfor2018.Control1:IntrusionDetectionandPreventionSystemsIntrusiondetectionandpreventionsystems(IDPS)arecybersecurityfunctionalcontrolsthataredesignedtodetectandmitigatecyberattacks.Suchfunctionalityissufficientlybroadandgeneraltocomplicateaneasydefinitionofthiscontrol.Thiswasnotalwaysthecase,ofcourse,sinceearlyintrusiondetectionsystems(IDS)involvedsensorsinnetworksandhoststhat

collectedindicatorsforcorrelativeprocessing.DefiningIDSwassimplethen.Today,enterprisesecurityteamsshouldviewmodernIDPSasconsistingofthreefundamentalapproaches:

• TraditionalIDPS:TraditionalIDPSnetworkandhostappliances,nowmostlyvirtual,collectsignature-basedindicatorsandprovideoptionalmitigation.

• AdvancedIDPS:AdvancedIDPSuseclevermethodssuchasvirtualizeddetonationtoidentifyseriousandsubtleconditionssuchasadvancedpersistentthreats.

• Deception-BasedIDPS:Deception-basedIDPSdemonstrategreatpromiseinusingcreativelures,traps,andhoneytodetectandultimatelymitigatethreats.

ThetechniquesusedintheseIDPScategoriesincreasinglyrelyontheuseofmachinelearning,deeplearning,andartificialintelligence.Whilethesemethodsarewell-establishedmeansforapplyingheuristicmathematicalreasoningtocomputingproblems,theirproperapplicationincybersecurityproductsisnon-trivial.Somesolutionsappeartodothiswell,whereasothersmightbeusingthetermstoadvancemarketinggoals.GeneralOutlookThegeneraloutlookforIDPSinvolvestransitionfromastand-alonefunctionin1998toincreaseduseasafunctionintegratedintoothersecuritycomponents.IDPShasalsoundergonetransitionfromamoregeneralizedattackdetectionfunctiontoonethatinvolvesmoredomain-specificcapability.FirstgenerationIDPSfrom1998to2007wascharacterizedbyearlyintroductionofhost-basedintrusiondetectionsystems(HIDS)andnetwork-basedintrusiondetectionsystems,bothofferedashardwareappliancesusinggeneralintrusionsignatures.SecondgenerationIDPSfrom2007to2016wascharacterizedbyintegrationwithnext-generationfirewalls(NGFW),earlyintroductionofbehavioraldetectionalgorithms,earlyuseofsimpledeceptiontechnology,andthebeginningsofvirtualizationforcloudworkloads.ThirdgenerationIDPS,whichbeginsin2016andcanbepredictedaccuratelythrough2025willinvolveheavyimplementationinInternetofThings(IoT),mobileandcloudinfrastructure,generallyaslighter,virtualizedappliances,runningincloudoperatingsystemswithsoftwaredefinednetwork(SDN)support,andmoreeffectiveuseofdeception.

Figure1.2018IntrusionDetectionandPreventionSystemOutlookTheTAGCyberdegreeofconfidenceinthispredictiveoutlookishigh,giventheratherclearmomentumtransitionthatison-goingtoday.Thevisualdrop-offinthegraphicshowingtransitionbacktomorestand-alonefunctionsshouldnotbeviewedasanegativetrend,butratherasamoreappropriatemeansfordeliveryofattackdetectionfunctionsusingspecificvirtualappliances.Stand-aloneprocessinglendsmorenaturallytovirtualservicechainsandtothedevelopmentofflexible,defense-in-depthcloudsecuritygauntletsfoundinmicrosegmentsandcloudaccesssecurityarchitectures.AdviceforEnterpriseSecurityTeamsEnterprisesecurityteamsareadvisedtodiligentlyensurefullandpropercoverageinallthreeareasofIDPS,includingtraditional(signature),advanced(virtual,behavioral),anddeception-based,sinceeachareaoffersuniqueandnecessaryprotections.Domain-specificenvironmentssuchasindustrialcontrolwillbenefitfromtheadditionaldomainoptionsforIDPS,especiallywheremorestandardindustrialcontrolprotocolssuchasModbusandCANbusarebeingused.IDPSfunctionalitymustbeconnectedtoreasonableback-endsupportinfrastructureforthreatanalysis,evenifthisrequirespartnershipwithasuitablemanagedsecurityservice(MSS)provider.AdviceforSecurityTechnologyVendorsIDPSsecuritytechnologyvendorsshouldrecognizethatthegenericfunctionstheypreviouslysupportedwillcontinuetobecomecommoditized.Initsplace,domain-specific,stand-alone,virtualizedIDPScapabilityusingadvancedalgorithmswillgeneratesales.VendorsshoulddifferentiatetheirIDPSproductsbasedonspecific,targetedcapabilities,becauseIDPSfunctionalitywillbecomesufficientlyubiquitousthatgeneral,signature-basedfunctionsdetectingwell-knownattackswillgothewayofcalculatorsandflashlights.Thatis,theywillbecomevirtualizedandintegratedintoothercomponents.Deceptionwillcontinuetogrowinrelevanceandthebestvendorswilllearntodealwithspecificbusinesscharacteristicstoensuretargetbelievability.ListofSupportVendorsAlcalvio–ThroughacquisitionofShadowNetworks,Alcalviocreatesvirtualnetworkswhereprogrammerscansimulateattacks.AlienVault–AlienVaultisaSIEMvendorthatincludesIPSsecurityfunctionsinitscrowd-sourcedcybersecuritycapabilities.AttivoNetworks–AttivoNetworksprovidescustomerswithdeception-basedattackdetectionandpreventioncapabilities.Bricata–Bricataoffershighperformanceintrusionpreventionthatoperatesatlinespeedwithalargenetwork.BluVector–BluVectorprovidesadvancedthreatdetectionsolutionsincludingacapabilitybasedonartificialintelligence.CheckPointSoftware–CheckPointSoftwareofferssolutionswithIPSasanintegratedfeaturesorstand-alonecapability.Cisco–Cisco’sintrusiondetectionproductshelpedtoestablishtheenterpriseIPSmarketinthemid-1990’s.CoreSecurity–CoreSecurityprovidesanadvancedplatformforrealtimenetworkdatacollectionandsecurityanalytics.Cymmetria–Cymmetriaoffersdeception-basedcomputingtodetectingadvancedcybersecuritythreats.DBNetworks–DBNetworksprovidescontinuousmonitoringandattackdetectionfordatabaseinfrastructure.DeepInstinct–DeepInstinctemploysdeeplearningtodetectadvancedrealtimeAPTinendpoints,servers,andmobiles.Endian–EndianprovidesawiderangeofUTM,firewall,VPN,andrelatedsolutions,manywithintegratedIPScapability.enSilo–enSiloprovidesadvanceddataexfiltrationdetectionsolutionsforenterprisecustomersexperiencingabreach.ExtremeNetworks–ExtremeNetworksoffersanIPSbasedonitsEnterasysacquisitionyearsago.FireEye–FireEyeprovidesAPTdetectionandpreventionthroughdatacollectionandvirtualdetonationofsuspiciouspayloads.Fortinet–FortinetofferstheFortinetIntrusionPreventionSystemwiththeabilitytocustomizesignatures.

HPE–TheTippingPointproduct,acquiredbyHPE,wasoneoftheearliestintrusionpreventionsystemsinourindustry.Huawei–HuaweiisamajorChinesetechnologyandnetworkproviderthatincludesIPSsolutionsforenterprise.IBM–SolutionproviderIBMoffersitsSecurityNetworkIntrusionPreventionsystemappliancespoweredbyX-ForceR&D.Idappcon–Idappconoffersin-linenetworkintrusiondetectionsolutionswiththeabilitytowriteSnort-basedsecurityrules.Illusive–IllusiveprovidesIDSutilizingdeceptionbasedontheexperienceoftheprincipalsworkinginIsrael’seliteUnit8200.Intrusion–IntrusionhasbeenofferingarangeofIDSandIPSsolutionssince2000.IronNetCybersecurity–IronNetisanetworkmonitoringandsecurityanalyticsfirmprovidingstate-of-the-artattackdetection.JavelinNetworks–ThecompanyusesdeceptiontoprovideadvancedActiveDirectoryprotectionforenterprise.LightCyber–LightCybersupportsadvancedbehavioralattackdetectionthroughitsMagnaplatform.MetaFlows–MetaFlowshasdevelopedintrusionpreventiontechnologybasedonin-lineSnortoperation.Intel–McAfee,previouslyIntel,offersintrusionpreventionsystemproductswithsignatureandsignature-lessinspection.Niara–Niaraprovidesasecurityanalyticsplatformthatsupportsforensicsandbasicrealtimeattackdetectioncapabilities.NIKSUN–NIKSUNcansupportpacketcaptureandanalysisatextremelyhighnetworkcapacityrates.NSFOCUS–NSFOCUSincludesintrusionpreventioncapabilitiesinitsanti-DDOSproductandservicesuite.Onapsis–OnapsisprovidesautomatedsecurityassessmentandattackdetectionservicesforSAP.PaloAltoNetworks–PaloAltoNetworksprovidesarangeofembedded,integratedsupportforIPSinitssecurityproducts.PrivacyWare–PrivacyWareoffersadvancedintrusionpreventionandWebapplicationsecuritysoftwareforMicrosoftIIS.Radware–TheDefenseProNetworkIntrusionPreventionisintegratedwithDDOSandSSL-basedattackprotection.ReversingLabs–ReversingLabsprovidesautomatedsupportfordetectingmalwareinfiles,web,andemail.Seculert–Seculertprovidesavirtual,cloud-basedplatformthatisaccessibletotheenterpriseviaAPIs.Securonix–Securonixprovidesaplatformforcollectingandanalyzingcybersecurityintelligenceforthreatdetection.Snort–Snortconsistsoffreeintrusiondetectionsoftwareusedinacademic,research,andinnovativeenvironments.SS8–SS8extendsitsexpertiseinlawenforcementdatacollectionandintosupportformodernIPSbasedondeepinspection.Symantec–Symantecoffersmaturenetwork-basedIPSprotectionsolutionsaspartofitswiderangeofsecurityofferings.TrapXSecurity–TrapXprovidecyberattackdetectionthroughcamouflagedmalwaretrapsanddeceptivecomputing.TrustedMetrics–TrustedMetricsoffersanintrusiondetectionsystemwithadvancedthreatandmalwaredetection.TrustWave–Thewell-knownsolutionproviderincludesIPScapabilitiesinitsrangeofITsecurityofferingsforenterprise.VectraNetworks–Vectraprovidesadvanced,realtime,AI-basedcontinuousmonitoringofnetworks.Veedog–TheVeedogsolutionoffersmalwarepreventionthatsandboxessuspiciousfilesandscreensthemforproblems.WebrootCyberFlowAnalytics–WebrootacquiredtheCFAadvancedbreachdetectionproductforenterprisecustomers.Control2:DataLeakagePreventionSystemsDataleakageprevention(DLP)systemsarecybersecurityfunctionalcontrolsthataredesignedtodetectbothaccidentalandmaliciousreleaseofproprietaryorsensitiveinformationtoanyunauthorizedentity.Whensuchoperationinvolvesinadvertent,accidentaldataleakage,DLPsystemsexistonthemarginsofsecurityandinformationtechnology(IT).Increasingly,however,DLPsystemsareexpectedtodetectmaliciousactivityinvolvingtheexfiltrationofdatatoexternalsources.Thesearetoughmarchingordersforanysecuritycomponent.Today,enterprisesecurityteamsshouldviewDLPasconsistingoftwomaintechnicalapproaches:

• EndpointDLP–FunctionalityisembeddedinendpointssuchasPCs,mobiles,andevencloudworkloadstodetectandoptionallyblocksensitiveinformationtransferacrossnetworks,USBconnections,andothermeans.

• GatewayDLP–Functionalityisembeddedingateways,bothlogicalandphysical,todetectandoptionallyblockinformationtransfer.Gatewaysarebecomingincreasinglyvirtual,andhaveexpandedtoincludeadjacentmechanismssuchasapplicationprogramminginterfaces(APIs)betweensoftwareprocesses.

ThetechniquesusedinDLPstartedwithsimplepatternmatchingonafewphrasessuchas‘proprietary’or‘confidential’thateachorganizationwouldusetodetectdataleakage.Thismethodquicklyexpandedtoincludematchingonnumericpatterns,sometimesusingregularexpressiondefinition.Thegoal,obviously,wastodetectcreditcardnumbersandUSsocialsecuritynumbersbeingsentinappropriately.Suchtechniqueshavebeencomplicatedbyencryptionandcomplexarchitecturalset-upswiththird-parties,hybridclouds,andmobiledevices.Hence,themodernDLPvendorwilltakeamoreholisticapproachtodetectingleakage,oftencombiningtraditionalmeanswiththeuseofbehavioralanalytics,machinelearning,andotheradvancedpredictivealgorithms.GeneralOutlookThegeneraloutlookforDLPinvolvestransitionfromanobservational,reactivesolutiontoonethatusesbehavioralmethodstopreventleakage.Architecturalpositioningwillshiftfromcentralizedgatewaysandendpointstoamoredistributedhybriddeploymentfocusedoncloudworkloaddataleakage.FirstgenerationDLPfrom1998to2007wascharacterizedbyphrase-matchingmethodsonendpointsandnetworkstodetectnon-maliciousinformationtransfer.SecondgenerationDLPsystemsfrom2007to2016begantoincorporatemoreadvancedalgorithms,includingmachinelearningandregularexpressionparsing,todetectmoresubtleleaks.ThirdgenerationDLP,beginningin2016andadvancingto2025,shouldbeexpectedtocontinuetheiralgorithmicimprovementusingmachinelearningtoproactivelypreventadvanced,subtledataleakageattemptsfromvirtualizedcomputingstructuressuchashybridcloudworkloads.AsperimetergatewaysdissolveandasphysicalPCandmobileendpointsbecomesoftware-defined,behavioraldeterminationofdataleakagewillbecomefullyvirtual.

Figure2.2018DataLeakagePreventionSystemOutlookTheTAGCyberdegreeofconfidenceinthispredictiveoutlookishighgiventheclearmomentumviewsthathavebeenestablishedintheDLPmarketoverthepasttwodecades.ThesuggestionthatphysicalendpointPCandmobiledeviceswillbecomesoftware-defined(likeyourcalculatorandflashlight)canbejarringtosomeobservers,butshouldbenonethelessexpected,giventhepredictablepatternforhowtechnologyprogresses.

AdviceforEnterpriseSecurityTeamsEnterprisesecurityteamsareadvisedtofocustheireffortsinthreeareas:First,theymustrevisitandimproveondataclassificationdefinitionsacrosstheenterprise.Thistaskisalwaysdonepoorly,includinginmultilevelsecurityenvironmentsingovernment,andthisisunfortunate,becauseproperDLPisnotpossiblewithoutproperdefinitions.Second,theymustoptimizeexistingDLPdeploymentsthatarelikelytobescatteredacrossgatewaysandendpoints.Formostcompanies,thisisamess,anditwillcontinuetobeforsometime.Third,andthisisthegoodnews,enterpriseteamsshouldbeginreviewingandtestingtheuseofDLPincloudmicrosegments,cloudaccesssecuritybroker(CASB)tools,softwaredefinednetwork(SDN)applications,andothervirtualizedcomputingentities.ThisisthefutureofDLP,asapowerfulembeddedcapability,soit’stimenowtobeginlearninghowtoorchestratesuchcollectivedataleakageprocessing.AdviceforSecurityTechnologyVendorsDLPsecuritytechnologyvendorsshouldrecognizethatthegenericfunctionstheypreviouslysupported,especiallyfornon-maliciouspatternmatching,willcontinuetobecomehighlycommoditized.Initsplace,domain-specific,stand-alone,virtualizedDLPcapabilityusingadvancedalgorithmswillbecomethenorm.ItwillbechallengingforDLPvendorstoorchestratedynamicpolicychanges,buildadistributedsnapshotofleakagerisk,andpreventadvancedattacksacrossmultiplecloudworkloads.DLPvendorswhoignorethisobviousshifttohybrid-cloudbased,SDN-orchestratedvirtualizationwillbecomeextinctinthenextdecade.ListofSupportVendorsAbsoluteSoftware–ThroughitsacquisitionofPalisadeSystems,thecompanyoffersenterpriseDLPsolutions.Axway–AxwayprovidessecurefiletransferandemailsecuritysolutionsincludingsupportforDLP.BHCLaboratory–BHCisacybersecurityconsultingandtrainingfirminEstoniathatincludesarangeofDLPproducts.BooleServer–BooleServerisanItalianencryptionsoftwarefirmthatincludesDLPforadvanceddataprotection.CATechnologies–CAoffersenterprisecybersecuritycapabilitiesincludingdataleakageprevention.CenterTools–TheGermancompanyoffersITsecurityanddataprotectiontoolsincludingDriveLocksoftwareforDLP.CheckPointSoftware–CheckPointoffersDLPsolutionsforon-premiseorvirtualdeployment.CipherCloud–CipherCloudsupportsDLP-basedcybersecuritycompliancesolutionsforpublic,hybrid,andprivateclouds.Cisco–ThecompanyofferstheCiscoIronPortproductforhighperformanceprotectionofemailandWebdata.Comodo–SecurityfirmComodoacquiredtheMyDLPdatalosspreventionsoftwaresolution.CoSoSys–CoSoSysincludesdatalosspreventionfunctionalityaspartofitsendpointsecurityofferingsforenterprise.DataLocker–Kansas-basedDataLockerincludesaUSB-basedDLPprotectionsolutionwithdigitalrightsmanagement.Deep-Secure–Deep-Secureprovidesnext-generationcontentinspectionforitsfirewallandrelatedenterpriseproducts.DeviceLock–DeviceLockofferstheDeviceLockDLPsolutionforprotectingpersonalandbusinessdata.DigitalGuardian–DigitalGuardianoffersnext-generationDLPtocontroldata,enforceegresspolicies,andmore.FidelisCyberSecurity–FidelisisaleaderinprovidingcybersecuritysolutionsincludingsupportforenterpriseDLP.Forcepoint–TheForcepointsecurityofferingsincludeaDLPModuleinitsTRITONAPXproduct.Fortinet–AdvanceddataleakagepreventionfunctionalityfortheenterprisecanbeconfiguredusingtheFortiGateproduct.GajShield–TheGajShieldnext-generationfirewallappliancesincludeadvanceddataleakagepreventionfunctionality.GroundLabs–TheEnterpriseReconsolutionfromSingapore-basedvendorincludessensitivedatadiscoveryandmanagement.GFISoftware–GFISoftwareprovidesarangeofadvanceddataleakageprotectionanddataawarenessforportabledevices.GTBTechnologies–TheCalifornia-basedfirmoffersenterprisedatalosspreventionandcybersecuritysolutions.HPE–TheHPEnterpriseAtallainformationprotectionandcontrolsolutionincludesdataleakageprotectionfunctionality.IBM–GlobaltechnologyfirmIBMoffersdatalosspreventionproductsaspartofitsDataSecuritysuiteofsolutions.InfoWatch–RussianfirmInfoWatchofferscustomerstheTrafficMonitorEnterpriseintegrateddatalosspreventionsystem.Intellinx–Intellinxoffersanadvanceddataleakagepreventionsolutionaspartofitsoverallsetofenterpriseproducts.JIRANSOFT–JIRANSOFTprovidesarangeofSaaS-baseddataleakagepreventionsolutionsforthemodernenterprise.

McAfee–RecentlyspunofffromIntel,McAfeecontinuesasaleaderinenterprisecybersecurityincludingDLP.Microsoft–MicrosoftincludesarangeofadvanceddatalosspreventionaspartofitssuiteofsolutionsincludingOffice365.Mimecast–UK-basedfirmMimecastprovidesdatalosspreventionforemailtosupportgovernance,risk,andcompliance.Minereye–ThisIsraelistart-upsecuritycompanyappliesmachine-learningcontrolstoprotectcompaniesfromdataloss.Intelisecure–ThroughacquisitionofPenturain2015,Intelisecurenowprovidesamanageddataleakagepreventionservice.Proofpoint–Proofpointincludeshigh-quality,advancedDLPfunctionalityinitsadvancedemailsecurityfilteringtechnology.RSA–Thecybersecuritypioneeringcompanyincludesdatalosspreventioninitscybersecuritysuiteofenterprisesolutions.RUAG–RUAGprovidesaDLPProductfortheenterprisethatisreferredtoasAdaptiveDataLossPrevention.SilverSky–NowpartofBAESystems,SilverSkyoffersemaildataleakagepreventionsolutionsforenterprisecustomers.Skyhigh–Skyhighoffersacloud-basedsecuritysolution,includingdataleakagepreventionforenterprise.Sophos–Sophosincludesadvanceddatalosspreventioncapabilitiesinitssuiteofcybersecurityprotectionsolutions.Somansa–Thecompany,locatedintheUSandMexico,offersDLPfornetwork,email,andotherenterprisesystems.Spambrella–Spambrellaofferscloud-baseddatalosspreventionsolutionsforcustomersaspartofitsemailfilteringservice.Symantec–Thecybersecurityfirmincludesadatalosspreventioninitsoverallcybersecuritysuiteofenterprisesolutions.TrendMicro–TrendMicroincludesdatalosspreventioninitsextensivecybersecuritysuite.Trustwave–TrustwaveoffersadvanceddatalosspreventionsolutionsthroughitsacquisitionofVericeptin2009.Zecurion–ZecurionprovidesmobiledatalosspreventionsolutionsforenterprisethataddressBYODinitiatives.ZixCorp–ZixCorpintegratesitsemailencryptionproductwithdatalosspreventionfeatures.Control3:FirewallPlatformFirewallplatformsseparatenetworks,orothercomputingenvironments,toenforceadesiredsecuritypolicy.Mostfirewallplatformsresideongatewaysbetweennetworks,butsomeresideonendpointstoenforcemorelocalpolicies.Firewallplatformoperationisdefinedbyasetofrules,usuallyadministeredusingvendor-providedtools.Notethatwereferencefirewallsasplatformsheretohighlighttheintegratedsetofcapabilitiesfoundinmostmodernfirewalls.Readersalreadyknowthatfirewalltechnologycontinuestowintheawardformostexplanatorytaxonomies–withsomepointingtotwomaincategoriesoffirewalls,somepointingtothreemaincategories,somepointingtofive,andonandon.Ourviewisthattheenterprisesecurityteamwillwanttodifferentiatefirewallplatformsbasedonthefollowingsevencriteria:

• StatelessPacketFilter–Thesearesimplefirewallcomponents,oftenimplementedinrouters,thatprovideenterprisesecurityteamswithfilteringthatcanbedeployedquicklyandatlowcost.

• StatefulApplicationGateway–Thesearemorecomplexfirewallproductsthatincludeapplication-levelfunctionalitysuchasproxiesandthatarealsosimpletodeploy,andatrelativelylowcost.

• Next-GenerationPlatform–Thesearemoremodernandpowerfulfirewallplatformswithanimpressivesetofintegratedsecuritycapabilitiesandfeatures,especiallyattheapplicationlevel.

• SharedNetwork-BasedPlatform–Thisisafirewallplatformthatresidesinanetwork,usuallyaspartofamulti-customer,sharedmanagedservicefromasecuritysolutionprovider.

• VirtualAppliance–Thisisafirewallpolicyenforcementcapabilitythathasbeenvirtualizedtoruninacloudoperatingsystemoftenaspartofamicro-segmentedarchitecture.

• FirewallPlatformSupportTools–Thesearefirewallsupportcapabilities,usuallyfocusedonassistingfirewalladministratorswiththeirgrowingnumberofrulesetsandpolicymanagementobligations.

Notethatendpointfirewallsrequiredifferentmanagement,andarebestviewedseparatelyaspartofaprotectionsolutionforPCs,servers,mobiles,IoTdevices,andthelike.Itgoeswithoutsayingthatfirewallswillcontinuetoserveasthebackboneformostenterprisesecurityarchitectures.Toillustrate,justaskanyChiefInformationSecurityOfficertosketchtheirarchitectureonawhiteboard,andtheywillstartdrawingfirewallsandnetworks.Thisimpliesthatregardlessofwhetherthefirewallplatformisstatelessorstateful,packet-levelorcircuit-based,simplegatewayorcomplexnextgenerationplatform,locally-managedorserviceprovidercontrolled,orphysicalorvirtualized–thefirewallwillremainatthecenterofeveryenterprisesecuritysolutionfortheforeseeablefuture.GeneralOutlookThegeneraloutlookforfirewallplatformsinvolvestransitionfromhardwareappliancestomorevirtualsolutions,andthesinglegatewaynatureofmostolderenterprisenetworkswillcontinuetoevolvetodistributed,cloud-basedsystemswithmultipleworkloadsrequiringfirewallprotection.Firstgenerationfirewallsfrom1998to2007combinedabasicfive-tuplepacketfilteringmethodologywithearlyproxyfunctionsintoasimplegatewaysolution.Thecapacityrequirementsforsuchfirewallscertainlyexpandedduringthisperiod,butremainedmodestbytoday’sstandards.Secondgenerationfirewallsfrom2007to2016includedthemassivegrowthofnext-generationfirewallsolutionswiththeabilitytodynamicallylearnhowapplicationsworked.Duringtheperiod,however,thecomplexityoftheperimeterapproachproducedspectacularcollapsesformostenterprisesecurityteams,andthefirewallgatewaycouldnotkeepupwiththeexpandednumberofrules,features,andgateways.Italsodidnothelpthatcapacityneedsgrewconsiderablyduringthisunfortunateperiod.Thirdgenerationfirewalls,from2016to2025,havetheobligationtofixtheproblemofnon-workingperimeters.Theywilldothisbyembracingdistribution,virtualization,andsimplification.Expecttoseesimplervirtualfirewallcapabilitiesthatself-tailortotheneedsofaspecificcloudworkload.ExpecttoseevirtualfirewallcapabilitiesthatcanworkinthedifficultterrainofIoTandindustrialcontrolprocessing.Alsoexpecttoseeamassiveincreaseindistributedfirewalldeploymentsintomicro-segmentedenvironmentsoncloudoperatingsystemssuchasOpenStack.Inaddition,aslargenetworkgatewaysaredistributedandvirtualized,thecapacityneedsforenterprisefirewalls,whichbeganmodestlyandthenexpandedduringthesecondgeneration,willnowbecomereducedonceagaintomoremodestsizes–althoughtheaggregatecapacityinatypicalenterprisewillbecomemuchgreater.

Figure3.2018FirewallPlatformOutlookTheTAGCyberdegreeofconfidenceinthispredictiveoutlookishigh,butthepowerfulfirewallindustrymightnotenjoyallaspectsofthisevolution.Existingfirewallhardwaremightcontinuetoamortizeontheorganization’scapitalbooksforyearsintothefuture,andteamsmightbehesitanttoimmediatelyreplacethem.Despitethis,theobviouscollapseoftheenterpriseperimeterineverysizenetworkwilldrivedistribution,virtualization,andsimplificationfasterthananyonemightcurrentlyexpect.AdviceforEnterpriseSecurityTeamsEnterprisesecurityteamsareadvisedtotakeasmuchtimeaspossiblethisyeartolearnthevariousoptionsthatareavailableforfirewallplatformprotectionastheperimeternetworkevolves.Basicunderstandingoffive-tupletechnologyisinsufficientinthecomingyearstodealwiththemyriadofdecisionsthatwillberequiredtooptimizefirewallplatformselection,installation,andmanagement,especiallyfornext-generationsolutions.Thisisadifficulttimeforenterpriseteamswithadissolvingperimeter,soitistimetostudy,learn,andabsorbeverythingavailableregardingfirewallplatformtechnology.Teamsshouldalsotaketimetounderstandevolvingoptionsfromserviceprovidersfornetwork-basedandcloud-residentvirtualfirewallcapabilities.AdviceforSecurityTechnologyVendorsIDPSsecuritytechnologyvendorsshouldrecognizethattheperimeterismeltingquickly,andwiththischangewillcomegreaterdemandfordistributed,virtualfirewallsolutions.Vendorsarewarnedthatthehistoryoftechnologyteachesusthatthesechangessometimescomeinachoppymanner,ratherthanasasmoothtransition.Traditionalhardwareproductsthatresideonaperimetermightbepayingthebillsforvendorstoday,butthiscanchangeinaheartbeat–sofirewallplatformvendorsmustbecarefulnottowaittoolongbeforerethinkingtheirtechnologyapproach.Thenextdecadewilldemandsimpler,domain-specificfirewalltoolsthatarelight,virtual,anddistributed.Vendorswhomissthistransitionwillsuffertheconsequences.ListofSupportVendorsAlgoSec–AlgoSecprovidesadvancedtoolsforsupportingenterprisefirewallpolicymanagementandoperations.

BarracudaNetworks–Barracudaprovidestoolsforfirewallpolicymanagementandoperationsintheenterprise.BlackridgeTechnology–Thecompany’sfirstpacketauthenticationprovidesadvancednetworkaccesscontrolforenterprise.CalyptixSecurity–TheCalyptixteamofferstheAccessEnforcerfirewallaspartofitsunifiedthreatmanagementsolution.CheckPointSoftware–CheckPointSoftwarewasthefirstmajorfirewallvendorandremainsaforceinthefirewallmarket.Cisco–Ciscocomplementstheirofferingswithafirewallproductforpremiseandnetwork.Clavister–TheClavisterteamprovidessoftwareandappliance-formatfirewallandVPNsolutionsforbusiness.Comodo–Comodoincludesafreefirewallfordownload,whichfocusesonPCsecurityprotections.Deep-Secure–Deep-SecureisaUK-basedcompanyprovidingcybersecuritysolutionsrangingfromDLPtofirewalls.Dell–DellofferstheSonicWallfirewallsolution,whichintegrateshardware,software,andservicesintoacommonplatform.Endian–Endianprovidesaunifiedthreatmanagement(UTM)solutionthatincludesenterprisefirewallcapabilities.F5–F5isasuccessfulnetworksolutionsproviderwithanextensiverangeofsecuritycapabilitiesincludingfirewallsolutions.Forcepoint–In2015,RaytheonacquiredandspunofftheformerWebsense,aspartofForcepoint.Fortinet–Fortinetoffersasecurityfabricofpremiseandnetwork-basedfirewallandrelatedenterprisesecurityproducts.GajShield–GajShieldprovidesnext-generationfirewallcapabilitywithdataleakagepreventionandcloudsecuritysupport.gateprotect–NowapartofRohde&Schwarz,gateprotectoffersarangeofnext-generationfirewallandUTMproducts.HillstoneNetworks–HillstoneNetworksprovidesnextgenerationfirewallcapabilitieswithintegratedbehavioralanalytics.Huawei–HuaweiisaChinesecompanythatprovideshighqualityfirewallappliancesincludinghighperformanceoptions.Juniper–NetworksolutionproviderJuniperofferstraditionalandnext-generationfirewallsolutionsfortheenterprise.Kerio–TheKerioteam,nowapartofGFISoftware,offersapersonalfirewallandfirewallfunctionalityinitsUTMsolution.ManageEngine–TheManageEngineteamoffersasuiteofenterprisenetworksecurityproductsincludingfirewalls.NetAgent–JapanesefirmNetAgentprovidesawiderangeofeffectivefirewallsolutionsforuseinthemodernenterprise.PaloAltoNetworks–PaloAltoNetworksofferssolutionsforapplication-awarefirewallandendpointsecurity.Sangfor–TheSangforteamoffersanextgenerationfirewallsolutionwitheffectivesupportforSSL/VPNapplications.SmoothWall–ThefreefirewallsolutionSmoothWallisavailablefordownloadanduseinprotectinganenterprisenetwork.Sophos–Sophosprovidesarangeofnetworksecuritysolutions,somebasedontheAstaroandCyberoamacquisitions.Tufin–Tufinprovidesasecuritypolicyorchestrationtohelpfirewalladministratorsensureanoptimalfirewallruleset.vArmour–vArmouroffersadistributed,virtualizedfirewallfordatacentersandenterprisewithorchestration.VenusTech–Chinesefirm,VenusTech,offersnetworksecuritysolutionsforenterpriseincludingfirewalls.WatchGuard–WatchGuardprovidesaunifiedthreatmanagement(UTM)platformwithfirewallcapability.Control4:NetworkAccessControlNetworkAccessControl(NAC)consistsofsecuritymechanismsdesignedtoprotectalocalareanetworkfrommalwareorotherinfectionsthatmightresultfromallowingconnectivitybyaninsecuredevice.NACsecuritymechanismsincludethefollowingthreecategoriesofprotectionfunctionality:

• Pre-ConnectivityProtections–Thisinvolvesanypre-testing,analysis,inventory,patching,scanning,orotherchecksthathelpdeterminesecuritysuitabilityofagivendeviceforconnectivitytothelocalareanetwork.

• QuarantineProcessing–Thisinvolvesanyintermediatetesting,analysis,mitigation,patching,orotherquarantine-basedprotectionsthataredesignedtoimprovedeviceintegritybeforeconnectivityisallowed.

• Post-ConnectivityProtections–Thisinvolvesanypost-connectivityupdates,mitigations,scans,patches,orotherenhancementsthataredesignedtoreducemalwareriskafteradevicehasbeenpermittedtoconnecttoalocalareanetwork.

NACdevelopedattheintersectionofflat,perimeterprotectedenterprisenetworkswithunmanaged,non-company-controlleddeviceaccess.Thevalidconcernwasthatbyallowinguntrustworthydevicestoconnecttoalocalareanetwork,theresultmightbeimmediateand

comprehensivelateralpropagationofmalwaretoallotherconnecteddevicesandsystems.Thisapproach,memorializedinstandardssuchasIEEE802.11,hadimmediatechallenges,includingthepracticalproblemofPCscanningtakingmuchlongertocompletethananyuserwouldbereasonablyexpectedtowaitfornetworkentry.Morerecently,withthedissolutionoftheperimeter,andtheadvanceofcloud-basedmobiledeviceusage,theNACchallengehasshiftedtothevirtualhybridcloudinfrastructure.Thatis,thedesireremainsthatdevicescannotintroducemalwaretothevirtualizedorganizationalnetwork.Forthisreason,basicentryandadmissionconditionscontinuetobeanimportantrequirement.GeneralOutlookThegeneraloutlookfornetworkaccesscontrolinvolvestransitionfrommoremanualdetectionandquarantinefunctionstohighlyautomatedcapabilitiesthatperformsimilarfunctionsmorerapidlyandefficiently.TraditionalLAN-basedNACforPCsusinghardware-basedcontrolswillshifttowardvirtualized,hybridcloudaccesswithsupportforPCs,tablets,mobiles,andotherdevices.FirstgenerationNACfrom1998to2007wascharacterizedbysimplePCpolicycontrolstodetectbasicpatchingandvulnerabilityconditionsbeforeentrywouldbepermitted.ManyfailedprojectsensuedbecausetheNACgoalwassoclear,butimplementationwassomuchmorecomplex.SomeorganizationseventriedtoprovideNACusinginventoriesofmediaaccesscontrol(MAC)addresses,butthisapproachnevercaughtonmoregenerally.SecondgenerationNACinvolvedimprovedpolicycontrolswithself-assistedremediationinquarantines.NACsolutionsbegantorecognizetheshifttocloudandincreaseduseofmobiledevicesintheenterprise.ThirdgenerationNAC,startingin2016andevolvingto2025,willexperienceatotaldissolutionfromtheenterprise,andanalmosttotalvirtualizationtocloud.Quarantineswillbenefitfromthevirtualization,andsimplercloudworkloadswillbeeasiertoanalyzefromanintegrityperspective.Theshifttocloudwillbringallhardware-basedNACsolutionsforphysicalLANstoaclose,butwillopenmanynewopportunitiesforvirtualizedNACcontrols,includingdynamicallycreatedquarantinesthatcanlearnthesituationandadjustprocessingtoitsuniquecharacteristics.

Figure4.2018NetworkAccessControlOutlook

TheTAGCyberdegreeofconfidenceinthispredictiveoutlookismoderatelyhigh,withtheonlyhesitationherebeingtheunpredictablenatureofthecloudmarketplace.NAC-likecapabilitiesmightbecomeembeddedintotheidentityandaccessmanagementforcloudservices,whichwouldresultinagreatlyreducedopportunitiesforpurevirtualNACsolutions.NACtechnologyhasbeentoughforanalyststocallinthepast,sothisoneremainsabituncertain.AdviceforEnterpriseSecurityTeamsEnterprisesecurityteamsareadvisedtofollowtwopathsinthecomingyears:First,theymustnotneglecttheimportanceofNAC-basedpolicyenforcementforunmanageddevicesiftheycontinuetooperateaperimeter-basedlocalareanetwork.Itwouldbeeasytoforgetthatamidstallthetalkaboutcloudservices,day-to-dayenterprisenetworksecuritymustcontinuetooperate.Second,theymustalsobegintoplanfornewimplementationsofNACpolicyinthepresenceofvirtualizationanddistributedXaaSusage.DiscussionswithNACvendorsshouldalwaysincludediscussionofthisrapidlyapproachingreality.AdviceforSecurityTechnologyVendorsNACsecuritytechnologyvendorsshouldrecognizethattheirexistinglocalareanetwork-basedhardwaresolutionswillnotbeviableformorethanafewadditionalyears.Thisisnotbadnews,becausetheintensityofNACpolicywillnotonlyremainintheenterprise,butwithhybridcloud,NACobjectivesmightintensify.Thiswillrequirethatproductsolutionsadjusttothenewarchitecture,perhapswithcloserrelationshipsformedwithmobilesecurity,cloudsecurity,andremoteaccesssolutionproviders.ListofSupportVendorsArubaNetworks–ArubaNetworks,nowpartofHP,providestheClearPassPolicyManagerNACsolutionfortheenterprise.Auconet–SanFrancisco-basedAuconetincludesanetworkaccesscontrolsolutionforenterprisecustomers.Avaya–TelecommunicationsvendorAvayaprovidesarangeofnetworkaccesscontrolsolutionsfortheenterprise.BradfordNetworks–BradfordNetworksprovidesaNACsolutionfortheenterprisecalledNetworkSentry/NAC.Cisco–CiscoembedsNACfunctionalityintoitsLANsolutionsforenterpriseviatheCiscoNACAppliance.Endian–TheItalianfirewallandIPSvendorincludesNACsolutionsaspartofitsenterpriseoffering.ExtremeNetworks–ExtremeNetworksoffersNACaspartofitsnetworkingandsecurityproduct.ForeScout–California-basedForeScoutprovidesaNACsolutioncalledForeScoutCounterACTfortheenterprise.GreatBaySoftware–GreatBaySoftwareprovidesarangeofnetworkaccesscontrolsolutionsforenterprise.Impulse–ImpulseprovidestheSafeConnectnetworkaccesscontrolsolutionfortheenterprise.InfoExpress–InfoExpressprovidesauniquepeer-to-peernetworkaccesscontrolsolutionformobiledevicesandlaptops.Juniper–JuniperembedsNACintoitsEXSeriesEthernetSwitchproduct.Macmon–Thesmallcompany,headquarteredinBerlin,providesfullIEEE802.1xNACsolutions.PacketFence–PacketFenceprovidesanetworkaccesscontrolsolutionforitsenterprisecustomers.Portnox–TheIsraelicompanyprovidesitsPortnoxNACnetworkaccesscontrolsolutionfortheenterprise.PulseSecure–PulseSecureisaspin-ffofJuniperandprovidesamobilityandBYOD-supportingNACsolutionforenterprise.SnoopWall–SnoopWallacquiredtheNetBeatnetworkaccesscontrolsolutionfortheenterprisefromHexisin2014.StillSecure–StillSecureprovidestheSafeAccessnetworkaccesscontrolsolutionfortheenterprise.TrustWave–SecurityserviceproviderTrustWaveprovidesamanagednetworkaccesscontrolsolutionfortheenterprise.UnitedSecurityProviders–TheSwisscompanyoffersavarietyofnetworkaccesscontrolsolutions.ViaScope–LocatedinSouthKorea,ViaScopeoffersintegratedIPaddressmanagement,DHCP,andNACsolutions.Control5:UnifiedThreatManagement

UnifiedThreatManagement(UTM)integratescommonsecuritygatewaysfunctionssuchasfirewall,intrusiondetectionandprevention,dataleakageprevention,andantivirusfilteringintoacommonapplianceproduct.Smallandmid-sizedbusiness(SMB)organizationshavetendedtoprefertheuseofUTMsolutionsbecauseoftheirmanagementconvenienceandrelativelylowcost.SomeUTMsolutionsoffermorefine-graineduser-levelidentity-basedprotectionthanthelesseffectivesourceIPaddress-basedgranularityofatraditionalfive-tuplefirewall.AnadditionaladvantageofUTMsolutionsisthattheysupportawiderangeofcomprehensivevisibility,auditing,reportingrequirements,asregulatorycreepcontinuestodriveadditionalsecuritycomplianceobligationsdownintoSMBorganizations.GeneralOutlookThegeneraloutlookforunifiedthreatmanagementinvolvestransitionfromunevendeploymentandcoverageacrossSMBorganizationstomuchmorecomprehensivedeploymentandcoverage,althoughinamorevirtualizedmanner.Acorrespondingtrend,however,isthattheseSMBbuyerswillbemovingtheircentralizedenterpriseLANstomoredistributedhybridcloudset-ups,whichwillrequireconsiderableadjustmenttothepackaging,installation,design,andoperationofUTMsolutions.FirstgenerationUTMsfrom1998to2007involvedbasichardware-oriented,integratedgatewayfunctionalitythatsavedrackspaceandpower.SecondgenerationUTMsolutionsfrom2007to2016continuedtoaddintegratedoptionstothehardwareappliance,andcontinuedtobeanexcellentmaintenanceandlowcostoptionsformanygroups.ThirdgenerationUTM,from2016to2015,willexperiencedramaticchanges–perhapsasmuchasanycybersecuritysolutiononthemarketplace.SMBorganizationsareembracingcloudfasterthananyotherbuyingsegment–hence,theywillhavelessneedforUTMgatewayhardware,butmuchmoreneedforintegratedsecurityfunctionalitytosupportperimeter-less,software-basedhybridcloudarchitectures.

Figure5.2018UnifiedThreatManagementOutlookTheTAGCyberdegreeofconfidenceinthispredictiveoutlookishigh,sinceevidenceofSMBadoptionincloudisclearandsignificant.Sincesomanydifferentsecuritysolutionproviders

havetheireyeonthisspace,however,itisnotclearthatallUTMsolutionproviderswillproactivelyadjusttheirstrategytodealwiththenewSMBarrangement.AdviceforEnterpriseSecurityTeamsEnterprisesecurityteams,especiallyinSMBmarkets,whoenjoytheirexistingUTMshouldworkwiththeirvendortoidentifyacloudstrategy.VirtualizinganexistingUTMisharderthanitsounds,simplybecauseUTMhardwareplatformsweredesignedtobringmanyfunctionstogetherintoasingle,physicalpoint.Distributedcloudvirtualization,incontrast,isdesignedtodojusttheopposite.UTMusersandbuyersshouldthusconsideroptionsinadjacentmarketssuchascloudaccesssecuritybroker(CASB).AdviceforSecurityTechnologyVendorsUnifiedthreatmanagementsecuritytechnologyvendorsshouldrecognizethattheSMBmarkethasalreadyshifteddramaticallytocloud.AnyUTMvendorthathasnotalreadyproactivelyadjusteditsstrategytodealwiththisshiftisprobablytoolatetomakesufficientchangesnow.Certainly,aphysicalappliance-basedenterprisegatewaymarketwillremainforsomeusers,andUTMvendorsmighthavetheoptionofchargingpremiums,asisoftenseenforstubbornusersoflegacytechnology.Buttherealgrowthwillcomeincloud–andthatisnotupformuchreasonabledebate.ListofSupportVendorsBarracudaNetworks–BarracudaNetworksprovidesitsX-seriesUTMsolutionaspartofitsfirewallproductportfolio.CalyptixSecurity–CalyptixSecurityoffersaunifiedthreatmanagementsolutionfocusedonsmallandmediumsizedbusiness.CheckPointSoftware–CheckPointincludesamatureandadvancedUTMproductoffering.Cisco–Ciscooffersall-in-oneUTMsecuritysolutionforSMBdesiringsimplemanagementwithaccuratethreatintelligence.Dell–DellincludesaunifiedthreatmanagementofferingforitscustomersundertheirSonicWallbrand.Endian–Endianoffersanopensource,unifiedthreatmanagementsolutionwithfirewallandIoTsecurity.Fortinet–FortinetincludesanextensiverangeoffirewallandgatewaysecuritysolutionsintheirUTMoffering.gateprotect–gateprotectisaGermancompanythatoffersunifiedthreatmanagementandnext-generationfirewallsolutions.GuardSite–GuardSiteprovidesUTM,SSL-VPN,andfirewallsolutionsundertheWatchGuardbrand.Juniper–Juniper’sSRXseriesisamongthehighestratedUTMsolutionsforcapacityandthroughput.Kerio–Thecompany,partoftheGFISoftwarefamily,offersitsKerioControlNGSeriesUTMsolutionforenterprise.NetPilot–NetPilotisaUK-basedcompanyofferingaUTMsolutionwithcontentfilteringandsecurecloudconnectivity.MyDigitalShield–MDSisasecurity-as-a-serviceproviderwithaunifiedthreatmanagementoffering.SecPoint–LocatedinDenmark,SecPointoffersacloudprotectorUTMsolutionforenterprise.Sophos–SophosmarketsaUTMsolutionforsmallandmediumsizedbusinessbasedonCyberoamacquisition.TopsecScience–TopsecScienceisaChinesecompanyofferingarangeofinformationsecuritysolutionsincludingUTM.TrustWave–TrustWaveincludesunifiedthreatmanagementinitscomprehensivesolutionofferings.VenusTech–Beijing-basedcompany,VenusTech,offersnetworksecuritysolutionsincludingUTM.WatchGuard–WatchGuardprovidesaUTMapplianceincludinganti-Spam,malwaredetection,andintrusionprevention.Control6:WebApplicationFirewallWebapplicationfirewall(WAF)solutionsprotectHTTPapplicationsfromcyberattacksincludingwell-knownmethodssuchasSQLinjectionandcross-sitescripting,aswellasnewzero-dayexploitsthatmightgeneratemoresubtleindicators.WAFtoolstypicallyprotectserversinafamiliarreverse-proxyarrangement.Asthesecurityindustryhasprogressedinrecentyears,WAFsoperateadjacenttosimilarfunctionsincludingintrusiondetectionandpreventiontools

andwebsecuritytools.WAFs,todate,havebeenprimarilypackagedashardwareappliancesorserverplugins,butthegoaltovirtualizeintocloudoperatingsystemsisincreasing.WAFsrequireanunderstandingoftheapplicationsbeingprotected,andthiscanresultintailoringforthespecificapplicationprotocolbeingused.GeneralOutlookThegeneraloutlookforwebapplicationfirewallsinvolvestransitionfromhardwareappliancestovirtualizedcloudcapabilities.SinceWAFsoperateattheapplicationlayer,theyaremoreintimatelyconnectedtotheassociatedsoftwaredevelopmentlifecycle.Correspondingly,WAFshavehadtoadjustfrommoretraditionalsoftwarelifecycleswithlessfrequentchangestomoremodernDev/Opslifecycleswhichinvolvefrequentapplicationchanges,sometimesonadailyorevenhourlybasis.FirstgenerationWAFsfrom1998to2007involvedhardwareappliancesthatweredesignedtohandlecommonattacksbasedonasmallsetofsignatures.SecondgenerationWAFsfrom2007to2016werecharacterizedbyanimprovedsetofattacksignatures,includingsomezero-dayexploitdetection.Duringthisperiod,WAFsexperiencedthefirsthybridcloudapplicationsrequiringprotection,whichchangedhowtheWAFreverseproxieshadtobedeployed.Third-generationWAFsfrom2016to2025shouldexpecttoseeamuchlargersetofsignaturesandbehavioralprocessingsolutions.ThetransitiontohybridcloudwillrequireWAFstovirtualizeintocloudorSDNinfrastructure.ThecompleteadoptionofDev/OpswillresultinWAFdevelopersandmaintainerstohavetodealwithhighratesofapplicationchanges.

Figure6.2018WebApplicationFirewallOutlookTheTAGCyberdegreeofconfidenceinthispredictiveoutlookismoderatelyhigh,basedonaclearmomentumview,butslightlycouchedbythelesspredictablenatureofsoftwareapplicationevolution.TheadjacencyofsomanycomparablesecuritysolutionswillalsoputpressureonWAFstodifferentiatetheirvalue,versussimilarfunctionsinrelatedproducts.AdviceforEnterpriseSecurityTeams

EnterprisesecurityteamsareadvisedtoworkwiththeirexistingorplannedWAFvendortodiscusshowapplication-specificprotectionsmightevolvewithinevitablechangesinhowapplicationswillbedeliveredtotheenterpriseinthenextfewyears.Supportfordatacentervirtualization,cloudhosting,andmobiledeviceaccessmustbecentraltotheplanningdiscussion.AchallengeforsecurityteamsisthatHTTPprotectioncapabilitywillbeavailableinsomanymoreproductsthanpreviously.CASB,micro-segmentedsecurity,distributedfirewalls,andothertoolswillincludewebsecurityprotocolsolutions.AdviceforSecurityTechnologyVendorsWAFsecuritytechnologyvendorsshouldrecognizethatthetraditionalarrangementofplacingaWAFapplianceinthereverse-proxystreamforenterpriseapplicationswillgivewaytocloud-hostedapplicationsaccessedviabring-your-own-device(BYOD)mobiles.Perhapsmoreimportantly,however,WAFsolutionswillrequiresupportforrapidDev/Opschangestoapplicationsatafrequencypreviouslyconsideredimpossible.ThiswillrequirethatvendorsintegratetheirtoolwithDev/Opslifecyclemanagementcapabilitiessuchasconfigurationandversioncontroltools.ListofSupportVendorsAdNovum–Switzerland-basedAdNovumprovidesnevisProxyreverseproxyandWAFsolutions.Akamai–AkamaioffersitscustomerstheKonawebapplicationfirewall,whichprovidesalwayson,scalableprotection.AlertLogic–AlertLogicofferscustomersamanagedSecurity-as-a-Servicewebapplicationfirewall.Applicure–ApplicureofferscustomersthedotDefenderenterprise-classwebapplicationfirewallsolution.A10Networks–SanJose-basedA10NetworksprovidesitsThunderTPDwebapplicationsecurityproductline.BAESystems–ThroughtheiracquisitionofSilverSky,BAEprovidesaWAFsolutionaspartofitscloudsecurityservices.BarracudaNetworks–BarracudaNetworksoffersWAFproductsolutionsforsmall,medium,andlarge-scaleapplications.BeeWare–BeeWaremakeswebapplicationsecuritysolutionsforcustomersonAmazonWebServices.BinarySEC–BinarySECofferstheEasyWAFwebapplicationfirewallsolutionforprotection,acceleration,andstatistics.Brocade–ThetechnologycompanyfromSanJoseoffersBrocadeVirtualwebapplicationfirewallsolution.Citrix–Thewell-knowncloudvirtualizationcompanyoffersitsCitrixNetScalerAppFirewallsolutionforcustomers.CloudFlare–CloudFlare’swWAFincludesfeaturessuchasastrongdefaultrulesetandcustomizedLayer7defense.ControlScan–ControlScanincludesaWAFsolutionaspartofitsMSSandDDOSsecurityservicesforSMBs.DBAPPSecurity–WebapplicationsecurityfirmDBAPPSecurityofferscustomerstheDAS-WAFsolution.Dell–DellprovidesitsextensivecustomerbaseanadvancedwebapplicationfirewallcalledSonicWall.DenyAll–DenyAllisaFrenchsecurityvendorofferingaWAFapplianceaspartofitsnext-generationwebsecuritysolutions.Ergon–Swisscompany,Ergon,providescustomerswithanenterprisewebsecuritysolutioncalledAirlockWAF.F5–F5providesitsBIG-IPfamilyofsolutionsincludingaWAFdesignedforwhiteandblacklisting.5nineSoftware–Thesmallcompanyoffersthe5nineWAFwithMicrosoftserverintegrationandsupportforHyper-V.Fortinet–Aspartofitsproductline,FortinetoffersenterprisecustomerstheFortiWebWAFsolution.ForumSystems–ForumSystemsprovidesanAPIgatewayacrosswebapplications,services,andinfrastructure.Imperva–ImpervaofferscustomersarangeofadvancedwebapplicationfirewallsolutionsincludingSecureSphere.KEMPTechnologies–KEMPintegrateswebapplicationfirewallfunctionswithloadbalancingoffers.NinjaFirewall–EmbeddedinWordPressandapplicabletoPHP,theNinjaFirewallisessentiallyawebapplicationfirewall.NSFOCUS–NSFOCUSoffersaWAFwithcoordinatedblacklistandwhitelistcapabilitiesaspartofitsDDOSsecurityoffering.PentaSecurity–Koreanfirm,PentaSecurity,offersawebapplicationfirewallproductcalledWAPPLES.Port80Software–Port80SoftwareincludestheServerDefenderVPhost-basedwebapplicationsecuritysolution.PositiveTechnologies–PositiveTechnologiesfocusesonretailPOSandincludessecurityandWAFcapabilitiesforitscustomers.PrivacyWare–PrivacyWareofferswebapplicationfirewallandintrusionpreventionsoftwareforMicrosoftIIS.QratorLabs–QratorLabsisaRussianfirmthatprovidestheWallarmWAFsolutionsovertheQrator.Qualys–Thewell-knowncybersecuritycompanyQualysincludesanext-generationcloud-basedWAFsolution.Radware–Techfirm,Radware,offersenterprisecustomerstheAppWallwebapplicationfirewall.Riverbed–RiverbedprovidestoolsforwebcachingandoptimizationoftrafficwithWAFcapabilityembedded.ShakaTechnologies–ShakaTechnologiesincludestheIshlanguwebapplicationfirewallproduct.SiteLock–Arizona-basedSiteLockoffersenterpriseitscustomerstheTrueShieldwebapplicationfirewall.

Sophos–SophosincludesenterpriseWAFsolutionsaspartoftheCyberoamandAstaroacquisitions.Sucuri–ThesmallcompanylocatedinDelawareprovidesitsCloudProxywebapplicationfirewallsolution.Sungard–Sungardincludesmanagedwebapplicationfirewallsolutionsaspartofitsavailabilityservicesforbusiness.Symantec–Symantecincludeswebapplicationfirewallcapabilityasanintegratedcomponentofitssuiteofofferings.TrustWave–TrustWaveprovidesawebapplicationfirewallapplianceforrealtimecontinuoussecurityprotection.UnitedSecurityProviders–UnitedSecurityProvidersincludestheUSPSecureEntryServerforwebsecurity.Wallarm–LocatedinRussia,Wallarmoffersawebapplicationsolutionfordefendingwebfront-endsandAPIs.Zscaler–Thewebsecurityfirmincludescloud-basednext-generationfirewallcapabilityincludingWAF.Zenedge–ZenedgemarketsaWAFcapabilityembeddedintheZenEdgeDDOSprotectionsolution.

Control7:WebFraudPreventionWebFraudPreventioninvolvessecuritytechniquesthatreducetheriskofonlineaccountexploitationoncetheusercredentialsforanaccounthavebeenstolen.Insuchcases,authenticationisnolongerrelevant,soadvancedbehavioralmethodsmustbeusedtodetermineifamaliciousfraudsterhascontrolofanaccountandisattemptingtocommittheft.Somewebfraudpreventionmethodstrytoproactivelyavoidmaliciousactivity,whereasotherstrytominimizelossesafterthefraudhasalreadycommenced.Mostproductsinthisarearelyonheuristicsashints,suchasunusualwebpagetraversal,thatfraudisunderway.Thisisapowerfultechnique,becauseitcombinesobservationaltechniqueswithexperience-basedheuristicsforhowwebsitesareusuallyattackedbyfraudsters.GeneralOutlookThegeneraloutlookforwebfraudpreventioninvolvestransitionfromreactivesignaturesforsimpleeCommercetomorepreventivesolutionsbasedondiverse,behavioralattributes.Webfraudpreventionplatformsarealsomovingfromcentralizedgatewaydeploymentstodistributedset-upsacrosshybridcloudarchitecture.Firstgenerationwebfraudpreventionsolutionsfrom1998to2007involvedfocusonsimpleaccounttakeoverforeCommercewebsites.Secondgenerationwebfraudpreventionfrom2007to2016involvedmoreend-to-endfocus,includingearlybehavioralanalysis,forawiderrangeofsitesincludingbanking.Thirdgenerationwebfraudpreventionfrom2016to2025shouldexpectmoresupportforvirtualizedaccountusage,withadvancedanalyticsandmoreproactivefocusonpreventingtakeoverfraudbeforeitcommences.

Figure7.2018WebFraudPreventionOutlookTheTAGCyberdegreeofconfidenceinthispredictiveoutlookishigh,giventheclearmomentumviewsofhowfraudhasprogressedforonlinewebsites.Thewildcardisthatfraudstershavealwaysbeenamongstthemostcleveranddifficulttopredictgroupofmaliciousactors,sothirdgenerationpredictionsmusttakethisintoaccount.AdviceforEnterpriseSecurityTeamsEnterprisesecurityteamsareadvisedtoensurethatanyonlinesystemsthatmightbetargetedforaccounttakeoverhavesufficientwebfraudpreventioncoverage.ThisisanareathathasbeencommonlyneglectedbyenterprisesecurityteamswhohaveoftenbeenpoorlyintegratedwithcompanyeCommerceandrelateddigitalobjectives.ThisfunctionalityshouldbearequirementforXaaSapplicationsthatmightbesusceptibletofraud,socontractsforcloudapplicationhostingprovidersshouldbedesignedaccordingly.AdviceforSecurityTechnologyVendorsWebfraudpreventionsecuritytechnologyvendorsshouldrecognizethatenterprisesecurityteamshavenottypicallyconsideredthisfunctionalityasaprimarycomponentintheirsolutionspace.Thiscomplicatesthesalesprocesssinceyear-over-yearplanningbudgetmaynotbeavailableforwebfraudprevention.Vendorswouldbewisetotargettheapplicationvirtualizationprocesstocloudasavehiclefordefiningsecurityteambuyinghabitsinthisarea.ListofSupportVendorsAccertify–Accertifyisaprovideroffraudprevention,chargebackmanagement,andpaymentgatewayproductsandservices.Agari–Agari’sDMARCprotectionsareanimportantcomponentofreducingfraudacrossemailanddomainusage.Agilence–NewJersey-basedAgilenceprovidesexception-basedreportingforretailpaymentfraudprevention.Caveon–Caveonoffersdigitalforensicsandsecurityauditservicestopreventtestfraudinschools.CyberSource–CyberSourceoffersonlinepaymentfraudmanagementacrossmultiplechannelsanddevices.Cyxtera–ThroughitslegacyEasySolutions,Cyxteraoffersanend-to-endtotalsolutionfordealingwithwebfraud.Feedzai–ThemachinelearningplatformfromFeedzaifocusesonfraudandriskfromacloud-hostedoron-sitedeployment.F5–TheF5WebFraudProtectionsolutiondetectspotentialfraudulentactivityandsecurestransactions.Forter–NewYork-basedForterprovidesso-calledfrictionlessfraudpreventionforonlineretailsystems.41stParameter–Thecompany,nowpartofExperian,offersglobalfraudmanagementsolutionsforfinancialinstitutionsFirstCyberSecurity–Thecompanyoffersindependentverificationofwebsiteauthenticitytoreducefraudrisk.

FraudCracker–FraudCrackerprovidesaplatformforreducingfraudriskthroughanonymousemployeereporting.GuardianAnalytics–GuardianAnalyticsprovidesbehavior-basedfrauddetectionsoftwareandservices.IBM–IBMofferstheIBMSecurityTrusteerfraudpreventionsolutionforadvancedmalwareandon-linefrauddetection.iovation–Thecompanyoffersdevice-basedsolutionsforauthenticationandfraudprevention.Imperva–ThecompanyoffersthreatintelligenceandfraudpreventionaspartofitsWebapplicationsecuritysolution.Intellinx–Intellinxsupportsenterprisefraudmanagementthroughdatacollectionandanalysis.Kaspersky–KasperskyFraudPreventionforEndpoint(KES)isdesignedtopreventsecurityincidentsandfraudulentactivity.Kount–KountisanIdaho-basedfirmthatprovidesanti-fraudsolutionsfore-commercemerchants.MaxMind–MaxMindoffersIPintelligenceandonlinefraudpreventiontoolsthatleverageGeolocation.MicroFocus–MicroFocusoffersarangeofenterprisesecurityproductsincludingfraudandmisusemanagement.NetworkKinetix–NetworkKinetixoffersbusinessassuranceandanti-fraudsolutionsforcarrierstoimproverevenueassurance.NoFraud–NoFraudprovidese-commerceriskmanagementthroughtransactionanalysistodeterminepassandfaildecisions.NuData–CanadianfirmNuDataoffersabehavioralanalyticsplatformforreducingtheriskofon-linefraud.PindropSecurity–PindropSecurityprovidessolutionsfordetectingadpreventingphonescamsandfraudincallcenters.RSA–Thewellknowsecurityfirmofferswebfraudpreventionthroughanappliancesolution.Signifyd–Thecompanyfocusesone-commercefraudpreventionandchargeback.ThreatMetrix–ThreatMetrixreferstoitselfasaDigitalIdentityCompany,whichemphasizestheimportantroleofidentity.Trustev–Thecompany,partofTransUnion,offerson-linefraudpreventionbasedoncontextualpatternmatching.VUSecurity–VUSecurityfocusesonintelligenttransactionanalysisforbehavior-basedfrauddetection.Webroot–InternetsecurityfirmWebrootprovidesadvancedonlinefraudpreventionforPCsandmobiledevices.Whiteops–Whiteopsprovidesasolutionforpreventingbotnetfraudinon-lineadvertising.

Control8:WebSecurityGatewayWebSecurityGatewaysolutionsprotectanenterprisefrommalwarethatmightoriginateonaninfectedorcompromisedwebsite.Thisistypicallyaccomplishedusingforwardproxiesthatprotectendpoints,reverseproxiesthatprotectservers,andthreatfeedsthatprovideup-to-datelistsofURLsforfiltering.Increasingly,websecuritygatewaysfocusonapplication-specificcontrolstoreducesecuritythreats.Websecuritygatewaysarealsoinvolvedintheenforcementofacceptable-usepoliciesforenterpriseemployeebrowsing.Performanceissueshavetraditionallybeenaconcernwhenwebsecuritygatewaysaredeployed,whichhelpsexplainwhymanyofthemoresuccessfulvendorstracetheirinvolvementinthisareatowebaccelerationsolutions.Itisworthmentioningthatwebsecuritygatewaysrepresentoneofthefirstprotectionsolutionswherealivethreatfeedisusedbyenterpriseteamstoacceptsandallowremotereconfigurationofadevice.WhilethisisgenerallylowriskforURLfeeds,thisisneverthelessaprofoundshiftfromlocalizedcontrolofallreconfigurationstowardacceptanceofliveupdatesfromtrustedpartners.GeneralOutlookThegeneraloutlookforwebsecuritygatewaysinvolvestransitionfrommoresignature-basedURLlistsasthebasisforproxyfunctionalitytoanincreasingrelianceonbehavioralprofilestodetectpotentialmalwaredownloadsfrominfectedsites.Websecuritygatewaysaremovingfromcentralizedhardwareappliancedeploymentstomoredistributed,hybridcloudproxysoftware.Firstgenerationwebsecuritygatewaysfrom1998to2007involvedsimpleURLproxiesimplementedashardwarewithfeedupdatesfromthevendor.Secondgenerationwebsecuritygatewaysfrom2007to2016includeimprovedcloud-basedthreatintelligencefromvendorswithearlyattentiontoexpandedanti-malwarecapabilityusingadvancedalgorithms.Thirdgenerationwebsecuritygatewaysfrom2016to2025willbefullyvirtualizedwith

advancedanalyticsandsupportfordistributedgatewaysacrosscloudinfrastructure.Oneshouldexpecttheirassociatedthreatfeedstoimproveinthecominggenerationaswell.

Figure8.2018WebSecurityGatewayOutlookTheTAGCyberdegreeofconfidenceinthispredictiveoutlookishigh,giventhefactthatvirtualizationhasalreadybeenamajorfactorinwebsecuritygatewaydesign.Collisionwithothersecuritysolutionsincloudwillproducechallengesforvendorsinthisarea.AdviceforEnterpriseSecurityTeamsEnterprisesecurityteamsareadvisedtoworkwiththeirexistingproxyvendoronaplantocovertheinevitableprogressiontohybridandfullcloudarchitectures.ThechallengewillbedetermininghowtodealwiththecollisionthatoccurswithrelatedcloudsecurityfunctionssuchasCASBwhichareofferedseparatelyorasanintegratedprotectionfromthecloudapplicationvendor.TraditionalwebsecuritygatewaysolutionprovidershavetheadvantageofthebestavailableURLfeedswithmatureinfrastructurefordeliveryandupdate.Enterpriseteamsshouldnotdelayanalysishere,ascloudprotectionswillfundamentallyshifttherequiredproxyarrangementfromgatewayappliancestosoftwarerunningoncloudoperatingsystems.AdviceforSecurityTechnologyVendorsWebsecuritygatewaytechnologyvendorsshouldrecognizethatanyhardwareaccelerationorapplianceperformanceadvantageswilldissolvequicklywiththedissolutionoftheperimeter.Themostsuccessfulwebsecuritygatewayvendorswillfullyembracedistributedvirtualization,evenusingthatarrangementtoimprovethevantagepointfordetectingwebinfectionsandmalware.ThemostsuccessfulwebsecuritygatewayproviderswillalsocontinuetoimprovetheirURLlistsintocomprehensive,world-classthreatfeedsforenterprisecustomers.Forsomebuyers,thethreatfeedsmightbeasvaluableastheplatform.ListofSupportVendorsAcunetix–VulnerabilitymanagementcompanyAcunetixincludesadvancedsolutionsforwebsitesecurity.BanffCyber–Singapore-basedBanffCyberfocusesonpreventionofwebdefacementintheirproducts.BarracudaNetworks–ThecompanyofferstheBarracudaWebFilter,whichisacomprehensivewebsecuritygateway.BeyondTrust–BeyondTrustincludestheRetinaWebSecurityScannerforprotectionofwebapplications.

BinarySEC–TheFrenchcompanyprovidesamanagedsecuritysolutionforreducingtheriskofwebsiteattacks.Bloxx–TheBloxxSecureWebGateway,nowpartofAkamai,focusesonso-calledzero-secondprotectionforusers.CATechnologies–CAofferstheWebServicesSecurityplatform(formerlyCASiteMinderWebServicesSecurity).Celestix–TheCelestixEdgeplatformincludesarangeofadvancedwebapplicationproxycapabilities.CheckPointSoftware–Thecompanyincludeswebsecurityinitsportfolioofcybersecurityproductsandservices.Cisco–Cisco’sWebSecurityAppliance,CloudWebSecurity,andCloudAccessSecuritysupportwebsecurityprotection.Clearswift–NowpartofRUAG,theUK-basedClearswiftSECUREWebGatewayfocusesonInternetcommunications.CloudFlare–CloudFlare,basedinSanFrancisco,providesacceleration,domain,andsecurityservicesforwebsites.ContentKeeper–ContentKeeper,headquarteredinAustralia,provideswebthreatprotectionandwebfiltering.CronLab–UnitedKingdom-basedCronLabprovidesanIntegratedWebFiltersolutionforbusinesscustomers.DeepNines–TheDallas-basedcompanyprovidesaunifiedsecuritygatewaysolutionforenterprise.Distil–LocatedinArlington,thecompanyprotectswebsitesfrombotnetattacksanddatamining.EdgeWave–EdgeWaveprovidescloud-basedremotewebfilteringservicesviaanappliancesolution.FireEye–FireEyeoffersanindustry-leadingwebandnetworksecuritysolutionfordetectingandpreventingAPTattacks.Fireglass–NowpartofSymantec,thecompanyoffersbrowserisolationtechnologytostopadvancedmalware.FirstCyberSecurity–TheUKfirmincludeswebsecurityinitsportfolioofanti-fraudandcybersecuritysolutions.Forcepoint–Forcepointoffersanintegratedportfolioofwebsecuritysolutions.Fortinet–Fortinetincludeswebsecuritygatewayfunctionalityinitsextensivesecurityproductline.GFISoftware–LocatedinLuxembourg,GFI’sWebMonitorproducthelpscontrolwebactivityandavoidweb-basedthreats.iboss–TheibossCloudSecureWebGatewayPlatformoffersarangeofwebsecuritycapabilities.Imperium–NowpartofGoogle,thegroupprovidesautomatedtoolsforremovingmalwarefromwebsites.Imperva–ImpervaincludesarangeofwebsecurityprotectionsinitsWAFandDDOSofferingsforenterprisecustomers.Ingenico–IngenicooffersanXML-basedcryptographichardwaresecuritymoduleforWebapplications.Litous–LocatedinIceland,LitousprovidesarangeofwebsecurityproductsincludingtheMalwareSpider.McAfee–Industry-leadingMcAfeeofferscustomerstheMcAfeeWebGatewaysolutionforanalyzingwebtraffic.MenloSecurity–Thestart-upledbyAmirBen-Efraimincludeswebsecurityinitsuniqueisolationtechnology.Netsparker–Netsparker,locatedintheUK,offersaWebapplicationandvulnerabilityscanningsolution.Optenet–Optenet,nowpartofAllotCommunications,providescustomerswithitsmulti-tenantSecureWebGatewayproduct.PandaSecurity–HeadquarteredinSpain,PandaSecurityofferstheGateDefendersolutionforwebbrowsingsecurity.PentaSecurity–LocatedinSeoul,Pentaoffersitscustomerswebsecuritycapabilitiesinitsofferings.Port80Software–TheSanDiego-basedcompanyprovideswebsecurityinitsrangeofWAFandapplicationsecuritysolutions.PortSwigger–PortSwiggermarketsarangeoftestingtoolsandsolutionsforwebapplicationsecurity.Sangfor–SangforprovidesitsadvancedInternetAccessManagementgatewayforsecuringwebtraffic.ShakaTechnologies–TheUKfirmincludeswebsecurityinitsloadbalancing,acceleration,andrelatedfunctions.ShapeSecurity–ShapeSecurityprovidesprotectionofwebcontentfromautomatedattackssuchasbotnets.SiteLock–LocatedinFlorida,SiteLockprovidesWAFandwebsecuritycapabilitiesforcustomers.Smoothwall–OriginatingintheUK,Smoothwallprovidescontent-awarewebsecurityfilteringandgatewayfunctions.Sophos–TheSophosCloudWebGatewayofferssecurewebgatewayfunctionalityforenterprise.SpikesSecurity–LosGatos-basedSpikesSecurity,nowpartofAurionproincludeswebsecurityinitsisolationtechnology.Sucuri–SucurioffersarangeofwebsecuritycapabilitiestocomplementitsWAFandDDOSprotections.Symantec–TheSymantecWebGatewayofferscontentfilteringandrelateddatalossprotections.TinfoilSecurity–TinfoilSecurityprovidesbothwebsecurityandvulnerabilitymanagementsolutions.TotalDefense–ThecompanymergedwithUntangletoprovidesecurityforInternetbrowsingandapplicationprotection.TrendMicro–TheTrendMicroInterScanWebSecurityVirtualApplianceprovideswebsecurityfunctionality.TrustedKnight–TrustedKnight,throughitsacquisitionofSentrix,offerswebsecuritythroughitsInfinitesolution.TrustWave–TrustWaveincludeswebsecuritygatewayfunctionalitytracingbacktoitsM86Securityacquisitionin2012.Webroot–TheCalifornia-basedcompanyincludeswebsecurityinitsportfolioofendpointandInternetsecuritysolutions.WebTitan–ThecompanyofferstheWebTitanGateway,whichincludescontentfilteringandrelatedsecuritycontrols.WhiteHatSecurity–TheSantaClara-basedfirmprovidesWhiteHatSentinelforcontinuoussecurityassessmentofwebsites.Zscaler–Well-knownsecurityfirmZscalerofferscloud-basedwebsecuritygatewaysacrossitsglobalinfrastructure.

Control9:CA/PKISolutionsCertificationAuthority/PublicKeyInfrastructure(CA/PKI)Solutionsconsistofinfrastructure-levelcontrolsbasedonpublickeycryptographythatsupportstrongauthentication,encryption,

andintegrityrequirementsusingdatastructuresknownaspublickeycertificates.Publickeytechnologyhasbeeninexistenceformanydecades,andhasneverrealizeditsoriginalpromiseasadirectrevenueproducer.Instead,publickeytechnologyhasassumedabackgroundrolehelpingtosecurevariouselementsofpersonal,enterprise,website,network,andInternetinfrastructure.Thecoveragehasbeenspottytodate,with,forexample,strongsupportforwebsitesecurityviathesecuresocketslayer(SSL)protocol,butweaksupportacrossorganizationaldomainsforemail.Themostsubstantivecategories(notacompletelist)ofpresentandfutureCA/PKIbusinesssolutionsareasfollows:

• CA/PKISupportforWebsites–RunninghttpsonyourwebsiterequiresthatyouobtainanduseacertificatefromaCA,andthisisoftenyourwebhostingprovider,especiallyifyourunasmall,modestsiterequiringlowassurance.

• CA/PKISupportforNetworks–Operatingmostnetworkequipmentsuchasroutersattheinfrastructurelevelrequirestheuseofcertificatesforsecureusage,andtheattendanttaskssuchaskeymanagementareoftendonedirectlyusingtoolsfromtheequipmentvendor.

• CA/PKISupportforAuthentication–Certificatescanbeissuedandusedtoidentifydevices,suchasmobiles,oftenasasecondorthirdfactor,withhandlingsupportedbyITsystemssuchasmobiledevicemanagement(MDM).

• ProtectionofKeysandCertificates–SomeselectcybersecuritycompaniesoffercustomersadvancedprotectionsolutionsformanagingandsecuringthekeysandcertificatesthatunderlieCA/PKIofferings.

• FutureCA/PKISupportforIoT–AscomputingmovestomoreautomatedinteractionsintheIoT,industrialcontrol,machine-to-machine(M2M),andoperationstechnology(OT)realms,CA/PKIsolutionsshouldplayavital,growingrole.

AsfutureapplicationsmovetoIoT,M2M,andOT/ITorientation,thesecuritysupportofCA/PKIsolutionswillbeagoodmatch.Thismayrepresentthedirectrevenueopportunitythatcompaniesinthisareahavebeensearchingforduringthepastdecades–butthejuryisstillout.GeneralOutlookThegeneraloutlookforCA/PKIsolutionsinvolvestransitionfromadhocoperationsandassurance(rangingfromlowtohigh)tomuchmoresystematicandimprovedoperationsandassurance,wheremoreuserspayattentiontotheassurancemodeldrivingCAoperations.ThiswillbetruebecausemoreengineerswilldriveCAdecisionsforIoTandM2MversusbrowseruserscheckingassurancelevelsbeforevisitinganeCommercesite.First-generationCA/PKIfrom1998to2007involvedthesimplestsupportforSSLrunningonbrowsersandwebsiteswithpoorattentiontoassurancemodelsforbindingpublickeystocertificates.SecondgenerationCA/PKIfrom2007to2016includedmoreapplicationsforCA/PKIincludinguseinmobileauthenticationwithMDM.AnexplosionofCAsemergedduringthisperiodwithusersoftenconfusedaboutwhichonesareacceptable(mostsmallersiteownersoptedtojustworkwiththeirserviceprovider).Third-generationCA/PKIsolutionsfrom2016to2025shouldexpecttoseedramaticexpansiontomobileandIoT,withmoreemphasisonassuranceandprotection

ofkeysandcertificates.Duringthisgeneration,thegradualincreaseinapplicationoptionsforCA/PKIwillbecomeclearer,asCA/PKIsupportsatrulyvariedmixofuserandinfrastructureapplicationsacrosstheInternet,criticalinfrastructure,enterprise,andpersonal/homeuseenvironment.

Figure9.2018CA/PKISolutionsOutlookTheTAGCyberdegreeofconfidenceinthispredictiveoutlookismoderate,onlybecausepredictingCA/PKItechnologyandusagetrendshasbeensohazardous(andmostlywrong)inthepast.Ourpredictionsarethusofferedwiththefullrecognitionthatvirtuallynopundit,observer,oranalysthasbeenreliablycorrectaboutPKIfordecades.Wehopetobethefirsthere.AdviceforEnterpriseSecurityTeamsEnterprisesecurityteamsareadvisedtoreassesstheirrelationshipwithcertificationauthoritiesandPKIsolutionsproviderstodeterminereadinessfortheshifttocloudservices,virtualization,andSDNinfrastructure.TeamareadvisedtoconsolidatetheirCA/PKIrelationshipstoahigh-qualityvendorwithsupportforhighassurancepublickeybindingprocedures.Manycompaniesmightbeastoundedtofindthattheyarebuyingcertificatesfrommultiple(perhapsevendozens)ofdifferentCAs.ThisisabadapproachgiventhefundamentalroleCA/PKIwillplayinIoTandotherM2Mapplications.Nowisthetimetoselectgoodpartners–andtonotforgetthatprotectionofkeysandcertificatesinanimportantandhighlyneglectedfunction.AdviceforSecurityTechnologyVendorsWebsecuritygatewaytechnologyvendorsshouldrecognizethatsloppyoperationalproceduresandquestionableassurancepracticeswillnotbeacceptableasfewerbuyers(serviceproviders)dealwithCAandPKIsolutionprovidersformorecustomersmovingtosharedITandcloudservices.WebelievethatexcellentprospectslayaheadforthebestCA/PKIsolutionproviders,simplybecausethistechnologyissowell-suitedtothetechnologyfuturethatliesontheimmediatehorizon.Vendorswouldbewell-servedtooptimizetheirsolutionsnow,andtorevisitcustomerswhomightnothavepurchasedsolutionsinthepast.Architecturesarechanging,soPKIisbecomingmorehighlyrelevanttotheresultingdistributed,virtualized

systems.BuyerswillthusbelikelytoselectafreshsetofCAandPKIsolutionpartnersinthecomingyears.ListofSupportVendorsACCV–AgenciadeTecnologiayCertificacionElectronicaisaSpanishpublicentityprovidingCA/PKIservices.Buypass–BuypassisaEuropeanfirmthatofferscertificatestosecureelectroniccommunicationsandotherapplications.Camerfirma–CamerfirmaprovideselectronicsecurityservicesincludingPKIandauthenticationacrossSpain.Certicom–NowpartofBlackberry,CerticomisaCanadiangroupthatownsEllipticCurvecryptography.CertifiedSecuritySolutions–TheprofessionalservicesfirminOhiosupportsprojectsinvolvingidentity,access,andPKI.CertiPath–Virginia-basedCertiPathoffersaPKI-basedtrustframeworkandsetofidentityservices.certSIGN–certSIGNisaUTIcompanyprovidingarangeofPKIandcertificationservicesinRomania.ChunghwaTelecom–TheTaiwanesecompanyprovidespubliccertificationauthorityservicesforSSLandotherapplications.CNNIC–CNNICisaChineseCAthathadsomebumpyinteractionswithGoogleandotherbrowservendorsin2015.Comodo–ComodoprovidesafullrangeofSSLcertificationsolutionsforsmall,medium,andlargecustomers.Cryptomathic–TheFrenchfirmspecializesindataencryptionandCA/PKItechnologiesandservices.CVCryptovision–CVCryptovisionisaGermancompanyfocusingondataencryptionandCA/PKIsolutions.DeutscheTelekom–TheGermantelecommunicationscompanyofferscertificationauthorityandPKIservices.DigiCert–DigiCertprovideshighassurance,low-pricedSSLcertificatesalongwithcodesigningandotherPKIservices.E-Güven–Turkey-basedE-GüvenprovidesarangeofcertificationauthorityandPKI-basedservices.EntrustDatacard–EntrustprovidesCAandPKIservicessupportingtenmillionidentityandpaymentcredentialsissuesdaily.E-Tugra–Turkey-basedE-TugraiscertificationauthorityandPKIsolutionprovidersupportingSSLandrelatedservices.Gemalto–GemaltohasexpandeditscybersecurityofferingstoincludeauthenticationinareascloselyconnectedtoPKI.GeoTrust–GeoTrustprovidesforonlinecustomersecuritywithSSLandcodesigningcertificates.GlobalSign–GlobalSignoffersitscustomersafullrangeofpersonal,SSL,andcodesigningcertificates.GoDaddyGroup–Themajordomainservicesandhostingproviderissuescertificatesaspartofitsservice.HongkongPost–HongkongPostissuese-CertcertificateswithdigitalsignaturesupportfromtheHongkongPostCA.IdenTrustSSL–IdenTrustSSL,nowpartofHIDGlobal,providesarangeofstandardandmulti-domainSSLcertificates.Izenpe–IzenpeisaSpanishX.509certificateauthorityandPKIservicesorganizationownedbytheBasquegovernment.JapaneseGPKI–ThisJapaneseGovernmentPKIgroupprovidesvariouscertificationauthorityandPKIservices.Logius–LogiusisagovernmentserviceinNetherlandsofferingCA/PKIsupport.Microsec–MicrosecisthelargestHungariancertificationauthorityandPKIsupplierofelectronicsignatures.NetLock–NetLockisaHungariansolutionsproviderofferingdigitalsignature,SSL,andrelatedPKIservices.NetworkSolutions–NetworkSolutionsisaWebhostingproviderofferscertificatesaspartofitsservices.OpenTrust–OpenTrustsupportsenterpriseandcitizentrustedidentitieswithCA/PKI-basedsolutions.PrimeKey–PrimeK