
Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA

Tel: +1 617.613.6000 | Fax: +1 617.613.5000 | www.forrester.com

Forrester’s Targeted-Attack Hierarchy Of Needs: Assess Your Core Capabilities

by Rick Holland, January 7, 2015

For: Security & Risk Professionals

Key Takeaways

Targeted Attacks Are The New Normal

Forrester defines a targeted attack as one in which a threat actor is targeting a specific organization. The intentions and capabilities of threat actor groups obviously vary, and not all targeted attacks are state-affiliated. There are two common attack vectors seen in targeted attacks: phishing and watering holes.

Use Forrester’s Targeted-Attack Hierarchy Of Needs

Targeted attacks are going to happen, and you must prepare for them. The first four basic needs of Forrester’s Targeted-Attack Hierarchy of Needs are: 1) an actual security strategy; 2) a dedication to recruiting and retaining staff; 3) a focus on the fundamentals; and 4) an integrated portfolio that enables orchestration.

Essential Needs Precede Prevention And Detection

Develop a strategy for defending your environment before you make investments. Focus on the first four needs and ensure that your leadership understands that your goal is to build resiliency to quickly respond and recover from targeted attacks.


© 2015, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. To purchase reprints of this document, please email [email protected]. For additional information, go to www.forrester.com.


Why Read This Report

Targeted attacks continue to plague organizations, and these intrusions damage the brand, customer loyalty, and margins. Preparing for and responding to these attacks requires a focused and resolute strategy. We designed Forrester’s Targeted-Attack Hierarchy of Needs to give S&R professionals a framework to accomplish this. Part 1 of this report focuses on the core needs required for defending your environment against targeted attacks; it lays the foundation for a resilient security strategy. Part 2 dives into prevention, detection, and response, all of which will fail if you ignore the fundamental needs. This is an update of a previously published report; Forrester reviews and updates it periodically for continued relevance and accuracy.

Table Of Contents

Targeted Attacks Undermine Customer Trust And Company Profits

To Fight Back, Use Forrester’s Targeted-Attack Hierarchy Of Needs

What It Means: Address The Essential Needs Before Prevention And Detection

Supplemental Material

Notes & Resources

Forrester interviewed four vendor and five user companies, including CrowdStrike, FireEye/Mandiant, General Dynamics Fidelis Cybersecurity Solutions, and Verizon.

Related Research Documents

Assess Your Security Program With Forrester’s Information Security Maturity Model, October 6, 2014

Targeted-Attack Hierarchy Of Needs, Part 2, July 24, 2014

Determine The Business Value Of An Effective Security Program — Information Security Economics 101, October 2, 2012

Forrester’s Targeted-Attack Hierarchy Of Needs: Assess Your Core Capabilities

Assessment: The Security Architecture And Operations Playbook

by Rick Holland with Stephanie Balaouras, Chris Sherman, Kelley Mak, and Josh Blackborow


Targeted Attacks Undermine Customer Trust And Company Profits

The year of the breach has transitioned to the decade of the breach, as cybercriminals seemingly have the ability to compromise organizations at will. Far too many companies first learn of their breaches after security reporter Brian Krebs has written about it.1 In addition, within the reams of NSA documentation leaked by former defense contractor Edward Snowden is the revelation that state-affiliated adversaries have developed astounding cyberespionage capabilities. In fact, with adversary capabilities at an all-time high, we are in a golden age of cyberespionage. Despite our significant investment in resources, we seem to be taking one step forward and two steps back.

Target is yet another breach in a long line of high-profile breaches. The Target intrusion and subsequent loss of 70 million credit cards is precisely what a company doesn’t want to have happen at a time when customers have become incredibly powerful. Social media has magnified the voice and extended the reach of every customer, and technology has made it remarkably easy for every customer to buy from anyone at any time anywhere.2 To attract and retain customers, you must provide a superior customer experience at every step of their engagement, which you underpin with trust. When customers lose confidence in an enterprise’s commitment and ability to protect their privacy and personal data, trust and the customer relationship erode.

The breach had a significant impact on Target and its customers. Target’s stock fell almost 14% after reports of the breach surfaced in December 2013. Year-over-year, Q4 profits were down 46%. Target incurred $146 million in data-breach-related expenses. Gregg Steinhafel, former chairman, president, and chief executive officer of Target, knew that to be successful in the age of the customer, Target must rebuild trust with its customers.3 On Target’s Q4 2013 earnings call he said:

“We have put the welfare of our guests at the center of every decision we’ve made. . . . We continue to listen to our guests, and we know that this incident and recent security breaches at other companies have shaken their confidence in both Target and the US payment system more broadly.”4

Targeted Attacks Are The New Normal

No executive from any company or agency wants to have to make a statement like this. The attack against Target was just one of many attacks focused on a specific organization. There has been a dramatic increase in targeted attacks since 2005 (see Figure 1). In 2014 alone, CyberFactors tracked 594 targeted attacks and just 45 broad attacks.5 One of the hallmarks of a state-affiliated targeted attack is the zero-day exploit. In a recent Ponemon Institute/IBM Trusteer study, 68% of the respondents indicated that zero-day attacks are their organization’s greatest threat.6

The semantics of targeted attack discussions are important, so to be clear, Forrester defines a targeted attack as one in which a threat actor is targeting a specific organization. Forrester groups threat actors into state actors, hacktivists, and cybercriminals.7 The intentions and capabilities of threat actor groups obviously vary, and not all targeted attacks are state-affiliated. State-affiliated actors have capabilities that far exceed any other threat actor group, but over time, other threat actors do adopt their techniques. There are two common attack vectors seen in targeted attacks: phishing and watering holes.

Figure 1 Targeted Attacks

Source: Forrester Research, Inc. Unauthorized reproduction or distribution prohibited.

[Figure: chart of the number of targeted attacks versus the number of broad attacks, ’03 to ’14, with the following callouts]

Targeted attacks outnumber and outpace broad attacks.*

68% of IT and IT security practitioners who have involvement in defensive efforts to prevent or detect APTs launched against their organizations say zero-day attacks are their organization’s greatest threat.†

More than 78% of all attacks tied to state-affiliated espionage employed phishing.‡

Watering hole/strategic web compromise. Compromised websites: The Council on Foreign Relations; Thirty Nine Essex Street; US Department of Labor.

*Source: CyberFactors, a wholly owned subsidiary of CyberRiskPartners and sister company of CloudInsure.
†Source: Ponemon Institute, “The State of Advanced Persistent Threats,” Ponemon Institute Research Report, December 2013 (http://buildingtrust.trusteer.com/Ponemon_Study_December_2013).
‡Source: “2014 Data Breach Investigations Report,” Verizon (http://www.verizonenterprise.com/DBIR/2014/).


Phishing Attacks: Unsuspecting Users Take The Bait

In a phishing attack, threat actors use email and/or social media to trick users into revealing confidential information or into clicking on a malicious file or web link. Phishing works, and as a result, all threat actor groups use this attack vector, so it’s important to understand some of the ways each group has employed it in the past:

■ Hacktivists use phishing. The Syrian Electronic Army (SEA) leveraged phishing to gain access to the credentials of a Melbourne IT reseller account. From there, the SEA gained access to the DNS records for The New York Times, Twitter, and The Huffington Post. The SEA was then able to redirect that traffic to their site.8

■ Criminals use phishing, too. Cybercriminals leverage phishing in their banking malware campaigns. In October 2014, the United States Computer Emergency Readiness Team issued an alert on the Dyre malware, which targets user account credentials. Banking malware seeks to harvest banking credentials in order to steal funds.9

■ Phishing is key for espionage attacks. The 2014 Verizon DBIR states that spear phishing remains the “most prolific” method for gaining access to a targeted environment. Seventy-eight percent of espionage attack vectors leveraged spear phishing email attachments.10 A group of security researchers, led by Novetta Solutions, identified a suspected Chinese espionage group, Axiom, which leveraged phishing as an attack vector to install their malware tools.11

Watering Hole Attacks: Turn Users’ Trusted Websites Against Them

Watering hole attacks, also known as strategic web compromise (SWC), occur when threat actors compromise websites that their actual targets are known to visit. Upon visiting the site, an exploit (often a zero-day) compromises the unsuspecting visitor. The threat actors then use the newly infected host as a launching point for intrusions against the targeted organization. Some notable watering hole attacks include:

■ Industrial control software sites have been targeted. Researchers from AlienVault discovered rogue code on the website of an unnamed vendor whose software is used “for simulation and system engineering in a wide range of industries including automotive, aerospace, and manufacturing.” Unlike other watering hole attacks, the purpose of this attack was to gather intelligence on those visiting the website.12

■ Sophisticated attackers targeted the Thirty Nine Essex Street law firm. The energy sector has been a frequent target of watering hole attacks. Most recently, researchers at Zscaler discovered a watering hole attack against a law firm that works with energy companies. The attack against Thirty Nine Essex Street resulted in a redirect to another website pushing down the LightsOut exploit kit.13


To Fight Back, Use Forrester’s Targeted-Attack Hierarchy Of Needs

In the spirit of Maslow’s Hierarchy of Needs, Forrester has developed a Targeted-Attack Hierarchy of Needs (see Figure 2).14 The most fundamental needs are at the bottom, and we designed the pyramid in order to build resiliency into your security program. Resiliency is precisely what you need in the age of the customer. As Fran Dramis, the chairman of the board of directors for Damballa, once told Forrester, “You cannot stop hurricanes, but you can prepare for them. Breaches are very similar.” Targeted attacks are going to happen, and you must prepare for them. Part 1 of this research covers the first four needs, and part 2 covers the final needs: prevention, detection, and response.15 Mature capabilities in these areas are fundamental in building resiliency against attackers with state-affiliated resources. If you skip straight to the final needs, you’re guaranteeing that an advanced adversary will compromise your environment and accomplish their goal.

Figure 2 The Targeted-Attack Hierarchy Of Needs

Source: Forrester Research, Inc. Unauthorized reproduction or distribution prohibited.

[Figure: pyramid, read from the base upward]

Need No. 1: An actual security strategy
Need No. 2: A dedication to recruiting and retaining staff
Need No. 3: A focus on the fundamentals
Need No. 4: An integrated portfolio that enables orchestration
Prevention
Detection and response


Need No. 1: An Actual Security Strategy

What is your security strategy, and how does it protect and enable your organization’s goals? If you don’t have a sound security strategy, you might fail at responding to commodity threats, and you will certainly fail at responding to sophisticated attacks. Many organizations focus too much on malware detection while others focus too much on the specific threat actors that are targeting them.16 Both require attention, but before we jump to buying advanced security solutions and services, we must first understand the enterprise architecture and inventory of sensitive data that we’re trying to protect. This understanding is foundational to all aspects of your operations. When developing a security strategy, you should understand that:

■ There are no silver bullets. Everyone will agree that the job of an S&R pro is challenging and, often, overwhelming. This contributes to our perpetual enchantment with new technologies that vendors “guarantee” to solve our problems. We have a long list of silver bullets, including: IDS, IPS, SIM, malware sandboxes, big data analytics, and now, threat intelligence. Say it with me: There are no silver bullets. At some point, we must stop believing that technology alone is going to solve our problems.

The Target breach is a great example. Six months prior to the intrusion, Target spent $1.6 million on a FireEye advanced malware-detection solution.17 Despite the FireEye solution sending a malware alert, Target could not stop the exfiltration of data. FireEye did alert during the exfiltration phase, but why didn’t it alert on malicious activity earlier in the attack life cycle? From the little information that is publicly available, we don’t know why. Target had failures in people, process, technology, and oversight that contributed to its catastrophic breach. The Forrester Information Security Maturity Model can be used to evaluate the maturity of all four areas, not just technology.18 If technology management sold the million-dollar investment in FireEye to senior leadership as a silver bullet that would stop all breaches, it’s no wonder the Target CIO is now out of work.

■ “Expense in depth” drives many organizations. “Defense in depth” is one of the fundamental tenets of information security, and it’s a core component of most organizations’ security strategy.19 Many organizations use this strategy to buy and buy and buy. Some vendors use this to justify whatever solution they’re selling (see Figure 3-1). “You really need this, it’s part of your defense in depth strategy,” or “This isn’t designed to replace, rather it complements your existing security controls.” In some cases, these are valid statements, but more often than not, S&R pros fail to exercise due diligence on their investments. They rarely ask “Do any of our existing technologies offer this capability?” Forrester calls this “expense in depth,” the multilayered approach to ensuring marginal returns on your security investment (see Figure 3-2). Do you know where you start getting diminishing returns?


■ Security portfolio management can reduce costs while improving performance. Security leaders must do a better job of managing security investments. We focus much more on procuring new technology than we do on measuring effectiveness. We seldom retire technology when it no longer meets our needs, and it seems we’re happy to keep paying annual maintenance or subscription fees. You must measure the efficacy and operational effectiveness of your investments. What inputs are required to manage your security controls?

A great place to start portfolio management is during the after-action review of security incidents. How did each technology perform in the incident? You should retire technologies that continually underperform, or significantly reduce your investment in them. Ad hoc post-incident analysis should transition to a quarterly evaluation of security investments. This will make justification of investment less painful. Forrester has written on determining the business value of a security program, and these concepts can assist with managing your security portfolio.20

■ Forrester’s Zero Trust model is the blueprint for your security architecture. Forrester’s Zero Trust model states that S&R pros must eliminate the idea of a trusted internal network and an untrusted external network. Three concepts underpin Zero Trust. S&R pros must: 1) verify and secure all resources regardless of location; 2) limit and strictly enforce access control across all user populations, devices, channels, and hosting models; and 3) log and inspect all traffic, both internal and external.21 If you don’t have a sound architectural approach that addresses mobile device and app proliferation, cloud service adoption, social media use, and third-party dependencies, you will have no hope of detecting or responding to a targeted attack. An architectural approach will also help you avoid the temptation of buying the next silver bullet or contributing to an expense in depth mindset.

■ Security alignment with the business is not optional. You’ve heard this before, but now is the time to finally get off the hamster wheel of tactical activity agony. Do you know what your organization’s top priorities are? Do you know what generates the most revenue for your company? Is your firm a publicly traded company? If so, are you reading your company’s annual and quarterly reports?22 The filings will provide you with an overview of business operations as well as the risk factors that could adversely affect these operations. You can use them as a starting point for understanding how your security and risk responsibilities support the architecture of the business. If you don’t work for a publicly traded company, it’s no excuse. You can meet with key business or other senior leaders to learn how they contribute to the organization, and understand your role in securely enabling their operations.


Figure 3 Expense In Depth

Source: Forrester Research, Inc. Unauthorized reproduction or distribution prohibited.

3-1 Expense in depth isn’t a strategy

3-2 Expense in depth results in marginal returns [figure: value plotted against resource investment (money and time), flattening into marginal returns; “Do you know where you fall on the curve?”]


Need No. 2: A Dedication To Recruiting And Retaining Staff

Technology is not a substitute for people; you can only maximize it when you have staffed your team appropriately with skilled and trained resources. According to Forrester’s 2014 data, 58% of North American and European security decision-makers from enterprises with 1,000 or more employees stated that their lack of IT security staff is a challenge or major challenge for their firm, and 57% stated the same for unavailability of security employees with the right skills.23 Forrester has written extensively on the skills and staffing strategy for building a high-performance security program and organization.24 Building on this research, when it comes to targeted attacks, you should also:

■ Double-down on educational institutions. In a recent joint Ponemon/HP study and report, the authors noted that, “The demand for well-educated cybersecurity professionals is outpacing the supply in both the public and private sectors.”25 Universities are well aware of this need and are racing to establish world-class programs. This is a great opportunity for you to partner with these institutions, join their advisory boards, and influence their curriculum. Universities need to differentiate their programs, and relationships that provide them with a real-world practitioner perspective can help them better prepare students who can quickly make a difference upon graduation.

■ Educate your staff to both teach and retain them. Attackers learn new techniques and methodologies for compromising your environment; your defenders should be learning as well. Chris Sanders’ Applied Network Security Monitoring or Richard Bejtlich’s The Practice Of Network Security Monitoring are good resources for educating incident responders.26 Send your staff to leading incident response conferences like the SANS Digital Forensics and Incident Response (DFIR) Summit or the Forum of Incident Response and Security Teams (FIRST).27

■ Add some offensive perspective to your defense. Complement your defenders with staff who have offensive experience. Cross-pollinate, and rotate the attackers and defenders across your teams; this role reversal will make each function stronger. Also look to the intelligence community and defense sector for individuals who had computer network attack (CNA) or computer network exploitation (CNE) missions. No one understands the capabilities of an advanced attacker like someone who used to be one. Of course, there is high demand and limited availability for staff of this pedigree.

■ Continue to rely on service providers and consultancies. Despite all of your efforts to find, develop, and retain staff, chances are that you will still not be able to adequately staff your security team. You’re going to have to turn to third parties. If a function or group of functions is largely commoditized and doesn’t directly support the security team’s strategic mission, outsource it. You can repurpose the operational resources that maintain the functions to more strategic needs like security architecture, incident response, and application security. Email/web content security and SIM/IDS monitoring can be good candidates for outsourcing to SaaS or an MSSP. Forrester has written on sourcing your security services and has created Forrester’s Information Security Sourcing Decision Tool Kit.28


Need No. 3: A Focus On The Fundamentals

In the Pixar film Up, squirrels easily distract Dug, the talking dog, from any activity that he is currently focused on — no matter how important. Too often, we as S&R professionals become easily distracted at the expense of the fundamentals. “I am a good and smart security professional; I must protect my enterprise so that we are secure. APT defense-in-a-box!”29 To stay focused, when thinking about security fundamentals, remember:

■ Make the attacker’s job harder; don’t let the adversary walk right in the front door. Most organizations’ security programs are so weak that attackers have little trouble accomplishing their objectives. Why would an attacker use a zero-day exploit when something much more pedestrian can accomplish the same goal? Jim Broome, vice president at security consultancy DirectDefense, said:

“Modern-day penetration testers spend 40% to 60% of their time avoiding the latest security widget to exploit the same 15-to-20-year-old vulnerabilities. To advance your security program, address the underlying vulnerabilities versus continuing to hide behind layers of security products.”

■ Ignoring fundamentals enables the adversary. Adversaries use only the minimal amount of effort required to achieve their mission. Flat network architecture is a prime example of this. Once an attacker compromises a single host, he can now pivot across the organization with ease. Forrester has listed other common fundamental missteps that organizations make, as well as some remediation options (see Figure 4).


Figure 4 Fundamental Missteps

Source: Forrester Research, Inc. Unauthorized reproduction or distribution prohibited.

Example: No two-factor authentication for virtual private networks (VPN)
Details: Adversary phishes credentials and can now remotely access your network
Example remediation: Leverage a solution like Duo Security

Example: All users are local administrators on their workstations
Details: Greatly increases the attack surface, giving the adversary many options for exploitation
Example remediation: Leverage a solution like BeyondTrust’s PowerBroker for Windows to transparently remove administrator privileges

Example: Using the same local administrator password for all workstations
Details: Force multiplier for pivoting; one password grants access to all systems
Example remediation: Use the Microsoft Group Policy framework to create unique local administrator passwords. Do not set them through Group Policy Preferences: the cpassword value stored in SYSVOL is recoverable by any domain user, which is why Microsoft removed that capability in MS14-025.

Example: No egress filtering
Details: Gives the adversary a wide array of command and control and exfiltration options
Example remediation: Leverage a solution like AlgoSec BusinessFlow to create ACLs that specifically permit approved communication

Example: Lack of privileged account monitoring
Details: Inability to detect accounts on which the adversary has elevated privileges
Example remediation: Use Microsoft Windows logging to alert when new accounts are added to the domain administrator group

Example: Out-of-date patches
Details: Offers the adversary a wide selection of exploitation options
Example remediation: Use Microsoft Windows Server Update Services or Tivoli Endpoint Manager (BigFix) for more robust patching capabilities
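As an added example of the privileged-account-monitoring remediation in Figure 4 (this is editorial example code, not part of the Forrester report), the following Python script runs detection logic over constructed Windows Security event records. The field names (EventID, MemberName, MemberSid, TargetUserName, TargetSid, SubjectUserName) follow the Security log’s 4728/4732/4756 “a member was added to a security-enabled group” events; the JSON-lines shape, host names, account names and SIDs are constructed for the example. It matches privileged groups by SID rather than display name, so a renamed Domain Admins group is still caught, and it handles the case where the log records the added member only by SID.

```python
"""Flag additions to privileged Windows groups in Security event records (example code)."""
import json
import re

# Security event IDs for "A member was added to a security-enabled ... group".
MEMBER_ADDED_EVENTS = {
    4728: "global",      # e.g. Domain Admins
    4732: "local",       # e.g. BUILTIN\Administrators
    4756: "universal",   # e.g. Enterprise Admins
}

# Match by SID, not name: a renamed "Domain Admins" still carries RID 512, and
# BUILTIN\Administrators is always S-1-5-32-544.
PRIVILEGED_RIDS = {512: "Domain Admins", 519: "Enterprise Admins", 518: "Schema Admins"}
PRIVILEGED_WELLKNOWN_SIDS = {"S-1-5-32-544": "Administrators"}

DN_CN_RE = re.compile(r"^CN=([^,]+)", re.IGNORECASE)


def group_label(sid):
    """Return the privileged-group label for a group SID, or None if it is not privileged."""
    if sid in PRIVILEGED_WELLKNOWN_SIDS:
        return PRIVILEGED_WELLKNOWN_SIDS[sid]
    rid = sid.rsplit("-", 1)[-1]
    if rid.isdigit() and int(rid) in PRIVILEGED_RIDS:
        return PRIVILEGED_RIDS[int(rid)]
    return None


def member_display_name(member_name, member_sid):
    """The added member is logged as a DN; extract its CN. Local-group events often log
    only "-" for the name, in which case fall back to the SID."""
    if member_name in ("", "-"):
        return member_sid
    m = DN_CN_RE.match(member_name)
    return m.group(1) if m else member_name


def detect_privileged_additions(event_lines):
    """Parse JSON event lines; return one alert dict per addition to a privileged group."""
    alerts = []
    for line in event_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("EventID") not in MEMBER_ADDED_EVENTS:
            continue
        label = group_label(ev.get("TargetSid", ""))
        if label is None:
            continue  # addition to a non-privileged group: not of interest here
        alerts.append({
            "time": ev["TimeCreated"],
            "group": f"{ev.get('TargetDomainName', '')}\\{ev.get('TargetUserName', '')}",
            "group_type": label,
            "member": member_display_name(ev.get("MemberName", ""), ev.get("MemberSid", "")),
            "member_sid": ev.get("MemberSid", ""),
            "actor": f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}",
            "host": ev.get("Computer", ""),
        })
    return alerts


# Constructed sample events (not real logs); field names follow the Windows Security log.
SAMPLE_EVENTS = [
    '{"TimeCreated": "2015-01-05T02:13:41Z", "EventID": 4728, "Computer": "DC01.corp.example", '
    '"SubjectUserName": "jsmith", "SubjectDomainName": "CORP", '
    '"MemberName": "CN=svc_backup,OU=Service Accounts,DC=corp,DC=example", '
    '"MemberSid": "S-1-5-21-1111-2222-3333-1105", '
    '"TargetUserName": "Domain Admins", "TargetDomainName": "CORP", '
    '"TargetSid": "S-1-5-21-1111-2222-3333-512"}',
    '{"TimeCreated": "2015-01-05T02:14:02Z", "EventID": 4728, "Computer": "DC01.corp.example", '
    '"SubjectUserName": "jsmith", "SubjectDomainName": "CORP", '
    '"MemberName": "CN=Alice Ng,OU=Users,DC=corp,DC=example", '
    '"MemberSid": "S-1-5-21-1111-2222-3333-1042", '
    '"TargetUserName": "Marketing", "TargetDomainName": "CORP", '
    '"TargetSid": "S-1-5-21-1111-2222-3333-1501"}',
    '{"TimeCreated": "2015-01-05T02:20:17Z", "EventID": 4732, "Computer": "WS042.corp.example", '
    '"SubjectUserName": "helpdesk1", "SubjectDomainName": "CORP", '
    '"MemberName": "-", "MemberSid": "S-1-5-21-1111-2222-3333-1042", '
    '"TargetUserName": "Administrators", "TargetDomainName": "Builtin", '
    '"TargetSid": "S-1-5-32-544"}',
    '{"TimeCreated": "2015-01-05T03:01:55Z", "EventID": 4624, "Computer": "WS042.corp.example", '
    '"SubjectUserName": "-", "TargetUserName": "Alice Ng"}',
]

if __name__ == "__main__":
    for a in detect_privileged_additions(SAMPLE_EVENTS):
        print(f"[{a['time']}] {a['actor']} added {a['member']} ({a['member_sid']}) "
              f"to {a['group']} [{a['group_type']}] on {a['host']}")
```

Run against the constructed input, the script raises two alerts (the Domain Admins addition and the local Administrators addition on the workstation) and ignores the Marketing group change and the unrelated logon event. In production the same logic would sit on a SIEM or on forwarded event logs, and the actor field is what you hand to the responder first: a helpdesk account adding a user to local Administrators at 02:20 is exactly the privilege escalation the Figure 4 row describes.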

Need No. 4: An Integrated Portfolio That Enables Orchestration

It’s very trendy to talk about creating friction for the adversary: increase their costs for targeting our environment to make their jobs more difficult. This is all well and good, but often this conversation doesn’t address the internal friction we create for ourselves. Lack of staff, inadequate training, and immature process and oversight all contribute to internal friction. One result of the expense in depth technology strategy is a highly heterogeneous environment of disparate solutions with little integration. This results in internal friction that reduces our ability to respond to the attacker. You need to make integration a priority in your strategy; to do so, take these steps:30

■ Invest in software development staff. Having a software development capability to orchestrate your defense shouldn’t be a requirement, but it is a somber reality. Take advantage of the educational institution relationship that we suggested above, and bring in computer science interns and recent graduates to help integrate your security controls. Demand that vendors provide well-documented APIs for your developers.


■ Prioritize vendors that integrate and automate. Most organizations won’t have the resources to build a software development capability, and will be forced to rely upon their vendors to help them with this orchestration. This presents an opportunity for innovation and differentiation, but beware of statements like “We integrate with SIM.” Of course you integrate with SIM, everyone does, that is the point of a SIM, to pull in large amounts of data from many sources. The follow-up questions would be “How do I act on the data within my SIM in a meaningful way? How does this integration speed time to containment?”

■ Pay attention to vendors who see the need and are developing solutions. McAfee recently released the Threat Intelligence Exchange, which is designed to enable the sharing of security data across endpoints, gateways, and other security controls.31 In May, Proofpoint acquired Silicon Valley startup NetCitadel. NetCitadel, now Proofpoint Threat Response, is focused on providing a vendor-agnostic platform for integrating security analytic solutions with security controls like firewalls and web proxies. Threat Response’s goal is to enable response in a scalable manner.32 CSG Invotas’ Security Orchestrator also focuses on orchestration and automation.

What It Means

Address The Essential Needs Before Prevention And Detection

Don’t put the cart before the horse; develop a strategy for defending your environment before you make investments. Focus on the first four needs, and ensure that your leadership understands that your goal is to build resiliency to quickly respond and recover from targeted attacks. If you don’t establish a solid foundation, blind investments in prevention and detection won’t have the intended effect and will leave you more vulnerable.

Supplemental Material

Methodology

Forrester conducted a mixed methodology phone and online survey, fielded in April and May 2014, of 3,305 business and technology decision-makers located in Australia, Brazil, Canada, China, France, Germany, India, New Zealand, the UK, and the US from companies with two or more employees.

Each calendar year, Forrester’s Business Technographics® fields business-to-business technology studies in 10 countries spanning North America, Latin America, Europe, and Asia Pacific. For quality control, we carefully screen respondents according to job title and function. Forrester’s Business Technographics ensures that the final survey population contains only those with significant involvement in the planning, funding, and purchasing of business and technology products and services. Additionally, we set quotas for company size (number of employees) and industry as a means of controlling the data distribution and establishing alignment with IT spend calculated by Forrester analysts. Business Technographics uses only superior data sources and advanced data-cleaning techniques to ensure the highest data quality.

Forrester collaborated with CyberFactors to obtain the data used in this report. The data may contain publicly available information and/or proprietary data collected by CyberFactors. The analysis of the data is exclusively Forrester’s. More information is available at www.cyberfactors.com.

Companies Interviewed For This Report

CrowdStrike

FireEye/Mandiant

General Dynamics Fidelis Cybersecurity Solutions

Verizon

Endnotes

1 Source: Krebs on Security (http://krebsonsecurity.com/).

2 Customers are using mobile, social, and other digital technologies to take power from institutions — in particular, corporations. Customers can easily discover pricing, publicly critique products they don’t like, and buy from anyone at any time, anywhere. In the age of the customer, only customer-obsessed enterprises will prosper. For more information, see the October 10, 2013, “Technology Management In The Age Of The Customer” report.

3 In May 2014, Target announced that Steinhafel was stepping down from his role as a result of the breach. Steinhafel held “himself personally accountable and pledged that Target would emerge a better company.” Source: Clare O’Connor, “Target CEO Gregg Steinhafel Resigns In Data Breach Fallout,” Forbes, May 5, 2014 (http://www.forbes.com/sites/clareoconnor/2014/05/05/target-ceo-gregg-steinhafel-resigns-in-wake-of-data-breach-fallout/).

4 Source: “Target Corporation’s CEO Discusses Q4 2013 Results - Earnings Call Transcript,” Yahoo Finance, February 26, 2014 (http://finance.yahoo.com/news/target-corporations-ceo-discusses-q4-193019436.html).

5 This data is through November 19, 2014 and therefore does not reflect the full year of events. Source: CyberFactors, a wholly owned subsidiary of CyberRiskPartners and sister company of CloudInsure.

6 Source: “The State of Advanced Persistent Threats,” Ponemon Institute Research Report, December 2013 (http://buildingtrust.trusteer.com/Ponemon_Study_December_2013).

7 It isn’t always clear who is responsible for an attack because the lines between activists, state actors, and cybercriminals are blurry. Both the Citadel and Poison Ivy Trojans have been utilized for espionage. It’s foolish to equate the use of “traditional” cybercrime tools only with cybercriminals. Why would a state actor waste resources creating a new Trojan, when they could use a readily available commercial Trojan? To learn more, see the November 3, 2014, “Know Your Adversary” report.


8 Source: Sean Michael Kerner, “How Did Syrian Electronic Army Take Down The New York Times?” eWeek Security Watch Blog, August 28, 2013 (http://www.eweek.com/blogs/security-watch/how-did-syrian-electronic-army-take-down-the-new-york-times.html).

9 Source: “Phishing Campaign Linked with ‘Dyre’ Banking Malware,” US-CERT, October 27, 2014 (https://www.us-cert.gov/ncas/alerts/TA14-300A).

10 Source: “2014 Data Breach Investigations Report,” Verizon (http://www.verizonenterprise.com/DBIR/2014/).

11 Source: Operation SMN: Axiom Threat Actor Group Report, Novetta Solutions (http://www.novetta.com/files/9714/1446/8199/Executive_Summary-Final_1.pdf).

Source: Ellen Nakashima, “Researchers identify sophisticated Chinese cyberespionage group,” The Washington Post, October 28, 2014 (http://www.washingtonpost.com/world/national-security/researchers-identify-sophisticated-chinese-cyberespionage-group/2014/10/27/de30bc9a-5e00-11e4-8b9e-2ccdac31a031_story.html).

12 Attackers are using a sophisticated Web-based tool to gather information on potential targets. Source: Lucian Constantin, “Rigged industrial software site points to watering hole attack,” ComputerWorld, September 1, 2014 (http://www.computerworld.com/article/2600767/security-rigged-industrial-software-site-points-to-watering-hole-attack.html).

13 Source: Dennis Fisher, “Energy Watering Hole Attack Used LightsOut Exploit Kit,” Threatpost, March 13, 2014 (http://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772).

14 Source: A. H. Maslow, “A Theory of Human Motivation,” Psychological Review, July 1943 (http://psychclassics.yorku.ca/Maslow/motivation.htm).

15 For the second part of the research, see the July 24, 2014, “Targeted-Attack Hierarchy Of Needs, Part 2” report.

16 Source: Rick Holland, “Counter-Strike?” Rick Holland’s Blog, June 3, 2013 (http://blogs.forrester.com/rick_holland/13-06-03-counter_strike).

17 Source: Michael Riley, Ben Elgin, Dune Lawrence, and Carol Matlack, “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It,” Bloomberg Businessweek, March 13, 2014 (http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data).

18 For more information on Forrester’s Information Security Maturity Model, see the October 6, 2014, “Assess Your Security Program With Forrester’s Information Security Maturity Model” report.

19 Source: “Defense in Depth,” National Security Agency (http://www.nsa.gov/ia/_files/support/defenseindepth.pdf).

20 For more information on measuring the business value of your security program, see the October 2, 2012, “Determine The Business Value Of An Effective Security Program — Information Security Economics 101” report.


21 For more information on Zero Trust, see the November 15, 2012, “Build Security Into Your Network’s DNA: The Zero Trust Network Architecture” report.

22 The annual report on Form 10-K provides a comprehensive overview of the company’s business and financial condition and includes audited financial statements. Source: US Securities and Exchange Commission (http://www.sec.gov/answers/form10k.htm).

23 Source: Forrester’s Business Technographics® Global Security Survey, 2014.

24 For more information on staffing your information security team, see the June 14, 2012, “Recruit And Retain An Information Security Team” report.

25 Source: “2014 Best Schools for Cybersecurity,” Ponemon Institute, February 2014 (http://www.hp.com/hpinfo/newsroom/press_kits/2014/RSAConference2014/Ponemon_2014_Best_Schools_Report.pdf).

26 Source: Chris Sanders and Jason Smith, Applied Network Security Monitoring: Collection, Detection, and Analysis, Syngress, 2013.

Source: Richard Bejtlich, The Practice of Network Security Monitoring: Understanding Incident Detection and Response, No Starch Press, 2013.

27 Source: FIRST (http://first.org/conference/2014).

Source: SANS Institute (https://www.sans.org/event/dfir-summit-2014).

28 For more information on security services, see the April 25, 2012, “Source Your Security Services” report.

29 In the film Up, Dug says, “My master made me this collar. He is a good and smart master and he made me this collar so that I may speak. Squirrel!” Source: Up, Walt Disney Pictures, 2009 (http://www.imdb.com/title/tt1049413/quotes).

30 It seems that not a day goes by that there isn’t another massive security breach in the news. Consumers around the globe hear about continual threats to their personal data while name brand retailers and enterprises are spending millions to respond, remediate, and recover from the theft of sensitive customer data and intellectual property. As the costs of data breaches skyrocket and regulators add more compliance burdens to the enterprise, the security industry must find new ways to more comprehensively meet these threats and prevent the exfiltration of proprietary data into the hands of cybercriminals and other malicious actors. To learn more, see the December 2, 2014, “Rules Of Engagement: A Call To Action To Automate Breach Response” report.

31 Source: McAfee Threat Intelligence Exchange (http://www.mcafee.com/us/resources/data-sheets/ds-threat-intelligence-exchange.pdf).

32 See the June 19, 2014, “Brief: Proofpoint Strengthens Its Targeted Attack Defense With NetCitadel Acquisition” report.


Forrester Research (Nasdaq: FORR) is a global research and advisory firm serving professionals in 13 key roles across three distinct client segments. Our clients face progressively complex business and technology decisions every day. To help them understand, strategize, and act upon opportunities brought by change, Forrester provides proprietary research, consumer and business data, custom consulting, events and online communities, and peer-to-peer executive programs. We guide leaders in business technology, marketing and strategy, and the technology industry through independent fact-based insight, ensuring their business success today and tomorrow.

Forrester Focuses On Security & Risk Professionals

To help your firm capitalize on new business opportunities safely, you must ensure proper governance oversight to manage risk while optimizing security processes and technologies for future flexibility. Forrester’s subject-matter expertise and deep understanding of your role will help you create forward-thinking strategies; weigh opportunity against risk; justify decisions; and optimize your individual, team, and corporate performance.

Sean Rhodes, client persona representing Security & Risk Professionals

About Forrester

A global research and advisory firm, Forrester inspires leaders, informs better decisions, and helps the world’s top companies turn the complexity of change into business advantage. Our research-based insight and objective advice enable IT professionals to lead more successfully within IT and extend their impact beyond the traditional IT organization. Tailored to your individual role, our resources allow you to focus on important business issues — margin, speed, growth — first, technology second.

For More Information

To find out how Forrester Research can help you be successful every day, please contact the office nearest you, or visit us at www.forrester.com. For a complete list of worldwide locations, visit www.forrester.com/about.

Client Support

For information on hard-copy or electronic reprints, please contact Client Support at +1 866.367.7378, +1 617.613.5730, or [email protected]. We offer quantity discounts and special pricing for academic and nonprofit institutions.