© 2019 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form
without Gartner's prior written permission. It consists of the opinions of Gartner's research organization, which should not be construed as statements of fact. While the information contained in this
publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research
may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are
governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or
influence from any third party. For further information, see "Guiding Principles on Independence and Objectivity."
Brian Reed
Top 10 Security Projects for 2019
Gartner Security & Risk Management Summit, 17 – 20 June 2019 / National Harbor, MD
1 © 2019 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates.
Do You Have Atelophobia?
Atelophobia is defined as the fear of not doing something right or the fear of not being good enough. In other words, it’s a fear of imperfection.
How Were These Top 10 Security Projects Selected?
We Looked at Where Gartner Clients Are Spending
Information Security Spending, CAGR by Segment, 2017-2022 (%)
Cloud Access Security Broker Software: 46.2
Encryption Software: 23.7
Threat Intelligence Software: 20.6
Privileged Access Management Software: 17.0
Tokenization Software: 14.2
SIEM Software: 14.2
Vulnerability Assessment Software: 13.4
Enterprise Data Loss Prevention Software: 13.1
IT Outsourcing: 12.4
Web Application Firewall Software: 10.5
Application Security Testing Software: 10.2
Consulting: 9.4
Other Information Security Software: 9.3
Integrated Risk Management Solution Software: 8.5
Firewall Equipment: 8.3
Secure Web Gateway Software: 8.1
Identity Governance and Administration Software: 7.8
Implementation: 7.4
User Authentication Software: 7.4
Endpoint Protection Platform (Enterprise) Software: 5.8
Hardware Support: 5.4
Consumer Security Software: 4.1
Access Management Software: 3.7
Secure Email Gateway Software: 1.8
Intrusion Detection and Prevention Systems: -5.8
Source: Gartner, ID: 386713, © 2019 Gartner, Inc.
We Looked at Where Gartner Clients Are Spending
[Scatter plot: Information Security Spending Growth Outlook by Region. X-axis: 2017-2022 CAGR (%); Y-axis: 2018 Growth (%). Regions plotted: North America, Eastern Europe, Western Europe, Eurasia, Middle East and North Africa, Sub-Saharan Africa, Greater China, Mature Asia/Pacific, Emerging Asia/Pacific, Japan, Latin America.]
Source: Gartner, ID: 386713, © 2019 Gartner, Inc.
2018 Top 10 Security Projects
Privileged Access Management
Detection and Response
Cloud Security Posture Management (CSPM)
Cloud Access Security Broker (CASB)
CARTA-Inspired Vulnerability Management
Active Anti-Phishing Project
Software-Defined Perimeter
Micro-Segmentation and Flow Visibility
Automated Security Scanning
Application Control on Server Workloads
2019 Top 10 Security Projects
Privileged Access Management
Detection and Response
Cloud Security Posture Management (CSPM)
Cloud Access Security Broker (CASB)
CARTA-Inspired Vulnerability Management
Business Email Compromise
Security Ratings Services
Container Security
Security Incident Response
Dark Data Discovery
Some New, Some Changes, Some Same … Why?
• It’s tough to start and complete three to four new projects in a year.
• For 2019, five repeat projects, five new or modified projects.
• The new projects focus heavily on risk reduction and understanding process breakdowns.
• Don’t just buy a security tool; understand what that tool can help you do to reduce risk.
• Projects were not decided based upon the 10 biggest spend areas!
– Or the 10 loudest Gartner analysts.
Still Need to Do “the Basics” Before the “Top 10”
Information Handling:
Email Security Controls
Security Awareness Training
System Protection:
Latest Endpoint Protection Platform and Unified Endpoint Management
Server Protection
Security Infrastructure:
Log Monitoring
Backup/Restore
Patch/Vulnerability Management
Perimeter Security Controls
User Controls:
Remove Administrative Rights From Windows Users
IAM Program With Automated Provisioning/Deprovisioning
How Should You Define Project Success?
• We can’t do everything, so what should we be doing?
• What are the top new projects we recommend CISOs and their teams look at in 2019?
– Projects, not programs (for example, IAM is a program).
– Real, with supporting technologies; not science projects. Budgetable and staffable in 2019.
– Enterprise adoption less than 50%.
– Supported by available technologies, often new, though newness is not required.
• Prioritized:
– Where can security better enable our business?
– Where can I reduce the most risk for the amount of resources required?
– Support a CARTA (Continuous Adaptive Risk and Trust Assessment) strategic approach.
Prioritize Business Enablement and Risk Reduction
[2x2 matrix: Business Impact (Low to High) against Risk Reduced (Low to High), with the 2019 targets marked.]
Business Enablement for Project Success
Remember your organization decides whether to take on the risk; our job in security is to provide all known data points to support a business decision.
Make this directly relatable to your organization: communicate with business leads to validate risk reduction.
Do you have a lot of third-party relationships and share a lot of data? If so, security risk ratings and dark data discovery might be of interest.
Do you have employees who look at email as the single source of truth and trust? If so, look into business email compromise.
What Are the Top 10 Security Projects for 2019?
Privileged Access Management (PAM) Project
Privileged Account and Session Management (PASM)
Privilege Elevation and Delegation Management (PEDM)
Privileged Access Management Project
All organizations deal with root, administrative and highly empowered accounts, and these will be primary targets for attackers to gain access.
Criteria and Prerequisites for Success
Support cloud, hybrid and on-prem.
PASM/PEDM use cases desired, with recording.
API automation capabilities.
Human and machine access management.
Advice
MFA for all admins, PAM for third-party access. Apply a risk-based approach.
See “Magic Quadrant for Privileged Access Management.”
Project Difficulty: Medium. Requires both tools and process adjustments.
Sample Vendors
ARCON, BeyondTrust, Broadcom-CA, Centrify, CyberArk, Fox Technologies (1), Fudo Security, Hitachi ID, Lieberman (2), One Identity, Osirium, senhasegura, Thycotic, WALLIX
(1) Acquired by HelpSystems; (2) Acquired by BeyondTrust
CARTA-Inspired Vulnerability Management Project
Not all patches are equal. This project takes a risk-based approach to patch management by focusing on systems and vulnerabilities with higher risk.
Criteria and Prerequisites for Success
Acknowledge we will never be 100% patched.
Joint initiative with IT operations = win/win.
Leverage existing scanning data and process.
Advice
Focus on vulnerabilities with exploits. Factor in compensating controls.
See “Market Guide for Vulnerability Assessment.”
Project Difficulty: Easy. Apply context and threat intel to vulnerability data.
Sample Vendors
Core Security (1), Kenna Security, NopSec, Qualys, RedSeal, RiskSense, Risk Based Security, Skybox Security, Tenable.io
(1) Acquired by HelpSystems
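As an added worked example of the risk-based prioritization this project describes (example code, not from the Gartner deck or any vendor listed above): a scoring pass over existing scanner output that weights CVSS severity by exploit availability, exposure and compensating controls, then fills a fixed patch capacity instead of chasing 100%. Hostnames, vulnerability IDs, weights and the capacity are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    vuln_id: str             # constructed placeholder, not a real CVE
    cvss: float              # base score from the existing scanner export
    exploit_public: bool     # threat intel: a working exploit is published
    exploited_in_wild: bool  # threat intel: active exploitation observed
    internet_facing: bool    # asset inventory context
    compensating: tuple      # controls already in front of the asset


# Constructed join of scan data, threat intel and asset context (all values made up).
FINDINGS = [
    Finding("web-01", "VULN-1", 9.8, True, True, True, ()),
    Finding("db-02", "VULN-2", 9.8, False, False, False, ()),
    Finding("hr-app", "VULN-3", 7.5, True, False, True, ("waf",)),
    Finding("build-07", "VULN-4", 6.5, True, False, False, ("app-control",)),
    Finding("kiosk-11", "VULN-5", 5.3, False, False, False, ()),
]

# Assumed fraction of risk each compensating control removes (constructed weights).
CONTROL_WEIGHT = {"waf": 0.5, "app-control": 0.6, "segmented": 0.3}


def risk_score(f: Finding) -> float:
    """Severity is only the starting point; exploitability, exposure and controls adjust it."""
    score = f.cvss
    if f.exploited_in_wild:
        score *= 2.0
    elif f.exploit_public:
        score *= 1.5
    else:
        score *= 0.5         # no known exploit: CVSS alone overstates the risk
    if f.internet_facing:
        score *= 2.0
    for control in f.compensating:
        score *= 1.0 - CONTROL_WEIGHT.get(control, 0.0)
    return round(score, 2)


def patch_plan(findings, capacity):
    """Rank by risk; return (this cycle, deferred) for a fixed patching capacity."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return ranked[:capacity], ranked[capacity:]


if __name__ == "__main__":
    now, later = patch_plan(FINDINGS, capacity=2)
    for f in now:
        print("patch now", f.host, f.vuln_id, risk_score(f))
    for f in later:
        print("defer    ", f.host, f.vuln_id, risk_score(f))
```

Note that the CVSS 9.8 finding with no known exploit on an internal host ranks below the 7.5 finding that is exploited and internet-facing, which is the point of applying context and threat intel to the raw scan data.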
Detection and Protection Techniques
[Figure: a spectrum of detection techniques from IOC/policy/configuration matching to behavior-based detection, illustrated along a sample attack chain: Internet, Outlook, Word macro, GitHub.com, Unknown.exe, LSASS*, new logon, network.]
Detection and Response Project
Mean time to detect and respond is the new standard for effective security against attackers. Only 20% of endpoints have deployed EDR.
Criteria and Prerequisites for Success
Commitment to reviewing and resolving alerts.
Skilled operators who can interpret low-confidence alerts.
Operations and security hand-offs for remediation.
Advice
Type A: invest in EDR and incident response processes.
Type B, C: consider premium support and outsourcing.
Project Difficulty: Easy. Solutions offer cloud-based deployments. Operator skill level is key.
Sample Vendors
BlackBerry Cylance, Carbon Black, Cisco, CrowdStrike, Cybereason, Endgame, FireEye, McAfee, Microsoft, Sophos, Symantec, Tanium, Trend Micro
Applicability of CSPM and CASB
[Figure: Illustration of Potential Deployment Patterns for CASB, CSPM and CWPP Into IaaS (© 2018 Gartner, Inc., ID: 361411). Enterprise and external users reach an IaaS subscription (load balancing, web servers, application servers, database and storage, behind NSGs and a web API). CASB capabilities shown: compliance assessment, adaptive access control, data loss prevention, UEBA, policy enforcement, threat protection. CSPM capabilities shown: compliance assessment, operational monitoring, DevSecOps integration, risk identification, policy enforcement, threat protection. CWPP capabilities shown: workload configuration, system monitoring, network segmentation, system integrity, application whitelisting, exploit protection. Deployment patterns shown: API integration to cloud APIs, network proxying, and agents deployed to workloads (CWPP).]
Control Coverage of CSPM and CASB
CASB = Cloud Access Security Broker; CSPM = Cloud Security Posture Management; CWPP = Cloud Workload Protection Platforms
[Figure: Control Coverage of CSPM vs. CASBs and CWPPs (© 2018 Gartner, Inc., ID: 361515), mapping CASB, CSPM and CWPP coverage across SaaS and IaaS/PaaS.]
Cloud Security Posture Management Project
For organizations looking for automated assessment and remediation across multicloud IaaS/PaaS environments at the control plane.
Criteria and Prerequisites for Success
Support for multiple cloud providers.
Sensitive data discovery and risky exposure detection.
Support for all IaaS and PaaS services.
Remediation, not just assessment.
Advice
For a single cloud provider, look for native capabilities or CASB.
For multicloud, prioritize remediation, sign 1-2 year contracts, reassess often.
Project Difficulty: Medium. Process and culture changes are also needed.
Sample Vendors
Alert Logic, Amazon, Bitglass, CloudAware, CloudCheckr, Google Cloud, McAfee, Microsoft Azure, Qualys, Symantec, Tenable.io
Cloud Access Security Broker Project
For enterprises seeking a central location for policy and governance across multiple cloud services concurrently, for users and devices, with visibility of user activities and sensitive data.
Criteria and Prerequisites for Success
Visibility via forward/reverse proxy? APIs?
Does the vendor provide a risk ratings database?
Sensitive data monitoring and UEBA capabilities.
Advice
Start with cloud application discovery.
Favor multimode CASB (proxy + APIs).
Data discovery and protection across cloud and on-prem; sign 1 to 2 year contracts.
Project Difficulty: Medium. Discovery project and prioritization of use cases.
Sample Vendors
Bitglass, CensorNet, CipherCloud, Cisco, Forcepoint, Fortinet, McAfee, Microsoft, Palo Alto Networks, Proofpoint, Symantec
Business Email Compromise (BEC) Project
A BEC attack steals funds or sensitive data by exploiting normal business processes using pure social engineering tactics (not malicious URLs or attachments).
Why it works:
• Bypasses traditional security products that are only looking for a malicious payload.
• A combination of social engineering tactics cons users and overrides their better judgment.
How to stop it:
• Fix loopholes in business processes.
• Employ technology that can inspect message context by looking at the trustability and authenticity of the sender.
• Actively monitor your email systems and provide end users an easy path to report suspicious email communications.
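The sender-context inspection in the “How to stop it” list above, as an added example that is not part of the Gartner deck or any listed vendor's product: it scores a message on sender authenticity (DMARC result for messages claiming the internal domain), lookalike domains, executive display names on external addresses, Reply-To redirection and pressure language, none of which depends on a malicious URL or attachment. The internal domain, executive directory, weights, review threshold and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.com"           # constructed
EXECUTIVE_NAMES = {"jane doe", "john smith"}   # constructed directory of likely impersonation targets
URGENCY_TERMS = ("urgent", "today", "confidential", "wire", "gift card")

# Constructed impersonation message: no link, no attachment, and SPF passes
# for the attacker's own lookalike domain, so payload-only filters see nothing.
SAMPLE_BEC = """\
From: "Jane Doe (CEO)" <jane.doe@examp1e-corp.com>
Reply-To: ceo.urgent@freemail.example
To: controller@example-corp.com
Subject: Urgent wire before 5pm
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=examp1e-corp.com; dkim=none; dmarc=none

Please process this vendor wire today and keep it confidential.
"""

# Constructed legitimate message from the real executive.
SAMPLE_OK = """\
From: "Jane Doe" <jane.doe@example-corp.com>
To: controller@example-corp.com
Subject: Board agenda
Authentication-Results: mx.example-corp.com; spf=pass; dkim=pass; dmarc=pass

Agenda attached for review next week.
"""


def auth_results(header: str) -> dict:
    """Reduce an Authentication-Results header to {method: result}."""
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)
    return {m.lower(): r.lower() for m, r in pairs}


def looks_like(domain: str, target: str) -> bool:
    """Crude homoglyph check: 1/l, 0/o, rn/m, vv/w substitutions of the target domain."""
    normalized = domain.replace("1", "l").replace("0", "o").replace("rn", "m").replace("vv", "w")
    return domain != target and normalized == target


def score_message(raw: str) -> tuple:
    """Return (score, reasons); a score of 3 or more is held for human review."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    name = re.sub(r"\(.*?\)", "", display).strip().lower()   # drop "(CEO)" style suffixes
    auth = auth_results(msg.get("Authentication-Results", ""))
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    pressure = [t for t in URGENCY_TERMS if t in text]
    findings = []   # (reason, weight)
    if name in EXECUTIVE_NAMES and from_domain != INTERNAL_DOMAIN:
        findings.append(("executive display name on an external domain", 2))
    if from_domain == INTERNAL_DOMAIN and auth.get("dmarc") != "pass":
        findings.append(("claims the internal domain without a DMARC pass", 3))
    if looks_like(from_domain, INTERNAL_DOMAIN):
        findings.append(("lookalike of the internal domain", 2))
    if reply_domain and reply_domain != from_domain:
        findings.append(("Reply-To redirects to a different domain", 1))
    if len(pressure) >= 2:
        findings.append(("pressure language: " + ", ".join(pressure), 1))
    return sum(w for _, w in findings), [r for r, _ in findings]
```

The reasons list is what an end user or analyst sees when the message is held, which gives the easy reporting path the slide asks for something concrete to confirm or dismiss.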
Business Email Compromise Project
Phishing and BEC are not the same. This project addresses process breakdowns where organizations trust the text of an email as the “single source of truth.”
Criteria and Prerequisites for Success
Technical controls using ML that can integrate with your current email security systems.
Customize based on your specific workflow and business operations.
Advice
Combine technical controls for BEC, security awareness training and web browser isolation.
See “Fighting Phishing — 2020 Foresight.”
Project Difficulty: Medium. Communication between security and users.
Sample Vendors
Abnormal Security, Agari, Area 1 Security, GreatHorn, Graphus, INKY, IRONSCALES, Mimecast, PhishLabs, Proofpoint, Terranova, Trend Micro, Valimail
Dark Data Discovery Project
Do you know where all of your sensitive data resides?
Do you have data that is taking up space with zero value?
Dark Data Discovery Project
All organizations deal with data that was once operationally valuable but over time has become “dark,” meaning it carries unknown risks and no value.
Criteria and Prerequisites for Success
Address data that resides across multiple data silos — such as file shares, databases, and big data and cloud repositories.
Integrate with data classification.
Advice
Implement defensible deletion or other effective data management strategies.
See “Market Guide for File Analysis Software.”
Project Difficulty: Medium to Difficult. Tool complexity and changes to behavior.
Sample Vendors
Active Navigation, Adlib, Druva, Formpipe, Ground Labs, IBM, Index Engines, Micro Focus, SailPoint, Spirion, STEALTHbits, TITUS, Varonis
Level of Preparedness for Security Incidents
Q: Which of the following statements best characterizes your organization's preparedness for a security incident? (Percentage of respondents)
46%: We have a plan. Security and/or IT will manage the entire incident. We test it regularly, at least annually.
37%: We have a comprehensive security incident response plan covering all possible business impacts.
15%: We have a plan. Security and/or IT will manage the entire incident. We test it occasionally at best.
3%: We have a plan documented somewhere. We will consult it if we ever have an incident.
Base: Risk and Security Management, excluding “Have no plans” and “Don't Know,” n = 290. Note: Percentages may not add up to 100% due to rounding.
Security Incident Response Project
Security incidents are a matter of “when,” not “if.” An IR retainer is not a replacement for good security processes and preparedness.
Criteria and Prerequisites for Success
Planning and preparation before an incident.
Detection and triage processes are critical.
Capabilities for containment and eradication.
Feed lessons learned back into preparedness.
Advice
Look for an IR retainer (IRR) provider who understands your operations and processes.
See “Market Guide for Digital Forensics and Incident Response Services.”
Project Difficulty: Medium. Not just a vendor selection exercise; also process changes and communication.
Sample Vendors
AT&T, BlackBerry Cylance, Booz Allen Hamilton, Cisco, CrowdStrike, FireEye (Mandiant), IBM, Kroll, Kudelski Security, McAfee, Rapid7, Secureworks, Stroz Friedberg (1), Verizon
(1) An Aon company
Container Security Project
In 2019, more than 50% of enterprises will have a container-based application in development or production. Make sure these are secured from inception.
Criteria and Prerequisites for Success
Start container security in development.
Make security seamless to the developer.
Balance the need for security with speed.
Advice
Integrate and automate natively into development; scan for known vulnerabilities.
See “Container Security — From Image Analysis to Network Segmentation, Options Are Maturing.”
Project Difficulty: Medium. Integration into DevSecOps required.
Sample Vendors
Aqua Security, McAfee, NeuVector, Qualys-Layered Insight, StackRox, Symantec, Trend Micro, Twistlock
Security Ratings Services Project
Focus on risks associated with digital ecosystems. Look beyond internal security posture to the supply chain, regulators, customers and partners.
Criteria and Prerequisites for Success
Not a one-stop shop. Need a traditional third-party risk program in place first.
Do not collect unnecessary amounts of information on non-strategic partners.
Advice
Evaluate multiple SRS offerings; make SRS part of a comprehensive program.
See “Innovation Insight for Security Rating Services.”
Project Difficulty: Easy to Medium. Use cases: third-party risk, M&A, internal reporting, cyber insurance.
Sample Vendors
BitSight, CORAX, Cyence, CyRating, FICO, NormShield, PANORAYS, RiskRecon, Security Scorecard, UpGuard
Here’s a List of Projects We Also Reviewed
• Threat intelligence services enhancements
• Threat attribution services
• Cyber insurance technology support systems
• AI-driven MSS/MDR/threat hunting
• Biometric credential protection
• Quantum encryption
• Chaos security engineering – deliberate flaws to test DevSecOps
• SIEM-as-a-service
• Hire a digital risk manager
• Data-centric deception
• Drone detection and mitigation
Recommendations
If you can do only two things in 2019, implement an intelligent, CARTA-inspired vulnerability management project and MFA for admins.
Don’t make the mistake of only focusing on risk reduction when choosing projects for 2019 – think about enablement.
If you have privacy concerns or are migrating large amounts of data to cloud/third parties, consider dark data discovery and security ratings services.
Implement a default deny posture on servers, network and application access.
For information, please contact your Gartner representative.
Recommended Gartner Research
Top 10 Security Projects for 2019 – Brian Reed, Neil MacDonald, Peter Firstbrook, Sam Olyaei and Prateek Bhajanka (G00378651)
Top Security and Risk Management Trends – Peter Firstbrook, Brian Reed, Sam Olyaei, Gorka Sadowski, David Mahdi, Prateek Bhajanka and Earl Perkins (G00378361)
Zero Trust Is an Initial Step on the Roadmap to CARTA – Neil MacDonald (G00377791)