World-Class Cybersecurity: Lessons from the Experts
Johna Till Johnson
CEO, Nemertes Research
[email protected], @johnatilljohnso
July 17, 2018
© 2018 Nemertes Research DN6741 1
About Nemertes
Topics We Cover
• Contact Center & Customer Engagement
• Cloud and Networking
• Digital Transformation
• IoT
• Next Generation Endpoints
• Security and Risk Management
• Unified Communications & Collaboration
Research We Conduct
• Benchmarks: Live discussions with IT leaders
• Surveys: Industry-leading data integrity methodology
• Vendor discussions: Product, technology analysis
Services We Provide
• Research advisory service
• Strategy & roadmap consulting
• Vendor & technology assessment
• Cost models
• Maturity models
• Annual conference
Global IT research and strategic consulting firm focusing on the business impact of emerging technology. Founded in 2002 by IT professionals, for IT professionals.
The Current State: July 2018

The World Today
New Breaches
New Vectors
  o Cloud
  o Mobile
  o IoT / “Shadow IoT”
  o Collaboration
  o Chips/Firmware
  o Blockchain
New Threats
  o Ransomware
  o OSX Attacks
  o Industrial botnets
  o Cryptocurrency malware
New Actors
  o Russia
  o China
  o North Korea
“Red Blinking Lights”
June 13, 2017
“Russia’s cyberattack on the U.S. electoral system before Donald Trump’s election was far more widespread than has been publicly revealed, including incursions into voter databases and software systems in almost twice as many states as previously reported.”
Director of National Intelligence Dan Coats, 07/13/18
"The warning signs are there. The system is blinking… we are at a critical point. Today, the digital infrastructure that serves this country is literally under attack.”
What Now?
Defining “World Class”

What Is “World Class” Cybersecurity?
• Technology deployment?
• Spending and investment?
• Operational metrics?
• Organization and governance?
Nemertes’ Security Benchmarking
• 2017-2018 Security and Risk Management Research Study
• Interviewed and surveyed during 2017 and 2018:
  o 625 companies
  o 12 countries
  o 13% (80 companies) financial services
• Validated/invalidated range of hypotheses
Success Metric 1: Nemertes Maturity Model
• Unprepared (Level 0): Lacking necessary information to take effective action; unaware or unable to respond to current or emerging issues
• Reactive (Level 1): Have basic platforms and structures to react to business requirements; cannot proactively prevent problems from arising
• Proactive (Level 2): Have platforms, structures, organizational processes to proactively address current issues and challenges
• Anticipatory (Level 3): Have platforms, structures, organizational processes to proactively address future issues and challenges
Success Metric 2: Operational Metrics
[Chart: operational metrics shown at the 98th, 75th and 50th percentile]
SecOps Metrics: Detection Time
• Median time to detect incursion: 1 hour
• Two clusters of higher performers: 10 minutes and 30 minutes
• Cluster of lower performers requiring days to weeks
[Chart: distribution of detection time; bands: Under 1 hr, Hrs to weeks]
SecOps Metrics: Understanding Time
• Median time to understand incursion: 180 minutes (3 hours)
• Higher performers understand in 30 minutes or less
• Lower performers requiring days to weeks
[Chart: distribution of understanding time; bands: Under 3 hr, Hrs to weeks]
SecOps Metrics: Resolution Time
• Median time to resolve incursion: 6 hours
• Bimodal distribution: cluster around 2 hours, cluster around 2 days
• Highest performers resolve in half an hour or less
[Chart: distribution of resolution time; bands: Under 2 hr, 2 hr - 2 day, 2 days +]
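The three SecOps metrics above (time to detect, understand and resolve) are easy to benchmark internally once incident records carry the right timestamps. The Python below is an added example, not code or data from the deck: it computes median and performer-percentile times over a constructed set of incident records and buckets each incident into the bands the slides use. The clock boundaries (incursion start to detection, detection to understanding, understanding to resolution), the sample incidents and the band edges are this example's assumptions; the deck reports the metrics without defining the endpoints.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Callable, Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Incident:
    """One incident with the four timestamps the three metrics are built from.

    Endpoint definitions are this example's assumption; the deck reports the
    metrics without saying where each clock starts and stops.
    """
    name: str
    started: datetime      # first attacker activity
    detected: datetime     # first alert or report
    understood: datetime   # scope and root cause established
    resolved: datetime     # containment and cleanup complete

    def minutes_to_detect(self) -> float:
        return (self.detected - self.started) / timedelta(minutes=1)

    def minutes_to_understand(self) -> float:
        return (self.understood - self.detected) / timedelta(minutes=1)

    def minutes_to_resolve(self) -> float:
        return (self.resolved - self.understood) / timedelta(minutes=1)


BASE = datetime(2018, 7, 17, 9, 0)


def at(**delta) -> datetime:
    return BASE + timedelta(**delta)


# Constructed sample incidents (not survey data); every incursion starts at BASE.
SAMPLE_INCIDENTS: List[Incident] = [
    Incident("phishing-01", at(), at(minutes=10), at(minutes=40), at(hours=2)),
    Incident("ransomware-02", at(), at(minutes=30), at(hours=3), at(hours=6)),
    Incident("cred-stuffing-03", at(), at(hours=1), at(hours=4), at(days=2)),
    Incident("insider-04", at(), at(days=3), at(days=4), at(days=7)),
    Incident("misconfig-05", at(), at(minutes=8), at(minutes=20), at(minutes=30)),
]

# The bands the slides use, as (exclusive upper bound in minutes, label).
DETECT_BANDS = [(60, "Under 1 hr"), (math.inf, "Hrs to weeks")]
UNDERSTAND_BANDS = [(180, "Under 3 hr"), (math.inf, "Hrs to weeks")]
RESOLVE_BANDS = [(120, "Under 2 hr"), (2880, "2 hr - 2 day"), (math.inf, "2 days +")]

METRICS: Dict[str, Tuple[Callable[[Incident], float], list]] = {
    "detect": (Incident.minutes_to_detect, DETECT_BANDS),
    "understand": (Incident.minutes_to_understand, UNDERSTAND_BANDS),
    "resolve": (Incident.minutes_to_resolve, RESOLVE_BANDS),
}


def performer_percentile(times: Sequence[float], p: int) -> float:
    """Time achieved by the p-th percentile *performer* (nearest-rank method).

    The deck ranks performers, so the 98th-percentile performer is among the
    fastest: their time sits at the (100 - p)-th percentile of the time values.
    """
    ordered = sorted(times)
    rank = max(1, math.ceil((100 - p) / 100 * len(ordered)))
    return ordered[rank - 1]


def summarize(incidents: Sequence[Incident], percentiles=(50, 75, 98)) -> Dict[str, Dict[str, float]]:
    """Median and performer-percentile times, in minutes, for each metric."""
    summary: Dict[str, Dict[str, float]] = {}
    for name, (fn, _) in METRICS.items():
        times = [fn(inc) for inc in incidents]
        summary[name] = {"median": median(times)}
        for p in percentiles:
            summary[name][f"p{p}"] = performer_percentile(times, p)
    return summary


def band_of(minutes: float, bands) -> str:
    """Label of the first band whose upper bound the value is below."""
    for upper, label in bands:
        if minutes < upper:
            return label
    return bands[-1][1]


def band_counts(incidents: Sequence[Incident]) -> Dict[str, Dict[str, int]]:
    """How many incidents fall in each band of each metric."""
    counts: Dict[str, Dict[str, int]] = {}
    for name, (fn, bands) in METRICS.items():
        counts[name] = {}
        for inc in incidents:
            label = band_of(fn(inc), bands)
            counts[name][label] = counts[name].get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for metric, stats in summarize(SAMPLE_INCIDENTS).items():
        print(metric, {k: round(v, 1) for k, v in stats.items()})
    print(band_counts(SAMPLE_INCIDENTS))
```

On the constructed sample the median detection time is 30 minutes and the 98th-percentile performer detects in 8 minutes; the single insider case sits alone in the days-to-weeks band for all three metrics, which is the kind of outlier that drives the bimodal distributions the slides describe.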
Success Metric 2: Operational Metrics
[Chart: operational metrics at the 98th, 75th and 50th percentile; values shown: 8 minutes, 109 minutes, 410 minutes]
Budgeting Maturity
How Security Budget Set
• Ad-hoc: 37%
• Framework: 13%
• Benchmark: 31%
• Risk: 19%
Best practice: Risk-based budget setting
Second-best practice: Benchmarks from peers based on internal metrics
  o Percentage of IT spend
  o Percentage of revenue
“I get whatever I ask for” is not good enough: Ad-hoc is least successful, even in an environment of perceived unlimited funding, and usually results in lower spending
Annual Per-Employee Security Spend
2018 Security Budget Per Employee       More successful   Less successful
Less than $100                               36.7%            68.5%
$100 or more but less than $500              11.7%            11.1%
$500 or more but less than $1000             15.0%             9.3%
$1000 or more but less than $2000            16.7%             9.3%
$2000 or more                                20.0%             1.9%
Most successful more likely to spend more, and 10X more likely to spend more than $2000 per employee
Annual Per-Employee Security Spend
Mean spend by financial services firms in 2018: $3,361
More-successful companies are more likely to include as line item in infosec budget:
• Network security
• Mobile security
• Facilities
• DR/BCP
• IoT security
• AppSec/DevOps
• SecOps
• IAM
• Third-party risk
• Education/awareness training
• Cybersecurity Insurance
• Forensics
• Threat detection
• Governance
• Cloud security
What is Zero Trust Security and Why Does It Matter?

Zero Trust: All Assets Untrusted
• Originally developed by Google as part of BeyondCorp™ architecture
• Assumes all assets untrusted; inside the firewall is no safer than outside
• Impacts on all devices, applications, services:
  o Data-centric approach; requires detailed asset inventory
  o Highly granular and scalable
  o Authentication, authorization, access control at every level
  o Firewalls no longer delineate “safe” from “risky”
  o Encryption everywhere!
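The bullets above describe the decision a zero-trust access layer has to make on every request: authenticate the user, check the device against the asset inventory, apply the requirement that the data classification demands, insist on encrypted transport, and give network location no weight. The Python below is an added example, not BeyondCorp code or anything from the deck; the inventory, the classification tiers and the posture rules attached to each tier are this example's constructed assumptions.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# Constructed asset inventory keyed by device id. Zero trust depends on this
# inventory: a device that is not in it cannot be assessed, so it gets no access.
INVENTORY: Dict[str, Dict[str, bool]] = {
    "laptop-0420": {"managed": True, "disk_encrypted": True},
    "laptop-0777": {"managed": True, "disk_encrypted": False},
    "byod-phone-9": {"managed": False, "disk_encrypted": True},
}

# Classification tiers and the minimum posture each demands. The tier names and
# rules are this example's assumptions, not a scheme taken from the deck.
REQUIREMENTS: Dict[str, Dict[str, bool]] = {
    "public":       {"mfa": False, "managed": False, "disk_encrypted": False},
    "internal":     {"mfa": False, "managed": True,  "disk_encrypted": False},
    "confidential": {"mfa": True,  "managed": True,  "disk_encrypted": True},
}


@dataclass(frozen=True)
class Request:
    user: str
    mfa: bool             # session completed multi-factor authentication
    device_id: str
    resource: str
    classification: str   # label from the data classification catalogue
    tls: bool             # transport is encrypted
    network: str          # "corp" or "internet"; recorded, never trusted


def authorize(req: Request) -> Tuple[bool, List[str]]:
    """Per-request decision. Returns (allowed, reasons for denial).

    req.network is deliberately not consulted: a request from the corporate
    network is judged exactly like one from the internet.
    """
    reasons: List[str] = []
    if not req.tls:
        reasons.append("transport not encrypted")          # encryption everywhere
    posture = INVENTORY.get(req.device_id)
    if posture is None:                                    # unknown asset: stop here
        reasons.append(f"device {req.device_id} not in asset inventory")
        return False, reasons
    need = REQUIREMENTS.get(req.classification)
    if need is None:                                       # unclassified data: default deny
        reasons.append(f"unknown classification {req.classification!r}; default deny")
        return False, reasons
    if need["mfa"] and not req.mfa:
        reasons.append("MFA required for this classification")
    if need["managed"] and not posture["managed"]:
        reasons.append("managed device required for this classification")
    if need["disk_encrypted"] and not posture["disk_encrypted"]:
        reasons.append("encrypted disk required for this classification")
    return not reasons, reasons


def location_independent(req: Request) -> bool:
    """True when the decision is identical from inside and outside the network."""
    inside = replace(req, network="corp")
    outside = replace(req, network="internet")
    return authorize(inside) == authorize(outside)


if __name__ == "__main__":
    demo = [
        Request("alice", True, "laptop-0420", "hr-db", "confidential", True, "internet"),
        Request("bob", True, "laptop-0777", "hr-db", "confidential", True, "corp"),
        Request("bob", False, "byod-phone-9", "wiki", "internal", True, "corp"),
        Request("eve", True, "unknown-1", "site", "public", True, "corp"),
    ]
    for r in demo:
        print(r.user, r.resource, r.network, authorize(r), "location-independent:", location_independent(r))
```

The point the deck makes is visible in the last column: every decision is identical whichever network the request arrives from, while an unmanaged personal phone is refused internal data even when it sits behind the firewall.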
Zero Trust: All Assets Untrusted
[Diagram: ©2016 Google]

Zero Trust: Classification is Key
[Diagram: ©2016 Google]

Key Trends: State of Zero Trust Today
Current State: by Success
[Chart: adoption by Zero Trust adopters vs non-adopters (labelled BTA Adoption; same figures as the Behavioral Threat Analytics slide)]
Successful organizations 2X to 3X more likely to be deploying or planning
Enabling Practices for Zero Trust
Data Classification
Data Classification Adoption              Zero Trust adopters   Non-adopters
Have now                                        73.2%               50.0%
Planning for 2018                               10.7%                7.8%
Evaluating                                      10.7%               17.6%
Not planning (assessed and rejected)             3.6%                1.0%
Not planning                                     1.8%               23.5%
Adopters 50% more likely to have implemented
Security Automation
Adopters up to 70% as likely to be automating security
Firewall Architecture
Firewall Architecture                     Zero Trust adopters   Non-adopters
No firewalls                                     0.0%               17.8%
Centralized                                     46.0%               35.5%
Distributed                                     24.0%               29.0%
Virtualized                                     30.0%               17.8%
Cloud-based                                      8.0%               11.2%
Adopters almost twice as likely to have virtualized firewalls
Adopters more likely to have centralized firewalls
Enabling Technologies for Zero Trust
Bellwether Technology: Advanced Endpoint Security
What it Is
• Software that protects endpoints from malware, using a variety of mechanisms (e.g. microsegmentation)
• Goes far beyond list-based protection offered by traditional anti-malware
Why We Selected It
• Represents an architectural/technical “step function” increase over existing technology
• Aligns well with additional strategic initiatives (e.g. virtualization)
Example Providers
• Bromium, Crowdstrike, Invincea, Tanium, Carbon Black (also current versions of Trend Micro, McAfee, Symantec, some capability in Microsoft)
Advanced Endpoint Security (AES)
AES Adoption                              Zero Trust adopters   Non-adopters
Have now                                        58.9%               28.2%
Planning for 2018                               23.2%                6.8%
Evaluating                                      10.7%               21.4%
Not planning (assessed and rejected)             1.8%                6.8%
Not planning                                     5.4%               36.9%
Adopters 2X as likely to have implemented AES
Bellwether Technology: Behavioral Threat Analytics
What it Is
• Software that integrates multiple sources of data (logs, analytics platforms such as Splunk, SIEM) to capture and display anomalous behavior of users, devices, and systems
Why We Selected It
• Effective use of BTA requires “table stakes” of solid analytics already in place; therefore characterizes more mature organizations
• UBA enables proactive protection against attacks
Example Providers
• Bay Dynamics, Gurucul, Exabeam, Splunk/Caspida
Behavioral Threat Analytics
BTA Adoption                              Zero Trust adopters   Non-adopters
Have now                                        50.0%               23.3%
Planning for 2018                               28.6%                7.8%
Evaluating                                      14.3%               23.3%
Not planning (assessed and rejected)             0.0%                3.9%
Not planning                                     7.1%               41.7%
Adopters more likely to have implemented BTA
Bellwether Technology: Network Access Control
What it Is
• Tools that authorize devices on the network based on security policies
Why We Selected It
• To deploy NAC, organizations need to have a solid authorization and authentication policy in place; that policy becomes the foundation of the zero-trust environment
Example Providers
• Cisco, Forescout, HP/Aruba, Trustwave
Network Access Control (NAC)
NAC Adoption                              Zero Trust adopters   Non-adopters
Have now                                        61.1%               29.7%
Planning for 2018                               22.2%                6.9%
Evaluating                                      11.1%               24.8%
Not planning (assessed and rejected)             0.0%                4.0%
Not planning                                     5.6%               34.7%
Adopters 2X more likely to have implemented NAC
Bellwether Technology: Cloud DLP
What it Is
• Premises- or cloud-based software that protects content stored on clouds
Why We Selected It
• Critical to manage cloud use by employees
• Use implies a relatively mature cloud initiative, including defined policies
Example Providers
• Skyhigh, GTB, Cyphercloud, Vormetric
Cloud: Data Loss Prevention
Cloud DLP Adoption                        Zero Trust adopters   Non-adopters
Have now                                        53.6%               34.0%
Planning for 2018                               23.2%               10.7%
Evaluating                                      16.1%               24.3%
Not planning (assessed and rejected)             3.6%                1.9%
Not planning                                     3.6%               29.1%
Adopters 60% more likely to have implemented DLP for cloud
Bellwether Technology: CASB
What it Is
• Premises- or cloud-based software that automatically detects cloud usage by employees, assesses business and technical risk, and enforces policies
Why We Selected It
• Critical to manage cloud use by employees
• Use implies a relatively mature cloud initiative, including defined policies
Example Providers
• BitGlass, BlueCoat/Symantec, Microsoft, Netskope, Skyhigh
Cloud: Cloud Access Security Brokers
CASB Adoption                             Zero Trust adopters   Non-adopters
Have now                                        51.8%               16.5%
Planning for 2018                               25.0%                7.8%
Evaluating                                       8.9%               27.2%
Not planning (assessed and rejected)             1.8%                7.8%
Not planning                                    12.5%               40.8%
Adopters 3X more likely to have implemented CASB
Bellwether Technology: Single Signon as a Service
What it Is
• Cloud-based software that enables single sign-on to cloud and on-premises resources
Why We Selected It
• Critical to manage cloud and on-premises use by employees
• Use implies a relatively mature cloud initiative, including defined policies
Example Providers
• Microsoft, Okta, Ping
Cloud: Single Signon as a Service
SSOaaS Adoption                           Zero Trust adopters   Non-adopters
Have now                                        71.4%               35.6%
Planning for 2018                               19.6%               13.5%
Evaluating                                       7.1%               19.2%
Not planning (assessed and rejected)             0.0%                3.8%
Not planning                                     1.8%               27.9%
Adopters 2X more likely to have implemented SSOaaS
What Else? “Shadow” Security

Special Focus: UC Security
• UCC suites may have a range of weaknesses
  o Lack of privacy (no end-to-end encryption)
  o Lack of integrated authentication/authorization
  o Lack of DLP
  o Inadequate logging/auditing
• UCC suites are vulnerable to a range of attacks
  o Man in the middle (MITM) attacks exploiting TLS/SSL interception
  o Other TLS/SSL vulnerabilities
  o Session hacking
• More-successful companies are ahead of less-successful companies, but very few have effectively addressed all critical areas of UCC security
“Shadow IoT” Security
Planned IoT initiative:
• Strategy, architecture, roadmap
• Clear business goals
• Defined security budget
• Defined project team
• Can be integrated into overarching security strategy
Shadow IoT:
• No strategy, architecture, roadmap
• No clear business goals or operational processes
• No defined project team (responsibility split among facilities, lines of business, IT)
• No budget
Biggest IoT threat!!
Putting “Sec” Into DevSecOps
[Diagram: Security alongside Configuration management, Continuous Delivery, Monitoring, Version Control, Test and Build]

Current State: Slouching Towards DevSecOps
[Diagram: InfoSec AppSec, DevOps AppSec, DevSecOps]
AppSec Staffing: More is Better
[Chart: AppSec Staffing, More vs Less Successful; categories: More than one person (indicate how many); None, we don't have an infosec person responsible for AppSec; One person, and s/he has ONLY AppSec responsibility; One person, but s/he has other infosec responsibilities in addition; values shown: 9.0%, 15.0%, 4.8%, 22.2%, 12.6%, 9.0%, 10.2%, 17.4%]
Successful companies more likely to have larger AppSec team
Conclusions and Recommendations
• Benchmark SecOps metrics
• Assess cybersecurity maturity
• Develop roadmap for improvement
• Initiate project to assess ZTM
• Review “shadow” infosec areas; launch remediation projects if necessary
Additional Resources
Nemertes Security Strategic Support Program
• For Technology Users (IT, InfoSec, Marketing, other professionals):
  o Assistance developing policy, business cases, strategy, architecture, roadmap, vendor strategic selection
  o Data-based guidance on staffing, spending, budgeting, governance, operations
  o Success metrics for comparable organizations
• For Technology Providers (Vendors, Carriers, VARs):
  o Market trend and customer sentiment analysis
  o Data-based guidance on marketing, product strategy, and go-to-market strategies
  o Objective third-party marketing collateral
• As part of all Nemertes Services: Ongoing support, telephone advisory service, written inquiries and access to all research