World-Class Cybersecurity: Lessons from the Experts

Johna Till Johnson
CEO, Nemertes Research
johna@nemertes.com, @johnatilljohnso

July 17, 2018

© 2018 Nemertes Research DN6741

About Nemertes

Global IT research and strategic consulting firm focusing on the business impact of emerging technology. Founded in 2002 by IT professionals, for IT professionals.

Topics We Cover
• Contact Center & Customer Engagement
• Cloud and Networking
• Digital Transformation
• IoT
• Next Generation Endpoints
• Security and Risk Management
• Unified Communications & Collaboration

Research We Conduct
• Benchmarks: Live discussions with IT leaders
• Surveys: Industry-leading data integrity methodology
• Vendor discussions: Product, technology analysis

Services We Provide
• Research advisory service
• Strategy & roadmap consulting
• Vendor & technology assessment
• Cost models
• Maturity models
• Annual conference

The Current State: July 2018

The World Today

New Breaches

New Vectors
• Cloud
• Mobile
• IoT (“Shadow IoT”)
• Collaboration
• Chips/Firmware
• Blockchain

New Threats
• Ransomware
• OSX attacks
• Industrial botnets
• Cryptocurrency malware

New Actors
• Russia
• China
• North Korea

The World Today

June 13, 2017:

“Russia’s cyberattack on the U.S. electoral system before Donald Trump’s election was far more widespread than has been publicly revealed, including incursions into voter databases and software systems in almost twice as many states as previously reported.”

“Red Blinking Lights”

Director of National Intelligence Dan Coats, 07/13/18:

“The warning signs are there. The system is blinking… we are at a critical point. Today, the digital infrastructure that serves this country is literally under attack.”

What Now?

Defining “World Class”

What Is “World Class” Cybersecurity?

Technology deployment?
Spending and investment?
Operational metrics?
Organization and governance?

Nemertes’ Security Benchmarking

• 2017-2018 Security and Risk Management Research Study
• Interviewed and surveyed during 2017 and 2018:
  o 625 companies
  o 12 countries
  o 13% (80 companies) financial services
• Validated/invalidated range of hypotheses

Success Metric 1: Nemertes Maturity Model

• Unprepared (Level 0): Lacking necessary information to take effective action; unaware of or unable to respond to current or emerging issues
• Reactive (Level 1): Have basic platforms and structures to react to business requirements; cannot proactively prevent problems from arising
• Proactive (Level 2): Have platforms, structures, organizational processes to proactively address current issues and challenges
• Anticipatory (Level 3): Have platforms, structures, organizational processes to proactively address future issues and challenges

Success Metric 2: Operational Metrics

(Chart: 50th, 75th and 98th percentile breakpoints)

SecOps Metrics: Detection Time

• Median time to detect incursion: 1 hour
• Two clusters of higher performers: 10 minutes and 30 minutes
• Cluster of lower performers requiring days to weeks

SecOps Metrics: Understanding Time

• Median time to understand incursion: 180 minutes (3 hours)
• Higher performers understand in 30 minutes or less
• Lower performers require days to weeks

SecOps Metrics: Resolution Time

• Median time to resolve incursion: 6 hours
• Bimodal distribution: cluster around 2 hours, cluster around 2 days
• Highest performers resolve in half an hour or less

Success Metric 2: Operational Metrics

Percentile breakpoints (performer percentiles, so a higher percentile is faster):
• 98th percentile: 8 minutes
• 75th percentile: 109 minutes
• 50th percentile: 410 minutes
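The three SecOps metrics above (time to detect, understand and resolve an incursion) are only comparable across organizations when everyone measures from the same starting point and reports percentiles the same way. The following is an added example, not code from the deck or from Nemertes, of how to compute them from incident records; the `Incident` record layout, the nearest-rank percentile method and the sample incidents are assumptions constructed for the example. It reports both the ordinary time percentile (median) and the deck's "performer" percentiles, where the 98th percentile is the time the fastest 2% achieve.

```python
"""Added example: computing the SecOps benchmark metrics from incident
records. Illustrative code, not the Nemertes methodology; the incident
data at the bottom is constructed for the example."""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Incident:
    incident_id: str
    intrusion_at: datetime    # earliest evidence of attacker activity
    detected_at: datetime     # first alert or analyst observation
    understood_at: datetime   # scope, vector and affected assets established
    resolved_at: datetime     # containment and remediation complete


def validate(inc: Incident) -> None:
    """Stage timestamps must not run backwards. A backdated 'detected_at'
    silently flatters the numbers, so refuse to score such a record."""
    stages = [inc.intrusion_at, inc.detected_at, inc.understood_at, inc.resolved_at]
    for earlier, later in zip(stages, stages[1:]):
        if later < earlier:
            raise ValueError(f"{inc.incident_id}: timestamps not in stage order")


def stage_minutes(inc: Incident) -> Dict[str, float]:
    """Per-incident time to detect / understand / resolve, each measured
    from the start of the incursion."""
    validate(inc)

    def since_intrusion(t: datetime) -> float:
        return (t - inc.intrusion_at).total_seconds() / 60.0

    return {
        "detect": since_intrusion(inc.detected_at),
        "understand": since_intrusion(inc.understood_at),
        "resolve": since_intrusion(inc.resolved_at),
    }


def time_percentile(values: List[float], q: float) -> float:
    """Nearest-rank q-th percentile of the time distribution (q=50 is the
    median): q percent of incidents took this long or less."""
    if not values:
        raise ValueError("no samples")
    ordered = sorted(values)
    rank = max(1, math.ceil(q / 100.0 * len(ordered)))
    return ordered[rank - 1]


def performer_percentile(values: List[float], p: float) -> float:
    """The deck quotes 'performer' percentiles: the 98th percentile is the
    time the fastest 2% achieve. That is the (100 - p)-th percentile of the
    time distribution, so this is the mirror image of time_percentile."""
    return time_percentile(values, 100.0 - p)


def benchmark(incidents: List[Incident]) -> Dict[str, Dict[str, float]]:
    """Per stage: median, the 75th and 98th performer percentiles (the
    deck's three breakpoints) and the worst case, which is what the
    'days to weeks' tail looks like in a report."""
    per_stage: Dict[str, List[float]] = {"detect": [], "understand": [], "resolve": []}
    for inc in incidents:
        for stage, mins in stage_minutes(inc).items():
            per_stage[stage].append(mins)
    return {
        stage: {
            "median": time_percentile(vals, 50),
            "p75_performer": performer_percentile(vals, 75),
            "p98_performer": performer_percentile(vals, 98),
            "worst": max(vals),
        }
        for stage, vals in per_stage.items()
    }


# Constructed sample: minutes after the intrusion at which each incident was
# (detected, understood, resolved). The spread mimics the deck's clusters:
# tens of minutes for high performers, days to a week for the tail.
_T0 = datetime(2018, 7, 17, 9, 0, 0)
_OFFSETS = [
    (8, 30, 45), (10, 25, 120), (30, 90, 180), (60, 180, 360),
    (60, 240, 2880), (45, 120, 300), (1440, 4320, 10080), (12, 40, 90),
    (90, 200, 480), (25, 150, 2880),
]
SAMPLE_INCIDENTS = [
    Incident(f"INC-{i:03d}", _T0, _T0 + timedelta(minutes=d),
             _T0 + timedelta(minutes=u), _T0 + timedelta(minutes=r))
    for i, (d, u, r) in enumerate(_OFFSETS, start=1)
]

if __name__ == "__main__":
    for stage, row in benchmark(SAMPLE_INCIDENTS).items():
        print(f"{stage:10s} median={row['median']:6.0f} min  "
              f"p75={row['p75_performer']:5.0f}  p98={row['p98_performer']:4.0f}  "
              f"worst={row['worst']:6.0f}")
```

The point of the `validate` step is that these metrics are easy to game by backfilling timestamps; a benchmark that accepts records with a detection time earlier than the intrusion, or an understanding time earlier than detection, will report a median that no SOC actually achieved.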

Budgeting Maturity

How Security Budget Set:
• Ad-hoc: 37%
• Framework: 13%
• Benchmark: 31%
• Risk: 19%

• Best practice: Risk-based budget setting
• Second-best practice: Benchmarks from peers based on internal metrics (percentage of IT spend, percentage of revenue)
• “I get whatever I ask for” is not good enough: Ad-hoc is least successful, even in an environment of perceived unlimited funding, and usually results in lower spending

Annual Per-Employee Security Spend

2018 Security Budget Per Employee (more successful vs less successful organizations):
• Less than $100:                    36.7% vs 68.5%
• $100 or more but less than $500:   11.7% vs 11.1%
• $500 or more but less than $1000:  15.0% vs 9.3%
• $1000 or more but less than $2000: 16.7% vs 9.3%
• $2000 or more:                     20.0% vs 1.9%

Most successful more likely to spend more, and 10X more likely to spend more than $2000 per employee

Annual Per-Employee Security Spend

Mean spend by financial services firms in 2018: $3,361

More-successful companies are more likely to include as line items in the infosec budget:
• Network security
• Mobile security
• Facilities
• DR/BCP
• IoT security
• AppSec/DevOps
• SecOps
• IAM
• Third-party risk
• Education/awareness training
• Cybersecurity insurance
• Forensics
• Threat detection
• Governance
• Cloud security

What is Zero Trust Security and Why Does It Matter?

Zero Trust: All Assets Untrusted

• Best known from Google’s BeyondCorp™ architecture (the model itself was articulated earlier, by Forrester)
• Assumes all assets untrusted; inside the firewall is no safer than outside
• Impacts on all devices, applications, services:
  o Data-centric approach; requires detailed asset inventory
  o Highly granular and scalable
  o Authentication, authorization, access control at every level
  o Firewalls no longer delineate “safe” from “risky”
  o Encryption everywhere!
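What the bullets above mean at the point where a request is actually allowed or denied, as an added example (not code from the deck, and not Google's BeyondCorp implementation): every request is evaluated against the device inventory, the device's measured posture, the user's identity and the classification of the data being reached, and the network the request arrives from never enters the decision. The trust tiers, the posture rules, the classification-to-tier policy and the inventory are assumptions constructed for the example.

```python
"""Added example: a minimal zero-trust access decision in the spirit of
the slide above (device inventory, data classification, authentication
and authorization on every request, no trust from network location).
Illustrative code only; tiers, policy and inventory are constructed."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, List, Optional


class Tier(IntEnum):
    """Device trust tier derived from posture; higher is more trusted."""
    UNTRUSTED = 0
    BASIC = 1
    MANAGED = 2
    HARDENED = 3


class Classification(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool            # enrolled in MDM / corporate image
    disk_encrypted: bool
    patch_age_days: int      # days since the last security patch was applied
    cert_valid: bool         # device certificate chains to the corporate CA


@dataclass(frozen=True)
class User:
    username: str
    groups: FrozenSet[str]
    mfa_verified: bool       # this request carried a fresh MFA assertion


@dataclass(frozen=True)
class Resource:
    name: str
    classification: Classification
    allowed_groups: FrozenSet[str]


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reasons: List[str]       # every failed check, for the audit log


# Data-centric policy: the classification alone drives the required device
# tier and the MFA requirement. Source IP / "inside the firewall" is absent.
MIN_TIER: Dict[Classification, Tier] = {
    Classification.PUBLIC: Tier.UNTRUSTED,
    Classification.INTERNAL: Tier.BASIC,
    Classification.CONFIDENTIAL: Tier.MANAGED,
    Classification.RESTRICTED: Tier.HARDENED,
}
MFA_FROM = Classification.CONFIDENTIAL


def device_tier(device: Optional[Device]) -> Tier:
    """Posture -> tier. A device missing from the inventory, or one whose
    certificate does not validate, is untrusted regardless of what it
    claims about itself; self-reported posture is only believed once the
    device has proven it is the inventoried device."""
    if device is None or not device.cert_valid:
        return Tier.UNTRUSTED
    if not device.managed:
        return Tier.BASIC
    if device.disk_encrypted and device.patch_age_days <= 30:
        return Tier.HARDENED
    return Tier.MANAGED


def authorize(user: User, device_id: str, resource: Resource,
              inventory: Dict[str, Device]) -> Decision:
    """Evaluate one request. Every check runs (no short-circuit) so the
    audit record lists all reasons, not just the first failure."""
    reasons: List[str] = []
    device = inventory.get(device_id)
    tier = device_tier(device)
    needed = MIN_TIER[resource.classification]
    if device is None:
        reasons.append(f"device {device_id} not in inventory")
    if tier < needed:
        reasons.append(f"device tier {tier.name} below required {needed.name}")
    if not user.groups & resource.allowed_groups:
        reasons.append(f"user {user.username} not in an allowed group")
    if resource.classification >= MFA_FROM and not user.mfa_verified:
        reasons.append("MFA required for this classification")
    return Decision(allowed=not reasons, reasons=reasons)


# Constructed inventory, resources and users for the example.
INVENTORY = {
    "lap-001": Device("lap-001", managed=True, disk_encrypted=True, patch_age_days=5, cert_valid=True),
    "lap-002": Device("lap-002", managed=True, disk_encrypted=False, patch_age_days=60, cert_valid=True),
    "byod-07": Device("byod-07", managed=False, disk_encrypted=True, patch_age_days=2, cert_valid=True),
}
PAYROLL = Resource("payroll-db", Classification.RESTRICTED, frozenset({"finance"}))
WIKI = Resource("intranet-wiki", Classification.INTERNAL, frozenset({"staff"}))
ALICE = User("alice", frozenset({"staff", "finance"}), mfa_verified=True)
BOB = User("bob", frozenset({"staff"}), mfa_verified=False)

if __name__ == "__main__":
    for user, dev, res in [(ALICE, "lap-001", PAYROLL), (ALICE, "lap-002", PAYROLL),
                           (BOB, "byod-07", WIKI), (BOB, "unknown", WIKI)]:
        d = authorize(user, dev, res, INVENTORY)
        print(f"{user.username}@{dev} -> {res.name}: "
              f"{'ALLOW' if d.allowed else 'DENY'} {d.reasons}")
```

Two design choices carry the zero-trust point. First, `device_tier` returns `UNTRUSTED` for any device the inventory does not know, which is why the slide calls the asset inventory a prerequisite: without it there is nothing to derive trust from. Second, the same laptop that is allowed into the payroll database with a fresh patch and encrypted disk is refused once its posture slips, so "inside the firewall" buys nothing.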

Zero Trust: All Assets Untrusted

(Figure: ©2016 Google)

Zero Trust: Classification is Key

(Figure: ©2016 Google)

Key Trends: State of Zero Trust Today

Current State: by Success

(Chart: adoption status by organizational success; categories: have now / planning for 2018 / evaluating / not planning (assessed and rejected) / not planning)

Successful organizations 2X to 3X more likely to be deploying or planning

Enabling Practices for Zero Trust

Data Classification

Data Classification Adoption (Zero Trust Adopters vs Non-Adopters):
• Have now:                              73.2% vs 50.0%
• Planning for 2018:                     10.7% vs 7.8%
• Evaluating:                            10.7% vs 17.6%
• Not planning (assessed and rejected):   3.6% vs 1.0%
• Not planning:                           1.8% vs 23.5%

Adopters 50% more likely to have implemented

Security Automation

Adopters up to 70% more likely to be automating security

Firewall Architecture

Firewall Architecture (Zero Trust Adopters vs Non-Adopters):
• No firewalls:   0.0% vs 17.8%
• Centralized:   46.0% vs 35.5%
• Distributed:   24.0% vs 29.0%
• Virtualized:   30.0% vs 17.8%
• Cloud-based:    8.0% vs 11.2%

Adopters more likely to have centralized firewalls, and almost twice as likely to have virtualized firewalls

Enabling Technologies for Zero Trust

Bellwether Technology: Advanced Endpoint Security

What it Is
• Software that protects endpoints from malware, using a variety of mechanisms (e.g. microsegmentation)
• Goes far beyond list-based protection offered by traditional anti-malware

Why We Selected It
• Represents an architectural/technical “step function” increase over existing technology
• Aligns well with additional strategic initiatives (e.g. virtualization)

Example Providers
• Bromium, Crowdstrike, Invincea, Tanium, Carbon Black (also current versions of Trend Micro, McAfee, Symantec; some capability in Microsoft)

Advanced Endpoint Security (AES)

AES Adoption (Zero Trust Adopters vs Non-Adopters):
• Have now:                              58.9% vs 28.2%
• Planning for 2018:                     23.2% vs 6.8%
• Evaluating:                            10.7% vs 21.4%
• Not planning (assessed and rejected):   1.8% vs 6.8%
• Not planning:                           5.4% vs 36.9%

Adopters 2X as likely to have implemented AES

Bellwether Technology: Behavioral Threat Analytics

What it Is
• Software that integrates multiple sources of data (logs, analytics platforms such as Splunk, SIEM) to capture and display anomalous behavior of users, devices, and systems

Why We Selected It
• Effective use of BTA requires “table stakes” of solid analytics already in place; therefore characterizes more mature organizations
• User behavior analytics (UBA) enables proactive protection against attacks

Example Providers
• Bay Dynamics, Gurucul, Exabeam, Splunk/Caspida

Behavioral Threat Analytics

BTA Adoption (Zero Trust Adopters vs Non-Adopters):
• Have now:                              50.0% vs 23.3%
• Planning for 2018:                     28.6% vs 7.8%
• Evaluating:                            14.3% vs 23.3%
• Not planning (assessed and rejected):   0.0% vs 3.9%
• Not planning:                           7.1% vs 41.7%

Adopters more likely (roughly 2X) to have implemented BTA

Bellwether Technology: Network Access Control

What it Is
• Tools that authorize devices on the network based on security policies

Why We Selected It
• To deploy NAC, organizations need to have a solid authorization and authentication policy in place; that policy becomes the foundation of the zero-trust environment

Example Providers
• Cisco, Forescout, HP/Aruba, Trustwave

Network Access Control (NAC)

NAC Adoption (Zero Trust Adopters vs Non-Adopters):
• Have now:                              61.1% vs 29.7%
• Planning for 2018:                     22.2% vs 6.9%
• Evaluating:                            11.1% vs 24.8%
• Not planning (assessed and rejected):   0.0% vs 4.0%
• Not planning:                           5.6% vs 34.7%

Adopters 2X more likely to have implemented NAC

Bellwether Technology: Cloud DLP

What it Is
• Premises- or cloud-based software that protects content stored in clouds

Why We Selected It
• Critical to manage cloud use by employees
• Use implies a relatively mature cloud initiative, including defined policies

Example Providers
• Skyhigh, GTB, Cyphercloud, Vormetric

Cloud: Data Loss Prevention

Cloud DLP Adoption (Zero Trust Adopters vs Non-Adopters):
• Have now:                              53.6% vs 34.0%
• Planning for 2018:                     23.2% vs 10.7%
• Evaluating:                            16.1% vs 24.3%
• Not planning (assessed and rejected):   3.6% vs 1.9%
• Not planning:                           3.6% vs 29.1%

Adopters 60% more likely to have implemented DLP for cloud

Bellwether Technology: CASB

What it Is
• Premises- or cloud-based software that automatically detects cloud usage by employees, assesses business and technical risk, and enforces policies

Why We Selected It
• Critical to manage cloud use by employees
• Use implies a relatively mature cloud initiative, including defined policies

Example Providers
• BitGlass, BlueCoat/Symantec, Microsoft, Netskope, Skyhigh

Cloud: Cloud Access Security Brokers

CASB Adoption (Zero Trust Adopters vs Non-Adopters):
• Have now:                              51.8% vs 16.5%
• Planning for 2018:                     25.0% vs 7.8%
• Evaluating:                             8.9% vs 27.2%
• Not planning (assessed and rejected):   1.8% vs 7.8%
• Not planning:                          12.5% vs 40.8%

Adopters 3X more likely to have implemented CASB

Bellwether Technology: Single Sign-on as a Service

What it Is
• Cloud-based software that enables single sign-on to cloud and on-premises resources

Why We Selected It
• Critical to manage cloud and on-premises use by employees
• Use implies a relatively mature cloud initiative, including defined policies

Example Providers
• Microsoft, Okta, Ping

Cloud: Single Sign-on as a Service

SSOaaS Adoption (Zero Trust Adopters vs Non-Adopters):
• Have now:                              71.4% vs 35.6%
• Planning for 2018:                     19.6% vs 13.5%
• Evaluating:                             7.1% vs 19.2%
• Not planning (assessed and rejected):   0.0% vs 3.8%
• Not planning:                           1.8% vs 27.9%

Adopters 2X more likely to have implemented SSOaaS

What Else? “Shadow” Security

Special Focus: UC Security

• UCC suites may have a range of weaknesses:
  o Lack of privacy (no end-to-end encryption)
  o Lack of integrated authentication/authorization
  o Lack of DLP
  o Inadequate logging/auditing
• UCC suites are vulnerable to a range of attacks:
  o Man-in-the-middle (MITM) attacks exploiting TLS/SSL interception
  o Other TLS/SSL vulnerabilities
  o Session hijacking
• More-successful companies are ahead of less-successful companies, but very few have effectively addressed all critical areas of UCC security
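The TLS-interception MITM listed above usually succeeds not because of a protocol flaw but because the UCC client (or the integration bolted onto it) was configured not to verify who it is talking to. The following is an added example, not code from the deck or from any UCC vendor: a small audit of a client-side TLS configuration, shown against a deliberately weak context and a hardened one. It uses only the Python standard library `ssl` module; the idea of pinning a private CA bundle to exclude an interception proxy's root is a recommendation of this example, not of the slide.

```python
"""Added example: auditing a UCC client's TLS settings for the conditions
that let a TLS-intercepting proxy sit in the middle. Illustrative code,
not from the deck; the 'weak' context is constructed to show what a
MITM-friendly client looks like."""
import ssl
from typing import List, Optional


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return every setting under which an interception proxy (or anyone
    holding a forged or mismatched certificate) would be accepted."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions accepted (minimum_version < TLS 1.2)")
    return findings


def weak_client_context() -> ssl.SSLContext:
    """What an integration ships with when it 'just needs to connect':
    no chain verification, no hostname check, any protocol version.
    check_hostname has to be cleared before verify_mode can be CERT_NONE;
    Python refuses the reverse order, which is a useful guard rail."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Verify the chain and the hostname and refuse TLS below 1.2.
    Passing a private CA bundle instead of the system store restricts who
    can issue a certificate this client accepts, so an interception proxy
    whose root was pushed into the OS trust store is still rejected."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()),
                       ("hardened", hardened_client_context())):
        print(label, audit_tls_context(ctx) or ["no findings"])
```

The audit covers the client-to-server hop only. Even a clean result says nothing about the first weakness on the slide, end-to-end encryption: a correctly verified TLS session still terminates at the UCC provider, which can read the content in the clear.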

“Shadow IoT” Security

Planned IoT initiative:
• Strategy, architecture, roadmap
• Clear business goals
• Defined security budget
• Defined project team
• Can be integrated into overarching security strategy

Shadow IoT (the biggest IoT threat!):
• No strategy, architecture, roadmap
• No clear business goals or operational processes
• No defined project team (responsibility split among facilities, lines of business, IT)
• No budget

Putting “Sec” Into DevSecOps

(Diagram of pipeline stages: Version Control, Test and Build, Continuous Delivery, Configuration Management, Monitoring, with Security as its own element)

Current State: Slouching Towards DevSecOps

(Diagram: InfoSec AppSec, then DevOps AppSec, then DevSecOps)

AppSec Staffing: More is Better

(Chart: AppSec staffing, more successful vs less successful organizations; categories: more than one person; none, no infosec person responsible for AppSec; one person with only AppSec responsibility; one person with other infosec responsibilities in addition)

Successful companies more likely to have larger AppSec team

Conclusions and Recommendations

• Benchmark SecOps metrics
• Assess cybersecurity maturity
• Develop roadmap for improvement
• Initiate project to assess a zero-trust model (ZTM)
• Review “shadow” infosec areas; launch remediation projects if necessary

Additional Resources

Nemertes Security Strategic Support Program

• For Technology Users (IT, InfoSec, Marketing, other professionals):
  o Assistance developing policy, business cases, strategy, architecture, roadmap, vendor strategic selection
  o Data-based guidance on staffing, spending, budgeting, governance, operations
  o Success metrics for comparable organizations
• For Technology Providers (Vendors, Carriers, VARs):
  o Market trend and customer sentiment analysis
  o Data-based guidance on marketing, product strategy, and go-to-market strategies
  o Objective third-party marketing collateral
• As part of all Nemertes Services: Ongoing support, telephone advisory service, written inquiries and access to all research

Thank you!

[email protected]
[email protected]
@Nemertes