June 20, 2017
This year’s Gartner Security and Risk Management Summit had a very clear message: You need an adaptive defense to survive today’s onslaught of cyber threats. Building on Gartner’s Adaptive Security Architecture vision, the message was about extending capabilities and the need to be continuously adaptive across all disciplines of information security. Gartner’s position was that this approach is the only way information security will be able to balance the rapidly changing requirements of digital business with the need to protect the organization from advanced attacks while maintaining acceptable levels of risk and compliance.
While that sounds like a simple statement, executing against it can be tricky. First, faced with strategies and budgets that continue to focus predominantly on the maintenance of existing systems, CISOs have to somehow find ways to go beyond the basics and examine possible new solutions. But to what end? Organizations seeking solutions that will address today’s cyber challenges need an adaptive approach, and they need to factor in how an attacker’s methods will be changing. By continually changing those methods, attackers stay one step ahead of existing security infrastructure.
Eric Ahlm, Neil MacDonald, and Ramon Krikken kicked off the Summit with a Keynote on “Managing Risk, Build Trust, and Embrace Change by Becoming Adaptive Everywhere.” It proved to be the focal point of the entire Summit, emphasizing the need to embrace change to manage increasing cybersecurity risks. The sessions provided insight into the latest threats and the flexible new security architectures that are addressing them. In line with this, the Gartner team has now modified their Adaptive Security Architecture (ASA) to include implementing a continuous adaptive risk and trust assessment (CARTA) strategic approach. The stated goal of the ASA is to minimize the risk of loss and the ability of an intruder or insider to cause damage by improving our adaptive access and defense, as well as minimizing the time to detect and respond to an intrusion when one inevitably occurs. Achieving this requires the ability to continuously assess both the trust of the entity and the risk of the behaviors being requested, from the moment the entity initially requests to interact with our systems and data and throughout its interactions.
A great example of the need to be adaptive was presented by Lewis Pugh, a motivational speaker with an exceptional background in adjusting to changing environments. Pugh, who drew attention to the melting of the Arctic Sea ice by swimming across the North Pole, has been swimming oceans since 2007. Every body of water has its own personality and its own set of challenges, he explained. While the basics of swimming certainly apply, the swimmer—like a CISO—has to be able to adapt quickly to the changes that each new environment poses.
Gartner described ten of the top technologies they believe can help with that adaptation. They include: Cloud Workload Protection Platforms; Remote Browser protection; Endpoint Detection and Response; Network Traffic Analysis; Managed Detection and Response; Microsegmentation; Software-Defined Perimeters; Cloud Access Security Brokers; OSS Security Scanning and Software Composition Analysis for DevSecOps; and Container Security.
For the second year in a row, detection ranked among the top ten.
Additionally, Gartner identified the top technologies for security in 2017. These included:
- Cloud Workload Protection Platforms
- Remote Browser
- Deception Technologies: Deception technologies are defined by the use of deceits, decoys and/or tricks designed to thwart, or throw off, an attacker’s cognitive processes, disrupt an attacker’s automation tools, delay an attacker’s activities or detect an attack. By using deception technology behind the enterprise firewall, enterprises can better detect attackers that have penetrated their defenses with a high level of confidence in the events detected. Deception technology implementations now span multiple layers within the stack, including endpoint, network, application and data.
- Network Traffic Analysis
- Managed Detection and Response
- Software-Defined Perimeters
- Cloud Access Security Brokers
- OSS Security Scanning and Software Composition Analysis for DevSecOps
- Container Security
CISOs were once again encouraged to investigate deception as part of their adaptive security posture. According to Gartner “By using deception technology behind the enterprise firewall, enterprises can better detect attackers that have penetrated their defenses with a high level of confidence in the events detected. Deception technology implementations now span multiple layers within the stack, including endpoint, network, application and data.”
Neil MacDonald, vice president, distinguished analyst, and Gartner Fellow Emeritus has spent a good deal of time looking at deception, the vendors in the space, and the marketplace demand. He pointed out that “security and risk leaders must evaluate and engage with the latest technologies to protect against advanced attacks, better enable digital business transformation and embrace new computing styles such as cloud, mobile and DevOps.”
Lawrence Pingree, a Research VP in the Security and Privacy practice, spoke on “The Art of Deception and Its Benefits for Lean-Forward Security Programs”. He focused on the “value of using deception against attackers, the products and solutions available and the compelling low false positive threat detection capabilities that can be used by security programs globally.” Pingree, one of the first Gartner research analysts to investigate deception technologies and an early believer, examined why deception is an important strategy to use in security; what deception solutions are available today and how they can be used; and, perhaps most important, how security controls are evolving to leverage deception. Gartner analysts and organizations are both beginning to understand how the use of deception technology can complement existing security products by sharing attack information that can make those products more accurate and more effective as they work together. This is one of the key aspects of Attivo Networks’ recent ThreatDefend platform—the extension of early detection products into a more sophisticated modular solution for efficient and effective continuous threat management.
Research Director Augusto Barros spoke on “Applying Deception for Threat Detection and Response”. He centered his talk around using deception as a “low friction” method to detect lateral threat movement, and as an alternative or a complement to other detection technologies. He discussed whether an organization should utilize threat deception, what tools and techniques are available, how to use deception to improve your current threat detection effectiveness, how to customize and tune the deception controls, and what the emerging operational practices around deception are.
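The low-friction, low-false-positive property that both the Gartner definition above and Barros’ talk attribute to deception comes from one rule: a decoy account, host or share has no legitimate use, so any interaction with it is a high-confidence event. The script below is an added illustration of that rule written for this post; it is not code from Attivo Networks, Gartner, or the ThreatDefend platform. The decoy names, the three log formats and the sample log lines are all constructed for the example, and the layer labels (endpoint, network, data) follow the stack layers named in the Gartner quote.

```python
"""
Minimal deception-based detection for lateral movement.

Any touch of a decoy asset (a planted account name, a host that only exists
in deception, a share nobody is told about) is raised as an alert. Because
no legitimate user or process knows these names, the rule needs no
baselining and produces no expected false positives.

Decoy inventory, log formats and sample log lines are constructed for this
example; they are hypothetical, not a real environment.
"""
import re
from dataclasses import dataclass

# Hypothetical decoy inventory. These names are planted (for example in a
# credential store or DNS) but never used by any real workflow.
DECOY_ACCOUNTS = {"svc_backup_old", "admin_legacy"}
DECOY_HOSTS = {"fileserver-07"}
DECOY_PATHS = {r"\\fileserver-07\finance_archive"}


@dataclass
class Alert:
    layer: str       # endpoint, network or data (the stack layer touched)
    indicator: str   # which decoy was touched
    source: str      # address the interaction came from
    line: str        # the raw log line, kept for the analyst


# Constructed (hypothetical) log formats for authentication, SMB and DNS events.
AUTH_RE = re.compile(r"auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)")
SMB_RE = re.compile(r"smb open path=(?P<path>\S+) src=(?P<src>\S+)")
DNS_RE = re.compile(r"dns query name=(?P<name>\S+) src=(?P<src>\S+)")


def classify(line: str):
    """Return an Alert if the line touches a decoy, otherwise None."""
    m = AUTH_RE.search(line)
    if m and m["user"] in DECOY_ACCOUNTS:
        # Even a failed login counts: the account name was only ever planted,
        # so the only way to learn it is by harvesting it from the environment.
        return Alert("endpoint", m["user"], m["src"], line)
    m = SMB_RE.search(line)
    if m and m["path"] in DECOY_PATHS:
        return Alert("data", m["path"], m["src"], line)
    m = DNS_RE.search(line)
    if m and m["name"].split(".")[0] in DECOY_HOSTS:
        # Resolving a decoy host name is usually the first sign of discovery.
        return Alert("network", m["name"], m["src"], line)
    return None


def scan(lines):
    """Run every line through the decoy rules and keep the hits."""
    return [a for a in (classify(line) for line in lines) if a is not None]


def sources_by_layer(alerts):
    """Group the layers touched per source address.

    One source hitting decoys at several layers (name lookup, then login,
    then share access) is the lateral-movement pattern worth escalating
    first, which is the kind of attack context deception can share with
    other detection products.
    """
    out = {}
    for a in alerts:
        out.setdefault(a.source, set()).add(a.layer)
    return out


# Constructed sample log: one benign workstation and one host probing decoys.
SAMPLE_LOG = [
    "auth user=jsmith src=10.0.1.15 result=success",
    "dns query name=intranet.corp.example src=10.0.1.15",
    "auth user=svc_backup_old src=10.0.1.42 result=failure",
    "dns query name=fileserver-07.corp.example src=10.0.1.42",
    r"smb open path=\\fileserver-07\finance_archive src=10.0.1.42",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for a in hits:
        print(f"[{a.layer}] decoy {a.indicator} touched from {a.source}")
    print(sources_by_layer(hits))
```

Run as a script it prints three alerts, all from 10.0.1.42, and shows that host touching decoys at the endpoint, network and data layers while the benign workstation produces nothing. In practice the decoy inventory would be generated and rotated by the deception platform rather than hard-coded, and the alerts would be forwarded to the SIEM or EDR so those products can act on the attack information, which is the complementary use Pingree and Barros describe.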
My time at the Summit was well invested and I enjoyed hearing the broad insights of the analysts and companies that attended.
My final thoughts from the event: every new technology and every security vendor appears to have a compelling story to convince you they have the best solution to add to your arsenal. Filtering through this requires education and an openness to take a different approach. As the core message shared, it is critical to have an adaptive response. The constant change in attack strategies and the new tools attackers employ demand it.