Written by: Carolyn Crandall, CMO & Chief Deception Officer – I always look forward to the Gartner Security and Risk Summit to hear their vision and insights into the future. Last year, I was not as inspired by the back-to-basics message, as it didn’t provide as much visibility into new innovation as I was seeking. This year was still a little light in the promotion of innovation, though I found usefulness in how they were trying to educate security professionals on what I will call “inspired thinking”.
The opening keynote was split between Katell Thielemann, Craig Lawson, and Ramon Krikken, all Research VPs at Gartner Research & Advisory. The message was to get empowered with the ability to prioritize, adapt, transform, and scale. They presented this in a diagram that showed the intersection of what’s important, what’s real, and what’s dangerous. They then applied this to the concepts of innovating for value, urgent crisis and threat management, and technology transformation. Finally, they went deeper into the implications of trust and resilience.
What will drive the most value?
- Trust with customers and partners
- Reliability, stability and agility
- Innovation, safety and security
- Safety and concern
What’s important? Understanding concerns by role.
- CISO: Compliance, GDPR, protected data, privacy, data security
- Digital Transformation Officer: Digital Transformation, Market Share Decline, Customer Experience
To find a balance, there needs to be an understanding and a fair risk assessment. In their example, it was the balance between customer engagement and mitigation of identity spoofing with fake social media accounts.
In the end, they filled out a chart with design principles for each area.
As a detection vendor, most of my time was spent in sessions that focused on detection technology and innovation. Here is where I think some analysts fell into the trap of reporting on what they are most familiar with vs. taking time to include new innovation.
Let me start with a few sessions where I thought they did a good job of presenting innovation.
Augusto Barros: How to Apply Deception Effectively
In this session, Augusto described how deception technology has evolved and covered offerings from open source tools and embedded features to full distributed deception platforms. Some of the use cases covered included:
- When there are technical or economic limitations for other detection methods
- Unmanaged devices (= no agents allowed)
- Nontraditional devices (IoT?)
- Wide, distributed networks (where to place sensors?)
- Encrypted traffic
- No or few resources to deploy and manage the technology
- When you want to improve detection by adding a layer with a different approach
Augusto then shared how to align one’s approach for the most effective detection of regular or advanced threats and for specific use cases. He added some additional perspectives on the value of deception for customized environments such as POS and SWIFT.
Overall, this was a good intro to deception technology. More information on this topic can be found in this report:
Applying Deception Technologies and Techniques to Improve Threat Detection and Response Augusto Barros and Anton Chuvakin (G00314562)
Peter Firstbrook: Top Trends in Security 2018
In this session, Peter covered ongoing strategic shifts in the security ecosystem that he expects to have significant potential for disruption. There were 6 that he highlighted.
- “Senior Business Executives Are Finally Aware That Cybersecurity Has a Significant Impact on the Ability to Achieve Business Goals and Protect the Corporate Reputation… However, security organizations must change in order to respond.”
- “Legal and Regulatory Mandates on Data Protection Practices Are Impacting Digital Business Plans and Demanding Increased Emphasis on Data Liabilities.”
- “Security Products Are Rapidly Exploiting Cloud Delivery to Provide More Agile Solutions.” With a footnote that consideration be given to data sensitivity and concentration of risk.
- “Machine Learning Is Providing Value in Simple Tasks and Elevating Suspicious Events for Human Analysis.”
- “Security Buying Decisions Are Increasingly Based on Geopolitical Factors Along with Traditional Buying Considerations.”
- “Dangerous Concentrations of Digital Power Are Driving Decentralization Efforts at Several Levels in the Ecosystem.”
Ian McShane covered the MQ (Magic Quadrant) for Endpoint Protection Platforms based upon the following criteria.
- Anti-malware effectiveness, accuracy and third-party validation/testing:
  - Protection from malware with a broad portfolio of protection techniques
  - Application attestation, which classifies applications and processes into good, bad, unknown
- Protection from highly targeted new and low-volume attacks that include solid operational management processes:
  - Vulnerability assessment, mitigation, resolution
  - Security state assessment and prioritized action plan to remediate potential security gaps
- Detection and response capabilities:
  - Automatic containment, not just a “this is bad” alert
  - Actionable root cause analysis, guidance driven by vendor authority, managed features
- Cross-platform protection and visibility for Microsoft Windows AND macOS
Overall, Ian cited little differentiation when reviewing against technology platforms, SecUX, and managed services. He recommended that each organization evaluate vendors and set up calls with the analysts who conducted the research in January. Attivo Networks partners with the top vendors noted in the chart and provides native integrations to share threat deception alerts and automate the isolation of infected systems. Symantec is the exception, having chosen to include deception as a feature within their platform. Note: for people considering deception, a feature or two placed within a platform has significantly limited value compared to deploying full distributed deception platforms.
Tom Scholtz: Leadership Vision for Security and Risk Management, 2018
In this session, Tom discussed the 4 V’s of digital: value, volume, variety, and velocity. He led with the results from a survey in which 95% of respondents expected cybersecurity threats to increase over the next 3 years, and lent perspectives on the course we would take to address this, factoring in technology, business, and environmental drivers.
Tom then incorporated the Gartner CARTA model and its 7 factors.
He closed with the following recommendations:
- Develop a compelling vision
- Add the objectives of privacy, reliability and safety
- Establish and manage appropriate governance that provides the mandate for … a principle-based security program
- Evolve an adaptive approach to security architecture that leverages CARTA concepts
- Prepare to change and adapt. Implement an annual strategy planning project and review it quarterly for relevance
I enjoyed the way he weaved in the need for disruptive technology and openness for revision of strategy based upon changing factors.
Neil MacDonald: 10 Principles of a CARTA Approach and Implications for Your Security Organization
Neil presented in depth on the Gartner CARTA model and the need to instrument for comprehensive, full-stack risk visibility, including sensitive data handling. This went further into reviewing how CARTA applies to identity and access management and threat protection. He then went into the areas of access management and assessing from the perspective of not only keeping the bad stuff out, but also making sure to let the good stuff in. In this model, there must be continuous monitoring to assess risk and trust. He then transitioned into management of usage and adaptive responses to incidents.
As he got further into his presentation, he introduced the concept of shifting left. This included going beyond development and DevSecOps to:
- Application, service and product development
- IT-enabled systems procurement
- IT and BU-led consumption of new SaaS, platform as a service (PaaS) and infrastructure as a service (IaaS) services
- Download of new applications and services for installation locally
- Selection and deployment of new operational technology (OT) and Internet of Things (IoT) devices
- Opening of internal systems and data via application programming interfaces
- Digital business partnership formation
- Digital business delivery channels co-sourcing or outsourcing
He then turned towards continuous management, defense in depth, and integrated response. I was pleased to see deception technology as one of the areas listed for speeding time to detect and respond and to scale limited resources.
Neil concluded with an action plan for security leaders based on Monday morning, 90 days, and the next 12 months.
Craig Lawson: Magic Quadrant for Intrusion Detection and Prevention Systems
Craig provided some interesting insights into vulnerabilities and exploits. I found this chart interesting.
He also shared that where we used to have ~30 days, we now have 7 days (on average) from when a vulnerability is announced to when it starts to be exploited in the wild. I also found interesting his research showing that net-new samples of malware are off the charts, but the volume of vulnerabilities they are attacking is not changing significantly.
Craig also went on to talk about how we still need to do more for east-west traffic. And although he pointed to IDS systems as a way to address this, I would propose that deception technology would prove the most accurate and efficient way to detect lateral movement in east-west traffic.
He closed by sharing that 25% of his inquiries on IPS included mentions of IDS, making it clear that detection is a critical part of the security stack and that he is seeing it more and more in practice with NTA and in managed detection and response services.
Jeremy D’Hoinne and Lawrence Orans: Why You Still Must Detect Advanced Threats on Your Network
This session was specifically focused on network traffic analysis (NTA). I had a chance to catch up with Lawrence and Jeremy after the sessions and had a good discussion on rates of adoption of NTA vs. deception technology. They were admittedly surprised at the adoption and traction of deception. By nature, deception customers don’t advertise the use of the technology. The unfortunate fallout is that the real rate of adoption is underappreciated as it is underrepresented externally.
The last day of the summit concluded with a keynote speech titled “Digital Business and Culture Clash — Surviving the Revolution”, cohosted by Leigh McMullen and Paul Proctor. They discussed the tension between the need for an agile business and a CISO’s quest for resiliency and security, and how to strike the right balance. They also discussed how the need for influence does mean giving up some control; however, it doesn’t have to be a complete compromise. What they found is that, as long as the customer effort required remains proportionate to the benefit, consumers will accept the additional level of effort.
They offered these words of advice to the CISO in finding the balance of technology to business risk:
- Stop hiding systemic risk and the cost of real security.
- Be transparent about your weaknesses.
- Your job isn’t to say everything is fine, it’s to facilitate a real conversation.
Overall, I enjoyed this summit more than last year. Hopefully next year there will be more coverage of innovation outside of the exhibit hall. That said, it sounds like Gartner may try something new with the exhibit hall next year to drive more attendance on the show floor and more vendor interaction. I look forward to seeing this and following up with everyone that I met this year.
Until next time…