The annual Gartner Security Summit in National Harbor, MD is always an enlightening event for us. We tend to be myopic and focused on our own technology and solutions, and this Summit, in particular, gives us the opportunity to lift our gaze and reconnect with other, broader trends in IT, security and compliance. Here are some of the key takeaways from the conference sessions.
Identity – The security industry has been saying for years that the perimeter is dead, and this year's sessions made that starkly clear. Where threats originate and what they target has shifted away from external attacks on critical data repositories in corporate-owned data centers. Overwhelmingly, the new attack vector is the privileged user and their access to internal assets. Privilege here means any user with an account on corporate systems, including email, shared drives and business applications. Attackers have figured out that breaking through the front door is much harder than convincing an unsuspecting user to hand over their credentials.
These trends were reflected in Gartner's recommendation that CISOs focus on projects that make it harder for attackers to compromise identities and accounts, and that use both behavior analytics and risk-based approaches to understand users and accounts.
Cloud Computing – Organizations are moving to the cloud at a rapid pace, and security is playing catch-up. Traditional on-prem controls such as DLP, firewalls and IDS may no longer be effective against threats to cloud infrastructure. Organizations need a new approach to identifying where sensitive data resides in the cloud, who has access to it, and how end users consume it.
At the Gartner Summit, the emphasis was on selecting agile, cloud-based security solutions that can keep up with monitoring a growing cloud footprint. Monitoring data and user behavior in cloud services with an advanced-analytics solution can help identify malicious or unwanted access to sensitive data and infrastructure.
Machine Learning and AI – The scarcity of skilled people, coupled with an explosion of IT and security data, is the new norm. Organizations, and hence their security staff, will not grow at the same rate as their data: files, processes, transactions, and machine and user activity. Manual analysis of all of it is simply impossible. Attackers, meanwhile, use dynamic, automated and highly varied techniques that combine social, network, user and technical components, with the goal of mimicking normal activity within the organization closely enough to stay under the security radar. The volume and subtlety of these techniques make manual threat detection virtually impossible. The key to success is sophisticated behavior analysis and AI-based anomaly detection.
At the Gartner Summit, the emphasis was on machine- and behavior-based threat detection across several security solution categories. Gartner recommended that organizations consider machine learning, AI and behavior-based technologies across their projects.
Risk-based approach to security – Absolutes in security are no longer useful. This applies to detecting specific attacks as well as to defining the broad elements of a security program. Risk-based approaches factor several considerations into each security decision and also provide fallback plans for the risks an organization chooses to "self-insure" against.
In the Gartner sessions, this point came up both in security management and in vulnerability management programs. Security professionals have long known that unpatched vulnerabilities are a leading cause of security incidents, and some of them remain unpatched because the vendor has not shipped a fix. Even when a patch is released, uptime and SLA requirements often prevent it from being rolled out promptly. These practical constraints should be weighed against the overall risk the organization faces.
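One way to turn this into a repeatable triage, as an added example that is not code from the original post or from any product it discusses: score each finding by likelihood and asset impact, then let the two practical facts above (is there a vendor fix? when does the SLA allow a reboot?) decide between patching now, patching at the next window with an interim control, a compensating control where no fix exists, and an explicitly accepted ("self-insured") risk with a review trigger. The weights, thresholds, hosts and vulnerability identifiers are illustrative assumptions, not a published standard.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One vulnerability finding. Fields are the inputs a risk-based triage weighs."""
    host: str
    vuln_id: str                 # hypothetical identifiers, not real CVEs
    cvss: float                  # base severity, 0.0 to 10.0
    exploit_public: bool         # a working exploit is circulating
    internet_exposed: bool       # reachable from outside the perimeter
    asset_criticality: int       # 1 (disposable) to 5 (crown jewels)
    patch_available: bool        # vendor has shipped a fix
    next_maintenance_days: int   # days until uptime/SLA rules allow patching


def risk_score(f: Finding) -> float:
    """Likelihood times impact. The multipliers are illustrative assumptions,
    not a published standard; replace them with your own risk model."""
    likelihood = f.cvss / 10.0
    if f.exploit_public:
        likelihood *= 2.0
    if f.internet_exposed:
        likelihood *= 1.5
    likelihood = min(likelihood, 3.0)      # cap so severity cannot swamp impact
    return round(likelihood * f.asset_criticality, 2)


def triage(f: Finding, patch_now=6.0, act=2.0) -> str:
    """Turn a score plus the practical constraints (is there a patch? when can
    we reboot?) into an action. Accepted risks get an explicit review trigger."""
    s = risk_score(f)
    if f.patch_available:
        if s >= patch_now:
            return "patch now: take an SLA exception rather than wait"
        if s >= act and f.next_maintenance_days > 30:
            return "compensating control now; patch at next maintenance window"
        return "patch at next maintenance window"
    if s >= act:
        return "no vendor fix: compensating control (segment, WAF, disable feature)"
    return "accept risk (self-insure); re-review when a fix ships or exposure changes"


def prioritize(findings):
    """Highest risk first; ties broken by host name for a stable report."""
    rows = [(risk_score(f), f.host, f.vuln_id, triage(f)) for f in findings]
    return sorted(rows, key=lambda r: (-r[0], r[1]))


# Constructed sample findings (hosts and vuln ids invented for this example).
SAMPLE_FINDINGS = [
    Finding("web01",  "VULN-A", 9.8, True,  True,  5, True,  45),
    Finding("db02",   "VULN-B", 7.5, False, False, 5, True,  45),
    Finding("hr-app", "VULN-C", 6.1, False, False, 2, False, 0),
    Finding("jump01", "VULN-D", 8.1, True,  True,  4, False, 0),
    Finding("kiosk7", "VULN-E", 5.0, False, False, 1, True,  10),
]


def run_demo():
    """Rank the constructed findings and attach an action to each."""
    return prioritize(SAMPLE_FINDINGS)


if __name__ == "__main__":
    for score, host, vuln, action in run_demo():
        print(f"{score:5.2f}  {host:7s} {vuln}  {action}")
```

The point of the structure is that a high score alone does not dictate "patch now": a critical finding with no vendor fix routes to a compensating control, and a low-scoring one with a fix simply waits for the normal window, while anything accepted carries a stated condition for re-review rather than disappearing from the list.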
Analytics-driven SOC – The security operations center matters even more than it did a few short years ago, but what is expected of a SOC is drastically different. The old paradigm of a rule-based SIEM alerting analysts whenever a rule or condition matched is gone. First and foremost, unknown unknowns matter more than ever, which means that static rules alone are no longer enough. The modern CISO must rely on a system that analyzes the entire spectrum of activity, across endpoints, network and users, and determines in an automated fashion what to look for.
At the Gartner Summit, the recommended foundational component of a security program was still a SIEM, but a next-generation one built on machine learning, AI and security analytics. Because advanced threats focus on users, a behavior-based user monitoring (UEBA) solution is the natural next stage for a security monitoring program. Systems and networks remain crucial parts of the organization's footprint, so endpoint threats and network anomalies need to be covered as the program matures, typically through endpoint protection and detection and response (EPP/EDR) and network traffic analysis (NTA) solutions.
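The contrast between a rule-based SIEM and behavior-based detection, drawn in the Machine Learning and AI section and again in the SOC section above, is easier to see in code. The following is an added example, not code from the original post or from any product discussed here: a classic "N failed logins from one source" rule beside a per-user baseline that learns each user's usual login hours and source addresses from earlier successful logins and flags a later login that deviates on two independent features. The log format, user names, addresses and thresholds are constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines (invented for this example; the
# format, users and addresses are assumptions, not output of any product).
SAMPLE_LOGS = """\
2019-06-03T09:02:11Z auth user=alice src=10.1.4.20 result=success
2019-06-03T08:47:30Z auth user=bob src=10.1.7.55 result=success
2019-06-04T09:10:02Z auth user=alice src=10.1.4.20 result=success
2019-06-04T13:05:41Z auth user=bob src=10.1.7.55 result=success
2019-06-05T08:58:19Z auth user=alice src=10.1.4.21 result=success
2019-06-05T09:31:07Z auth user=bob src=10.1.7.55 result=success
2019-06-06T03:12:09Z auth user=bob src=203.0.113.9 result=success
2019-06-06T09:15:44Z auth user=alice src=10.1.4.20 result=success
2019-06-06T11:40:01Z auth user=carol src=198.51.100.7 result=failure
2019-06-06T11:40:15Z auth user=carol src=198.51.100.7 result=failure
2019-06-06T11:40:30Z auth user=carol src=198.51.100.7 result=failure
2019-06-06T11:40:44Z auth user=carol src=198.51.100.7 result=failure
2019-06-06T11:41:02Z auth user=carol src=198.51.100.7 result=failure
this line is garbage and must not crash the parser
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse(text):
    """Parse log lines into dicts sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def rule_failed_logins(events, threshold=5, window=timedelta(minutes=10)):
    """Classic static SIEM rule: N failures from one source within a window.
    Returns (source, time) per alert, alerting once per burst."""
    hits = []
    recent = defaultdict(list)
    for e in events:
        if e["result"] != "failure":
            continue
        times = recent[e["src"]]
        times.append(e["ts"])
        while times and e["ts"] - times[0] > window:
            times.pop(0)                      # slide the window forward
        if len(times) >= threshold:
            hits.append((e["src"], e["ts"].isoformat()))
            times.clear()                     # one alert per burst, not per failure
    return hits


def build_baseline(events):
    """Per-user profile learned from successful logins: hours and sources seen."""
    profile = defaultdict(lambda: {"hours": set(), "srcs": set()})
    for e in events:
        if e["result"] == "success":
            profile[e["user"]]["hours"].add(e["ts"].hour)
            profile[e["user"]]["srcs"].add(e["src"])
    return profile


def behavioural_anomalies(events, profile, min_deviations=2):
    """Flag successful logins that deviate from the user's own baseline on at
    least min_deviations independent features. A lone new source is common
    (DHCP, travel) and is not alerted on by itself; a user with no baseline
    at all is always reported."""
    findings = []
    for e in events:
        if e["result"] != "success":
            continue
        p = profile.get(e["user"])            # .get() does not create a profile
        reasons = []
        if p is None:
            reasons.append("no baseline for user")
        else:
            if e["src"] not in p["srcs"]:
                reasons.append("new source " + e["src"])
            if e["ts"].hour not in p["hours"]:
                reasons.append("unusual hour %02d" % e["ts"].hour)
        if p is None or len(reasons) >= min_deviations:
            findings.append((e["user"], e["ts"].isoformat(), "; ".join(reasons)))
    return findings


def run_demo(cutoff=datetime(2019, 6, 6)):
    """Learn from everything before the cutoff day, detect on the rest."""
    events = parse(SAMPLE_LOGS)
    training = [e for e in events if e["ts"] < cutoff]
    today = [e for e in events if e["ts"] >= cutoff]
    profile = build_baseline(training)
    return {
        "rule_hits": rule_failed_logins(today),
        "anomalies": behavioural_anomalies(today, profile),
    }


if __name__ == "__main__":
    for kind, rows in run_demo().items():
        print(kind)
        for row in rows:
            print("  ", row)
```

On the constructed data the static rule catches only the brute-force burst against carol; it says nothing about bob's single successful login at 03:12 from an address he has never used, which is exactly the compromised-credential case the Identity section describes and which the baseline flags. In practice the baseline would be learned over weeks, keyed on more features (device, geography, resources touched), and scored rather than thresholded, but the shape of the logic is the same.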