Want to Become a CISO? The Position Awaits You

I first started my career in the IT industry, then moved to focus on cybersecurity for the past 13 years. I got a chance to get involved with cybersecurity solutions while working for a CyberSec distributor. After that, I moved to work for other cybersecurity vendors.

There are a couple of things that really helped me to grow professionally, and I believe they will continue to drive me forward in my career. Firstly, be humble and honest with yourself that you don’t know a lot of things, and be ready to learn them. It is very important in a cybersecurity career, since this is a very dynamic and ever-evolving industry. Secondly, build your advisory network, connect with cybersecurity thought leaders around the world, and learn from them as much as you can. Last but not least, actively participate in the cybersecurity community and share your knowledge and experiences. If possible, contribute your time, effort, and resources to help build cyber labs for universities, be a mentor to the students, and guide them along the way.

Recently in my career, I have worked with many CISOs and Security Management professionals. So when I saw a CISO-dedicated program, the Certified Chief Information Security Officer (C|CISO), it immediately got my attention. The program attracted me as I really wanted to learn how to think like a CISO, not only to support them but also with the hope that I can become one someday. CISO is a top-level position in the cybersecurity career ladder. Well, the EC-Council’s C|CISO training material and courseware were terrific! The content was concise, focused, relevant, and easy to understand. The videos (I attended iClass) were also astonishing. This program professionally introduced me to:

  • Strategic Planning, as it relates to a Zero Trust Cybersecurity Strategy and its business cases
  • Information Security Control and Compliance
  • Information Security Core Competencies, including building an Adaptive Security Architecture
  • Governance and Risk Management

The C|CISO program is a set path to becoming a CISO. It helps you to gain all the required knowledge. I endorse this program because it benefited me in many ways. It helped me to grow in my career, develop the right skill sets, and build a strong professional network (while learning).

Go for C|CISO if you really want to become a C-level InfoSec professional.

Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer, organizations and associations.

#IamECCouncil

@PhilipHungCao
#tekfarmer

Why the CISO matters

The chief information security officer role hasn’t always gotten the respect it deserves. Research over the years has shown companies often treat their CISO primarily as a scapegoat for security incidents.

But that may be changing – at least it is in organizations with a strong cybersecurity culture. New research by (ISC)² shows the overwhelming majority of companies that properly staff their cybersecurity teams employ a CISO.

The Building a Resilient Cybersecurity Culture study revealed that 86% of organizations that consider themselves adequately staffed with cybersecurity talent have a CISO. This is a substantially higher percentage than the 49% of companies overall with a CISO, according to other research.

Cybersecurity Knowledge

The finding points to the likelihood that a CISO contributes to a better cybersecurity posture. The organizations in the study were selected for their cybersecurity credentials. These companies are doing something right; the point was to find out what that is.

Hiring a CISO is part of it. Companies that have one, and give the position the proper level of authority, recognize they need someone in the organization with a deep understanding of security risks and how to mitigate them.

If used properly, the position is in charge of developing the cybersecurity strategy, which includes making technology investments, hiring the right people for the cybersecurity team and ensuring team members’ skills are updated regularly to keep up with new and evolving threats. Making the right decisions in these areas can help stop a cyber attack, saving a company millions of dollars in monetary costs and reputation.

While traditionally cybersecurity has been handled by the CIO and IT teams – which remains the case in many instances – cybersecurity has evolved into its own discipline, requiring skills and experience generalist IT professionals may not possess.

Reporting Structure

Another indicator of how seriously companies take their CISO is where the position fits in the management hierarchy. While a case can be made that the CISO should report to the CIO, the CIO has many other responsibilities and, as a result, may not give cybersecurity the priority it requires.

More than half of participants (57%) in the (ISC)² study say their CISO reports to either the CEO or Board of Directors. Outside that group, the prevalent trend is still for CISOs to report to the CIO, COO or another executive: a separate study in early 2018 revealed only 8% reported to the CEO.

The (ISC)² finding on reporting structure is further evidence that CISOs need to be higher up in the management structure to be effective. Judging by the study’s results, a company that employs a CISO and has the position reporting directly to the CEO or directors is better prepared to face the dangers lurking in cyberspace.

[(ISC)² Blog]

EDR is dead! Long live XDR!

Endpoint detection and response (EDR) has been an important technology for security professionals as they attempt to find suspicious activity, or at least traces of it, on endpoints and hosts. Cybersecurity itself is as old as computers, but the EDR segment is still in its infancy with the first solutions dating back only about five years or so.

The technology works by monitoring the endpoint and then storing the data in a centralized repository where analysis can be done to detect a threat. Typically, EDR solutions require a software agent to be installed on the host system to provide the data used in monitoring and reporting.

EDR has been critical for advanced protection, as more threats are being directed at the user. In fact, one of the industry’s leading penetration testers recently told me that he can normally breach an organization within an hour by attacking the user and compromising the endpoint. Also, Windows is still the most widely used operating system in the business world, and many of its internal features are used by threat actors to breach that computer and others.

So, if EDR is so integral to threat protection and provides so much value, why am I proclaiming EDR dead? Is that crazy?

As valuable as EDR has been, it provides a very narrow view of the world. It’s akin to looking out a porthole on a ship where one sees only a slice of the horizon. To determine what the weather is like, if there are islands around or if there are passing ships, one would need to be on the bridge to get an overall view.

EDR is narrowly focused

EDR is too narrowly focused, as it provides a view of only the endpoint. It’s time for EDR to give way to XDR where X is a far broader set of data that includes endpoint, as well as cloud, threat intelligence, network data, logging information and possibly even community data. This certainly isn’t meant to be an exhaustive list of data feeds into XDR, but rather serves to highlight the point that more sources of data from more enforcement points lets the security team and technologies find more threats faster, and then block them.

It’s like being on the bridge of a ship and being able to see everything at once. The difference is that XDR brings into view all elements of an attack, not just those found on a single endpoint, it adds the analytics that are required to interpret the data across different data sources, and it makes more efficient use of security analysts’ time in investigations.

XDR sees everything

Also, because XDR solutions have an understanding of the enforcement points, they can actually respond and block the threat faster and across a wider range of vectors, not just the endpoint. With EDR, the endpoint may highlight a breach, but the only thing known is what occurred on that endpoint. The solution can see what occurred there and then pivot to another endpoint to evaluate it. If the source of the activity is external to the endpoint, EDR alone won’t help: the endpoint data reveals nothing about it, and EDR is blind to network data.

What’s required is visibility into the network portion of the threat and the link between the different stages of the attack. For example, something showing that administrator credentials were stolen off server A and then those credentials were used to infiltrate server B.

XDR can trace threats back to their source

With XDR, the system is able to better trace the bad traffic from where it was discovered, reconstructing the attack. This helps the security team better understand what happened, determine where it happened, and respond at the best possible enforcement point (or points if there are multiple ones). Without that, all one knows is that an attack occurred and a single endpoint is involved. Using the ship metaphor, water in the bottom would indicate there was a leak. One could clean up the leak, but if the source isn’t known, the problem can’t be fixed.
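The cross-host chain described above (credentials stolen on server A, then used against server B, and the trace back to the source) can only be reconstructed by joining endpoint telemetry with a second data source. The following Python is an added example, not code from the CSO article or from any XDR product; the event schema, the host and account names, and the sample events are all constructed for illustration. It contrasts what an endpoint-only view returns with the chain recovered by correlating an EDR credential-access event with domain logon records and the follow-on process on the second host, then maps each stage of the chain to an enforcement point.

```python
"""Correlate endpoint and network (logon) telemetry to reconstruct a
credential-theft chain across two hosts.

Added example. The Event schema, host names, account names and the
sample events below are constructed for illustration only; they are not
taken from any vendor product or real environment.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    source: str                # telemetry feed: "edr" (endpoint agent) or "auth" (domain logon log)
    ts: datetime
    host: str                  # host that emitted the event
    kind: str                  # event type within the feed
    data: Dict[str, str] = field(default_factory=dict)


def _t(hhmmss: str) -> datetime:
    """Timestamp helper; all constructed events fall on one (hypothetical) day."""
    return datetime.strptime("2018-09-10 " + hhmmss, "%Y-%m-%d %H:%M:%S")


# Constructed sample telemetry (hypothetical hosts "server-a", "server-b", "dc-01", ...).
EVENTS: List[Event] = [
    Event("edr", _t("09:00:05"), "server-a", "process_start",
          {"image": "outlook.exe", "user": "jdoe"}),
    # Endpoint agent on server-a: a user-launched shell opens LSASS memory.
    Event("edr", _t("09:02:11"), "server-a", "credential_access",
          {"image": "powershell.exe", "target": "lsass.exe", "user": "jdoe",
           "stolen_account": "CORP\\svc-admin"}),
    # Domain logon log: the stolen account used over the network from server-a to server-b.
    Event("auth", _t("09:03:40"), "dc-01", "logon",
          {"account": "CORP\\svc-admin", "logon_type": "3",
           "src_host": "server-a", "dst_host": "server-b"}),
    # Unrelated account logging on to the same destination at about the same time.
    Event("auth", _t("09:03:55"), "dc-01", "logon",
          {"account": "CORP\\backup", "logon_type": "3",
           "src_host": "backup-01", "dst_host": "server-b"}),
    # Endpoint agent on server-b: a new service binary launched under the stolen account.
    Event("edr", _t("09:04:30"), "server-b", "process_start",
          {"image": "svchost_update.exe", "user": "CORP\\svc-admin",
           "parent": "services.exe"}),
    # The same account, hours later, from a different host: outside the window, not part of the chain.
    Event("auth", _t("23:59:00"), "dc-01", "logon",
          {"account": "CORP\\svc-admin", "logon_type": "3",
           "src_host": "jump-01", "dst_host": "server-c"}),
]


def endpoint_only_view(events: List[Event]) -> List[str]:
    """What an endpoint-only console surfaces: the credential-access alert on the
    host where it fired, with no link to where the stolen credential went next."""
    return [f"{e.host}: {e.data['image']} read {e.data['target']}"
            for e in events if e.source == "edr" and e.kind == "credential_access"]


def reconstruct_chain(events: List[Event],
                      window: timedelta = timedelta(minutes=15)) -> List[dict]:
    """Join the feeds: credential access on host A -> network logon with that
    account from A to B within `window` -> new process under that account on B
    within `window` of the logon. Returns one dict per reconstructed chain."""
    chains: List[dict] = []
    thefts = [e for e in events if e.source == "edr" and e.kind == "credential_access"]
    for theft in thefts:
        account = theft.data["stolen_account"]
        for logon in events:
            if not (logon.source == "auth" and logon.kind == "logon"):
                continue
            # The correlation key: same account, originating from the host where
            # it was stolen, within a bounded time window after the theft.
            if (logon.data["account"] != account
                    or logon.data["src_host"] != theft.host
                    or not (theft.ts <= logon.ts <= theft.ts + window)):
                continue
            dst = logon.data["dst_host"]
            follow_on = [e for e in events
                         if e.source == "edr" and e.host == dst
                         and e.kind == "process_start"
                         and e.data.get("user") == account
                         and logon.ts <= e.ts <= logon.ts + window]
            chains.append({
                "account": account,
                "stolen_on": theft.host,
                "used_from": logon.data["src_host"],
                "used_against": dst,
                "follow_on_images": [e.data["image"] for e in follow_on],
            })
    return chains


def response_actions(chain: dict) -> List[str]:
    """Map each stage of the chain to the enforcement point that can stop it."""
    actions = [f"isolate {chain['stolen_on']}",
               f"disable/reset {chain['account']}"]
    if chain["follow_on_images"]:
        actions.append(f"isolate {chain['used_against']}")
    else:
        actions.append(f"block {chain['used_from']}->{chain['used_against']} at the network boundary")
    return actions


if __name__ == "__main__":
    print("endpoint-only view:", endpoint_only_view(EVENTS))
    for c in reconstruct_chain(EVENTS):
        print("chain:", c)
        print("respond:", response_actions(c))
```

The correlation key is the stolen account plus a bounded time window anchored on the host where the theft was observed. That is what drops the later logon from jump-01 and the unrelated backup account: without the join, the endpoint-only view ends at "powershell.exe read lsass.exe on server-a", and without the window and source-host constraint the chain would collapse into "this account logged on somewhere".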

One of the criticisms I’ve had with EDR is that it focuses largely on detection and often doesn’t help much with response unless you’re a specialist. With XDR, detection and response are equal parts. Think of EDR as big D and little r, and XDR as big D and big R across all potential data sources, giving the security team a much better chance at fighting the bad guys.

In its time, EDR was a breakthrough for security buyers because it provided a way to see what was happening on the endpoint, which is the biggest attack point. Now that we live in a world where literally everything is connected, it’s important that EDR evolve into XDR so security teams can see more and block more at their source. If you’re going to commit the budget and time of your security team, why restrict them to endpoint?

CSO

Source: https://www.csoonline.com/article/3301893/endpoint-protection/edr-is-dead-long-live-xdr.html

The First 101 Days as a New CISO – A Chief Information Security Officer’s Playbook

If you are a new CISO or starting a new Security Leadership gig, your first few months on the job are critical to your ongoing success in your new role. In the first few months you’ll be judged, tested by your organization and staff, and put on a “stage” to perform in front of your C-Level peers. The precedent you set and first impression in your first 101 days will dictate how your organization perceives you and whether your tenure is marked by overcoming early mis-perceptions or you get a “hall-pass” to do all the good things you were originally hired to do.

This is the New CISO’s Playbook and some initiatives that will help you be successful in the first 101 days in your new role.

Days 1-10

Start to get your arms around your Information Security Program.

As you would expect, the first thing to start doing is taking an inventory of all the pieces of your Information Security Program. This includes direct and dotted-line Information Security staff and their responsibilities, what program capabilities are in place and, if possible, how mature those capabilities are, and any available metrics on department performance. It’s critical that you at least start to take a cursory program-level inventory of services in your first week, because as you meet with other Business Unit leaders in the coming weeks you can start formulating a more robust and relevant Information Security Program and Strategy.

Get to know colleagues.

This is an important step in kindling great relationships. If you have been promoted into your role, this is a good opportunity to attempt to recover difficult working relationships from days past. If you are new to your Company, as you have these relationship-building discussions it’s important not to pass judgment on anything you hear, since you might not know the political underpinnings of the information that’s being shared. Use this time to build political capital by listening to your colleagues, displaying empathy, and most importantly gathering their goals and objectives so you can help them be successful when you build your Information Security Roadmap and Strategy.

Hold a Department Meeting.

This is a must-do! Your team might be apprehensive about having new leadership and how your strategy and management style will affect their jobs. Give everyone a chance to talk and ask questions. Be sure to listen, express empathy, and advise that you are still gathering information and not ready to make any decisions. Most importantly this is a good opportunity to demonstrate everyone is on the same team with a common goal.

Review Budget and Associated Metrics.

In the course of understanding your Information Security Program, also spend some time dissecting your budget, breaking down Capital and Operating Expenditures. The question might come up in the next couple of weeks about the financial footprint of the Information Security team. If a lot of Security or Compliance spending has taken place before your arrival as CISO, the question might be asked whether capital expenditures can be reduced. If you are building the Information Security function for the first time in the history of your company there might be less attention on spending, as an initial capital spend is expected; however, it might be good to begin political posturing to appropriately set expectations if you think a lot of spending might be required. Also use this time to find a financial analyst to assist in budget formulation and help you communicate in a common vocabulary your CFO understands.

Let people know you exist!

Information Security is pervasive to an organization; it requires that you interface with many different departments, not just IT. Putting people on alert and driving awareness of your role will give people an invitation to reach out and discuss security topics, concerns, or just open a communication thread. Reaching out early helps to reinforce that you are an approachable person within your organization.

Days 11-20

Queue up an Information Security Assessment.

At the beginning of your third week, queue up an independent Information Security Assessment. Depending on the purchasing requirements of your company, coordination of the assessment could take a few weeks, and scheduling an assessor can require lead time. This should be an assessment of your Information Security Program, not just a Penetration Test or Vulnerability Assessment. Find a quality Information Security Assessor (such as NuHarbor Security) who can review your overall program posture using a framework such as ISO 27001. You would be well served to find a seasoned Information Security assessor who can measure the ISO 27001 controls in a business context, so you can gain an accurate read on business risk and appropriately prioritize remediation plans.

Hold One on One Meetings with your team.

Begin to meet with members of your team. Start with your direct reports first before making your way through your organizational structure. If your organization is so big that you cannot talk with everyone, then definitely make some time to talk with front-line Security staff, even if it means skipping the middle management tiers. Your front-line staff are the individuals who see issues and deal with problems, and as problems are escalated from the front lines up, the message can get filtered; so for a candid view of the challenges your security organization faces, be sure to talk to or survey your front-line team. During these meetings with your team you can and should be building political capital and trust within your organization. Ask for informed, fact-based opinions on what the department risks are, and seek their opinion as to how risks can best be mitigated. You can also use these meetings to establish your approachability by actively soliciting their feedback.

Begin to Understand what projects or initiatives will be active in 6 Months time.

Time permitting in your busy third and fourth weeks, start to understand new company initiatives or projects that might be active in six months’ time. The idea is that these will be emerging projects and initiatives you will be dealing with once you are fully oriented in your new position, and starting to gather a strategy will help you be purposeful in your first 101 days and ensure your success on those projects or initiatives. Starting this process now will give you some context when you begin having one-on-one meetings, but it will also give a glimpse as to what members of your team are already planning six months out, and how they are tracking risks associated with these initiatives.

Days 21-30

Prepare Steering Committee Materials.

By this point you’ve been in your position for a few weeks. If you have a Security Steering Committee, you should begin preparing materials and framing what the first meeting agenda should be. If you are inheriting an existing committee this can be a tricky proposition, because it’s critical you get the first meeting right and start the relationship off on the right foot; the complexity is amplified if you have the wrong stakeholders involved in the meeting (i.e. the committee members aren’t at the right level in the organization). If you find yourself dealing with a Security Steering Committee staffed at too low a level, you should pause and critically evaluate whether you want to “start over” with the committee; politically speaking, it might be easier to dissolve legacy committees and spend time amassing political capital to build new ones. In that case, this step of meeting with the Security Steering Committee comes much later in your first 101 days. If you are starting a new Security Steering Committee for the first time, in addition to framing the agenda and first meeting format you should also be considering and actively selling the position to the committee members you would like to participate.

Hold One on One Meetings with Business Leaders.

Start meeting with peers and Business Unit Leaders. The relationships you begin to form here will be critical to your ongoing success. In addition to gaining the trust of your company’s Business Leaders, you should also begin learning what their goals and objectives are. It’s important to gather this information and ingest it into your strategic plan and strategic roadmap. This information will help to ensure your Information Security goals and initiatives directly correlate to business objectives. During these meetings, also gather their advice on how the Security team can help.

Begin participation in Information Security Projects.

At this point you should have an inventory of active Information Security projects. Based on your emerging workload, pick some of the most important and strategic security projects to participate in. As you participate, keep in mind your position and the credibility that comes with being a CISO. If you participate too actively you may inadvertently take over the project and accidentally derail progress. Establish some personal guidelines for yourself as you operate in these meetings: focus on steering the project and adding value or suggestions that might improve it. Otherwise, be a mentally and physically present tie-breaker when collaboration ends in a stalemate, encourage and motivate the team, and at the end of the day your presence in the meeting will give credibility to the project.

Days 31-40

Review the Operational Security Budget.

Hopefully you were able to obtain a good understanding of your budget in the first couple of weeks (Days 1-10). Now that you have a solid month under your belt, you should be able to start answering specific questions about your budget and how spending is improving the program. By now you should also have recruited a financial analyst to help with your budget, develop ROI metrics, and start building metrics that show how you are improving the fiscal posture of the Information Security Program.

Establish a Program Vision.

It’s doubtful you’ll have your full vision formalized by this point, but if you do it will help shape the conversations you are about to have in the coming weeks. Following your conversations with business leaders from the previous weeks, you should begin to have a picture of what success looks like and how to help your company deliver on strategic goals and initiatives. While your vision might not be formalized, you’ll have plenty of time to firm up your goals in the coming months. Consider this step a prerequisite to developing an overall strategy for your Information Security Program.

Take Inventory of the Security Team Skill Sets and Establish Development Plans.

In talking with your team, holding one-on-one meetings, and observing the performance of your team members, collect an inventory of skills. This inventory should include technical and soft skills. Soft skills are a little harder to articulate and measure, but there are tested frameworks such as Lominger that can help to measure them. In the course of developing a staff development plan, give some consideration to what your employee wants in their career; the employee’s career aspirations should drive their skills development. In this role you should act as advisor and motivator: the act of developing a plan should be driven by the employee, and they need to be invested in the process to feel motivated to improve. Under-performing employees or employees with a negative attitude can perpetuate bad feelings among the team, and you owe it to your top performers to fix this ASAP. Also, don’t spend all your time on the under-performers; each team member should receive equal attention. This might be one of the most important tasks that you complete. Spend some time here and get this right.

Begin your Information Security Assessment.

This should be an independent review of your Information Security posture. While you might be qualified to do the assessment yourself, you should resist the temptation to do so. There’s an opportunity cost in doing the assessment yourself, and that opportunity cost is all the program and relationship development you should be doing instead. Additionally, the independent lens of someone impartial and removed from the organization will add to the credibility of any findings. During this assessment it’s critical, as always, to partner with your independent Information Security Assessor and guide them to ensure you get the results and quality you are looking for. Since the assessor is more than likely new to the organization, helping them think in the right business and security context will help to ensure an accurate measure of risk. An information security assessment without business context is just a gap assessment, not a risk assessment. A risk assessment is needed so you can begin to prioritize which remediation efforts to tackle first. Depending on your corporate purchasing processes a day 31-40 start time might be unrealistic, but this assessment should be performed as soon as possible. This is a prerequisite to formalizing your Information Security Program Strategy.

Days 41-50

Write or review the Information Security Charter.

Ideally you want your charter approved by the CEO and Board of Directors, so it should be written at a high enough level that it encompasses all of your mission and objectives but still provides enough detail that you can translate the charter into an operational plan. If your CEO and Board of Directors take interest in this document, it’s worth taking the time to get it right the first time, because each edit and change will need to be “re-approved” by the CEO and Board of Directors. Alternatively, many CISOs have their charter approved by their Security Steering Committee. If you are inheriting an existing Information Security Charter, this is a good opportunity to review the Charter and make any changes or modifications you require.

Appoint team leaders.

By now you’ve been able to observe the performance of your team for the past couple of months, and hopefully you have some obvious stand-out leaders. Considering your Information Security Program strategy and the direction you want to take the program, you need to start putting the right team in place to ensure delivery of that Strategy. The strength of the leaders you select should drive the autonomy you afford them. Junior leaders might need a little more structure with work plans and project reviews. More senior leaders will be able to work autonomously and help you coach and provide oversight to junior leaders.

Be visible in established Security Projects.

Whether you inherited a list of Security Projects or are getting ready to kick off your own, you should judiciously select a couple of projects to participate in. This will help to ensure projects stay on track or help an existing stalled project get back on track. Plus, while ramping up in your new role this will allow you to gain some credibility with your team and show you’re there to help them be successful. You have to be careful not to overstep your role and responsibility on the project, because depending on your background and expertise you don’t want to be perceived as taking over the project from your team. Also, your role on the project should be a consensus builder, not a C-Level overriding vote. There will be times when you need to pull out your “CISO card”, but that should be only in dire circumstances; your modus operandi should be using your communication skills to get everyone on the same page and build consensus within the teams.

Days 51-60

Review Budget for Second Month.

Review your budget again; by now you might be seeing trends in your expenditures. You should have enough information by this point to start making informed decisions about top expenditures. Also, now that you’ve met with your team about development plans, there might be some members of your team to whom you can delegate budget monitoring responsibilities.

Meet with Information Security Steering Committee or Board of Directors.

If you operate with an Information Security Steering Committee then you have flexibility as to when this meeting is scheduled, because you drive the agenda and timing. Alternatively, if you have an opportunity to meet with the Board of Directors, you have to work around their schedule and agenda. Depending on when the Board of Directors meeting falls on the calendar and how it aligns with your employment start date, it might make sense to skip presenting at the first Board of Directors meeting so that your first impression with the Board is strong, fact-based, and value-adding to the overall business strategy.

Obtain approval for your Security Charter.

In previous weeks you published a new charter or edited an existing one. Now it’s time to get it approved. The timing of when the approving body meets, whether the Information Security Steering Committee or the Board of Directors, will drive when and how this task is completed. Before requesting formal approval of the Information Security Charter, make sure you have buy-in from the appropriate reviewers. This will help to grease the skids with the approving body and ensure a smooth approval process.

Form Security Awareness team.

This might be the most overlooked task in most CISOs’ Information Security Playbooks. It’s fairly challenging to continually develop new and engaging Security Awareness ideas, content, and dissemination schemes. It’s common for a CISO to tag their marketing department to develop creative content and fresh ideas for delivery. It is recommended you enlist any and all help you can get from creative marketing teams. Everyone on the Information Security team has a responsibility to take up the Security Awareness flag and take a turn disseminating a Security Awareness message. There are many avenues by which this can be completed, but at a minimum everyone on the team should have an obligation to deliver training at least once a year.

Days 61-70

Formalize your Information Security Program Strategy.

Four months to develop a strategy might seem like too long, but considering your prerequisites of developing your vision (figuring out how good you want your Information Security Program to be) and completing your Information Security Assessment (figuring out how good your Information Security Program is today), you’ll need some time to put all these data points together. Your strategy should ultimately be your roadmap to delivering your program. Some ingredients of a successful Information Security Roadmap and Strategy include:

  • a maturity model for each competency you plan to develop in-house,
  • consideration of how/if a Managed Security Service Provider (MSSP) helps you mature quicker for less money,
  • fiscal capital costs to develop a competency and how the investment improves the maturity of the program,
  • fiscal operational costs to develop a competency (headcount, etc) and how the investment in staff and operations improves the maturity of the program.

It’s important to remember Information Security is a Risk Management exercise and to mitigate Information Security risks costs time and money. In some cases it might make sense to mature an Information Security competency to 90% of the potential capability because the additional 10% improvement might be cost prohibitive. Developing this Information Security Roadmap and being purposeful about investment and return on investment will help gain traction for your future budget.  If you’re looking for assistance or a sounding board on your strategy NuHarbor Security can assist.

Identify Objectives for your Information Security team.

Once your Information Security Strategy is complete (or still in development), you should begin developing your Annual Information Security Playbook. This Playbook should outline how your Information Security team delivers on your strategic Information Security objectives for the year. The projects you assign your team members to in the Playbook should tie to their professional development plans. Your Information Security Playbook can also be a mechanism by which to hold people accountable for the work they perform.

Days 71-80

Monitor your Information Security Program Delivery.

Based on your Information Security Program Strategy and your Information Security Playbook, you have a solid platform from which to track progress of your strategic deliverables, the tasks that are on track and those that are falling behind. Given all the work you’ve put in to date, you now have a good mechanism to measure your program and, more importantly, an early warning system for when your Information Security Program begins to deviate from the plan. This can be used as a component of your overall Information Security Governance processes.

Days 81-90

Continue monitoring Information Security Program Delivery.

Depending on the number of initiatives you have in your Information Security playbook and the number of Senior Team Leaders you might need to jump in to help Junior Leaders get started and gain traction.

Present at an All-Company Meeting.

If you have the opportunity to do so, you should take advantage of an All-Company meeting to talk about the Information Security program, what to expect and how to engage with the Information Security team. The sooner you can get onto the agenda to present–the better, but when you do talk hopefully you’ve had enough time in your role to form some contextually relevant material about vision and how Information Security can help your business succeed in their goals and objectives. While everyone on the Information Security team has an obligation to perform or deliver some level of Security Awareness, this is your opportunity as CISO to do your part toward Security Awareness and share the Information Security brand with your company.

Days 91-100

BCP/DR Planning.

If you have responsibility for Business Continuity Planning and Disaster Recovery, it is time to look into performing or refreshing your Business Impact Analysis (BIA) for Business Continuity Planning (BCP). The size of your business and the Executive support you receive will drive the level of effort required here. In other words, if you need to convince other executives to “give up” resources to help with BIA and BCP efforts, then it might take a little longer to complete this effort. However, while you organizationally and politically posture your BIA and BCP efforts, you can start to collect your asset inventory for the complementary Disaster Recovery (DR) efforts.

Day 101

Enjoy a celebratory beverage!

You’re on your way to building a top-notch Security Program. By this point you’ve completed some significant tasks including:

  • completed an Information Security assessment of your Organization,
  • built solid working relationships with your Business Peers,
  • improved on your Information Security budget,
  • developed staffing development plans for your Information Security staff,
  • completed an Information Security Strategy and Plan, and operationalized an Information Security Playbook,
  • established a great working relationship with other Executives and the Information Security Steering Committee or Board of Directors.

You have built a solid foundation for your Company’s Information Security program and you’ll be well served for future growth with the ability to recruit and retain top talent.

By: Justin Fimlaid

Source: https://www.nuharborsecurity.com/first-101-days-new-ciso-chief-information-security-officers-playbook/

Gartner Top 10 Security Projects for CISO in 2018

CISOs should focus on these ten security projects to reduce risk and make a large impact on the business.

The new chief information security officer (CISO) of a global bank is overwhelmed by his list of to dos. He knows he can’t do everything, but struggles to narrow down the endless list of potential security projects.

“Focus on projects that reduce the most amount of risk and have the largest business impact,” said Gartner vice president and distinguished analyst Neil MacDonald, during the 2018 Gartner Security and Risk Management Summit in National Harbor, MD.

To help CISOs get started, MacDonald shared Gartner’s top 10 list of new projects for security teams to explore in 2018. “These are projects, not programs, with real supporting technologies,” explained MacDonald. He added that they are new to most CISOs, with enterprise adoption at less than 50%.

Neil MacDonald, Gartner vice president and distinguished analyst, explains the Gartner top 10 security projects for CISOs to focus on at the Gartner Security and Risk Management Summit 2018.

No. 1: Privileged account management

This project is intended to make it harder for attackers to access privileged accounts and should allow security teams to monitor behaviors for unusual access. At a minimum, CISOs should institute mandatory multifactor authentication (MFA) for all administrators. It is also recommended that CISOs use MFA for third-party access, such as contractors.

Tip: Phase in using a risk-based approach, covering high-value, high-risk systems first. Monitor behaviors.

No. 2: CARTA-inspired vulnerability management

Inspired by the Gartner continuous adaptive risk and trust assessment (CARTA) approach, this project is a great way to tackle vulnerability management and has significant risk reduction potential. Consider exploring when the patching process is broken and IT operations is unable to keep up with the number of vulnerabilities. You can’t patch everything, but you can significantly reduce risk by prioritizing risk management efforts.

Tip: Require your vulnerability assessment/vulnerability management vendor to provide this, and consider mitigating controls in your analysis, such as firewalls.
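The prioritization idea behind this project, as an added illustration rather than Gartner's or any vendor's method: residual risk is scored from severity, asset value, exposure and exploitability, then discounted for compensating controls such as a firewall in front of the vulnerable service. The weights, control discounts and `VULN-*` findings are constructed for this example and would need calibrating against real asset data.

```python
from dataclasses import dataclass, field

@dataclass
class Finding:
    """One vulnerability on one asset (constructed sample record, not a real CVE)."""
    vuln_id: str
    cvss: float             # base severity, 0-10
    asset_criticality: int  # 1 (lab box) .. 5 (crown-jewel system)
    internet_exposed: bool
    exploit_public: bool
    mitigations: set = field(default_factory=set)  # e.g. {"firewall", "app_control"}

# Constructed discounts: share of the residual risk each compensating control removes.
MITIGATION_DISCOUNT = {"firewall": 0.6, "app_control": 0.4, "ips_signature": 0.3}

def risk_score(f: Finding) -> float:
    """Combine severity, asset value, exposure, exploitability and compensating controls.

    The result is capped at 100 so report rows are easy to compare; a finding with no
    exposure-reducing controls keeps its full weight.
    """
    score = f.cvss * 10 * (f.asset_criticality / 5)
    if f.internet_exposed:
        score *= 1.5
    if f.exploit_public:
        score *= 1.3
    # Discounts compound rather than add, so stacking weak controls never drives
    # the score to zero: a mitigated finding is still on the list, just lower.
    for control in f.mitigations:
        score *= 1 - MITIGATION_DISCOUNT.get(control, 0.0)
    return round(min(score, 100.0), 1)

def prioritize(findings):
    """Return findings ordered highest residual risk first (the patch/mitigate queue)."""
    return sorted(findings, key=risk_score, reverse=True)

# Constructed sample: two identical critical bugs, one shielded by a firewall.
SAMPLE = [
    Finding("VULN-A", cvss=9.8, asset_criticality=5, internet_exposed=True, exploit_public=True),
    Finding("VULN-B", cvss=9.8, asset_criticality=5, internet_exposed=True, exploit_public=True,
            mitigations={"firewall"}),
    Finding("VULN-C", cvss=7.5, asset_criticality=2, internet_exposed=False, exploit_public=False),
    Finding("VULN-D", cvss=5.3, asset_criticality=3, internet_exposed=True, exploit_public=False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.vuln_id}: residual risk {risk_score(f)}")
```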

No. 3: Active anti-phishing

Aimed at organizations that continue to experience successful phishing attacks against their employees. This requires a three-pronged strategy: technical controls, end-user controls and process redesign. Use technical controls to block as many phishing attacks as possible. But make users an active part of the defense strategy.

Tips: Don’t single out groups or individuals for doing the wrong thing; spotlight those who exhibit the right behaviors. Ask your email security vendor if they can undertake this project. If not, why?


No. 4: Application control on server workloads

Organizations looking for a “default deny” or zero trust posture for server workloads should consider this option. This project uses application control to block the majority of malware, as most malware is not whitelisted. “This is a very powerful security posture,” said MacDonald. It has proven to be successful against Spectre and Meltdown.

Tip: Combine with comprehensive memory protection. It is an excellent project for the Internet of Things (IoT) and systems that no longer have vendor support.

No. 5: Microsegmentation and flow visibility

This project is well-suited for organizations with flat network topologies — both on-premise and infrastructure as a service (IaaS) — that want visibility and control of traffic flows within data centers. The goal is to thwart the lateral spread of data center attacks. “If and when the bad guys get in, they can’t move unimpeded,” explained MacDonald.

Tip: Make visibility the starting point for segmentation, but don’t over segment. Start with critical applications and require your vendors to support native segmentation.

No. 6: Detection and response

This project is for organizations that know compromise is inevitable and are looking for endpoint, network or user-based approaches for advanced threat detection, investigation and response capabilities. There are three variants from which to choose:

The latter is a small but emerging market ideal for organizations looking for in-depth ways to strengthen their threat detection mechanisms with high-fidelity events.

Tip: Pressure EPP vendors to deliver EDR and security information and event management (SIEM) vendors to provide UEBA capabilities. Require a rich portfolio of deception targets. Consider MDR “lite” services directly from the vendor.

No. 7: Cloud security posture management (CSPM)

This should be considered by organizations in search of a comprehensive, automated assessment of their IaaS/platform as a service (PaaS) cloud security posture to identify areas of excessive risk. Organizations can choose from several vendors including cloud access security brokers (CASBs).

Tip: If you have a single IaaS look to Amazon and Microsoft first. Make this a requirement for your CASB vendor.

No. 8: Automated security scanning

This project is for organizations that want to integrate security controls into DevOps-style workflows. Begin with an open source software composition analysis and integrate testing as a seamless part of DevSecOps workflows, including containers.

Tip: Don’t make developers switch tools. Require full application programming interface (API) enablement for automation.

No. 9: Cloud access security broker (CASB)

This project is for organizations with a mobile workforce looking for a control point for visibility and policy-based management of multiple enterprise cloud-based services.

Tip: Start with discovery to justify the project. Weight sensitive-data discovery and monitoring as a critical use case for 2018 and 2019.

No. 10: Software-defined perimeter

This project is aimed at organizations that want to reduce the surface area of attacks by limiting the exposure of digital systems and information to only named sets of external partners, remote workers and contractors.

Tip: Re-evaluate risk of legacy virtual private network (VPN)-based access. Pilot a deployment in 2018 using a digital business service linked to partners as a use case.


Source: https://www.gartner.com/smarterwithgartner/gartner-top-10-security-projects-for-2018/
