I do apologise for all the buzzwords you’re going to read in this article. But then again, what’s the point of working in this industry if you can’t use buzzwords!
Gartner held their premier Security and Risk Management Summit in late August and without doubt saw great attendance from all around Australia and the Asia Pacific.
Many of the execs I spoke to had something positive to say about the two-day conference. I don’t have the stats, but many of the people I networked with were from diverse security backgrounds, and most of them held leadership or technical roles within the organisations they represented. With over 100 scheduled events, we did notice a few recurring themes that Gartner analysts kept coming back to.
Here are my key takeaways from the many sessions, roundtables and analyst discussions I attended, capturing quite well the current state of the industry while giving us a taste of what to expect over the next 3–5 years.
1. Challenges with securing IoT are real and around the corner
IoT is not exactly a new paradigm, but the availability of high-bandwidth connectivity and low-power networking makes the dream of billions of independent, inter-connected devices a reality.
Analysts predict 8.4 billion connected devices in 2017, up 31% from 2016, and an industry worth $1.29 trillion by 2020. With IoT devices notoriously insecure (as the rise of botnets such as Mirai has shown), this presents an interesting security challenge.
The traditional CIA principles (confidentiality, integrity and availability) aren’t enough when it comes to IoT, given its place in critical infrastructure and in physical devices that can hurt people. We also need to think about the privacy, safety, reliability and overall resiliency of the device.
From the surface IoT security looks like basic security practice, but it has hidden complications under the hood. Given the incredibly low per-device cost requirement of IoT, security needs to come cheap. Scale, the diversity of technology used, varied functionality and the flow of data between devices and back-ends all add complexity to the equation.
We can expect security standards (which may later become regulation) to emerge and mature in the near term, along with general-purpose cloud-based IoT platforms that abstract away the security and asset management of the devices.
2. Everyone wants a piece of Data Science and Analytics
Security has evolved from traditional controls towards more proactive, statistical approaches to identifying security problems. Talking to people from organisations of various sizes, almost everyone has a centralised logging platform or a SIEM of some kind.
Some of the more mature organisations in this space are performing data analytics on their wealth of information to paint a picture of their complex environments and report the insights back to the business (analytics-driven security). User and Entity Behaviour Analytics (UEBA) products are a hot topic. The analytics build a profile of a user or machine and analyse events against it for security-relevant outcomes. Most UEBA products are rule based: a fixed threshold or signature fires after something bad has already happened. A growing crop of vendors are taking the anomaly-detection path instead, using learning models to report behaviour that deviates from the established baseline and could indicate something malicious.
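The difference between the two approaches above is easiest to see side by side. The block below is an added illustration (not code from the article or from any UEBA vendor): the log lines are constructed, the static thresholds and the three-sigma cut-off are assumptions, and a real product would profile far richer features than country, hour of day and outbound volume.

```python
"""Rule-based alerting vs. per-user baselining (the two UEBA approaches above).

Added example: the log lines are constructed for illustration and the thresholds
(MB_THRESHOLD, BUSINESS_HOURS, the 3-sigma cut-off) are assumptions, not values
taken from any product."""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed history used to build per-user baselines: "timestamp user country mbytes_out".
# bob is a backup operator who routinely pushes ~2 GB at 02:00; alice and carol are ordinary staff.
BASELINE_LOG = """\
2017-08-01T09:02:00 alice AU 22
2017-08-02T09:15:00 alice AU 31
2017-08-03T10:40:00 alice AU 18
2017-08-04T14:05:00 alice AU 45
2017-08-07T09:30:00 alice AU 27
2017-08-08T11:12:00 alice AU 35
2017-08-01T02:00:00 bob AU 1900
2017-08-02T02:05:00 bob AU 2100
2017-08-03T02:00:00 bob AU 2050
2017-08-04T02:10:00 bob AU 1980
2017-08-07T02:00:00 bob AU 2200
2017-08-01T08:50:00 carol NZ 12
2017-08-02T09:20:00 carol NZ 15
2017-08-03T09:05:00 carol NZ 9
2017-08-04T10:00:00 carol NZ 14
"""

# Constructed new events to evaluate against those baselines.
RECENT_LOG = """\
2017-09-01T03:10:00 alice RO 300
2017-09-01T02:03:00 bob AU 2100
2017-09-01T09:30:00 carol NZ 13
"""

MB_THRESHOLD = 500             # static "large transfer" rule, the same for everyone
BUSINESS_HOURS = range(7, 19)  # static "working hours" rule, the same for everyone


def parse_events(text):
    """Turn the whitespace-separated log format above into dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, country, mb = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
                       "user": user, "country": country, "mb": float(mb)})
    return events


def rule_based(event):
    """Static rules: fire when a fixed threshold is crossed, regardless of who the user is."""
    reasons = []
    if event["mb"] > MB_THRESHOLD:
        reasons.append("volume over static threshold")
    if event["ts"].hour not in BUSINESS_HOURS:
        reasons.append("activity outside business hours")
    return reasons


def build_profiles(events):
    """Per-user baseline: countries and hours seen, plus mean/stdev of outbound volume."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    profiles = {}
    for user, evs in by_user.items():
        volumes = [e["mb"] for e in evs]
        profiles[user] = {
            "countries": {e["country"] for e in evs},
            "hours": {e["ts"].hour for e in evs},
            "mean": statistics.mean(volumes),
            "stdev": statistics.pstdev(volumes),
        }
    return profiles


def anomaly_based(event, profiles, z_cutoff=3.0):
    """Baseline rules: fire when the event deviates from this user's own history."""
    profile = profiles.get(event["user"])
    if profile is None:
        return ["no baseline for this user"]  # new account: nothing to compare against
    reasons = []
    if event["country"] not in profile["countries"]:
        reasons.append("country never seen for this user")
    if event["ts"].hour not in profile["hours"]:
        reasons.append("hour never seen for this user")
    if profile["stdev"] > 0:
        z = (event["mb"] - profile["mean"]) / profile["stdev"]
        if z > z_cutoff:
            reasons.append("volume is a %.0f-sigma outlier for this user" % z)
    return reasons


def run():
    """Evaluate each recent event both ways; returns {user: {"rule": [...], "anomaly": [...]}}."""
    profiles = build_profiles(parse_events(BASELINE_LOG))
    return {e["user"]: {"rule": rule_based(e), "anomaly": anomaly_based(e, profiles)}
            for e in parse_events(RECENT_LOG)}


if __name__ == "__main__":
    for user, verdict in run().items():
        print(user, verdict)
```

Running it, the static rules fire on bob every single night (a false positive that an analyst will quickly learn to ignore) while missing alice's 300 MB transfer because it sits under the global threshold; the baseline flags alice on country, hour and volume and stays silent on bob. The same mechanism is also where the pain is: with a short or dirty history the "never seen" checks fire constantly, which is why the point about getting the basics and the data sources right first matters so much.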
It is predicted, however, that standalone UEBA products are a dying breed, with almost all solutions now integrating directly into your SIEM or logging platform of choice. Splunk already offers Security Essentials and UBA alongside its core platform, and this is envisioned as the model of the future. UEBA could also become part of endpoint protection, service brokering/authentication and DLP solutions.
This kind of maturity, however, is not for everyone. Predictive security analytics is great, but only if you have the basics of protective security figured out. If you’re not doing the basics, you won’t have clean enough data sources, or the ability to tune and configure analytics-based products, for them to be effective.
3. Cloud Security is mature (kinda), but continues to present big opportunities
Every company that wants to be relevant in 2020 already has a large cloud-based infrastructure, or has a ‘Cloud Strategy’ or roadmap in place to make the transition. Unlike five years ago, cloud security is actually quite robust and capable; probably better than most of the in-house security controls we spent millions of dollars on. Default-deny security policies (nothing is reachable or permitted until someone explicitly allows it) and better visibility are probably the reasons why.
Governance, visibility and access control are still big gaps in the cloud security market, and vendors know it. There were quite a few exhibits selling unified identity and access management solutions for cloud-based infrastructure.
Cloud Access Security Broker (CASB) products were another recurring theme. Most had similar takes on core functionality (despite each claiming to be unique), with some more mature than others in functionality and in their supporting ecosystem of solutions.
I’m an advocate of AWS’s own security products. They cover everything from DDoS protection, WAF, visibility/monitoring and governance to IAM; they are competitively priced, tightly integrated, and have a rich and quickly growing feature set. Understandably some of these products might not cater to every need of large enterprise customers, but most mid-size to large businesses should be perfectly happy with what’s on offer.
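To make the “implicit default deny” point from the start of this section concrete, here is a small evaluator that mimics the documented order in which AWS IAM resolves identity-based policies: a matching explicit Deny always wins, otherwise any matching Allow permits the request, otherwise the request is implicitly denied. This is an added illustration, not AWS code; it ignores Condition blocks, principals, resource policies, SCPs and IAM’s case-insensitive action matching, and the bucket names, ARNs and policies are hypothetical.

```python
"""Simplified IAM-style policy evaluation showing why "default deny" helps.

Added example, not AWS code: explicit Deny > explicit Allow > implicit deny, with
IAM-style '*' wildcards, and nothing else (no Condition, principal, resource
policy or SCP handling). Bucket names and ARNs below are hypothetical."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(statement, action, resource):
    """A statement applies when both its Action and Resource patterns match."""
    return (any(fnmatchcase(action, pattern) for pattern in _as_list(statement["Action"]))
            and any(fnmatchcase(resource, pattern) for pattern in _as_list(statement["Resource"])))


def evaluate(policies, action, resource):
    """Return 'explicit deny', 'allow' or 'implicit deny' for one request."""
    decision = "implicit deny"          # nothing is permitted until a statement says so
    for policy in policies:
        for statement in policy["Statement"]:
            if not _matches(statement, action, resource):
                continue
            if statement["Effect"] == "Deny":
                return "explicit deny"  # a matching Deny overrides every Allow
            decision = "allow"
    return decision


# Hypothetical policies attached to a web-tier role: read the public assets bucket only.
READ_ASSETS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::app-assets", "arn:aws:s3:::app-assets/*"],
    }],
}
# A guardrail that keeps holding even if someone later adds a broader Allow.
NO_SECRETS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::app-assets/secrets/*",
    }],
}

ROLE_POLICIES = [READ_ASSETS, NO_SECRETS]

# Constructed requests, one per outcome the evaluator can produce.
REQUESTS = [
    ("s3:GetObject", "arn:aws:s3:::app-assets/index.html"),      # granted by READ_ASSETS
    ("s3:PutObject", "arn:aws:s3:::app-assets/index.html"),      # never granted: implicit deny
    ("s3:GetObject", "arn:aws:s3:::other-bucket/index.html"),    # wrong bucket: implicit deny
    ("s3:GetObject", "arn:aws:s3:::app-assets/secrets/db.pem"),  # Allow matches, but Deny wins
]


def decisions(policies=ROLE_POLICIES, requests=REQUESTS):
    """Map each (action, resource) request to its verdict."""
    return {req: evaluate(policies, *req) for req in requests}


if __name__ == "__main__":
    for (action, resource), verdict in decisions().items():
        print(f"{verdict:13} {action} {resource}")
```

Two of the four requests are refused without anyone having written a rule against them, which is the posture that traditional perimeter controls (allow unless something is blocked) never gave you; and the `secrets/` guardrail still holds if a colleague later grants `s3:*` on the whole bucket, because the Deny is evaluated first.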
4. Simplifying day to day security with a Risk based mindset
More people are now re-thinking security around risk. It sounds really obvious, but the traditional security mindset has always been “protect all, store all, deny all”. The problem is that there are always more people, resources and vulnerabilities on the attacking side than on the defending side, especially in smaller organisations. This makes security a massive cost centre in every company, and you’ll see people run away when they see someone from security approaching.
Reconsidering where your risk actually lies, and allocating your resources to securing against the identified key risks, gives you better bang for your buck. You’ve increased the risk appetite of your organisation, but you’re also a lot more competitive and efficient.
Roughly seven-eighths of the vulnerabilities out there never get exploited in the wild, and malware leverages only a small subset of the available exploits.
Better intelligence and research around the attack vectors that actually get used help you be more strategic and efficient with your security policies.