Gartner’s 25th annual Summit for CISOs, security architects, and data practitioners ended last week. There was a focus on how organizational culture, rather than piecemeal technology and services, can improve cybersecurity. Specifically, speakers emphasized how keeping up with cybersecurity frameworks and people-centric strategies creates an agile security architecture and an integrated risk management program.
Across about 250 sessions from 210 speakers (81 of them Gartner analysts), over 3,500 attendees mixed with 206 solution providers to discuss where the market is headed in 2019. I attempted to anticipate the conversations in a blog article leading up to the Summit. Here, I have detailed more of the thinking that came out of the event.
Five years ago, the message was to “be wary of The Cloud”, with a focus on Cloud Access Security Brokers (CASBs) and encryption. More recently, the feeling was “Get in the cloud, but keep important things on-premises.” This year, the focus was “Cloud, Cloud, Cloud: your data is safer in the Cloud.” That is a big transition in a short timeframe.
In addition to dozens of conversations with analysts, presenters, vendors, and attendees, I did a lot of listening this year, often hanging around after a presentation for the one-on-one informal attendee questions. In this unmic’d setting, analysts give their most insightful tips, like which vendors to investigate and which to avoid.
This, in itself, is one of the most valuable reasons to attend Summit. You’ll never get that transparency in an Analyst inquiry or on a webinar. I hope to give you a flavor for those insights from this article.
Keynote: Enabling Value Creation
Keynote presenters David Mahdi, Beth Schumaecker, and Katell Thielemann focused heavily on how security professionals can help bottom-line value while keeping security and risks in check. They mentioned that the average Chief Information Security Officer (CISO) tenure is down to only two years, and explained the broader Gartner message that, beyond data security and regulatory compliance, a CISO can deliver growth through efficient use of technology and by building a diverse and innovative culture.
The Automation Continuum
The Keynote promoted automation as the best way to bring value to organizations, but with a tradeoff of additional risks. Because increasing automation is important and, it seems, inevitable, becoming an expert in one of the types of automation can enable professionals to work themselves into the right roles for managing that automation.
Because automation reduces hands-on control, it necessitates good dashboards and systems that work in sync. Finding the right balance of automation can remove friction in the user experience. Ongoing digital transformation (another broader Gartner theme) means more data, and where there is data there are regulators.
Gartner predicts that by 2020, archived personal data will represent the largest area of privacy risk for 70% of organizations. Finding their place along the automation continuum can help firms prepare for this very near future and mitigate emerging regulatory risks.
The Continuous Adaptive Risk and Trust Assessment (CARTA) came up early and often at the Summit. It is all about automation: the automation of security processes across the four elements (predict, prevent, respond, and detect), with careful management from security professionals and a ton of data. David Mahdi, a Gartner analyst who specializes in identity and access management, authentication and data security, offered a comprehensive overview.
Data powers the Artificial Intelligence (AI) that fuels business processes and projects, necessitating more security for that data. Here, the EU General Data Protection Regulation (GDPR) and its worldwide implications were touched on again. “Security professionals should be looking for ‘augmented intelligence’ to secure their investments,” he reminded. AI with context awareness can provide enhanced human support for things like incident response, putting previously used usernames and passwords on watchlists, auto-quarantining publicly exposed sensitive data, etc.
These notions brought the conversation around the themes of the summit: “Identity as the New Perimeter”, multi-factor authentication, User Experience (UX) techniques, and integrating CARTA into the tools and practices across the Security Operations Center and other relevant systems.
Top 10 Security Projects for 2019
Every year, Gartner captures the security priorities of the typical enterprise with a Top-10 list of projects that their customers are (or should be) implementing.
Gartner Senior Director Analyst, Brian Reed, started the session by comparing the trends in geography and market growth. “The biggest growth markets alone don’t necessarily determine what those top 10 projects should be,” he noted, pointing out that any security project must be supported by technology, address the changing needs of cybersecurity, and reduce risk by adopting a CARTA strategic approach.
We noticed that cloud is taking on an ever-increasing place in this list (see image). One of the new items, Business Email Compromise (BEC) is unique because it is actually a subset of the larger anti-phishing projects of previous years. In fact, in its recently-published Market Guide for Email Security, Gartner introduced a new category to address BEC in cloud-based email.
Neil Wynne and Peter Firstbrook refer to this new class of technology as “Cloud Email Security Supplements.” CESSs protect against the threats that Secure Email Gateways (SEGs) typically miss: advanced persistent threats, business email compromise (BEC) phishing, account takeover, and intradomain insider attacks.
This session was well-attended, widely discussed in the tweetstream, and a lot of attendees remained to discuss it afterward. We’ll talk more about CARTA, CASBs, Business Email Compromise (BEC), and Security Incident Response in later articles.
Office 365 Security 201
Patrick Hevesi discussed “Advanced Security Features and Third-Party Options for Protecting Your O365 Tenant” on Monday morning, a session in which 70-80% of the audience had already implemented Office 365 in their environment, and ostensibly the rest are in the throes of that deployment process.
As part of the Gartner for Technical Professionals (GTP) research, Patrick annually releases an 80+ page guide to the licensing, configurations, and recommendations around the implementation of Office 365, called “Understanding and Implementing Security in Office 365: Exchange Online, SharePoint Online, OneDrive for Business and Teams.” The table of the security and compliance services that come with each O365 license, alongside the third-party providers for each category, is an invaluable resource that should be hanging on every administrator’s wall. By the way, all those folks (and any admin) should have Multi-Factor Authentication (MFA) turned on as well, according to Patrick.
The advice from this former CISO is that the Microsoft Secure Score is a good place to start. It gamifies compliance, but there is no ‘perfect’ score. Attendees yelled out their own scores, with numbers from 70 to 387. He promotes turning on native data classification and Data Loss Protection (DLP), and mastering what he calls “the most dangerous console in all of O365”: admin.onedrive.com.
Misconfigurations are the root of many vulnerabilities. A default setting that allows users to copy and paste from OneDrive consumer (their personal) to business (corporate) and vice-versa is a particularly dangerous one, as are access policies for managed devices vs unmanaged devices. SharePoint and OneDrive also have a slider that lets admins control access from “the whole world” to “very restrictive” but with very few options in between.
Complexity is the second source of vulnerability. Patrick mentioned that PowerShell activities are not tracked anywhere in O365 and all users have access by default. Knowing that an unmanaged hacker trying to use PowerShell would not be tracked was certainly jarring to the session audience. He spends a lot of time being briefed by Microsoft on their roadmap, and plans to improve upon the 600 cmdlets and advanced settings (which have no real user interface) are not on the horizon from Microsoft.
In a show of hands, perhaps 10% of the audience employed a CASB, in a room of about 250 who were clearly squarely cloud-based organizations.
Intra-domain protection, or scanning internal-to-internal communications for phishing and malware threats, is a key requirement all email security professionals should have top of mind. From numerous conversations with CISOs, executives, and summit attendees interested in Cloud Security, intra-domain attacks, post-delivery protection and impersonation attacks were a common thread.
Outlook for Cloud Security 2019
VP Analyst Jay Heiser said that Cloud Security is this year’s top area of analyst inquiries. While the raw number of provider failures remains low, the number of customer data exposures continues to climb. The most notable of these recently have come from development failures, open Amazon S3 buckets, and the like. Jay asserted that “the biggest cause of security failure is phishing,” and “it doesn’t matter where your server is or application is... if the phisher can gain access to the authentication material, they will gain access to that service.”
To state it clearly, “It isn’t so much about whether the cloud is secure… It’s mostly about how securely you are using it.” Gartner’s cloud security research covers multi-tenant public cloud environments Infrastructure-as-a-Service (IaaS) and Software-as-a-Service (SaaS). This session followed Heiser’s recent research “How to Evaluate Cloud Service Provider Security.”
Jay asserted that the most important thing an organization can do to reduce the potential for unwanted exposure of important data is to address open file shares. He recommended keeping people from “promiscuously sharing data with everyone else across the internet,” particularly calling out Microsoft OneDrive, where this is a default option. Firms can easily start addressing this exposure with access and time-based limitations, keeping in mind that file shares are still a better way to share data than email.
Mitigating Phishes That Your Email Gateway Misses
Continuing on this year’s email security theme, Mario de Boer, a specialist in endpoint, malware, and email/collaboration security, noted in his presentation the sustained popularity of email gateways, but argued that their protection is far from perfect. In this session, he suggested that changing user behavior and evaluating next-generation email security technologies is a must.
As is to be expected, this starts with raising user awareness, which is most easily accomplished through user education sessions that test knowledge of phishing attacks, IoT risks, and password management best practices. He stressed, however, that programs that emphasize positive reinforcement for discovering attacks, versus punishing users for falling victim, lower an organization’s susceptibility to this risk. An unintended consequence of punishing victims with simulated attacks seems to be suspicion and distrust of the IT function, who originate them.
One organizational response to phishing is to change operational behavior after the phish, especially for BEC attacks.
Mario looked at this through the lens of recipient-focused and operations-focused phishing detection and response practices. The need for proactive pre-delivery and post-delivery protection becomes apparent here, as he walked through an analysis of end-user messages, some of the same 300+ indicators the Avanan platform sees.
Gartner coined the term “Security Orchestration, Automation, and Response” (SOAR), a solution stack that can be applied to compatible products and services that help define, prioritize, standardize, and automate incident response functions. Mario introduced “Mail-focused SOAR” or M-SOAR in this session to focus exclusively on email threats, as opposed to orchestration. He noted that these capabilities lie at the intersection of email gateways, awareness/training, and solution software for collaboration suite security, such as Avanan.
A show of hands across the 150 or so attendees in the session indicated that a minority of them were using tools that would effectively fit the M-SOAR definition.
The 1990s Are Calling: They Want Their Perimeter Back
Analysts David Mahdi, Patrick Hevesi and Steve Riley joined forces for this playfully-named session that poked fun at outdated ways of looking at Security. Traditionally, the analogy was about a castle and moat... but today, the question is, where is the moat? As introduced in the Keynote, Identity is the new perimeter, coupled with the assumption that data will leak. Much-retweeted phrases from this session included Steve Riley’s “Zero Trust without another NOUN after it is an empty phrase”… a Zero Trust WHAT?
The term comes from a 2017 O’Reilly book, Zero Trust Networks: Building Secure Systems in Untrusted Networks, and as Gartner has noted in the past, this is the first step on the road to the CARTA framework, where observations continue after log-in and trust is re-assessed regularly. In this way, trust can be initially established on identity, but can also be lost based on the pattern of behavior.
Access would depend on which client is logged in and adapt to where the device currently sits (inside the corporate Wi-Fi or out in the wild, for example), with different access restrictions (read-only, for example) applied during that interaction. As many organizations have adopted a Bring Your Own Device (BYOD) policy, those devices could have different restrictions based on their own security, level of patching, location, etc. Restrictions on upload/download, and the ability to access sensitive or confidential data, were discussed, among other alternatives.
Gartner defines Identity and Access Management (IAM) as “ensuring the right people get the right access to the right resources at the right time for the right reasons, enabling the right business outcomes.”
Coupling the “identity is the new perimeter” concept, Patrick Hevesi added the idea that organizations could contextually adjust their security posture while under attack. This would mean that more onerous and friction-filled security for the end-user is only in place during those periods. This seems like a great suggestion. In our own discussions at Avanan, I have found that clients believe searching for anomalies in log-ons, in particular looking for “superman attacks” (successive log-ins from geographic locations too far apart to reasonably be the same person), is a good example of coupling identity as a virtual perimeter to cloud infrastructure. The analysts concluded this discussion with an overview of Software Defined Perimeter (SDP) and data-centric protection for applications related to Zero Trust Network Access (ZTNA).
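The “superman attack” check described above, written out as an added example (not Avanan’s or Gartner’s code): successive sign-ins by the same user are compared by great-circle distance and elapsed time, and a pair is flagged when the implied speed exceeds what an airline passenger could manage. The sign-in events, coordinates and the 900 km/h threshold are constructed for the example; a real deployment would geolocate source IPs and would need exceptions for known VPN egress points and shared accounts.

```python
"""Impossible-travel ("superman attack") detection over sign-in events.

Added example, not vendor code. Input is a constructed list of successful
sign-ins (user, UTC timestamp, source geolocation). Two successive sign-ins
by one user are flagged when the distance between them could not have been
covered in the elapsed time at a plausible airline speed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, Iterable, List

MAX_PLAUSIBLE_KMH = 900.0   # assumed threshold: roughly a commercial flight
EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime          # timezone-aware UTC
    lat: float
    lon: float
    city: str               # label only, used in the alert text


@dataclass(frozen=True)
class Alert:
    user: str
    first: SignIn
    second: SignIn
    distance_km: float
    implied_kmh: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def detect_impossible_travel(events: Iterable[SignIn],
                             max_kmh: float = MAX_PLAUSIBLE_KMH) -> List[Alert]:
    """Group sign-ins per user, sort by time, and flag implausible hops."""
    by_user: Dict[str, List[SignIn]] = {}
    for e in sorted(events, key=lambda e: (e.user, e.when)):
        by_user.setdefault(e.user, []).append(e)
    alerts: List[Alert] = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            if hours <= 0:
                # Same-second events: any real distance is impossible travel.
                speed = float("inf") if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_kmh:
                alerts.append(Alert(user, prev, cur, dist, speed))
    return alerts


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample: alice's New York -> London hop is a plausible flight;
# bob's Chicago -> Moscow hop happens 45 minutes apart and is not.
SAMPLE_EVENTS = [
    SignIn("alice", _ts("2019-06-20T08:00:00"), 40.7128, -74.0060, "New York"),
    SignIn("alice", _ts("2019-06-20T16:30:00"), 51.5074, -0.1278, "London"),
    SignIn("bob", _ts("2019-06-20T09:00:00"), 41.8781, -87.6298, "Chicago"),
    SignIn("bob", _ts("2019-06-20T09:45:00"), 55.7558, 37.6173, "Moscow"),
]

if __name__ == "__main__":
    for a in detect_impossible_travel(SAMPLE_EVENTS):
        print(f"{a.user}: {a.first.city} -> {a.second.city}, "
              f"{a.distance_km:.0f} km in {a.second.when - a.first.when} "
              f"(~{a.implied_kmh:.0f} km/h)")
```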
Cloud Security Fundamentals for Midsize Enterprises
Steve Riley led this session; he and fellow analyst Jay Heiser are fans of saying “In the cloud, everything is the same. Except it’s all completely different.” For this reason, Gartner advocates a cloud-native approach for protecting data and users and securing applications. This owes to the idea that conventional models of security and control rely on location… if location could not be established, a system was thought to be insecure. This doesn’t apply in cloud models; until very recently, G Suite customers had no way of knowing where in the world their data lives.
These concepts are pertinent for mid-sized enterprises; I paid particular attention, as many of the clients I work with today are in this category. The cloud is liberating for these organizations: SaaS collaboration suites like Office 365 give them the same email, file-sharing and messaging as Fortune 500 enterprises. It gives them the same risk exposure, too.
Regardless of the cloud model (IaaS, PaaS or SaaS), the responsibility for identity and data always rests with the client. The change in mindset supports the idea that the public cloud can be a more secure starting point than corporate data centers. At the same time, that mindset also shifts to a network of secure systems rather than a secure network of systems.
More Secure Than Your Neighbor
Is the goal to be as secure as possible? Riley suggests that goal is to be “more secure than your neighbor.” He compares this to the “security sticker” posted outside homes that presumably have a home alarm system. The deterrence is more about “going to the next house” as opposed to truly preventing a break-in. Steve says he “just has the sticker,” although there isn’t an analogous concept for securing the cloud.
Interestingly, many organizations using cloud collaboration suites like Office 365 are doing quite the opposite. The ability for a potential bad actor to easily understand which security protocols are in place (as in an MX record change), which gateways are in use (also from DNS and DKIM entries that are accessible), and the fact that anyone can get their own virtually identical O365 system to practice attacks, is effectively a sticker that gives potential hackers a roadmap for what to try. (So, until we have a sticker, think about using Avanan for a full collaboration suite protection tool!)
The summary for this session: forget about where the data is, but be careful about who can access what, kinds of access/permissions, why and how they access it. And while you’re at it, Riley suggests “encrypt all things.” The technology has caught up to offer cloud-native patterns and practices to make this as straightforward as it has ever been.
Redefining Your Email Security Strategy for 2020 and Beyond
"Fighting Phishing is a Team Sport,” according to Neil Wynne, who departs Gartner after an 11+ year stint as an Analyst. Nothing is 100% effective, but in most cases the human is ultimately the one taking the bad action. As the last line of defense, they can either be a resilient one or a weak one. “Users do dumb things,” he lamented.
Neil tied CARTA directly to email security, with an annotated version of the framework. He asserted that the email security market has caught up to this approach, and the market has coalesced around the Gartner vision here. The previous focus on only detect and prevent has been bolstered by the ability to detect and respond, for a full-scale solution to confront phishing, which is by far the biggest attack vector.
For me, this was the most pointed session. If I reverse-engineered an overview presentation of the Avanan Platform into a Gartner Analyst presentation for Summit, it would look a lot like this. The key here is what Neil refers to as “predictive phishing protection,” which he says “very few vendors are doing...many have it on their roadmap, but it’s not there yet.” While the email clients themselves need to get better, especially on mobile devices, only some users will choose to interrogate them more deeply.
This sets up the requirement for a passive protection, one that happens before the inbox. Layering SPF, DKIM and DMARC will be a requirement in the coming months, although he notes there are a lot of cultural and organizational issues to address in order to put this in place.
Intra-Domain (yes, again)
As I heard repeatedly in relation to email security at the Summit, internal-to-internal, or intra-domain scanning is “a blind spot for most organizations,” and almost “no one is doing this yet.” (This means that we’re not doing a good enough job of explaining how Avanan does this!) While MFA can help, if an account is taken over, hackers are able to move laterally in the organization with impunity. Detection requires a fresh pair of eyes, as in supplementing existing efforts with a new tool to address malware, malicious URLs, and payload-less attacks.
Neil then got specific on Office 365. “You could script this out in PowerShell… but do you have those skills? Can they do it at 3am? Can they address when PowerShell gets weird?” Effectively, this supports the idea of enabling the analysts on staff to remediate, so that they spend time only on identifying things that truly need a human eye to detect. He advocated adopting the above-referenced M-SOAR approach to handle the response to a phishing attack by integrating directly with O365. As organizations start looking at the email problem from each of these quadrants, they put users at the center of their strategy, and create a positive feedback loop to support their efforts at identifying potential phishing attacks.
Business Email Compromise
“90% of the calls I take are focused on inbound… an actual incident or a near miss,” says Wynne, as he noted that in most cases, Business Email Compromise (BEC) “exploits a flawed business process.” It doesn’t cost anything more to fix that; it just takes attention to fill those process gaps.
The bigger problem, he notes, is outside of the security team. The external brand image of an attacked firm is most affected by BEC, for example. “Marketing and legal may need to be involved,” he says, supporting an idea reinforced repeatedly at the Summit: whether your organization has a CISO or you are effectively serving in that role, building relationships across the executive suite is a business imperative.
Fundamentally, as this area evolves, the CARTA approach is the right mindset, and the organizations leveraging it will see what is coming today, be ready for the next things heading down the pike, and stay ahead of them.
Five Top Takeaways - a Summary
- Know the CARTA framework. This paradigm is here to stay. Gartner analysts are making their recommendations in this context, and see this as the best way to frame a meaningful security discussion. The best technology vendors have this in mind.
- Understand new terminology. A Gartner glossary is useful, not because of buzzwords, but because of new phrases that segment capabilities and requirements, and that clarify which vendors can solve which challenges. Cloud Email Security Supplements (CESSs), M-SOAR, CSPW, and CSPP are all important parts of a meaningful cloud security strategy, and deserve the time it takes to understand them.
- MQs: Look beyond the dot. As Steve Riley noted, the body of research that goes into a Magic Quadrant goes far beyond the simple two-axis ranking. Organizational requirements, balanced with individual vendor strengths, as well as an understanding that there is not an MQ for everything, and that many times the right solution isn’t necessarily a leader, are key things to know when reviewing the MQ research. Use the MQ as a starting point before speaking with the appropriate analyst in an inquiry.
- Know your analysts. Summit provides a great overview of trends in the space. It also surfaces which analysts are focusing their attention on areas meaningful to your business. Armed with a who’s who among relevant analysts, Gartner clients can book inquiries to delve into what matters to their organization. As an example, David Mahdi covers IAM, which wouldn’t normally be of direct interest for me. I found at the Summit that the areas in which he does research include the types of anomaly detection relevant to Avanan clients, and I plan to spend some time learning from him where CISOs are challenged, aside from the Superman attack scenarios.
- Only at the Summit. The Summit continues to be a useful microcosm of the industry. I enjoyed keying in on specific topics, many of which may not have been in mind before hearing them in a session. Reminders of things to be diligent about, such as DMARC, CARTA, and M-SOAR, are useful as well. Keynotes help expand the mind above day-to-day minutiae, to understand the bigger picture and the collective consciousness among the best CISOs in business today. As noted above, you’re also likely to hear, both from analysts and others, things they just don’t share in inquiries or webinars.
Hope you enjoyed this detailed summary. We’re on the journey with clients, partners and friends to take what we learned at Summit and continue to grow. Want to know what we know? Drop me a line or request a meeting anytime. I’m happy to connect.