At this week’s Gartner Security Summit in National Harbor, Maryland, Gartner analyst Brian Reed outlined 10 cybersecurity projects that could help enterprises reduce security risk.
Reed also noted enterprise spending priorities. CASB tops the list by a wide margin, with a 46% compound annual growth rate (CAGR) expected through 2022, followed by encryption at 23.7% annual growth, threat intelligence at 20.6% and privileged access management (PAM) at 17%.
The list of top projects includes five holdovers from the 2018 list and five new projects. The goal was to find projects with high business and risk reduction impact that can be budgeted and staffed this year.
Before tackling new security projects, Reed emphasized that enterprises should first get the basics right:
- endpoint and server protection;
- user controls such as removing admin rights from Windows users and implementing identity and access management (IAM) with automated provisioning and deprovisioning;
- a basic security infrastructure that includes log monitoring, backup and restore, patch and vulnerability management, and perimeter security controls;
- proper information handling, such as email security controls and security awareness training.
Top security projects for 2019
Of the 10 security projects, the five holdovers from 2018 are: privileged access management; vulnerability management; detection and response; cloud security posture management; and CASB.
The five new projects are: business email compromise; dark data discovery; security incident response; container security; and security ratings services.
1. Privileged Access Management
Among Reed’s recommendations were multi-factor authentication for all admins and PAM for third-party access.
He listed the following vendors in the PAM space:
- ARCON
- Hitachi ID
- BeyondTrust
- Lieberman
- Broadcom-CA
- One Identity
- Centrify
- Osirium
- CyberArk
- Senhasegura
- Fox Technologies
- Thycotic
- Fudo Security
- WALLIX
2. CARTA-inspired vulnerability management
CARTA – Continuous Adaptive Risk and Trust Assessment – is Gartner’s strategic concept for information security. Reed recommended a similar risk-based approach to patch management that focuses on systems and vulnerabilities with higher risk. He listed the following vendors as potential partners:
- Core Security
- Skybox Security
- Kenna Security
- Tenable.io
- NopSec
- Qualys
- RedSeal
- RiskSense
- Risk Based Security
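The risk-based prioritization Reed describes can be illustrated with a small scorer that ranks findings by exposure and threat context rather than by CVSS alone. This is an added example, not code from Gartner or any vendor above; the weights, host names and CVE-style identifiers are constructed placeholders.

```python
"""Risk-based vulnerability prioritization (added example, not Gartner's or
any vendor's code).

Each finding is scored from signals a scanner or asset inventory typically
provides: CVSS base score, whether an exploit is known to be in use, whether
the host is internet-facing, and how critical the host is to the business.
All weights and the sample findings below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str          # placeholder identifiers in the sample data below
    cvss: float       # CVSS base score, 0.0-10.0
    exploited: bool   # exploit observed in the wild (threat-intel feed)
    internet_facing: bool
    criticality: int  # business criticality of the host, 1 (low) to 3 (high)


def risk_score(f: Finding) -> float:
    """Combine severity with exposure and threat context.

    The multipliers are constructed for this example; the point is that a
    medium CVSS on an exploited, internet-facing, critical host outranks a
    critical CVSS on an isolated, low-value host.
    """
    score = f.cvss
    if f.exploited:
        score *= 2.0
    if f.internet_facing:
        score *= 1.5
    score *= {1: 0.5, 2: 1.0, 3: 1.5}[f.criticality]
    return round(score, 2)


def prioritize(findings, capacity):
    """Return the `capacity` highest-risk findings, highest first, so a
    patching team with limited hours works the riskiest items first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return ranked[:capacity]


# Constructed sample data; CVE identifiers are placeholders.
SAMPLE = [
    Finding("web-01", "CVE-0000-0001", 6.5, True, True, 3),
    Finding("lab-07", "CVE-0000-0002", 9.8, False, False, 1),
    Finding("db-02", "CVE-0000-0003", 7.5, False, False, 3),
    Finding("kiosk-3", "CVE-0000-0004", 5.0, False, True, 1),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE, 2):
        print(f"{risk_score(f):6.2f}  {f.host}  {f.cve}")
```

Note that the highest CVSS in the sample (9.8 on an isolated lab host) does not make the top two; the exploited, internet-facing web server does. Replacing the hard-coded multipliers with values from the organisation's own risk model is the intended adaptation.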
3. Detection and response
Reed said that mean time to detect and respond is the new standard for effective security against attackers. As only 20% of endpoints are protected by endpoint detection and response (EDR), there’s a lot of room for improved security here. He listed the following vendors:
- BlackBerry Cylance
- McAfee
- Carbon Black
- Microsoft
- Cisco
- Sophos
- CrowdStrike
- Symantec
- Cybereason
- Tanium
- Endgame
- Trend Micro
- FireEye
4. Cloud security posture management (CSPM)
Reed’s list included two cloud projects: Cloud security posture management (CSPM) and Cloud Access Security Brokers (CASB). CSPM focuses more than CASB or cloud workload protection on operational aspects such as monitoring, DevSecOps and risk identification. Reed said vendors include:
- Alert Logic
- Microsoft Azure
- Amazon
- Qualys
- Bitglass
- Symantec
- CloudAware
- Tenable.io
- CloudCheckr
- Google Cloud
- McAfee
5. CASB
Reed said CASB is for enterprises looking for visibility and central management of policy and governance across multiple cloud services. CASB vendors include:
- Bitglass
- Microsoft
- CensorNet
- Palo Alto Networks
- CipherCloud
- Proofpoint
- Cisco
- Symantec
- Forcepoint
- Fortinet
- McAfee
6. Business email compromise (BEC)
A business email compromise (BEC) attack steals funds or sensitive data by exploiting normal business processes using pure social engineering tactics rather than malicious URLs or attachments and thus bypasses traditional security processes. Reed said enterprises need technology that can inspect message context by looking at the trustworthiness and authenticity of the sender. Security awareness training and web browser isolation are other controls. BEC vendors include:
- Abnormal Security
- Mimecast
- Agari
- PhishLabs
- Area 1 Security
- Proofpoint
- GreatHorn
- Terranova
- Graphus
- Trend Micro
- INKY
- Valimail
- Ironscales
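The "message context" checks Reed refers to amount to asking whether the sender is who the display name suggests and whether the message authenticated as coming from that domain. The following is an added example of such checks over message headers, using only the Python standard library; it is not code from Gartner or any vendor listed above, and the domain, protected names and sample message are constructed.

```python
"""Sender-context checks for business email compromise (added example; not
code from Gartner or any vendor named in the article).

Flags messages where the sender looks like a known internal person but the
message did not come from, or cannot be replied to at, the organisation's own
domain. Everything below (domains, names, the sample message) is constructed.
"""
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for the example: the organisation's own domain and the people
# most often impersonated in BEC (executives, finance staff).
OWN_DOMAIN = "example.com"
PROTECTED_NAMES = {"alice ceo", "bob finance"}


def auth_results(msg):
    """Extract spf/dkim/dmarc verdicts from the Authentication-Results header
    added by the receiving mail server (absent header -> no verdicts)."""
    hdr = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.IGNORECASE))


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike(domain, own=OWN_DOMAIN):
    """True when domain is close to, but not equal to, our own domain
    (e.g. a digit substituted for a letter)."""
    return domain != own and difflib.SequenceMatcher(None, domain, own).ratio() >= 0.8


def bec_signals(raw):
    """Return the list of BEC indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(addr), domain_of(reply)
    auth = {k.lower(): v.lower() for k, v in auth_results(msg).items()}
    signals = []
    # Executive's name on an address outside our domain.
    if name.strip().lower() in PROTECTED_NAMES and from_dom != OWN_DOMAIN:
        signals.append("display-name-impersonation")
    # Registered domain that visually resembles ours.
    if lookalike(from_dom):
        signals.append("lookalike-domain")
    # Replies silently redirected to a different domain.
    if reply and reply_dom != from_dom:
        signals.append("reply-to-mismatch")
    # Mail claiming our domain must pass DMARC; any explicit failure is flagged.
    if auth.get("dmarc") == "fail" or (from_dom == OWN_DOMAIN and auth.get("dmarc") != "pass"):
        signals.append("dmarc-not-pass")
    return signals


# Constructed sample: lookalike domain, executive display name, external
# Reply-To, and failed authentication results.
SAMPLE = """\
From: Alice CEO <alice@examp1e.com>
Reply-To: alice.ceo@mail.invalid
To: bob@example.com
Subject: urgent wire
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail header.from=examp1e.com

Please process the attached invoice today.
"""

if __name__ == "__main__":
    print(bec_signals(SAMPLE))
```

Each signal on its own is weak (a genuine partner may legitimately set a different Reply-To), which is why products in this space combine several such signals with sender history before quarantining a message; a mail gateway rule that flags only DMARC failures would miss the display-name and lookalike cases entirely.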
7. Dark data discovery project
Reed said “dark data” is data that was once operationally valuable but over time has become “dark,” meaning it has unknown risks and no value. Vendors that could help include:
- Active Navigation
- Micro Focus
- Adlib
- SailPoint
- Druva
- Spirion
- Formpipe
- STEALTHbits
- Ground Labs
- TITUS
- IBM
- Varonis
- Index Engines
8. Incident response
Reed said security incidents are inevitable, but having an incident response vendor on retainer “is not a replacement for good security processes and preparedness.” IR vendors include:
- AT&T
- Kroll
- BlackBerry Cylance
- Kudelski Security
- Booz Allen Hamilton
- McAfee
- Cisco
- Rapid7
- CrowdStrike
- Secureworks
- FireEye (Mandiant)
- Stroz Friedberg
- IBM
- Verizon
9. Container security
Reed said more than half of enterprises have at least one container-based application in development or production, making container security a growing need. “Make sure these are secured from inception,” he said. Container security vendors include:
- Aqua Security
- Trend Micro
- McAfee
- Twistlock
- NeuVector
- Qualys-Layered Insight
- StackRox
- Symantec
10. Security ratings services
Reed also recommended a security ratings services project focused on risks associated with digital ecosystems, going beyond internal security posture to the supply chain, regulators, customers and partners. Security ratings services vendors include:
- BitSight
- NormShield
- CORAX
- PANORAYS
- Cyence
- RiskRecon
- Security Scorecard
- UpGuard
- CyRating
- FICO
IT security priorities
Reed said if an enterprise can do only two things this year, it should implement MFA for admins and a CARTA-inspired approach to vulnerability management.
He also recommended a default deny posture on server, network and application access.