At last week’s Gartner Security Summit in National Harbor, Maryland, Gartner analyst Neil MacDonald outlined 10 cybersecurity projects that could go a long way toward reducing enterprise security risk.
First, though, MacDonald listed 10 things enterprises should already be doing to “make sure you’ve got the basics right.” Those 10 basics are:
- Upgrade to the latest endpoint protection platform offering, with fileless malware detection, memory injection protection, machine learning, and other features
- Remove administrative rights from Windows users where possible
- Implement an IAM program with automated provisioning and deprovisioning
- Perform regular patch management
- Implement a standardized server/cloud workload protection platform agent
- Implement robust anti-spam technical controls
- Use some form of SIEM/log monitoring solution (basic detection and response)
- Use backup and restore for ransomware protection
- Conduct basic security awareness training
- Improve perimeter security, including URL filtering for internet access
Top security projects for 2018
MacDonald said his top security projects for CISOs to consider this year are aimed at high business impact and high risk reduction. They came from recommendations from the security community, and a team whittled down the list to 10. He said he doesn’t expect enterprises to do all of them, but they might pick one or two that fit their particular needs.
1. Privileged account management
MacDonald recommended privileged account management for root, administrative and other highly empowered accounts, combined with monitoring of their behavior for unusual access. At a minimum, he said, enterprises should require multi-factor authentication for these accounts. He listed the following vendors as those that might be able to help with privileged account management:
- ARCON
- BeyondTrust
- CA Technologies
- Centrify
- CyberArk
- Fox Technologies
- Hitachi
- Lieberman Software
- Micro Focus
- One Identity
- Thycotic
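The monitoring half of this project (watching privileged accounts for unusual access) is easy to illustrate. The following Python is an added example, not code from the article or from any of the vendors above. It assumes a constructed, key=value style authentication log and a constructed per-account baseline (approved source networks and working hours); the log lines, account names and addresses are all made up for the example. Each privileged login is checked for the three things MacDonald calls out: missing MFA, an unfamiliar source, and access outside the normal pattern.

```python
import ipaddress
from datetime import datetime

# Accounts treated as privileged (constructed for this example).
PRIVILEGED = {"root", "Administrator", "svc_backup"}

# Constructed baseline: where each privileged account normally logs in
# from, and during which hours (start inclusive, end exclusive, UTC).
BASELINE = {
    "root":          {"sources": ["10.0.5.0/24"],  "hours": (8, 18)},
    "Administrator": {"sources": ["10.0.5.0/24"],  "hours": (8, 18)},
    "svc_backup":    {"sources": ["10.0.9.10/32"], "hours": (0, 24)},
}

# Constructed sample log in a simple key=value format; not real data.
SAMPLE_LOG = """\
2018-06-12T09:15:02Z user=root src=10.0.5.14 host=db01 mfa=yes result=success
2018-06-12T09:20:44Z user=alice src=10.0.7.22 host=web03 mfa=no result=success
2018-06-12T23:41:10Z user=root src=198.51.100.7 host=db01 mfa=no result=success
2018-06-12T02:05:31Z user=svc_backup src=10.0.9.10 host=nas01 mfa=no result=success
2018-06-12T11:02:00Z user=Administrator src=10.0.5.20 host=dc01 mfa=yes result=failure
"""


def parse_line(line):
    """Split one log line into a dict; the first token is the timestamp."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def assess(rec):
    """Return the list of policy findings for one record (empty if clean)."""
    user = rec["user"]
    if user not in PRIVILEGED:
        return []                      # only privileged accounts are in scope
    findings = []
    if rec.get("mfa") != "yes":
        findings.append("no-mfa")      # the minimum bar: MFA on every privileged login
    base = BASELINE[user]
    src = ipaddress.ip_address(rec["src"])
    if not any(src in ipaddress.ip_network(net) for net in base["sources"]):
        findings.append("unusual-source")
    start, end = base["hours"]
    if not (start <= rec["ts"].hour < end):
        findings.append("off-hours")
    return findings


def review(log_text):
    """Map (timestamp, user, source) -> findings for every flagged login."""
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        findings = assess(rec)
        if findings:
            report[(rec["ts"].isoformat(), rec["user"], rec["src"])] = findings
    return report


if __name__ == "__main__":
    for key, findings in review(SAMPLE_LOG).items():
        print(key, "->", ", ".join(findings))
```

In the sample, only two of the five logins are flagged: the late-night root login from an outside address trips all three checks, and the service account is reported solely for the missing second factor. A real deployment would feed the same three checks from the PAM platform's session records or the SIEM rather than a flat file, but the decision logic is the same.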
2. Vulnerability management project
MacDonald recommended that enterprises implement a vulnerability management project based on Gartner’s CARTA principles (Continuous Adaptive Risk and Trust Assessment) in order to target the vulnerabilities of highest risk. This should be a top priority, he said. Sample vendors include:
- Kenna Security
- IBM Qradar
- NopSec
- Qualys
- RedSeal
- Bay Dynamics
- Skybox Security
- RiskSense
- Resolver (RiskVision)
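The point of a CARTA-style vulnerability program is that a CVSS base score alone does not say which finding to fix first; exploit activity, exposure and asset criticality change the order. The following Python is an added example of such a risk-prioritized ranking; it is not code from the article or from any vendor listed, and the weights, the asset names and the placeholder advisory identifiers are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    advisory: str          # placeholder identifier (constructed, not a real CVE)
    cvss: float            # CVSS base score, 0.0 - 10.0
    exploited_in_wild: bool
    internet_facing: bool
    criticality: int       # business criticality of the asset, 1 (low) to 3 (high)


# Constructed weights: multiply the base score by context factors. Real
# programs tune these from their own loss data; the values here are illustrative.
EXPLOIT_WEIGHT = 1.5
EXPOSURE_WEIGHT = 1.3
CRITICALITY_WEIGHT = {1: 0.6, 2: 1.0, 3: 1.4}


def risk_score(f):
    """Contextual risk: base severity scaled by exploitability, exposure and asset value."""
    score = f.cvss
    if f.exploited_in_wild:
        score *= EXPLOIT_WEIGHT
    if f.internet_facing:
        score *= EXPOSURE_WEIGHT
    score *= CRITICALITY_WEIGHT[f.criticality]
    return score


def prioritize(findings, budget=None):
    """Rank findings by contextual risk; optionally keep only the top `budget`."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return ranked[:budget] if budget else ranked


def rank_by_cvss_only(findings):
    """The naive ordering, kept for comparison with the contextual one."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# Constructed sample scan results.
SAMPLE_FINDINGS = [
    Finding("web01", "ADV-EXAMPLE-0001", 9.8, False, True, 3),
    Finding("web01", "ADV-EXAMPLE-0002", 7.5, True, True, 3),
    Finding("dev05", "ADV-EXAMPLE-0003", 9.8, True, False, 1),
    Finding("hr02",  "ADV-EXAMPLE-0004", 5.3, False, False, 2),
]


if __name__ == "__main__":
    print("CVSS only :", [f.advisory for f in rank_by_cvss_only(SAMPLE_FINDINGS)])
    print("Contextual:", [f.advisory for f in prioritize(SAMPLE_FINDINGS)])
    for f in prioritize(SAMPLE_FINDINGS, budget=2):
        print(f"fix first: {f.asset} {f.advisory} risk={risk_score(f):.1f}")
```

On the sample data a CVSS-only view puts the two 9.8 findings at the top, while the contextual ranking moves the actively exploited, internet-facing 7.5 on a critical server ahead of both. That reordering is the whole reason to run the project as a risk-prioritized one rather than a "fix everything above 7" one.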
3. Anti-phishing project
An active anti-phishing project includes three aspects: technical controls, end-user training, and process design. Possible vendors include:
Technical controls:
- Area 1 Security
- Microsoft
- Proofpoint
- Symantec
- Trend Micro
- Menlo Security
User training:
- KnowBe4
- PhishLine
- Cofense
- SANS Institute
- Terranova WW
- Proofpoint (Wombat Security)
4. Application control on server workloads
Application control, exploit prevention and memory protection can provide the basis for a strong server security strategy. Possible vendors include:
- Carbon Black
- McAfee
- Trend Micro
- Symantec
- Microsoft
Container-centric security:
- Aqua Security
- Twistlock
- StackRox
- Aporeto
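Application control on a server means a default-deny decision per executable, and the useful distinction is between trusting a path and trusting the content at that path. The following Python is an added example of a hash-based allowlist decision; it is not the article's or any listed vendor's code, and the "binaries" are constructed byte strings standing in for real executable images.

```python
import hashlib

# Constructed approved images: path -> bytes of the build that was approved.
# In practice these would be the real binaries' digests from a golden image.
TRUSTED_IMAGES = {
    "/usr/sbin/nginx":  b"nginx 1.14 release build (constructed stand-in)",
    "/usr/bin/python3": b"python3 interpreter build (constructed stand-in)",
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Default-deny allowlist keyed by content hash, not by path.
ALLOWLIST = {sha256(image): path for path, image in TRUSTED_IMAGES.items()}


def decide(path, image_bytes):
    """Return (verdict, digest). Only an exact approved hash is allowed to run."""
    digest = sha256(image_bytes)
    if digest in ALLOWLIST:
        return "allow", digest
    if path in TRUSTED_IMAGES:
        # A known path with unexpected content: the approved file was replaced.
        return "deny-modified", digest
    # Anything else (dropped tools, scripts in writable dirs) is denied by default.
    return "deny-unapproved", digest


def evaluate(events):
    """Apply the policy to a list of (path, image bytes) execution attempts."""
    return [(path, decide(path, image)[0]) for path, image in events]


# Constructed execution events: one clean, one tampered, one unknown.
SAMPLE_EVENTS = [
    ("/usr/sbin/nginx",  TRUSTED_IMAGES["/usr/sbin/nginx"]),
    ("/usr/bin/python3", b"python3 interpreter build (constructed stand-in) + extra bytes"),
    ("/tmp/update.sh",   b"#!/bin/sh\necho hello\n"),
]


if __name__ == "__main__":
    for path, verdict in evaluate(SAMPLE_EVENTS):
        print(f"{verdict:16} {path}")
```

Keying the allowlist on the digest rather than the path is what turns "the file is where nginx lives" into "this is the nginx build we approved": a replaced binary at a trusted location is denied as modified, and anything outside the approved set is denied without needing a signature to match against.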
5. Microsegmentation and flow visibility project
Visibility and control of traffic flows between workloads can stop attacks from spreading, MacDonald said. Potential vendors include:
- VMware
- Cisco
- Illumio
- vArmour
- CloudPassage
- Dome9
- Bracket Computing
- Cloudvisory
- NeuVector
- Cyxtera
- GuardiCore
- Unisys
- Certes Networks
- SAIFE
- BlackRidge
- Zentera Systems
- Amazon Web Services (AWS)
- Microsoft Azure
- Aporeto
6. Detection and response
Detection and response is a critical technology for enterprises that know a breach is inevitable, and MacDonald offered a few possible projects in this area. Vendors include:
EPP + EDR:
- Carbon Black
- Cisco (Advanced Malware Protection)
- CrowdStrike
- Cylance
- Cybereason
- Microsoft
- SentinelOne
- Symantec
UEBA:
- Bay Dynamics
- Exabeam
- Splunk
- IBM
- Interset
- Gurucul
- HPE (Niara)
- Rapid7
- Securonix
MacDonald said some SIEM vendors offer UEBA technology, which can reduce both cost and vendor complexity for users.
Focused detection and response with deception
Deception technology can frustrate attackers and make them easier to detect. Vendors include:
- Attivo Networks
- Acalvio
- TrapX Security
- Cymmetria
- Fidelis (TopSpin)
- GuardiCore
- Illusive Networks
- Javelin
Managed Detection and Response (MDR)
Managed detection and response can be a faster route to advanced threat detection and response. MacDonald recommended asking your MSSP for this service to limit the number of vendors you have to deal with. Vendors include:
- Arctic Wolf
- Alert Logic
- BAE Systems
- Booz Allen Hamilton
- Cisco
- CrowdStrike
- Cybereason
- eSentire
- F-Secure
- FireEye
- Mnemonic
- Rapid7
- Raytheon
- Red Canary
- Rook Security
- Secureworks
- SecureLink
- UnitedLex
7. Cloud security posture management project
The goal of the cloud security posture management project is to find misconfiguration risk in how your public cloud environment is set up, particularly with a complex service like AWS. If a company already works with a CASB vendor, that vendor should ideally offer these services, MacDonald said. Vendors include:
- Alert Logic
- BMC
- Cavirin
- Cloud Conformity
- CloudAware
- CloudCheckr
- Cloudnosys
- Cloudvisory
- DivvyCloud
- Dome9
- Palo Alto Networks (Evident.io)
- RedLock
- Saviynt
- Tenable
- Turbot
CASB vendors:
- Bitglass
- McAfee (Skyhigh Networks)
- Netskope
- Oracle
- Palo Alto Networks
- Symantec (Blue Coat)
8. Automated security scanning project
He recommended an automated security scanning project for integrating security controls into DevOps-style workflows, beginning with open source software composition analysis. Vendors include:
- Sonatype
- CA Technologies (SourceClear)
- Synopsys (Protecode and Black Duck Software)
- WhiteSource
- Lexumo
- ANX (Positive Networks)
- Flexera Software (Palamida)
- Snyk
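Open source software composition analysis, the recommended starting point, comes down to reading a dependency manifest and matching each pinned version against known-vulnerable ranges before a build is allowed through. The following Python is an added example of that check, not code from the article or from any listed vendor; the manifest, the package names and the advisory records are all constructed placeholders (no real projects or advisories), and it assumes exact `name==version` pins and simple dotted numeric versions.

```python
# Constructed manifest in a requirements-style format (not a real project's file).
SAMPLE_MANIFEST = """\
# constructed sample for the example
examplehttp==2.18.4
fooparser==3.12
barweb==1.0.2
"""

# Constructed advisory feed: package is vulnerable below `fixed`.
# IDs are placeholders, not real CVE or advisory numbers.
ADVISORIES = [
    {"package": "fooparser",  "id": "ADV-EXAMPLE-101", "fixed": "4.1"},
    {"package": "examplehttp", "id": "ADV-EXAMPLE-102", "fixed": "2.20.0"},
    {"package": "barweb",     "id": "ADV-EXAMPLE-103", "fixed": "0.12.3"},
]


def parse_version(text):
    """Turn '2.18.4' into (2, 18, 4) so tuple comparison orders versions."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_manifest(text):
    """Return {package: pinned version} from 'name==version' lines; skip comments."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split("==", 1)
        deps[name.strip().lower()] = version.strip()
    return deps


def scan(manifest_text, advisories):
    """List (package, pinned, advisory id, fixed version) for each vulnerable pin."""
    deps = parse_manifest(manifest_text)
    hits = []
    for adv in advisories:
        pkg = adv["package"].lower()
        if pkg in deps and parse_version(deps[pkg]) < parse_version(adv["fixed"]):
            hits.append((pkg, deps[pkg], adv["id"], adv["fixed"]))
    return sorted(hits)


def build_gate(manifest_text, advisories):
    """Exit status for a CI step: 0 when clean, 1 when any vulnerable pin is found."""
    return 1 if scan(manifest_text, advisories) else 0


if __name__ == "__main__":
    for pkg, pinned, adv_id, fixed in scan(SAMPLE_MANIFEST, ADVISORIES):
        print(f"{pkg}=={pinned} affected by {adv_id}; upgrade to >= {fixed}")
    raise SystemExit(build_gate(SAMPLE_MANIFEST, ADVISORIES))
```

Wiring `build_gate` into the pipeline is what makes this a DevOps-style control rather than a report: the build fails on a known-vulnerable pin, and the output names the version that clears it. Real manifests also carry ranges, transitive dependencies and non-numeric versions, which is the work a commercial SCA tool does on top of this core comparison.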
9. CASB
MacDonald also listed CASB as a separate project for enterprises looking for a control point for visibility and policy-based management of multiple enterprise cloud-based services. He listed the following CASB vendors:
- McAfee (Skyhigh Networks)
- Netskope
- Symantec/Blue Coat (Elastica, Perspecsys)
- Microsoft (Adallom)
- Forcepoint (Skyfence)
- Cisco (Cloudlock)
- CipherCloud
- Oracle (Palerra)
- Palo Alto Networks (CirroSecure)
- Proofpoint (FireLayers)
10. Software-defined perimeter project
Lastly, he recommended a software-defined perimeter project to reduce the attack surface by exposing digital systems and information only to named sets of external partners, remote workers and contractors. Vendors include:
- Akamai (Soha Systems)
- BlackRidge
- Cato Networks
- Certes Networks
- Cyxtera (was Cryptzone)
- Dispel
- Luminate
- Perimeter 81
- Safe-T
- SAIFE
- Trusted Knight
- Unisys
- Vidder
- Waverley Labs
- Zentera
- Zscaler
Prioritizing security projects
MacDonald said five of the projects would reduce the financial impact of successful attacks by 80% by 2020 over 2017 levels:
- Risk-prioritized vulnerability management
- Privileged account management
- Active anti-phishing program
- Application control on server workloads
- Automated security testing in development
He told attendees that they should immediately require stronger authentication for all IT administrative activity, extend multi-factor authentication to cloud users as well, and begin a free cloud application discovery and risk assessment project.
In the next few months, enterprises should evaluate and deploy risk-prioritized vulnerability assessment and management and automatically scan applications for known vulnerable OSS components.
In the next year, they should evaluate and deploy a deception platform and link it to their SIEM and security operations center; switch servers to a default-deny application control (whitelisting) model; and initiate a data center microsegmentation project.