The new chief information security officer (CISO) of a global bank is overwhelmed by his list of to dos. He knows he can’t do everything, but struggles to narrow down the endless list of potential security projects.
“Focus on projects that reduce the most amount of risk and have the largest business impact,” said Gartner vice president and distinguished analyst Neil MacDonald, during the 2018 Gartner Security and Risk Management Summit in National Harbor, MD.
To help CISOs get started, MacDonald shared Gartner’s top 10 list of new projects for security teams to explore in 2018. “These are projects, not programs, with real supporting technologies,” explained MacDonald. He added that they are new to most CISOs, with enterprise adoption at less than 50%.
No. 1: Privileged account management
This project is intended to make it harder for attackers to access privileged accounts and should allow security teams to monitor behaviors for unusual access. At a minimum, CISOs should institute mandatory multifactor authentication (MFA) for all administrators. It is also recommended that CISOs use MFA for third-party access, such as contractors.
Tip: Phase in using a risk-based approach (high value, high risk) systems first. Monitor behaviors.
No. 2: CARTA-inspired vulnerability management
Inspired by the Gartner continuous adaptive risk and trust assessment (CARTA) approach, this project is a great way to tackle vulnerability management and has significant risk reduction potential. Consider exploring when the patching process is broken and IT operations is unable to keep up with the number of vulnerabilities. You can’t patch everything, but you can significantly reduce risk by prioritizing risk management efforts.
Tip: Require your virtual assistant/virtual machine vendor to provide this and consider mitigating controls in your analysis, such as firewalls.
No. 3: Active anti-phishing
Aimed at organizations that continue to experience successful phishing attacks against their employees. This requires a three-pronged strategy: technical controls, end-user controls and process redesign. Use technical controls to block as many phishing attacks as possible. But make users an active part of the defense strategy.
Tip: Don’t single out groups or individuals for doing the wrong thing; spotlight those who exhibit the right behaviors. Ask your email security vendor if they can undertake this project. If not, why?
No. 4: Application control on server workloads
Organizations looking for a “default deny” or zero trust posture for server workloads should consider this option. This project uses application control to block the majority of malware as most malware is not whitelisted. “This is a very powerful security posture,” said MacDonald. It has proven to be successful against Spectre and Meltdown.
Tip: Combine with comprehensive memory protection. Is an excellent project for the Internet of Things (IoT) and systems that no longer have vendor support.
No. 5: Microsegmentation and flow visibility
This project is well-suited for organizations with flat network topologies — both on-premise and infrastructure as a service (IaaS) — that want visibility and control of traffic flows within data centers. The goal is to thwart the lateral spread of data center attacks. “If and when the bad guys get in, they can’t move unimpeded,” explained MacDonald.
Tip: Make visibility the starting point for segmentation, but don’t over segment. Start with critical applications and require your vendors to support native segmentation.
No. 6: Detection and response
This project is for organizations that know compromise is inevitable and are looking for endpoint, network or user-based approaches for advanced threat detection, investigation and response capabilities. There are three variants from which to choose:
- Endpoint protection platforms (EPP) + endpoint detection and response (EDR)
- User and entity behavior analytics (UEBA)
The latter is a small but emerging market ideal for organizations looking for in-depth ways to strengthen their threat detection mechanisms with high-fidelity events.
Tip: Pressure EPP vendors to deliver EDR and security information and event management (SIEM) vendors to provide UEBA capabilities. Require a rich portfolio of deception targets. Consider MDR “lite” services directly from the vendor.
No. 7: Cloud security posture management (CSPM)
This should be considered by organizations in search of a comprehensive, automated assessment of their IaaS/platform as a service (PaaS) cloud security posture to identify areas of excessive risk. Organizations can choose from several vendors including cloud access security brokers (CASBs).
Tip: If you have a single IaaS look to Amazon and Microsoft first. Make this a requirement for your CASB vendor.
No. 8: Automated security scanning
This project is for organizations that want to integrate security controls into DevOps-style workflows. Begin with an open source software composition analysis and integrate testing as a seamless part of DevSecOps workflows, including containers.
Tip: Don’t make developers switch tools. Require full application programming interface (API) enablement for automation.
No. 9: Cloud access security broker (CASB)
This project is for organizations with a mobile workforce looking for a control point for visibility and policy-based management of multiple-enterprise, cloud-based services.
Tip: Start with discovery to justify the project. Weight-sensitive data discovery and monitoring as a critical use case for 2018 and 2019.
No. 10: Software-defined perimeter
This project is aimed at organizations that want to reduce the surface area of attacks by limiting the exposure of digital systems and information to only named sets of external partners, remote workers and contractors.
Tip: Re-evaluate risk of legacy virtual private network (VPN)-based access. Pilot a deployment in 2018 using a digital business service linked to partners as a use case.