During the past 18 months or so, we have seen the emergence of innovative endpoint security solutions. The list is long; it is hard to keep track of all the solutions in the space. In no particular order, here is a sampling: Bromium, Invincea, IBM Trusteer, Cylance, Palo Alto Networks Next-Gen Endpoint Protection (Cyvera), Microsoft Enhanced Mitigation Experience Toolkit (EMET), Bit9 + Carbon Black, Confer, CounterTack Sentinel, Cybereason, CrowdStrike Falcon Host, Guidance Software Cybersecurity, Hexis HawkEye G, FireEye HX, Triumfant, Tanium, and Verdasys Digital Guardian.
I take many briefings from these types of vendors (primarily the ones I cover in Forrester’s Endpoint Visibility and Control category) and within the first 5 minutes of the conversation, the vendor mentions that their solution has a “small footprint.” The use of this phrase is the equivalent of nails scratching their way across a chalkboard for me. When was the last time you heard anyone say that they have a “large footprint?” Please provide more information: Do you run in user or kernel land? What are the impacts to utilization? Even if a vendor truly has a “small footprint,” when that new agent is deployed to a host that already has four or five agents running, the collective footprint is far from small.
Critical infrastructure is frequently on my mind, especially the ICS/SCADA within the energy sector. I live in Texas; oil and natural gas are big here ya'll. I'm just a short distance away from multiple natural gas drilling sites. I cannot help but think about the risks during the extraction and transport of this natural gas. North Texas has seen an attempt to bomb the natural gas infrastructure. In 2012, Anson Chi attempted to destroy an Atmos Energy pipeline in Plano, Texas. As a security and risk professional, I wonder about the potential cyber impacts an adversary with Chi's motivations could have.
Fifty organizations representing 95 countries were included in the data set. This included 1,367 confirmed data breaches. By comparison, last year’s report included 19 organizations and 621 confirmed data breaches.
In a significant change, Verizon expanded the analysis beyond breaches to include security incidents. As a result, this year’s dataset has 63,437 incidents. This is a great change, recognizes that incidents are about more than just data exfiltration, and also allows for security incidents like DoS attacks to be included.
The structure of the report itself has also evolved; it is no longer threat overview, actors, actions and so on. One of the drivers for this format change was an astounding discovery. Verizon found that over the past 10 years, 92% of all incidents they analyzed could be described by just nine attack patterns. The 2014 report is structured around these nine attack patterns.
I am about to kick off my next Forrester research on targeted attacks. Here is the short abstract: "The threat landscape has evolved but organizations haven't. Leveraging concepts of Zero Trust, this report will detail strategies for protecting against targeted attacks against your organization. We will focus on the pros and cons of various strategies and provide suggestions for maximizing your investments." If you'd like a preview to the tone of this research please see one of my previous blogs: "Kim Kardashian and APTs."
Vendors: The focus of this research is on overall strategy and NOT on specific vendor capabilities. We look forward to detailed vendor conversations when we do follow on Waves or Market Overviews in the future.
Enterprises: If you would like to provide us feedback on your experience with defending against targeted attacks, we would love to hear from you. If you purchased a magic anti-APT box and it is/isn't living up to your expectations, let us know. We are currently scheduling research interviews. Research interviews are open to more than just Forrester clients. If you aren't a client and would like to participate, we will provide you a complimentary copy of the final research upon completion.