Exploring The IoT Attack Surface

Jeff Pollard

Merritt Maxim and I just published our research on the IoT Attack Surface. This report gives a realistic, but not sensationalized, view of how enterprises need to think about IoT. Three factors motivated our research for this topic - attacks on IoT will transcend the digital-physical divide, the sheer scale of IoT will challenge security teams, and IoT devices collect massive amounts of data.

The following methodology allowed us to home in on concrete enterprise scenarios:

  • We went for offense first. We started by interviewing prominent security researchers who spend their days thinking about how to attack IoT devices and systems. Our outside-in approach allowed us to develop a threat model for intrusions, as well as identify weak points in the defenses of IoT makers, users, and operators.
  • We explored the ramifications of an attack. We wanted to understand what an attacker would - or could - do when successful. We also wanted to understand the amount of friction that existed for whatever came next - credential harvesting, persistence, or disrupting operations.
  • We examined existing security practices to understand what works, and what doesn't when defending IoT devices. This step highlighted that while IoT is different, defending IoT looks similar to other security problems S&R pros have dealt with. You can bring security lessons forward and apply them to IoT without having to learn them all over again.

Introducing The Forrester Wave™: Digital Risk Monitoring, Q3 2016

Nick Hayes

We recently published our Forrester Wave™: Digital Risk Monitoring, Q3 2016 report. We evaluate nine of the top vendors in this emerging market that offer solutions to continuously monitor “digital” -- i.e., social, mobile, web, and dark web -- channels to detect, prevent, and mitigate any type of risk event posing a threat to organizations today.

Why now

It’s almost 2017 and yet companies are more exposed and less equipped to handle the slew of risks that run rampant across countless digital channels today. Digital risk monitoring (DRM) solutions are increasingly valuable for organizations because:

  • Digital channels are now ground zero for cyber, brand, and even physical attacks. Cybercriminals use a variety of tactics to weaponize social media, impersonate or embed malware into mobile apps, deface websites, collude in dark channels, and cause financial, reputational, or physical harm. Digital risk monitoring tools combat these methods by deploying a variety of data-gathering and advanced risk analysis techniques. They aggregate data via open-source intelligence (OSINT), technical intelligence (TECHINT), human intelligence (HUMINT), and even covert human intelligence (CHIS). Then they analyze the collected data with data classifiers, machine learning, and risk scoring algorithms to determine the most likely and most threatening risk events in a quick and efficient manner.

Can Salesforce Really Prescribe An End-to-End Sales Process?

John Bruno

Last week, nearly 170,000 business and technology professionals descended on San Francisco for Salesforce’s annual conference, Dreamforce. The event itself was rife with discussions on social responsibility and charity, but most attendees, including myself, attended for other reasons. We wanted Salesforce to pull back the curtains on what it saw for the future of sales.

Once things got underway, Salesforce’s Einstein took center stage… quite literally. We’ll get to Einstein in just a bit, but not to be overshadowed by Einstein, Salesforce unequivocally made their keynote about sales. 2016 was a landmark year for Salesforce and their commitment to sales. They closed on their acquisitions of SteelBrick and Demandware, and used Dreamforce as the stage to rebrand them as Salesforce CPQ and Commerce Cloud respectively. So what does all this mean? It means that regardless of sales channel, Salesforce is fighting harder than ever to be your selling platform of choice… and they make a pretty compelling case.

Let’s take a closer look at the case Salesforce is making. To do so, we must understand Salesforce’s pillars of technology supporting sales.

  • Sales Cloud delivers core CRM functionality for sellers. Sales Cloud is the bread and butter for Salesforce. For many of its customers, Sales Cloud represents the foundation of technology enabled selling processes. From account and opportunity management to pipeline management and white space analysis, Sales Cloud helps sales and sales leaders strategize and prioritize their sales efforts.

S&R Analyst Spotlight: Josh Zelonis

Stephanie Balaouras

Based on the West Coast, Senior Analyst Josh Zelonis is the newest addition to the S&R team. When he’s not out cruising his Harley, Josh is working with clients to adapt their architecture, policies, and processes to evolving threats and to develop robust incident response programs. His research focuses on threat intelligence, endpoint detection and response (EDR), malware analysis, pen testing/red teaming, forensics and investigations, and of course, incident response.


Prior to joining Forrester, Josh accumulated over 13 years of experience as a security practitioner with demonstrated success in product architecture, engineering, and security assessment roles. As a product architect, Josh helped design and build innovative technologies in the breach detection space, architecting both endpoint and appliance products with a focus on data collection and analytics. His background also includes extensive experience in security assessment roles including red team, vulnerability research, and compliance.

Listen to Josh’s conversation with me to hear about his biggest surprises since starting as a Forrester analyst, his most frequent client inquiries, and the topics he's excited to research in the coming year:


What do you foresee as the biggest threat to security and privacy in the United States in the next ten years?


Emerging Technologies To Power Your Systems Of Insight

Brian Hopkins

In 2014, I recognized something was a bit off with all the big data excitement and I started interviewing companies to get to the bottom of it. In 2015, Ted Schadler and I published the first of my ideas in the report "Digital Insights Are The New Currency Of Business." In that report, we pointed out what was wrong - big data only focused on how to turn more data into more insight. It didn’t say anything about how to turn that insight into more action. In that report we defined a system of insight, which focused big data energy on implementing insights in software using closed loops that create action and continuous learning.

Nokia “Connects” Network Services To Customer Experience

Dan Bieler

Nokia’s services division recently hosted an analyst event where it elaborated on the interlinkage between network services and network infrastructure. Of course, network services matter to businesses and telcos because they help technology managers to better manage infrastructure complexity and to modernize network infrastructure with the goal of making networks faster and more reliable. However, there are more fundamental implications:

  • Network services add value to products and open new business areas. Customers want features and services that are relevant to them in the immediate context of their needs and desires. As more products become connected, network services will play a critical role in developing and enhancing such features. Moreover, network services play a central role in driving augmented and virtual-reality solutions in outdoor conditions, such as those already used in manufacturing by Caterpillar or in construction by BAM Group.

The No. 1 Barrier To Effective Digital Transformation

Nigel Fenwick

In a recent post, I wrote about how digital experiences shape customer perceptions of value. But it's easy to forget that your organization's culture also shapes your customer's perception of value.

Earlier this week, I was moderating a panel on digital transformation at a Software AG event in New York. In opening the event, Kevin Niblock, Software AG's North America President and COO, described digital business as "a cultural phenomenon." Organizational culture plays an enormous role in the ability of a company's employees to transform a traditional business into a digital business.

If you're not the CEO, you might be forgiven for thinking that you have little control over your corporate culture. But we all have the opportunity to shape our organization's culture. And while nurturing the company culture is arguably one of the most important jobs of the CEO, it is also a critical capability for any leader.

Former IBM Chairman and CEO, Lou Gerstner, reminds us of this in an excellent Wall Street Journal (WSJ) article: "The Culture Ate Our Corporate Reputation". Gerstner writes: "What is critical to understand here is that people do not do what you expect but what you inspect. Culture is not a prime mover. Rather it is a derivative. It forms as a result of signals employees get from the corporate processes that structure their work priorities."


Vertical clouds - less useful than you're meant to believe, but still useful

Paul Miller

How often have you been told you can't use a mainstream public cloud provider? Quite often, probably, especially if you happen to work in a regulated industry like banking or healthcare. And what justifications are you given? The regulator "won't let you," no doubt? That's a good one. And "it's not secure" is often pretty close behind. Either that, or the argument that generic public cloud infrastructure can't possibly meet your very special, very unique, very carefully crafted mix of requirements?

Sadly, despite the frequency with which they're trotted out, these attempts at justification stand a pretty good chance of being either hearsay, or just complete nonsense.

It's easy not to change, and to justify your inertia with reference to the scary, punitive, hopelessly luddite regulator. It's easy to continue lovingly polishing the hideously complex snowflake your internal computing environment has become. It's far harder to look at the truth behind the hearsay, and to work out when doing something different might — or might not — be the better approach for your business, and its effort to win, serve, and retain customers.

My latest report, Bespoke Vertical Clouds Become Less Important As Public Clouds Do More, takes a look at some of the rationale for using vertical cloud solutions in these situations. Often — but definitely not always — you may discover that a generic public cloud provider will do the job just as well. Or maybe even better.

Drunk History of Your Mobile Strategy

Ted Schadler

Everybody can name their favorite apps. But can you name even two mobile websites you love? We can't. So we stared into the awful maw of the mobile web to learn how to fix it. 65 companies signed up to help. Along the way, we found problems stemming from the journey you've taken to be in your customer's pocket.

My colleague Danielle Geoffroy brilliantly realized that it was a drunk history, so we wanted to share it with you.

  • 2008: "There's an app for that." Savvy developers jailbroke the first iPhone so they could build apps. Apple then launched the Apple App Store and chaos ensued as every developer and company piled on the apps as the mobile strategy. (And y'all invented the pub game, "there's an app for that.") You ignored the mobile web.
  • 2010: Responsive retrofits tiny-ize websites but miss the mobile moment. Agencies and creative developers swooped in to magically morph brands' giant desktop websites into "mobile-friendly" websites. But that strategy led to the quiet crisis that responsive web design is not mobile-first.
  • 2016: Apps are winning . . . just not yours. Forrester's data shows that US consumers used 26 apps last year and 26 apps this year. (Millennials use . . . wait for it . . . 28 apps.) Consumers have enough apps — they don't want more. What's worse, they spend 60% of their total mobile time (web and app) in just three apps — usually owned by Facebook and Google.

R.I.P. BlackBerry Phones

Ted Schadler

An era has passed. BlackBerry will no longer make phones. RIM opened our eyes when it put the power of digital communications into our pockets. Email on the go was the beginning of the mobile mind shift.

I loved the passion of Mike Lazaridis and his team for building great devices that we'd drive home and get if we left them on the counter. His devices were the first to inspire such passion, such intimacy, such a feeling of empowerment that we now all take for granted. He started it.

As a software guy, I was always saddened by the clunky interface for apps other than email and messaging, but I loved the power flowing into my palms from the BlackBerry devices I carried.

Then along came iPhone. As a software guy, it only took a few months of jailbroken phones and developer-built apps before I realized that the real mobile revolution had arrived -- a computer in your pocket. That's when the mobile mind shift really kicked in, as Julie Ask, Charlie Golvin, and Thomas Husson recognized very early.
