Some vendors just cannot let go of their "precious appliances!"

We just published my latest research, the Forrester Wave: SaaS Web Content Security, Q2 2015. Forrester categorizes web gateways/forward proxies into this web content security category. I did something different with this evaluation: instead of looking at on-premises appliances, I only evaluated the SaaS deployment model. If a vendor didn't have a SaaS delivery model, we didn't include them in the Wave.
 
The decision to focus this Wave on the SaaS model wasn't popular with some of the vendors we evaluated. The majority of vendors who sell web proxies lead with the on-premises delivery model and relegate SaaS to a niche deployment option. As users, their endpoints, and their applications move outside the perimeter and into the cloud, the traditional web gateway model is being disrupted; yet many vendors are still very attached to their appliances. Instead of evaluating a very mature on-premises market, I wanted to focus this Wave on the future.

Read more

The State Of The Cyberthreat Intelligence Market

If the RSA Conference was any indicator, threat intelligence has finally joined the ranks of cloud and advanced persistent threat as ambiguous/overused terms that mean many different things to many different people. If you were given a dollar, pound or euro every time you heard "threat intelligence," there is no doubt you could fund your security budget for decades to come. Your biggest challenge would be determining how to invest some of that money into threat intelligence capabilities.

To help Forrester clients navigate the threat intelligence market, I have several pieces of research underway. The first report, "The State Of The Cyberthreat Intelligence Market," has just been published. In it I discuss the frenzied venture capital and vendor investment in the threat intelligence space. I also provide guidance on how security and risk professionals should navigate the marketing hype to make the best investment of their limited resources. I am currently writing the second report, "Market Overview: Threat Intelligence Providers." Here is a snippet from the latest research that illustrates just how much vendor focus we have seen. Since October of 2014:

  • There have been three acquisitions and eight fundraising rounds.
  • iSight Partners (Critical Intelligence) and Lookingglass (Cloudshield) have each raised funds and made an acquisition.
  • Of the acquisitions, only one company publicly disclosed the acquisition amount: $40 million (Proofpoint).
  • The eight fundraising rounds raised a total of $102.5 million.

Read more

Introducing A New Incident Response Metric: Mean Time Before CEO Apologizes (MTBCA)

For years cybersecurity professionals have struggled to adequately track their detection and response capabilities. We use Mean Time to Detection/Containment/Recovery. I wanted to introduce an additional way to track your ability to detect and respond to "sophisticated" adversaries: Mean Time Before CEO Apologizes (MTBCA). Tripwire’s Tim Erlin had another amusing metric: Mean Time To Free Credit Monitoring (MTTFCM).

Here are some examples (there are countless others) that illustrate the pain associated with MTBCA:

1) CareFirst breach announced 20 May 2015

2) Premera breach announced 17 March 2015

Your CEO doesn't want to have to deliver a somber apology to your customers, just like you don't want to have to inform senior management that a "sophisticated attack" was used to compromise your environment. Some of these attacks may very well have been sophisticated, but I'm always skeptical. In many cases I think "sophisticated" is used to deflect responsibility. For more on that, check out "The Millennium Falcon And Breach Responsibility."

Read more

The Millennium Falcon And Breach Responsibility

Do you remember the scene from The Empire Strikes Back where the Millennium Falcon is trying to escape an Imperial Star Destroyer? Han Solo says, “Let’s get out of here, ready for light-speed? One… two… three!” Han pulls back on the hyperspace throttle and nothing happens. He then says, “It’s not fair! It’s not my fault! It’s not my fault!”

Later in the movie, when Lando and Leia are trying to escape Bespin, the hyperdrive fails yet again. Lando exclaims, “They told me they fixed it. I trusted them to fix it. It's not my fault!” In the first case the transfer circuits were damaged, and in the second case stormtroopers disabled the hyperdrive.

Ultimately they were at fault; they were the captains of the ship, and the buck stops with them. It doesn't matter what caused the problems; they were responsible. Excuses don't matter when a Sith Lord is in pursuit.

I am seeing a trend where breached companies might be heading down a similar “it’s not my fault” path. Consider these examples:

Read more

New Research: Know Your Adversary

Mandiant's APT1 report changed the threat intelligence marketing game, and you would be hard pressed to find a cybersecurity company that doesn't have a research/intelligence team that produces threat actor reports. The past few weeks have seen a significant amount of threat intelligence marketing around threat actor groups. FireEye released "APT28: A Window into Russia’s Cyber Espionage Operations?" The analytics firm Novetta released "Operation SMN: Axiom Threat Actor Group Report."
 
We have even seen law enforcement documents on threat actors. In August, Mr. Su Bin, a Chinese national, was indicted for the theft of Boeing’s trade secrets. The criminal complaint regarding Su Bin’s activities became public in June and offers a fascinating perspective into espionage as a service.
 
Read more

The Militarization Of Information Security

Does something like this sound familiar? "We need to find, fix, finish, exploit, analyze, & disseminate this intrusion set along the kill chain via force multipliers so we can observe, orient, decide, and act according to tactical, operational, and strategic priority intelligence requirements." I bet that part of it does. 

These days it seems that we cannot escape military concepts making their way into information security strategy. Firms are attempting to implement the kill chain, and vendor marketing headlines these concepts. I've contributed to it as well. See: "Force Multipliers - What Security & Risk Professionals Can Learn From Special Forces."

I think that it is important to keep in mind that we aren't the military and don't have the resources of the military. While military concepts can be useful, buzzwords won't secure your environment; you could become distracted and spend your limited resources in the wrong places. As I was sorting out my Black Hat calendar tonight, I fortuitously saw a talk that is very applicable to this topic: "The Library of Sparta," with David Raymond, Greg Conti, and Tom Cross. Here is part of their abstract:

Read more

Say “Small Footprint” Again. I Dare You, I Double Dare You.

During the past 18 months or so, we have seen the emergence of innovative endpoint security solutions. The list is long; it is hard to keep track of all the solutions in the space. In no particular order, here is a sampling: Bromium, Invincea, IBM Trusteer, Cylance, Palo Alto Networks Next-Gen Endpoint Protection (Cyvera), Microsoft Enhanced Mitigation Experience Toolkit (EMET), Bit9 + Carbon Black, Confer, CounterTack Sentinel, Cybereason, CrowdStrike Falcon Host, Guidance Software Cybersecurity, Hexis HawkEye G, FireEye HX, Triumfant, Tanium, and Verdasys Digital Guardian.

I take many briefings from these types of vendors (primarily the ones I cover in Forrester’s Endpoint Visibility and Control category), and within the first 5 minutes of the conversation the vendor mentions that their solution has a “small footprint.” The use of this phrase is the equivalent of nails scratching their way across a chalkboard for me. When was the last time you heard anyone say that they have a “large footprint?” Please provide more information: Do you run in user land or kernel land? What are the impacts on CPU and memory utilization? Even if a vendor truly has a “small footprint,” when that new agent is deployed to a host that already has four or five agents running, the collective footprint is far from small.

Read more

got STIX?

The sharing of threat intelligence is a hot topic these days. When I give conference talks, I typically ask how many organizations see value in sharing, and most in the room will raise their hands. Next, I ask how many organizations are actually sharing threat intelligence, and roughly 25% to 30% of the room raise their hands. When our 2014 Security Survey data comes in, I will have some empirical data to quote, but anecdotally, there seems to be more interest than action when it comes to sharing. I wrote about some of the challenges around sharing in “Four Best Practices To Maximize The Value Of Using And Sharing Threat Intelligence.” Trust is at the epicenter of sharing, and just like in "Meet the Parents," you have to be in the circle of trust. You can enable sharing, but automating trust does take time.
Read more

Are You Down With CIP (Critical Infrastructure Protection)?

I am kicking off a new research series on critical infrastructure protection. The first report is titled: “Brief: S&R Pros Can No Longer Ignore Threats To Critical Infrastructure.”

Critical infrastructure is frequently on my mind, especially the ICS/SCADA within the energy sector. I live in Texas; oil and natural gas are big here, y'all. I'm just a short distance away from multiple natural gas drilling sites. I cannot help but think about the risks during the extraction and transport of this natural gas. North Texas has seen an attempt to bomb the natural gas infrastructure: in 2012, Anson Chi attempted to destroy an Atmos Energy pipeline in Plano, Texas. As a security and risk professional, I wonder about the potential cyber impacts an adversary with Chi's motivations could have.

Read more

Introducing Forrester’s Targeted-Attack Hierarchy Of Needs

We recently published part 1 of a new series designed to help organizations build resiliency against targeted attacks. In the spirit of Maslow, we designed our Targeted-Attack Hierarchy Of Needs. One factor that significantly drove the tone and direction of this research was Forrester client inquiries and consulting. Many organizations were looking for a malware sandbox to check off their targeted attack/advanced persistent threat/advanced threat protection/insert-buzzword needs. Malware analysis has a role in enterprise defense, but focusing exclusively on it is a myopic approach to addressing the problem.

Part 1 of the research is designed to help organizations broaden their perspective and lay the foundation for a resilient security program. Part 2 (which I am currently writing, at a non-George R.R. Martin pace) will move beyond the basics and address strategies for detecting and responding to advanced adversaries. Here is a preview of the research and the six needs we identified:

Read more