Kicking Off Forrester's "Targeted Attack Hierarchy Of Needs" Research

Rick Holland

I am about to kick off my next Forrester research on targeted attacks.  Here is the short abstract: "The threat landscape has evolved but organizations haven't. Leveraging concepts of Zero Trust, this report will detail strategies for protecting against targeted attacks against your organization. We will focus on the pros and cons of various strategies and provide suggestions for maximizing your investments." If you'd like a preview to the tone of this research please see one of my previous blogs: "Kim Kardashian and APTs."

  • Vendors:  The focus of this research is on overall strategy and NOT on specific vendor capabilities. We look forward to detailed vendor conversations when we do follow on Waves or Market Overviews in the future. 
  • Enterprises:  If you would like to provide us feedback on your experience with defending against targeted attacks, we would love to hear from you.  If you purchased a magic anti-APT box and it is/isn't living up to your expectations, let us know.  We are currently scheduling research interviews.  Research interviews are open to more than just Forrester clients.  If you aren't a client and would like to participate, we will provide you a complimentary copy of the final research upon completion. 
Read more

If Everything Is Threat Intelligence, Then Nothing Is Threat Intelligence

Rick Holland

The hype surrounding threat intelligence has continued to build since I wrote the blog "My Threat Intel Can Beat Up Your Threat Intel” in mid-2012.  S&R pros are responding to both the hope and promise of threat intelligence. According to our Forrsights survey data, 75% of security decision-makers report that establishing or improving threat intelligence capabilities is a top priority for their organization.   

One of the most significant challenges in leveraging threat intelligence is operationalizing it. Today, there are two broad categories of organizations that leverage threat intelligence. I’ll use an analogy to describe them. The US television show “Sons of Anarchy” follows the lives of an outlaw motorcycle club. The Sons of Anarchy refer to themselves as “1%ers”: They have the power, resources, and means to accomplish anything they desire. This is in contrast with the 99% who are merely motorcycle enthusiasts without these capabilities.  Some of these early adopters include financial services, technology, and manufacturing companies. 

Read more

Why You Should NOT Build Your Own Authentication Framework And Solution In-House. See OWASP A2.

Andras Cser

We regularly get the question: should we build our web authentication and single sign-on solution?

Here's why you should not do it: OWASP 2013 lists "Broken Authentication and Session Management" as the No.2 item to pay attention to when you design your web site. OWASP.org says:

"Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities."

Implementing your own session and key management, validation, update, periodic rollover, etc. mechanisms in a scalable and fault tolerant way is extremely difficult. We regularly get inquiries from clients who want to replace their own in-house built web single sign-on framework -- mostly because they have been hacked or it's too expensive to operate and update.

This is why we see open source and commercial Web Access Management packages and solutions critically important to protect your web assets. Since they are mostly mature technologies, they protect against not just authentication and session management problems but often against cross site scripting and other older threats as well. If you use a newer product or a pure federation product, make sure that the vendor or supplier can help you answer your questions based on the the OWASP list.

Check out https://www.owasp.org/index.php/Top_10_2013-Top_10 for more details on the OWASP Top 10 for 2013.

 

 

Forrester expects a wave of acquisitions of cloud IAM providers

Andras Cser

With 1) SalesForce and other large SaaS vendors announcing grandiose plans for cloud IAM, not just for access control but also provisioning and 2) long-standing IAM 'arms suppliers' extending into the cloud (CA CloudMinder, SailPoint) we are already seeing pureplay cloud IAM players (Okta, OneLogin, Ping, etc.) starting to scratch their heads as to how to deal with the pressure. 

 

Forrester expects that we will see the following in the next 12-18 months:

1) Wave of acquisitions of cloud IAM providers. Those IAM vendors (SAP, Oracle, NetIQ, Quest, McAfee, RSA and even Symantec and Cisco etc.) that have not yet built an IAM framework or don't have on-premise IAM products they could turn into a cloud service will probably want to get into the game sooner rather than later. This will start a wave of acquisitions of cloud IAM providers. Now is the time to acquire and to get acquired in the cloud IAM space.

2) Moving of user stores into the cloud. We predicted this in 2012, but it's becoming a reality now. It is increasingly clear that on premise user directories (AD, LDAP, etc.) are starting to be only used for basic services and there is a great need for cloud based directories to support an increasing number of SaaS applications. Cloud IAM vendors we talk to (UnboundID and Okta) have announced plans to help customers with this migration.  SalesForce.com OEM agreement with ForgeRock to create SalesForce Identity Connect is the first step in this direction. Identity bridges or connectors which connect on-premise user stores to the cloud provider’s user store will play a critical role and be the hardest first step in this transition.  

Read more

Kicking off the Forrester Web Content Security Wave

Rick Holland

We are about to kickoff our next Forrester Wave on web content security.  The inclusion criteria for vendor prequalification will be sent out within the next two weeks. We will be focusing on both traditional web gateways as well as the hybrid and SaaS delivery models. What does this mean for you?

  • Vendors:  If you feel that your solution applies to this Wave, please contact us and let us know that you'd like to be sent the prequalification survey.  We will be limiting the number of vendors participating in this evaluation. 
  • Enterprises:  If you would like to provide us feedback on your experience with web content security solutions and vendors, we would love to hear from you.  We plan to leverage your feedback for evaluation criteria as well as score weighting.  

Please contact Kelley Mak (kmak at forrester.com) if you are interested in participating.   We expect this Wave will publish in the Spring of 2014. (Fine print: This is a publication estimate and this date is subject to change.) 

Insights From McAfee Focus

Stephanie Balaouras

Last week, I and several analyst from Forrester’s Security & Risk team, including Chris McClean, John Kindervag, Tyler Shields, Heidi Shey, and Chris Sherman, attended McAfee’s annual Focus conference in Las Vegas.

I attend numerous security and IT conferences each year, most of which simply blur together into a vendor cacophony about the perils of social, cloud, and mobile device adoption or the ever present danger from devious cybercriminals and nefarious state-sponsored agents. The uniform repetition of this narrative from every vendor in the industry reminds me of the drowning din of thousands of cicadas awakening from hibernation. McAfee Focus had a different feel. And overall, compared to other conferences, it was a worthwhile trip, and not just because Chris McClean and I won at craps, but because while McAfee did pay homage to the technical security pros in the audience with the requisite discussion of the changing threat landscape and accompanying hacking demo, there was a palpable difference in their narrative, particularly in CEO Mike DeCesare’s keynote. Here are a few notable highlights from the conference:

Read more

Cold War Security: Four Phones, Two Doors, A Scrap Of Paper, And A Lighter

Renee Murphy

Outside of Tempe is a place called Sahuarita, Arizona. Sahuarita is the home of Air Force Silo #571-7 where a Titan missile, that was part of the US missile defense system and had a nine-megaton warhead that was at the ready for 25 years, should the United States need to retaliate against a Soviet nuclear attack.  This missile could create a fireball two miles wide, contaminate everything within 900 square miles, hit its target in 35 minutes, and nothing in the current US nuclear arsenal comes close to its power. What kept it secure for 25 years? You guessed it...four phones, two doors, a scrap of paper, and a lighter. 

Photo Credit: Renee Murphy

Technology has grown by leaps and bounds since the cold war. When these siloes went into service, a crew supplied by the Air Force manned them. These men and women were responsible for ensuring the security and availability of the missile. Because there was no voice recognition, retinal scanning, biometric readers, and hard or soft tokens, the controls that were in place were almost entirely physical controls. All of the technology that we think of as keeping our data and data centers secure hadn’t been developed yet. It is important to note that there was never a breach. Ever.

It might be an occupational hazard, but I can relate almost anything to security and risk management, and my visit to the Titan Missile Museum at AF Silo #571-7 was no exception. The lesson I took from my visit: there's room for manual controls in security and risk management. 

Read more

Scenario modeling is anything but a guess

Renee Murphy

Emergency management professionals say,  “The plan is useless, but the planning is priceless.”  There is a lesson in there for risk managers and it’s about the value of scenario modeling.

The Federal Emergency Management Administration (FEMA) conducted a study to determine the likelihood and impact of a hurricane hitting New Orleans. FEMA assembled the paramedics, fire department, emergency room doctors, parish officials, and other responders in a hotel in New Orleans for "Hurricane Pam". Their goal was to plan for the worst-case scenario. The group was given the following scenario:

  1. A slow moving, category-3 hurricane would directly hit New Orleans.
  2. The storm surge would cause the levees to top, but not break.
  3. The National Weather Service showed how the storm would form, what track it would take and what parishes would be effected.
Read more

NASA Flunked Its Cloud Computing Audit: Are You Next?

Renee Murphy

Ok, so NASA failed an audit. Don’t we all? I think it is important to understand the government’s cloud computing adoption timeline before passing judgment on NASA for failing to meet its cloud computing requirements. And, as someone who has read NASA’s risk management program (and the 600 pages of supporting documentation), I can say that this wasn’t a failure of risk management policy or procedure effectiveness.  Clearly, this was a failure of third-party risk management’s monitoring and review of cloud services.  

The Cloud Is Nebulous

Back in 2009, NASA pioneered cloud technology with a shipping container-based public cloud technology project named Nebula -- after the stellar cloud formation. (I love nerd humor, don’t you?)

Photo Source: NASA

During 2009, NASA, to determine if current cloud provider service offerings had matured enough to support the Nebula environment, did a study. The study proved that commercial cloud services had, in fact, become cheaper and more reliable than Nebula. NASA, as a result of the study, moved more than 140 applications to the public sector cloud environment.

In October of 2010, Congress had committee hearings on cybersecurity and the risk associated with cloud adoption.  But remember, NASA had already moved its noncritical data (like www.nasa.gov or the daily video feeds from the international space station, that are edited together and packaged as content for the NASA website) to the public cloud in 2009.  Before anyone ever considered the rules for such an adoption of these services.

Audit Recommendations

Read more

Are You In A Decision Trap? You Decide.

Renee Murphy

Before joining Forrester, I ran my own consulting firm. No matter how ridiculous the problem or how complicated the solution, when a client would ask if I could help, I would say yes. Some people might say I was helpful, but I was in an overconfidence trap. There was always this voice in the back of my mind that would say, “How hard could it be?” Think of the havoc that kind of trap can have on a risk management program. If any part of the risk program is qualitative, and you are an overconfident person, your risk assessments will be skewed. If you are in an overconfidence trap, force yourself to estimate the extremes and imagine the scenarios where those extremes can happen. This will help you understand when you are being overconfident and allow you to find the happy medium.

Have you ever padded the budget of a project “just to be safe”? I hate to tell you this, but you are in the prudence trap.  By padding the project budget, you are anticipating an unknown. Many other managers in your company may be using the same “strategy.” But the next time you do a project like this, you will pad the budget again, because the inherent uncertainty is still there. The easiest way to keep your risk management program out of the prudence trap is to never adjust your risk assessments to be “on the safe side,”  There is nothing safe about using a psychological trap to predict risk.

Read more