Forrester Predictions: What’s In Store For Privacy In 2016?

Heidi Shey

When evaluating the top 10 critical success factors that will determine who wins and loses in the Age of the Customer in 2016, it comes as no surprise that privacy is one of them. In fact, privacy considerations and strategy augment all of the 10 critical factors to drive business success in the next 12 months.

So, what does this mean for businesses moving forward?

Blue Coat Systems Buys Elastica after Perspecsys

Andras Cser

As we predicted in our Brief: The Emergence of the Cloud Security Gateway, this market is consolidating fast. Blue Coat Systems announced this morning that they are acquiring Elastica. Forrester estimates that the acquisition price was between USD $280M-300M, while Blue Coat Systems has already spent an estimated $180-200M on Perspecsys. Here's how Forrester expects Blue Coat Systems will assemble their Cloud Security Gateway solution:

* Elastica intellectual property (IP): will be used for a) behavioral profiling, b) predictive analytics and c) anomaly detection in access to cloud applications.

* Perspecsys IP: will be used for a) cloud encryption and b) key management.

Blue Coat Systems has a herculean task on their hands: they have to successfully manage

1) Understanding existing Elastica and Perspecsys product portfolios

2) Integrating Elastica and Perspecsys product portfolios into one single CSG offering

3) Integrating the resulting CSG solution with existing Blue Coat Systems solutions,

4) while managing the natural differences, post-acquisition attrition of key management and engineering resources from both acquired companies.

Forrester expects that Blue Coat Systems will be able to do the above in 9-12 months successfully.

Starting soon: Threat Intelligence Platforms research

Rick Holland

In my last threat intelligence blog I discussed my new research on threat intelligence providers. I included a graphic which carved four functional threat intelligence areas: 1) Providers 2) Platforms 3) Enrichment 4) Integration. In December, I will start the next piece of research in the series focusing on Threat Intelligence Platforms (TIPs). This will likely be two reports, one focusing on people, process and use cases and the other focusing on the vendor landscape. My presentation at the 2016 SANS Cyber Threat Intelligence Summit will include some perspective on the state of threat intelligence platforms.

I will be looking into the following functional areas. I'm also going to look beyond TIPs to see how traditional analytics platforms like SIEMs are including these capabilities. I also will look into how SIEMs and TIPs should function in the same environment. I will also address the "roll your own platform" phenomenon that is common in technology firms and large financial institutions. Depending on the size and maturity of an organization, multiple solutions could be involved in addressing the use cases; I will also break that functionality out.

  1. Ingestion 
  2. Enrichment 
  3. Analysis (Important: How does TIP improve tradecraft?)
  4. Exploration 
  5. Integration 
  6. Collaboration
  7. Sharing 

Maximizing Your Investment In Cyberthreat Intelligence Providers

Rick Holland

I just published my latest research on threat intelligence: Vendor Landscape: S&R Pros Turn To Cyberthreat Intelligence Providers For Help. This report builds upon The State Of The Cyberthreat Intelligence Market research from June. In the new research, I divide the threat intelligence space into four functional areas: 1) Providers 2) Platforms 3) Enrichment 4) Integration. This research is designed to help readers navigate the crowded threat intelligence provider landscape and maximize limited investment resources. In this report, we looked at 20 vendors providing a range of tactical, operational, and strategic threat intelligence.

When developing threat intelligence capabilities, one of the most important requirements is to collect and develop your own internal intelligence. Nothing will be as relevant to you as intelligence gathered from your own environment, your own intrusions. Before you invest six figures (or more) in 3rd party threat intelligence, make sure you are investing in your internal capabilities. Relevancy is one of the most important characteristics of actionable intelligence; check out "Actionable Intelligence, Meet Terry Tate, Office Linebacker" for more details on the traits of actionable intelligence.

In the report, I use the traditional intelligence cycle as a framework to evaluate threat intelligence providers. The intelligence cycle consists of five phases:


Forrester’s Security & Risk Research Spotlight: Stuck Between A Hack & Frustrated Customers

Stephanie Balaouras

Are passwords a dying breed? With every other organization getting hacked, many S&R pros would argue that if passwords aren’t dead yet, they should be. Yet many companies such as LogMeIn and LastPass continue to make strategic acquisitions, proving that interest in password management solutions remains high among enterprises and consumers (check out their press release, here). It’s hard to have any confidence in a method that appears to be ineffective, frustrating, and highly outdated. Many companies are attempting to gain back consumer trust by offering voice biometrics, multi-step authentication methods, or other authentication alternatives to supplement or replace their existing policies.

Unfortunately, fraudsters are getting smarter and customers don’t want to spend more than 30 seconds logging into their accounts. With the addition of the multiple banking accounts, online shopping IDs, and social media platforms that almost every consumer uses daily, the challenge for these companies to keep all online accounts secure while also providing the painless log-in that customers are demanding can quickly turn into a catch-22. What is easy and convenient for customers is also incredibly insecure, thus making them the perfect bait for cybercriminals.


Europe Leads In Global Privacy – Announcing Forrester's 2015 Data Privacy Heat Map

Christopher Sherman

Businesses are moving toward personalization, which means they’ll increasingly collect personal data to get a better idea of what their customers want and need. In the age of the customer, defined by Forrester as a 20-year business cycle when successful enterprises will reinvent themselves as digital businesses in order to serve their increasingly powerful customers, protecting customer data is a critical aspect of fostering trust and building long-lasting relationships.

Regardless of location, all countries should have this goal in mind, but privacy regulations vary from country to country and often conflict with each other. For global organizations, navigating these laws can be daunting. To help businesses tackle this challenge, Forrester published its 2015 Data Privacy Heat Map. Originally created in 2010, the tool leverages in-depth analyses of the data privacy-related laws and cultures of 54 countries around the world, helping security leaders and decision-makers better design their own approaches to privacy and data protection.


Fingerprint authentication enters online banking at Bank of America - and signals FIDO's first major adoption event

Andras Cser

Bank of America's website and press release say that you can use your TouchID on iOS to sign into BofA's mobile application on iOS.

This move is a major milestone in FIDO's and fingerprint biometrics' adoption in the mainstream consumer authentication market. Forrester expects fingerprint authentication will greatly improve the customer experience - no more fumbling with hard-to-type passwords on small smartphone keyboards. It's important to note that matching the fingerprint to authenticate the user happens in the mobile application on the mobile device. As such, it is not a true two-factor, strong authentication where the match happens on the server side.

CyberArk acquires ViewFinity, underscores endpoint privilege escalation's importance in privileged identity and access management

Andras Cser

Today's acquisition of ViewFinity (an endpoint privilege escalation vendor) by CyberArk signals an important taxonomy shift in Privileged Identity / Access Management.

Of major PIM suite vendors, BeyondTrust, CA Technologies and Centrify have their own endpoint privilege escalation solutions for Windows and Linux. Dell and Microfocus have only Linux-based solutions. Balabit, Hitachi-ID, Lieberman, and Thycotic do not have any; they usually partner with Avecto and Bit9.

Today's acquisition will a) further reduce the already small number of eligible/acquirable endpoint privilege escalation vendors and b) create further differentiation between partial and full PIM suite providers.

Forrester’s Security & Risk Spotlight – Rick Holland

Stephanie Balaouras

Newly minted Vice President and Principal Analyst, Rick Holland, is one of the most senior analysts on our research team. But for those of you who haven’t had the opportunity to get to know him, Rick started his career as an intelligence analyst in the U.S. Army, and he went on to hold a variety of security engineer, administrator, and strategy positions outside of the military before arriving at Forrester. His research focuses on incident response, threat intelligence, vulnerability management, email and web content security, and virtualization security. Rick regularly speaks at security events including the RSA conference and SANS summits and is frequently quoted in the media. He also guest lectures at his alma mater, the University of Texas at Dallas.

Rick holds a B.S. in business administration with an MIS concentration (cum laude) from the University of Texas at Dallas. Rick is a Certified Information Systems Security Professional (CISSP), a Certified Information Systems Auditor (CISA), and a GIAC Certified Incident Handler (GCIH).


What Does It Mean To Have Privacy As A Competitive Differentiator?

Heidi Shey

In 2015, 26% of global security decision makers consider privacy as a competitive differentiator for their organization.* But what does that even mean? And how would an organization achieve this?

Last week I was out in Las Vegas for Privacy. Security. Risk. and moderated a panel on this topic. Panelists included Michael McCullough (CPO, VP, Enterprise Information Management and Privacy, Macy's), Nathan Taylor (Partner, Morrison & Foerster), and Jamie May (VP of Operations, AllClear ID). Two things were clear:

  1. The ability and desire to use privacy as a competitive differentiator heavily depends on the nature of the business. For example, a cloud provider would approach this differently vs a company that sells gasoline.
  2. Treating privacy as a competitive differentiator vs marketing/selling with it are separate concepts. Some organizations may choose to embrace both. Treating privacy as a competitive differentiator has more to do with corporate culture, privacy practices, and your privacy team. The notion of responsible information management came up several times during the panel session. There is also risk involved with marketing/selling with privacy as a competitive differentiator; if you make a promise, you must be able to fulfill it.