Cybersecurity & Networking

Detecting and responding to cyber-threats quickly can mean the difference between a cybersecurity annoyance and a costly data breach. This makes threat detection and response a critical business requirement.

Given this, you’d think that threat detection and response would be well resourced with highly-tuned processes running as efficiently as a Swiss watch. Unfortunately, this is far from true. According to ESG research, threat detection and response is fraught with numerous issues. Here is a list of the top 5 threat detection and response challenges, according to 372 enterprise cybersecurity and IT professionals:

(more…)

My colleague Jon Oltsik had a running blog series entitled “If I Were the Next CEO of Symantec” that he updated every few years when new leadership was introduced. With the recent announcement of Broadcom’s intention to purchase Symantec’s enterprise business unit for $10.7 billion, I thought I would beat him to the punch and create a new blog series, “If I Were the CEO of Broadcom.”

Of course, I’m not a silicon analyst, so my recommendations will be limited to the security side of Broadcom’s business. However, if I were the CEO of Broadcom and my goal was to optimize Symantec’s portfolio and properly leverage my investment, here are a few of the things I would focus on:

• Retire or divest legacy and non-core products: There are areas of the Symantec portfolio that may have made perfect sense at one time but no longer do. Much of this is due to the long (and inconsistent) acquisition history of the company. These product lines represent a small part of the business and, in many cases, limited growth opportunities. Symantec may be better off moving on from them.
  • Network Performance (Blue Coat) and Endpoint Management (Altiris) fall outside of the cybersecurity realm and don’t add a lot of incremental value to the company.
  • Control Compliance Suite (CCS) doesn’t have the breadth of more full-scale risk management platforms like RSA Archer, and has lost ground to smaller players like Tripwire.
  • VIP, Symantec’s two-factor authentication solution, has seen enhancements over the last few years in an attempt to break into the B2C space, but with CA’s Identity suite already under the Broadcom umbrella and limited B2B traction, I’d expect some changes here.
• Continue to invest in the Integrated Cyber Defense approach: ICD is Symantec’s platform architecture and represents an important opportunity moving forward. ESG research has shown that 62% of organizations would consider using a single security vendor for the majority of their security solutions, with efficacy, automation of processes, and operational efficiency being top reasons why. Symantec’s ICD vision puts it in contention to compete for these organizations’ business. Yet further development is required to expand its platform support through the rest of its portfolio, including the cloud, and increase its analytics capabilities. If this happens, Symantec will have a very compelling story to share with its customer base.
• Build deeper integrations between SWG, CASB, and DLP: Symantec has been a market leader in SWG for years but was behind the curve with the shift to cloud. That’s finally been addressed, but the vendor needs to leverage its advantages in CASB and DLP in order to not miss another seismic market shift. ESG has talked about the emergence of elastic cloud gateways, which fully integrate SWG, CASB, and DLP functionality (among other capabilities) in a cloud native, highly scalable platform that provides a globally distributed yet locally accessible experience to users. Symantec has the tools to be a key player in this space, but more work needs to be done both to integrate the products and push the huge ProxySG installed base into the cloud with Symantec rather than a competitor.
• Maintain a presence in email security: It seems like from a solution perspective this is fast becoming one of the forgotten areas of cybersecurity, even though it continues to be the preferred threat vector for attackers. Some of this can be attributed to O365 adoption and the built-in controls Microsoft offers. Yet like with all cloud services, there’s room for native controls and third-party solutions. Symantec has a robust offering here, accounting for filtering, advanced threat detection and response, isolation, and user awareness training. Symantec’s lost a good deal of ground to Proofpoint in this space, but these products provide important telemetry to the rest of the portfolio and will represent a key aspect of any platform strategy.
• Allow services to flourish: Symantec has done most of the hard work of building a strong services organization that boasts consulting and incident response, managed services, and threat intelligence. It’s expanded into the MDR realm recently as well, as that space continues to drive massive amounts of interest. Services is a lower margin business, so some changes may be coming to better fit the Broadcom operating model. But Symantec has been smart about its’ investments here, and the services portfolio gives it differentiation from many competitors. Also, ESG research has found that outside of having a full SIEM product, organizations think that having threat intelligence feeds/analytics and managed services are some of the most important analytics capabilities for enterprise-class vendors.
• Focus on the enterprise, without neglecting the upper mid-market: This will not be Broadcom’s strategy, but I’ll call it out anyway. There’s clearly an opportunity to cross-sell Symantec into the Broadcom strategic enterprise base (via CA). There’s also still expansion possible within existing Symantec accounts, both as the ICD vision comes to fruition and through ensuring the SEP installed base is fully utilizing all related products (i.e., EDR and SEP Mobile). However, some of the fastest growing cyber security companies are focusing further down market—not in the SMB, but to midsize and small enterprises. While we know it’s less expensive to sell to an existing customer than win a new one, Symantec has had limited success in this space for years and it represents another avenue to growth. To grow within the enterprise, you either need a new technology that has few or no competitors, or great technology to displace existing vendors. If Broadcom fully delivers on Symantec’s ICD vision, it can succeed in the enterprise—but in parallel, it should be looking to expand its potential customer base.

Symantec has good technology and a well-known brand but has seen sluggish growth for years. The Blue Coat acquisition had promise, but ultimately failed to deliver the success financially. Symantec is desperate for an injection of operational excellence, which Broadcom can clearly provide. However, for the business to truly succeed there needs to be additional investment—not necessarily through acquisition, but through the realization of the ICDx vision and further product enhancements to deliver the full value of the portfolio. Once the deal closes, Broadcom should quickly and clearly provide specifics on the future of the portfolio to protect Symantec’s installed base. Security is a competitive space, and customers won’t sit back and wait while uncertainty swirls.

About this time every year, the cybersecurity industry heads to “summer camp” in Las Vegas, heading to BSides, Black Hat, and/or DefCon. I attended Black Hat last week along with many members of the ESG cybersecurity team. Here are a few of my takeaways:

1. The “vibe” has changed. There used to be a clear difference between Black Hat and its larger cousin, the RSA Conference. RSA has become an industry show where you talk about business relationships, M&A activities, and VC investments. Alternatively, Black Hat was always a practitioners’ show where the buzz centered on exploits, IoCs, and defensive tactics. Alas, billions of security dollars are taking its toll on poor Black Hat – there was a definite “hurray for the industry” vibe, fraught with banal cocktail parties, Merlot-drinking VCs, and ambulance-chasing vendors. The industry needs a cold shower to remember that its job is protecting critical digital assets, not celebrating 10-baggers. (more…)

Judging by this week’s Capital One breach and Equifax settlement, cybersecurity remains a topical if not ugly subject. The timing couldn’t be better for these unfortunate events. Why? Because the cybersecurity community will get together next week in Las Vegas for Black Hat and Defcon to discuss how to better deal with security vulnerabilities and improve threat prevention, detection, and response. 

I’ll be there along with an assortment of my ESG colleagues. Here are some of the things we’ll be looking for: 

• Network security platforms. While security appliances are far from dead, network security goes well beyond perimeter-based packet inspection of ingress/egress traffic. Alternatively, network security is evolving into a pervasive service inspecting and filtering traffic across physical data centers, virtual servers, and cloud-based workloads of all types. Think central management and distributed enforcement. Vendors like Check Point, Cisco, Forcepoint, Fortinet, Juniper, and Palo Alto Networks get this and are innovating in this direction. That said, how far along are they? Furthermore, are customers buying in or do they continue to look for “best-of-breed” network security technologies of various form factors? We’ll be asking these questions in Vegas conference rooms all week.
• Endpoint security consolidation? Like network security, endpoint security tools are going through a similar amalgamation trend. Endpoint protection platform (EPP) vendors are integrating their endpoint capabilities into more capable platforms and expanding functionality into areas like device coverage, asset management, and EDR. As many EPP vendors innovate to differentiate themselves, the profile of EPP is changing rapidly. Leading vendors have level-set on providing integrated, cloud-delivered multi-layer prevention, detection, and response capabilities combined with managed detection and response (MDR) services, but new services and capabilities are rapidly emerging. We’ll be watching for new announcements about deeper integrations with other security tools, new capabilities for protecting cloud workloads, mobile, and IoT, and extended risk management capabilities.
• Managed detection and response – it’s all about the people. I know I sound like a broken record, but the cybersecurity skills shortage continues to impact every decision CISOs make. Case in point, detecting and responding to threats like Ransomware, phishing, and exploits. Now a lot of the discourse around threat detection will center on threat intelligence synthesis, artificial intelligence, and machine learning (AI/ML) baked into products and services but all the TI in the world and the best ML doesn’t reduce the funnel or accelerate threat detection alone. What does? Experience, processes, and automation. In other words, the human stuff. Yup, humans can reason, see anomalous behaviors that are not apparent to the machines, and then program technology brains for future detection and response actions. Service providers can also work with the cybersecurity staff to map the adversary goals in a way that structures our thinking and response – as in, to the MITRE ATT&CK Framework (MAF), for example. Finally, humans must manage other humans. In this case, enterprise cybersecurity professionals must have the right structure and skills to manage third-party MDR providers effectively. ESG loves technology as much as anyone, but we’ll be looking to find the smartest and most helpful MDR services people next week. 
• Serverless security – the new frontier. Cloud: Serverless functions, or function-as-a-service (FaaS), such as AWS Lambda, Azure Functions, and Google Cloud Functions are becoming more prevalent components of modern cloud-native applications built on a microservices architecture. Because serverless itself is an abstract concept, the associated threat model and security approaches are ambiguous. So, what’s different about serverless? Serverless shifts more of the security responsibility to two parties – the external cloud service provider (CSP) and the internal developer. This changes the shared responsibility model where CSPs are now on the hook for securing the server instances that run the functions, as temporal as they may be. The consumers of these services, absent access to a network tap or the ability to install an agent, needs to gain visibility and control over their use of serverless functions. By shifting left into the development stage, DevOps teams must continuously discover API calls in source code and assess how those APIs are being used at build-time (i.e., with respect to authentication, authorization, encryption of data in motion and more). Logging an audit trail of service-to-service activity and the use of Runtime Application Self-protection (RASP) closes the continuous loop to protect the entire serverless API lifecycle. Do cybersecurity professionals and security technologies get this? We’ll be poking around at Black Hat to find out.
• Security analytics innovation and confusion. A few years ago, security analytics was synonymous with SIEM (security information and event management), but no longer. Security analytics now includes areas like network traffic analysis (NTA), security data lakes, UEBA, threat intelligence platforms (TIPs), etc. Savvy CISOs are playing with many of these but they also want cooperative security analytics where technologies interoperate, complement, and add value to one another. Once security analytics provide high-fidelity data (i.e., alerts, risk scores, etc.) organizations also want to act upon this data through security operations platforms. This is the essence of ESG’s SOAPA (security operations and analytics platform architecture). Yes, there’s tremendous investment and innovation in this area but users are royally confused by the pace of change and market hyperbole. Do they go with a one-stop shop like IBM or Splunk? Do they use open-source software like BRO/Zeek, the ELK stack, or Hadoop? Do they deploy SOAPA on-premises or seek out a cloud-based alternative from the likes of Devo, Google (Chronicle/Backstory), Microsoft (Azure Sentinel), or SumoLogic? I’ll be talking to a lot of SOC analysts at Black Hat to research and help answer these questions.

Despite the heat, crowds, and miles of walking each day, Black Hat is one of my favorite weeks of the year. By the end of the event, I feel like I’ve just gotten a graduate degree in cybersecurity – each year. If you see me or one of my ESG colleagues at Black Hat, make sure to say hello and let us know what you’re up to. Cybersecurity is a collection activity – even in Sin City, it takes a village. 

As Black Hat 2019 quickly approaches, I couldn’t help but think back to the tail-end of my previous life attending industry conferences as an analyst covering network security. By 2014, you couldn’t get a conversation with a user on the show floor if you were a firewall vendor that didn’t offer robust application control. Palo Alto Networks had successfully shifted the industry focus to application layer inspection and next-generation firewalls had all but been accepted as the default standard for network protection. This transition addressed the fundamental shift in internet usage affecting the way we live and work. Traditional Layer 3 and 4 scanning could not provide the visibility and control over Layer 7 traffic required to protect the modern enterprise. Of course, at the time it was the need for control over applications like Facebook, Twitter, and YouTube driving the change. But it clearly foreshadowed the upcoming transition to cloud application usage.

(more…)

Over the past five years, we’ve seen an explosion in security data collection, processing, and analysis. As part of a recent security analytics research project, ESG found that 28% of organizations claimed that they were collecting, processing, and analyzing significantly more security data than they did 2 years ago, while another 49% were collecting, processing, and analyzing somewhat more data during the same timeframe.

(more…)

Black Hat has gotten a lot bigger over the past few years, so many security insiders now compare Black Hat to the RSA Security Conference circa 2012 or so.

This is an accurate comparison from an attendance perspective but there is still a fundamental difference between the shows. In my humble opinion, RSA is an industry event, while Black Hat is more of a cybersecurity professional gathering. The focus is on cyber-adversary tactics, techniques, and procedures (TTPs), threat intelligence, and defensive playbooks. Rather than host lavish cocktail parties, vendors who participate in Black Hat must roll up their sleeves and demonstrate their technology acumen to gain street cred with this crowd.

In the past, a vendor’s technology prowess was usually used as an introduction to some type of security hardware or software. Technically savvy vendors would bond with security analysts as a means for pitching the latest products. In 2019, however, security technical gurus are looking for more than cool security technology alone – they are looking for help.

What’s going on? A global cybersecurity skills shortage, that’s what. ESG research indicates that 53% of organizations say they have a problematic shortage of cybersecurity skills. Furthermore, the recently published research report from ESG and the information systems security association (ISSA) indicates that 73% of organizations have been impacted by the cybersecurity skills shortage. Sixty-six percent of those impacted say the cybersecurity skills shortage has increased the workload on the infosec team, 47% say the cybersecurity skills shortage has led to the inability to learn or use cybersecurity technologies to their full potential, and 41% have had to hire and train junior employees rather than hire more experienced staff.

There’s one more implication around the cybersecurity skills shortage – nearly one-third (32%) of organizations have had to increase their use of professional/managed services because they remain understaffed and lack advanced cybersecurity skills. Like I said, organizations can no longer toe the cybersecurity line alone – they need help.

This brings me back to Black Hat. Yes, there will still be plenty of geeky technologies on display in areas like security analytics and threat detection/response. That said, I predict that managed services will be one of the main themes at Black Hat 2019.

It’s worth noting that managed security services are already making a big inroad at enterprise organizations. According to ESG research, 51% of large firms are already using some type of managed threat detection and response service (MDR) today, while another 42% will do so in the next 12 to 18 months or are interested in doing so. The research also points to the top reasons for adopting MDR:

• 32% of organizations needed a rapid improvement in threat detection and response and thought an MDR service would be more expeditious than deploying threat detection and response technologies.
• 29% of organizations were already working with a managed security service provider so it was easy to add MDR services as part of their contract.
• 28% of organizations admit that MDR services can do a better job at threat detection and response than they can.
• 27% of organizations say that they tried to deploy some type of threat detection and response technology but found that operating this technology was beyond their ability.

Black hat has always been a bully pulpit for security vendors known for their strong technology and threat intelligence knowledge – CrowdStrike, FireEye, Kaspersky Lab, Palo Alto Networks, Trend Micro, etc. These and other firms will maintain a staring role, but given the rapid adoption of managed services, look for others like Accenture, Booz Allen Hamilton, IBM, KPMG, SecureWorks, and Unisys to elbow their way into the spotlight. The new vendor mantra at Black Hat may be, “how can we help?”

Security professionals must resist the temptation to limit their Black Hat focus to security technology bits and bytes. Rather, they should prepare for this transition by bolstering their ability to qualify and manage third-party security service providers and coming to terms with the fact that they need help. As former President Barack Obama said, “Don’t be afraid to ask for help when you need it. Asking for help isn’t a sign of weakness, it’s a sign of strength. It shows you have the courage to admit when you don’t know something, and to learn something new.”

When it comes to threat detection and response, understanding network behavior really matters. According to ESG research, 87% of organizations use network traffic analysis (NTA) tools for threat detection and response, and 43% say that NTA is a “first line of defense” for detecting and responding to threats.  

(more…)