ESG Blogs

One of the marketing campaigns that resonated the most with me over the last few years is the messaging behind Trend Micro’s XGen campaign because it aptly captures the challenge cybersecurity teams face: the complexity of securing multiple generations of technology. That is, it’s not just about next-gen. It’s also about protecting the last gen, and whatever comes after next-gen.

After all, while we still have mainframes, tape libraries, and Oracle running on UNIX, appdev teams are leveraging public cloud platforms and a rich set of microservices to rapidly build and deliver applications. Such heterogeneity represents a requirement to secure a diverse set of applications stacks deployed across hybrid, multi-clouds. Palo Alto Networks' stated intention to acquire Twistlock and PureSec, the former for container security, and the latter for serverless security, is a strong move to add cloud-native application security controls to companies' already extensive product portfolio.

In this video blog, ESG’s new principal analyst, Christina Richmond, and I preview what we expect to see at RSA Conference 2019. The scope and scale of RSA Conference continues to grow with adjunct events held by industry organizations such as the Cloud Security Alliance, vendors, and ESG with our own breakfast event. A few of the topics we expect to be front and center at this year’s RSA Conference include:

As a follow-up to VMworld US in Las Vegas this past August, VMware reiterated its compelling albeit ambitious strategy at VMworld Europe in Barcelona. From my perspective, that strategy is well aligned with the flexibility today’s enterprises require – the ability to run any app on any cloud accessed from any device with intrinsic security. This is the true essence of hybrid clouds for which VMware has a comprehensive definition – private cloud, public clouds, as well as Telco clouds – and a plan to offer a hybrid cloud control plane with equally flexible delivery options.

As a cybersecurity industry analyst, I am admittedly guilty of being myopic in looking for security to be the leading act in the keynote at major industry events. Such was the case at AWS re:Invents of the past when security was front and center starting with a discussion about the shared responsibility security model, the foundation of any cloud security program. That started to change in the last few years with security playing more of a supporting role in Andy Jassy's and Werner Vogels' keynotes. To be clear - it’s not that AWS is now being dismissive of security by any stretch, it’s simply that security is no longer an impediment to the adoption of public cloud platforms, at least those operated and secured by major CPS such as AWS, who has always treated security as job #1. AWS no longer needs to convince the market the cloud is secure, the conversation is now about how to meet your part of the shared responsibility model.

Integrating, and thus automating, security via the continuous integration and delivery (CI/CD) processes of DevOps, an approach referred to as “DevSecOps,” is a topic that had, until somewhat recently, been discussed largely only at DevOps and cloud-specific forums and events. But DevSecOps is coming of age. The ongoing adoption of DevOps by enterprise organizations, and the growing interest in bringing security along for the ride, is getting the topic a bigger stage, with DevSecOps being presented in sessions at more mainstream events such as RSA Conference, the CISO Summit at Black Hat, and VMworld. The adoption of application containers and the Kubernetes environment that orchestrates their lifecycle across the build-ship-run continuum has also been a catalyst for CI/CD integrated security. Because DevSecOps starts with a cultural shift, leverages CI/CD methods, and requires purposeful controls, it is an amorphous concept not only hard to define, but challenging to make actionable.

Amidst the backdrop of a stated intent to relieve cybersecurity point tool fatigue by consolidating vendors, there is a lot of discussion, and confusion, around cybersecurity platforms. We’ve seen this before in both cybersecurity and other IT domains as products become features and products get aggregated into suites delivered on a platform comprised of a set of shared services.

In this video, my colleague Jon Oltsik and I share some of our thoughts from the recent CISO Summit at Black Hat 2018. While respecting the event’s Chatam House Rules that require us to keep CISO comments anonymous, we have a conversation about some of the takeaways from the panels and presentations at the event on central cybersecurity topics including:

Over the last few months, some established cybersecurity brands have made strategic moves while emerging market leaders have announced compelling capabilities and initiatives. This notable level of industry activity is indicative of an acceleration of market maturity driven by a cloud security readiness gap. That is, most IT and cybersecurity teams are catching up to secure the cloud services, applications, and infrastructure, their organization is already using, and to do so, they are retooling their processes, policies, skills, and technologies.

Endpoint security is one of the most dynamic areas of cybersecurity and one that is in a state of constant change. To combat both the relatively pedestrian and more sophisticated range of attacks, most organizations, according to research conducted by the Enterprise Strategy Group, are implementing multiple compensating measures. The actions taken to improve endpoint security are across the dimensions of processes, skills, and technologies. In fact, ESG’s research reveals that 69% of organizations regularly reevaluate the effectiveness of their endpoint security strategies. Why all the attention on endpoint security? The epidemic levels of ransomware experienced in 2016 through 2017 and that are sure to extend into this year served as a catalyst for many IT and cybersecurity professionals to rethink how they secure their endpoints.

Ransomware incidents reached epidemic levels in 2016 with high profile attacks on health care organizations highlighting the operational impacts of cyber extortion by impeding the ability of some targeted organizations to deliver patient care. Cybercriminals continued to employ tried and true attack vectors and methods, principally phishing, to execute a transactional ransomware business model across multiple industries.