ESG Blogs

I spent the early part of this week in Orlando, attending Splunk .Conf 2018. Here are a few of my takeaways:

1. Splunk articulated a vision of security analytics/operations for 2020 that included 10 areas:
   1. Data ingestion. Collecting and processing a growing body of security telemetry.
   2. Detection. Finding and blocking known threats.
   3. Prediction. Using advanced analytics to identify new attacks and then spreading the warning around to all connected customers.
   4. Automation. Automate all pedestrian tasks and accelerate more complex tasks.
   5. Orchestration. Use APIs to connect security controls together for investigations and remediation actions.
   6. Recommendation. Monitor and record security operations and then recommend proven actions to the SOC team.
   7. Investigation. Provide intuitive tools to figure out what cyber-attacks are happening and why they are happening.
   8. Collaboration. Offer a workbench for security operations while connecting to collaboration tools like Slack.
   9. Case management. Deliver a security-centric tracking system that spans security incident management lifecycles. 
   10. Reporting. Providing a central place to measure all aspects of reporting.

When you think of security analytics and operations, one technology tends to come to mind – security information and event management (SIEM). SIEM technology was around when I started focusing on cybersecurity in 2002 (think eSecurity, Intellitactics, NetForensics, etc.) and remains the primary security operations platform today. Vendors in this space today include AlienVault (AT&T), IBM (QRadar), LogRhythm, McAfee, and Splunk.

Cybersecurity professionals are paid to be paranoid and tend to want to control everything they can to minimize surprises or third-party dependencies This has always been the case with regards to security technology.  Historically, CISOs mistrusted managed services, preferring instead to “own” the deployment and operations associated with their security technologies. 

Hadoop and NoSQL workloads are pervasive in production environments and require enterprise-class data protection, yet few data protection solutions offer such capabilities. That’s the problem Imanis Data is zooming in on. Imanis Data is demonstrating that it is squarely focused on product execution and is putting its B-round of $13.5 million from earlier this year to good use. The recent announcement of v 4.0 introduces many new data protection features, including some innovative machine learning-based capabilities. More information in this ESG Brief, Imanis Data Launches Version 4.0 and Delivers Machine Learning-based RPO.

Integrating, and thus automating, security via the continuous integration and delivery (CI/CD) processes of DevOps, an approach referred to as “DevSecOps,” is a topic that had, until somewhat recently, been discussed largely only at DevOps and cloud-specific forums and events. But DevSecOps is coming of age. The ongoing adoption of DevOps by enterprise organizations, and the growing interest in bringing security along for the ride, is getting the topic a bigger stage, with DevSecOps being presented in sessions at more mainstream events such as RSA Conference, the CISO Summit at Black Hat, and VMworld. The adoption of application containers and the Kubernetes environment that orchestrates their lifecycle across the build-ship-run continuum has also been a catalyst for CI/CD integrated security. Because DevSecOps starts with a cultural shift, leverages CI/CD methods, and requires purposeful controls, it is an amorphous concept not only hard to define, but challenging to make actionable.

This conversation with Doug Cahill examines the crucial - but all-too-often overlooked - necessity for cooperation between DevOps and Security teams. While there’s pretty much universal agreement that built-in security is better than bolted-on security, nonetheless the apparently (or at least potentially) competing objectives of DevOps (faster, faster, leaner) and Security (careful, careful, preclude risk) can appear to run counter to everyone’s desires. 

Hello dedicated readers! My blog is back from a restful week’s vacation on Cape Cod and ready to tackle the falling leaves, changing temperatures, and cybersecurity issues of Autumn.

Back in August, I wrote a few blogs about cybersecurity trends in small and mid-sized organizations (i.e. between 50 and 499 employees). The first blog looked at the state of cybersecurity at SMB firms and the second blog examined what they are doing to address these issues. 

Each year, ESG conducts a research project with the Information Systems Security Association (ISSA) on the mindset of cybersecurity professionals (the 2017 report is available here). As part of last year’s research, we asked respondents to identify the top actions their organizations should take in the future to improve cybersecurity. We then looked at this data based upon respondents’ roles, so we could look at the specific recommendations from CISOs (or other titles with equivalent job descriptions). 

Based upon this analysis:

Amidst the backdrop of a stated intent to relieve cybersecurity point tool fatigue by consolidating vendors, there is a lot of discussion, and confusion, around cybersecurity platforms. We’ve seen this before in both cybersecurity and other IT domains as products become features and products get aggregated into suites delivered on a platform comprised of a set of shared services.

In this video, my colleague Jon Oltsik and I share some of our thoughts from the recent CISO Summit at Black Hat 2018. While respecting the event’s Chatam House Rules that require us to keep CISO comments anonymous, we have a conversation about some of the takeaways from the panels and presentations at the event on central cybersecurity topics including: