Gartner presentation risq dec 2016 jie zhang
CONFIDENTIAL AND PROPRIETARYThis presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other intended recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates. © 2016 Gartner, Inc. and/or its affiliates. All rights reserved.
Top Security Trends and Take-Aways
Jie Zhang
Security for the Next Generation of Threat
A pervasive digital presence is expanding into business, industry and society.
Once networked, this digital presence substantively alters risk for digital businesses.
Digital security is the next evolution in cybersecurity to protect this pervasive digital presence.
Security Macro Trends You Face in the Age of the Pervasive Digital Presence
Risk and Resilience Seek Balance
Security Disciplines Converge
Secure Digital Supply Chain Needs Grow
Security Skills Options Expand
Adaptive Security Architecture Embraced
Data Security Governance Arrives
Digital Business Drives Digital Security
Security Moves to an Embedded State in the Organization
Figure (diagram labels): Risk and Resilience; Governance, Compliance, Control, Protection; Reliability, Speed, Assurance, Transparency; Privacy and Safety; Value and Cost.
Security Principles for Trust and Resilience
Principle of Trust and Resilience (diagram labels): Business Outcomes, Risk-Based, Data Flow, Facilitator, Detect and Respond, People-Centric.
Take-Aways for Risk and Resilience Balance
Revisit the security organizational structure to ensure it reflects current mission
Revise the methods used to calculate IT risk to incorporate new variables and factors
Refine the security communication and education process to emphasize agility
Digital Security for the Pervasive Digital Presence
Figure (diagram labels): axes Defense to Offense and Reactive to Proactive; IT Security, Information Security, IoT Security, OT Security and Physical Security converging into Digital Security; "You Are Here" marker.
"Digital Safety" Becomes a New Force and Responsibility
The CIAS Model of Digital Security (diagram labels): Confidentiality, Integrity, Availability and Safety, applied across Data, People and Environments.
Graphics: Can Stock Photo
Take-Aways for Security Convergence
Establish security governance and planning relationships with physical and industrial counterparts
Improve cross-discipline procurement methods for security requirements
Modify security architecture to include additional layers where required
Investigate changes in security management and operations that may be required to accommodate convergence
Integrated Digital Security for the Supply Chain(s)
Figure (diagram labels): Supply Chain; Digital Supply Chain; Digital Security for the Supply Chain(s); IT Security, Information Security, IoT Security, OT Security and Physical Security within Digital Security.
Expanding (and Confusing) SaaS Control Add-On Markets
Today's enterprise suffers from coordination frustration, which encourages the evolution of multicloud, multifunction management consoles.
Figure (diagram labels): SaaS Aggregation Tool; Before and During Login; After Login; SIEM, Software Asset Management, Activity Threat Control, Archive and Recovery, Cloud Access Security Broker, EMM, Confidentiality, IDaaS, Mobile Device Management, Service Monitoring, Malware Control.
Take-Aways for Securing the Cloud (Supply Chain)
Develop an enterprise public cloud strategy.
Implement and enforce policies on usage responsibility and cloud risk acceptance.
Follow a cloud life cycle governance approach.
Develop expertise in the security and control of each cloud model used.
Implement technologies to fight cloud diffusion complexity.
Conduct a risk assessment (the decision establishes requirements for technical and process controls).
Figure (risk assessment matrix labels): Potential Impact of Security Failure (Low to High) against Business Contribution (Value of Service) (Low to High); cells labelled Always Allowed, Medium Exposure and Do Not Allow.
Assess the Most Critical Skills Impacts of Digital Security
Already, Traditional Security Strategies Are Shifting To:
– Contextual Security Monitoring and Response
– Ubiquitous Identity Management
– Data Classes, Data Governance
– Security Awareness, Privacy & Behavior
– Embedded Security
– Network Segmentation, Engineering
– Physical Security Automation
Key Take-Aways to Accelerate Skills Generation and Convergence
Build a long-term security workforce plan.
Make coaching and skills development the first task.
Embed security skills within the lines of business.
Change security specialists to "versatilists."
Mix traditional and agile recruitment techniques.
Evaluate current skills gaps.
Adaptive Security Architecture Is Embraced
Software-Defined Everything, Including Security
Figure (diagram labels): Applications; Northbound APIs; API Platform with Layers of Abstraction ("Control Plane"); Southbound APIs; "Data Plane".
Develop an Adaptive Security Architecture
Figure (diagram labels), four continuous stages arranged around Continuous Visibility and Verification of Users, Systems, System activity, Payload and Network:
– Predict: Anticipate threats/attacks; Baseline systems and security posture; Risk-prioritized exposure assessment
– Prevent: Harden systems; Isolate systems; Prevent attacks
– Detect: Detect incidents; Confirm and prioritize risk; Contain incidents
– Respond: Remediate; Design/Model policy change; Investigate incidents/retrospective analysis
Posture cycle labels: Policy, Compliance, Implement posture, Monitor posture, Adjust posture.
Threat Intelligence Platforms Allow You to Visualize, Correlate and Gain Context
Figure (diagram labels):
– Open-Source MRTI Feeds: Emerging Threats, Shadowserver, ZeuS Tracker, Abuse.ch
– Commercial Feeds: Norse, IID, Cyveillance, Malcovery
– Enrichment Services: GeoIP, Malware Lookup, Domain Tools
– OSINT Sources: News RSS Feeds, Websites
– Threat Intelligence Platform: Analytics, Threat Intelligence Processing, Visualization, Reporting, Forensics, Threat Intelligence Sharing, Incident Response
– People: SOC Analyst, Fraud Analyst, Threat Analyst, Management, Malware Analyst, Help Desk
– Process: Circle of Trust Sharing, Workflow/Escalation, Communication, Fraud
– Technology: Secure Web Gateway, NGFW, IPS/IDS, Logs
Take-Aways for Adaptive Security Architecture
Shift security mindset from "incident response" to "continuous response"
Spend less on prevention; invest in detection, response and predictive capabilities
Favor context-aware network, endpoint and application security protection platforms
Develop a security operations center
Architect for comprehensive, continuous monitoring at all layers of the IT stack.
Data Security Governance Arrives
Develop a Data-Centric Audit and Protection Approach
Figure (diagram labels): Data Security Policy; Data Classification and Discovery Policy; Assessment of Users and Permissions; User Monitoring and Auditing; Activity Monitoring; Analysis and Reporting; Data Security Controls; Protection (Blocking, Encryption, Tokenization and Data Masking).
Take-Aways for Data Security Governance
Prioritize organization-wide data security governance and policy.
Identify and implement risk-appropriate data security controls by data type where possible.
Implement a DCAP strategy that includes disciplined and formal product selection.
Incorporate big data plans and unique requirements into security strategy.
Digital Business Drives Digital Security
Securing a Pervasive Digital Presence (the Internet of Things)
Figure (diagram labels): Things, Agents, Gateways, IoT Edge Processing, Communications, Integration, IoT Platform Middleware, Analytics, Applications, Data, Cloud, Mobile, MES, ERP, Partners, Core Business Processes.
Security requirements:
– Policy creation and management
– Monitoring, detection and response
– Access control and management
– Data protection
– Network segmentation
Key challenges:
– Scale
– Diversity (age and type)
– Function
– Regulation
– Privacy
– Standardization
Recommendations: Focus on small scenarios. Use risk-based prioritization. Emphasize segmentation and access initially.
Cyber Risks and Consequences in an IoT Solution
Figure (diagram labels): Enterprise and Consumer; consequences of Business Disruption, Espionage and Fraud, and Financial Waste; IoT Platform risks of Platform Hacking, Data Snooping and Tampering, and Sabotaging Automation and Devices; Edge risks of Device Impersonation, Device Hacking and Device Counterfeiting; Snooping, Tampering, Disruption, Damage; Dev. and Prod.
IAM Trends of 2015-2016 That Include an Identity of Things
Figure (diagram labels): IAM Program Management and Governance; (Digital) Business and Operational Needs; (Digital) Risk Management and Compliance; People, Things, Apps and Data; Relationships and Interactions.
Take-Aways for Digital Security
Balance Risk and Resilience
Make the Security Discipline Decision
Enhance Digital Security Supply Chains
Retool Security Skills
Embrace Adaptive Security Architecture
Selectively Improve Security Infrastructure
Embrace Data Security Governance