
Takeaways from Gartner Security and Risk Management UK

Posted by Mike Banic, VP of Marketing on Oct 12, 2015 1:53:00 PM


I attended the Gartner Security and Risk Management Summit in London on Sept. 14 and 15 and would like to share some key takeaways from presentations by analysts Earl Perkins, Jeremy D’Hoinne and Neil MacDonald. The following are messages that resonated with me:

Message #1: Prevention only fails

Gartner Presentation: “Lessons Learned on Advanced Threat Defense Strategies and Tools,”
Jeremy D’Hoinne, Sept. 14, 2015

With malware going undetected for 229 days and 67 percent of breaches detected by third parties [1], it is clear that prevention alone is not a strategy for success.

After the session, I had a conversation with another delegate about how they already have a wide range of users (e.g., employees, suppliers, partners, customers) who access their network and applications from a wide range of devices (e.g., laptop, tablet, smartphone). The challenge this creates for him is managing the risk created by this huge number of interactions.

Message #2: Defending against targeted attacks is driven by risk

Gartner Presentation: “Top Trends and Take-aways for Cybersecurity,”
Earl Perkins, Sept. 14, 2015

I asked my fellow delegate about the technologies he is using, which include next-generation firewalls and a SIEM. The “SIEM Wizard” in his security operations team just left for another company and the team is struggling with the number of discrete alerts received by the SIEM. He wants a solution that is more automated. He said he plans to shift more of his security investment from prevention to detection.

Message #3: There is more than one way to detect advanced threats

Gartner Presentation: “Lessons Learned on Advanced Threat Defense Strategies and Tools,”
Jeremy D’Hoinne, Sept. 15, 2015

Before using any new technology, it is important to understand the capabilities of the products we already have, determine the security gaps and determine how new technology will fit into existing processes or deliver process improvement.

Another delegate I met determined that there was a huge gap in understanding whether threats had evaded their firewall. She was evaluating a network traffic analysis solution and hired a firm to conduct a penetration test during the proof-of-concept trial to determine how well the new product would fill that gap. We exchanged cards because I want to learn whether the new technology detected the actions of the penetration tester.

Message #4: Our world view is flawed

Gartner Presentation: “Gartner’s Adaptive Security Architecture: New Approaches for Advanced and Insider Threats,”
Neil MacDonald, Sept. 15, 2015

We no longer live in a world where we can have pure black lists, white lists and grey lists. The best example is when Wired magazine reported that hackers are using Gmail drafts to update their malware and steal data [2]. Gmail is an approved application for nearly every company and the traffic is from a reputable website.

Message #5: Models of both “good” and “bad” are needed

Gartner Presentation: “Gartner’s Adaptive Security Architecture: New Approaches for Advanced and Insider Threats,”
Neil MacDonald, Sept. 15, 2015

This resonated with me because sometimes the most dangerous attacks may not use malware that is detectable with a signature or payload analysis via a sandbox. Some attacks simply use the same tools that are used every day on an organization’s network in order to steal from it. One great example is the Carbanak APT [3], where the attackers used the same tools as bank administrators in order to steal money from the bank.

The notion of creating a baseline to understand what “good” looks like makes sense, but I don’t know that it is a best practice adopted by many organizations. The baseline would reduce the false-positive detections of systems that are looking for “known bad” threats and reduce false negatives of systems that will simply pass through “known good” traffic that may have hidden threats in them.

My first thought is that more organizations would do this if it could be automated with algorithms since they are already short on staff and the budget to hire more talented personnel.
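As an added illustration of the point above (this is not code from the post or from Vectra), the following Python sketch contrasts a pure “known good” allow-list with a per-host baseline built from constructed hourly request counts: the allow-list passes everything bound for an approved mail site, while the baseline flags the one host whose rate to that same approved site has jumped far above its own norm, which is the shape of the Gmail-drafts case in Message #4. Host names, destinations and counts are all constructed sample data.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records, not real telemetry: (host, destination, requests_per_hour).
# "Training" window: two workstations using the approved mail site at a normal rate.
BASELINE_WINDOW = [
    ("ws-01", "mail.google.com", 12), ("ws-01", "mail.google.com", 9),
    ("ws-01", "mail.google.com", 14), ("ws-01", "mail.google.com", 11),
    ("ws-02", "mail.google.com", 7),  ("ws-02", "mail.google.com", 10),
    ("ws-02", "mail.google.com", 8),  ("ws-02", "mail.google.com", 9),
]
# Observation window: ws-02 now contacts the same approved site roughly once a minute.
OBSERVED = [
    ("ws-01", "mail.google.com", 13),
    ("ws-02", "mail.google.com", 60),
    ("ws-02", "unknown-host.test", 3),
]
ALLOWED = {"mail.google.com"}  # constructed "white list" of approved destinations


def allowlist_only(records):
    """'Known good' policy: pass anything bound for an approved destination, flag the rest."""
    return [r for r in records if r[1] not in ALLOWED]


def build_baseline(records):
    """Per (host, destination): mean and population std-dev of hourly request counts."""
    counts = defaultdict(list)
    for host, dst, n in records:
        counts[(host, dst)].append(n)
    return {key: (mean(vals), pstdev(vals)) for key, vals in counts.items()}


def baseline_anomalies(records, baseline, z=3.0, floor=2.0):
    """Flag counts more than z standard deviations above that host's own norm for that
    destination. 'floor' stops a very tight baseline from flagging trivial wobble, and a
    pair with no history at all is flagged so an analyst can triage it."""
    flagged = []
    for host, dst, n in records:
        if (host, dst) not in baseline:
            flagged.append((host, dst, n, "no baseline for this pair"))
            continue
        mu, sigma = baseline[(host, dst)]
        if n > mu + z * max(sigma, floor):
            flagged.append((host, dst, n, f"{n}/h vs baseline mean {mu:.1f}/h"))
    return flagged


if __name__ == "__main__":
    print("allow-list only:", allowlist_only(OBSERVED))
    print("with baseline:  ", baseline_anomalies(OBSERVED, build_baseline(BASELINE_WINDOW)))
```

The allow-list alone flags only the unknown destination; the baseline additionally catches the approved-site traffic whose volume no longer matches that host’s history.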

Message #6: The adaptive security architecture offers a model for the future

Gartner Presentation: “Gartner’s Adaptive Security Architecture: New Approaches for Advanced and Insider Threats,”
Neil MacDonald, Sept. 15, 2015

The adaptive security architecture has four key building blocks – prevent, detect, respond and predict – and each has three functional blocks, for a total of 12 elements.

Vectra Networks fully automates the real-time capabilities of “detect incidents” and “confirm and prioritize” in the “Detect” phase. To learn more about how Vectra delivers advanced threat defense with network traffic analysis, watch this webinar with Vectra CTO Oliver Tavakoli featuring Gartner analyst and vice president Lawrence Orans.



1. 2014 Mandiant Malware Report, Mandiant, https://dl.mandiant.com/EE/library/WP_M-Trends2014_140409.pdf.
2. Hackers Are Using Gmail Drafts to Update Their Malware and Steal Data, Andy Greenberg, Wired magazine, Oct. 29, 2014.
3. The Greatest Heist of the Century: Hackers Stole $1 bln, Kaspersky Lab blog, Feb. 16, 2015, https://blog.kaspersky.com/billion-dollar-apt-carbanak/7519/.
