
Takeaways from Gartner Security and Risk Management UK

By:
Mike Banic, VP of Marketing
October 12, 2015

I attended the Gartner Security and Risk Management Summit in London on Sept. 14 and 15 and would like to share some key takeaways from presentations by analysts Earl Perkins, Jeremy D’Hoinne and Neil MacDonald. The following are messages that resonated with me:

Message #1: Prevention only fails

Gartner Presentation: “Lessons Learned on Advanced Threat Defense Strategies and Tools,” Jeremy D’Hoinne, Sept. 14, 2015

With malware going undetected for 229 days and 67 percent of breaches detected by third parties [1], it is clear that prevention alone is not a strategy for success.

After the session, I had a conversation with another delegate about how they already have a wide range of users (e.g., employees, suppliers, partners, customers) who access their network and applications from a wide range of devices (e.g., laptop, tablet, smartphone). The challenge this creates for him is trying to manage the risk created by this huge number of interactions.

Message #2: Defending against targeted attacks is driven by risk

Gartner Presentation: “Top Trends and Take-aways for Cybersecurity,” Earl Perkins, Sept. 14, 2015

I asked my fellow delegate about the technologies he is using, which include next-generation firewalls and a SIEM. The “SIEM Wizard” in his security operations team just left for another company and the team is struggling with the number of discrete alerts received by the SIEM. He wants a solution that is more automated. He said he plans to shift more of his security investment from prevention to detection.

Message #3: There is more than one way to detect advanced threats

Gartner Presentation: “Lessons Learned on Advanced Threat Defense Strategies and Tools,” Jeremy D’Hoinne, Sept. 15, 2015

Before using any new technology, it is important to understand the capabilities of the products we already have, determine the security gaps and determine how new technology will fit into existing processes or deliver process improvement.

Another delegate I met determined that there was a huge gap in understanding if threats had evaded their firewall. She was evaluating a network traffic solution and hired a firm to conduct a penetration test during the proof-of-concept trial to determine how well the new product would fill their gap. We exchanged cards because I want to learn whether the new technology would detect the actions of the penetration tester.

Message #4: Our world view is flawed

Gartner Presentation: “Gartner’s Adaptive Security Architecture: New Approaches for Advanced and Insider Threats,” Neil MacDonald, Sept. 15, 2015

We no longer live in a world where we can have pure black lists, white lists and grey lists. The best example is when Wired magazine reported that hackers are using Gmail drafts to update their malware and steal data [2]. Gmail is an approved application for nearly every company and the traffic is from a reputable website.

Message #5: Models of both “good” and “bad” are needed

Gartner Presentation: “Gartner’s Adaptive Security Architecture: New Approaches for Advanced and Insider Threats,” Neil MacDonald, Sept. 15, 2015

This resonated with me because sometimes the most dangerous attacks may not use malware that is detectable with a signature or payload analysis via a sandbox. Some attacks simply use the same tools that are used every day on an organization’s network in order to steal from it. One great example is the Carbanak APT [3], where the attackers used the same tools as bank administrators in order to steal money from the bank.

The notion of creating a baseline to understand what “good” looks like makes sense, but I don’t know that it is a best practice adopted by many organizations. The baseline would reduce the false-positive detections of systems that are looking for “known bad” threats and reduce false negatives of systems that will simply pass through “known good” traffic that may have hidden threats in them.

My first thought is that more organizations would do this if it could be automated with algorithms since they are already short on staff and the budget to hire more talented personnel.

Message #6: The adaptive security architecture offers a model for the future

Gartner Presentation: “Gartner’s Adaptive Security Architecture: New Approaches for Advanced and Insider Threats,” Neil MacDonald, Sept. 15, 2015

The adaptive security architecture has four key building blocks – prevent, detect, respond and predict – and each has three functional blocks, for a total of 12 elements.

Vectra Networks fully automates the real-time capabilities of “detect incidents” and “confirm and prioritize” in the “Detect” phase. To learn more about how Vectra delivers advanced threat defense with network traffic analysis, watch this webinar with Vectra CTO Oliver Tavakoli, featuring Gartner vice president and analyst Lawrence Orans.

1. 2014 Mandiant Malware Report, https://dl.mandiant.com/EE/library/WP_M-Trends2014_140409.pdf.
2. Hackers are using Gmail drafts to update their malware and steal data, Andy Greenberg, Wired magazine, Oct. 29, 2014.
3. The greatest heist of the century: hackers stole $1 bln, https://blog.kaspersky.com/billion-dollar-apt-carbanak/7519/, Feb 16, 2015.

About the author

Mike Banic

Mike Banic is the vice president of marketing at Vectra, with extensive experience in global marketing, product marketing and product management, in addition to previously serving on the board of the Ronald McDonald House at Stanford.
