By Neil MacDonald, vice-president & distinguished analyst, Gartner Inc.
With security a top priority in most organizations these days, it can be overwhelming to narrow down the endless list of potential security projects.
Chief information security officers (CISO) should focus on projects that reduce the most amount of risk and have the largest business impact. Consider these 10 security-improving projects for your organization.
No. 1: Privileged account management
This project is intended to make it harder for attackers to access privileged accounts and should allow security teams to monitor behaviors for unusual access. At a minimum, CISOs should institute mandatory multifactor authentication (MFA) for all administrators. It is also recommended that CISOs use MFA for third-party access, such as contractors.
Tip: Phase in using a risk-based approach (high value, high risk) systems first. Monitor behaviors.
No. 2: CARTA-inspired vulnerability management
Inspired by the Gartner continuous adaptive risk and trust assessment (CARTA) approach, this project is a great way to tackle vulnerability management and has significant risk reduction potential. Consider exploring when the patching process is broken and IT operations are unable to keep up with the number of vulnerabilities. You can’t patch everything, but you can significantly reduce risk by prioritizing risk management efforts.
Tip: Require your virtual assistant/virtual machine vendor to provide this and consider mitigating controls in your analysis, such as firewalls.
No. 3: Active anti-phishing
Aimed at organizations that continue to experience successful phishing attacks against their employees. This requires a three-pronged strategy: technical controls, end-user controls and process redesign. Use technical controls to block as many phishing attacks as possible. But make users an active part of the defense strategy.
Tip: Don’t single out groups or individuals for doing the wrong thing; spotlight those who exhibit the right behaviors. Ask your email security vendor if they can undertake this project. If not, why?
No. 4: Application control on server workloads
Organizations looking for a “default deny” or zero trust posture for server workloads should consider this option. This project uses application control to block the majority of malware as most malware is not whitelisted. “This is a very powerful security posture,” said MacDonald. It has proven to be successful against Spectre and Meltdown.
Tip: Combine with comprehensive memory protection. This is an excellent project for the Internet of Things (IoT) and systems that no longer have vendor support.
No. 5: Microsegmentation and flow visibility
This project is well-suited for organizations with flat network topologies — both on-premise and infrastructure as a service (IaaS) — that want visibility and control of traffic flows within data centers. The goal is to thwart the lateral spread of data center attacks. If and when the bad guys get in, they can’t move unimpeded.
Tip: Make visibility the starting point for segmentation, but don’t over segment. Start with critical applications and require your vendors to support native segmentation.
No. 6: Detection and response
This project is for organizations that know compromise is inevitable and are looking for endpoint, network or user-based approaches for advanced threat detection, investigation and response capabilities. There are three variants from which to choose:
- Endpoint protection platforms (EPP) + enhanced data rate (EDR)
- User and entity behavior analytics (UEBA)
- Deception
The latter is a small but emerging market ideal for organizations looking for in-depth ways to strengthen their threat detection mechanisms with high-fidelity events.
Tip: Pressure EPP vendors to deliver EDR and security information and event management (SIEM )vendors to provide UEBA capabilities. Require a rich portfolio of deception targets. Consider MDR “lite” services directly from the vendor.
No. 7: Cloud security posture management (CSPM)
This should be considered by organizations in search of a comprehensive, automated assessment of their IaaS/platform as a service (PaaS) cloud security posture to identify areas of excessive risk. Organizations can choose from several vendors including cloud access security brokers(CASBs).
Tip: If you have a single IaaS look to Amazon and Microsoft first. Make this a requirement for your CASB vendor.
No. 8: Automated security scanning
This project is for organizations that want to integrate security controls into DevOps-style workflows. Begin with an open source software composition analysis and integrate testing as a seamless part of DevSecOps workflows, including containers.
Tip: Don’t make developers switch tools. Require full application programming interface (API) enablement for automation.
No. 9: Cloud access security broker (CASB)
This project is for organizations with a mobile workforce looking for a control point for visibility and policy-based management of multiple-enterprise, cloud-based services.
Tip: Start with discovery to justify the project. Weight-sensitive data discovery and monitoring as a critical use case for 2018 and 2019.
No. 10: Software-defined perimeter
This project is aimed at organizations that want to reduce the surface area of attacks by limiting the exposure of digital systems and information to only named sets of external partners, remote workers and contractors.
Tip: Re-evaluate risk of legacy virtual private network (VPN)-based access. Pilot a deployment in 2018 using a digital business service linked to partners as a use case.
Neil MacDonald is vice president and distinguished analyst at Gartner, Inc. Mr. MacDonald is a member of Gartner’s information security, privacy and risk research team, focusing on securing next-generation virtualized and cloud-based computing environments from advanced attacks.
