Wednesday, January 20, 2016

From my Gartner Blog - Security Market Madness

There has been a common feeling of confusion these days during vendor briefings related to “what the product is about”. It’s crazy, but we’ve been spending a lot of time just trying to match the products to existing definitions. It could be just a case of outdated definitions and the need to create new ones (Noooooooooo), but it’s deeper than that: We are seeing many different capabilities being packaged in completely different ways. So, you talk to a vendor known as an “Endpoint Detection and Response” vendor, who could also be seen as a regular (or NG) Antivirus or, wait for it, a behavior analytics tool vendor!

That’s confusing not only for us analysts; it also makes it harder for clients to assess and select products. We know it is happening because when we talk to clients and vendors we see tools presumably from different “categories” competing against each other in the same initiatives. There are organizations out there comparing a UBA tool with EDR, or NFT with SIEM, etc. Why is this happening?

I can see two possible explanations:

  • No one has a clue about what they need to buy or even what they need: This is the cynic in me speaking. Organizations working in a crazy reactive mode under the pressure of “doing something” convert that into “buying something”, without necessarily knowing what is necessary and what should be bought. Of course, this is a very common and well-known path to failure.
  • Organizations are approaching the same problems in vastly different ways: There is the old saying that there are “many ways to skin a cat”. There are many ways of “doing security” too. Security organizations can be split into different roles and groups, using different sets of tools and building on top of different architectures. Of course, much of it will be very similar, but there’s room for different approaches. The diversity in product packages could be explained by organizations approaching the vendors with the same requirements grouped into different sets according to how they chose to operate.

I believe the truth is somewhere between those two. Is there anything else I’m missing here? Maybe the incentives for vendors to get VC funding are shaping how they present their offerings too? What do you think is behind this craziness?

Anyway, I believe the RSA Conference next month will give us a good opportunity to try to answer that. Let’s see what the Expo floor will look like and what people will be saying there.

The post Security Market Madness appeared first on Augusto Barros.

from Augusto Barros

Tuesday, January 19, 2016

From my Gartner Blog - Webinar on Security Monitoring Use Cases

As I mentioned (many times) before, our current research covers Security Monitoring Use Cases. We’ve been busy writing about that, and the paper will be available soon to Gartner clients. However, I’m also delivering a webinar on the subject later this month. Good news: this one is open to everyone! Feel free to sign up via the link below, and please bring your questions too :-)

Developing Security Monitoring Use Cases: How to Do It Right
January 28th, 9AM EST

Discussion Topics:

  • How to select security monitoring use cases
  • How to prioritize use cases for implementation
  • How to optimize security monitoring use cases

Security monitoring systems are only effective when the appropriate content is implemented and optimized to provide results. This webinar provides guidance on how to effectively identify, prioritize, implement and optimize security monitoring use cases.



Thursday, January 14, 2016

From my Gartner Blog - Yes, Give Deception a Chance!

So, Anton finally brought the deception subject up on his blog, leaving a small bait for me at the end of his post. Ok, that’s a great subject with which to resume my blogging activities in 2016.

A few years ago I jumped into a discussion about the evolution of honeypots and how to make them more useful for enterprises. The “Honeytoken” term was born at that moment, but it was in fact an old concept (just check Cliff Stoll’s “Cuckoo’s Egg” book, where he applied the idea to catch the hacker playing with his systems back in the 1980s). The idea was widely discussed at that time, but, like many other deception techniques, it has never become a mainstream thing, and the majority of organizations still don’t do anything similar. Why, we keep asking?


The main reason is that applying deception (I’m considering deception here as a detection mechanism only) is hardly ever seen as a requirement for having decent security. With most organizations struggling to keep their heads above water, it wouldn’t make sense to invest time and resources in something that is not a “must”. Deception is certainly not a basic and fundamental security control, and it doesn’t make sense to invest in it when you’re still struggling with the basics. I admire the vendors that offer exclusively deception-based solutions: their sales job is far more difficult than that of those selling things considered required for a minimum level of security.


People would usually read what I just wrote and think “ok, so I can forget about deception, as there’s still a lot to be done that is more important”. Not necessarily. The selection of tools and practices to apply is not a simple decision. It is mostly a resource (budget, people, time) allocation problem, but there are many additional factors that make it far more interesting than it seems. In fact, when planning detection capabilities, constraints and opportunities come in all different shapes and colors. Those will create situations where deception makes sense as the next step or measure to apply. You may have a strong monitoring infrastructure on the perimeter, for example, and not enough resources for big initiatives such as rolling out EDR or NFT for the internal network. Why not put some honeypots in place to close some of that gap? I believe this is not as simple as “only the most mature organizations should apply deception”. I believe there is a point on the maturity scale (not the highest!) where deception starts to be one of the things that could be useful for the organization. You know those video games where you “unlock” new weapons and items that you can use to keep going? Yes, deception is one of the items that are unlocked in the middle of the game.


We’ve been seeing a lot of guidance about how to look for threats inside the organization, working with red and blue teams, considering all phases of the attack chain, etc. We are far past the point where there was a generic recipe for doing security monitoring right. Your security monitoring capabilities should be a composition assembled according to your environment and the threats you are concerned about. In many cases, applying some deception will eventually make sense. The question is not whether organizations in general should be doing it, but whether they have it available and consider it as part of what they can do.


Apart from organizations planning their own security, there are also the security tool vendors working on the evolution of their products. That’s also an opportunity for deception techniques to be applied. Tools that track users’ and other entities’ behavior for anomalies can benefit from deception techniques (access to honeypots and honeytokens being the ultimate behavior anomaly), and some vendors are already adding that to their feature set. An organization selecting detection products should consider those that can also apply deception techniques, as they expand the range of available detection capabilities.
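As an added example (not from the original post, and not the code of any Gartner-covered product), the following Python sketch shows why honeytoken access is such a clean signal for a behavior-analytics or SIEM rule: a decoy account, file or key has no legitimate use, so a single reference to it in a log is an alert, with no baseline or threshold to tune. The log format, the decoy names and the sample log lines are all constructed for this example.

```python
"""Honeytoken access detection over sample access-log lines.

Added example, not from the original post. The space-separated log
format, the honeytoken registry and the sample lines are constructed
for illustration; a real deployment would read its own log source and
keep the decoy registry outside the code.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed registry of planted decoys. Nothing legitimate ever uses them,
# so there is no "normal" level of activity to learn: any hit is anomalous.
HONEYTOKENS = {
    "svc_backup_legacy": "decoy AD account, never used by any real job",
    "/fileshare/finance/Q4_bonus_plan.xlsx": "decoy document on the finance share",
    "AKIAEXAMPLEHONEY0001": "decoy cloud access key id planted in a config repo",
}

# Constructed log format: <timestamp> <source> <principal> <action> <object>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) (?P<action>\S+) (?P<object>\S+)$")

# Constructed sample log: a mix of routine activity and three decoy touches.
SAMPLE_LOG = """\
2016-01-14T09:02:11Z 10.0.5.23 jsmith READ /fileshare/finance/Q4_forecast.xlsx
2016-01-14T09:05:42Z 10.0.5.23 jsmith READ /fileshare/finance/Q4_bonus_plan.xlsx
2016-01-14T09:06:01Z 10.0.9.77 svc_backup_legacy LOGON dc01.corp.example
2016-01-14T09:07:30Z 10.0.9.77 AKIAEXAMPLEHONEY0001 ListBuckets s3
malformed line here
2016-01-14T09:08:10Z 10.0.5.40 mlee WRITE /fileshare/hr/onboarding.docx
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    user: str
    action: str
    token: str
    reason: str


def parse_line(line):
    """Parse one log line into a dict of fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_honeytoken_hits(lines):
    """Return one Alert per log line that references a planted honeytoken.

    The decoy may appear as the acting principal (decoy account or key id)
    or as the object acted on (decoy file), so both fields are checked.
    Malformed lines are skipped rather than failing the whole run.
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("user", "object"):
            token = rec[field]
            if token in HONEYTOKENS:
                alerts.append(Alert(rec["ts"], rec["src"], rec["user"],
                                    rec["action"], token, HONEYTOKENS[token]))
    return alerts


def hits_by_source(alerts):
    """Count alerts per source address: the first pivot an analyst wants,
    since one host touching several decoys usually means active discovery."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a.src] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = find_honeytoken_hits(SAMPLE_LOG.splitlines())
    for a in hits:
        print(f"{a.ts} {a.src} {a.user} {a.action} -> {a.token} ({a.reason})")
    print("hits by source:", hits_by_source(hits))
```

Run as a script it prints the three decoy touches and attributes two of them to the same source host. The contrast with a conventional UBA rule is the point: a "user read an unusual file" rule needs a learned baseline and a tuned threshold before it fires, whereas the decoy read on the second line is an alert on its own.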


As our own research indicates, deception use by organizations is increasing (“By 2018, 10% of enterprises will use deception tools and tactics, and actively participate in deception operations against attackers”). However, I doubt it will ever be considered a “must do” security control. But security practitioners should not discard it as a viable option for improving detection, and those keeping it as part of their toolbox will always have more options for building a good security monitoring environment.
