© 2015 Forrester Research, Inc. Reproduction Prohibited 4
Familiar?
@rickhholland | @terlin | @TripwireInc
Targeted-Attack Hierarchy Of Needs
Source: January 7, 2015, “Introducing Forrester's Targeted-Attack Hierarchy Of Needs,” Forrester report
Step #1: Have an actual strategy
Expense in depth
Source: January 7, 2015, “Introducing Forrester's Targeted-Attack Hierarchy Of Needs,” Forrester report
Return on expense in depth?
Source: January 7, 2015, “Introducing Forrester's Targeted-Attack Hierarchy Of Needs,” Forrester report
Before you invest:
• Assess your current state
• Conduct a gap analysis
Components of a sound strategy
› Adopt a Zero Trust model.
• Trust but verify
• Networks are designed from the inside out
• Inspect and log all traffic
› Data-driven security, not alert-driven security
› Know your data
• What generates revenue?
• What assets align to this revenue?
Step #2: Focus on fundamentals
Focus on the fundamentals
Reduce attack surface with Vulnerability Management
› VM has always been fundamental, yet it has been overlooked.
› The recent open source vulnerabilities brought VM back into the spotlight.
› VM has a renewed focus within organizations.
Step #3: An integrated portfolio that enables orchestration
Friction
› “Create friction for the attacker. Slow them down, and make their job more difficult.”
› What about all the friction we create for ourselves?
› Reduce your internal friction and become more agile.
Reduce operational friction
› Evaluate your technology stack; automate any manual tasks.
› Add developers to your team (recent college graduates).
› Prioritize vendors who integrate within their own portfolio as well as with others.
Integration use case examples
› Endpoint + Automated malware analysis
• Use endpoint visibility to confirm whether or not malware executed.
› Vulnerability remediation validation
• Integrate vulnerability management with ticketing to automate remediation validation.
› Vulnerability management + Governance Risk Compliance
• Provide asset states directly into GRC solutions.
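The two vulnerability-management integrations above (ticketing for remediation validation, asset state for GRC) share one data join: the fresh scan result against what the ticketing system believes was fixed. The following is an added example, not code from the slides or from Tripwire; the ticket records, scan findings and `VULN-PLACEHOLDER-*` identifiers are constructed for illustration and stand in for whatever the scanner and ticketing API actually return.

```python
"""Added example (not from the slides): validate vulnerability remediation
tickets against a fresh scan and summarise per-asset state for a GRC feed.

All ticket and scan data below is constructed for illustration; the
vulnerability identifiers are placeholders, not real CVE numbers.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str      # placeholder identifier, e.g. "VULN-PLACEHOLDER-1"
    severity: str     # "critical" | "high" | "medium" | "low"


@dataclass
class Ticket:
    ticket_id: str
    asset: str
    vuln_id: str
    status: str       # "open" | "resolved"


# Constructed sample data: what the ticketing system says was fixed ...
TICKETS = [
    Ticket("T-1", "web-01", "VULN-PLACEHOLDER-1", "resolved"),
    Ticket("T-2", "web-01", "VULN-PLACEHOLDER-2", "resolved"),
    Ticket("T-3", "db-01", "VULN-PLACEHOLDER-3", "open"),
    Ticket("T-4", "db-01", "VULN-PLACEHOLDER-4", "resolved"),
]

# ... and what the latest scan actually found.
SCAN = [
    Finding("web-01", "VULN-PLACEHOLDER-1", "high"),      # still present: T-1 was not really fixed
    Finding("db-01", "VULN-PLACEHOLDER-3", "critical"),   # open ticket, still present (expected)
    Finding("db-01", "VULN-PLACEHOLDER-5", "medium"),     # new finding, no ticket yet
]


def validate_remediation(tickets, scan):
    """Return (reopen, verified, untracked).

    reopen:    ids of 'resolved' tickets whose vulnerability the scan still sees
    verified:  ids of 'resolved' tickets the scan no longer sees
    untracked: scan findings with no ticket at all (new work for the queue)
    """
    still_present = {(f.asset, f.vuln_id) for f in scan}
    tracked = {(t.asset, t.vuln_id) for t in tickets}
    reopen, verified = [], []
    for t in tickets:
        if t.status != "resolved":
            continue
        if (t.asset, t.vuln_id) in still_present:
            reopen.append(t.ticket_id)
        else:
            verified.append(t.ticket_id)
    untracked = [f for f in scan if (f.asset, f.vuln_id) not in tracked]
    return reopen, verified, untracked


def reopen_tickets(tickets, scan):
    """Apply the validation result back to the ticket records (in place)
    and return the ids that were reopened."""
    reopen, _, _ = validate_remediation(tickets, scan)
    for t in tickets:
        if t.ticket_id in reopen:
            t.status = "open"
    return reopen


def asset_state(scan):
    """Per-asset count of open findings by severity, shaped for a GRC import."""
    state = {}
    for f in scan:
        state.setdefault(f.asset, Counter())[f.severity] += 1
    return {asset: dict(counts) for asset, counts in state.items()}


if __name__ == "__main__":
    reopen, verified, untracked = validate_remediation(TICKETS, SCAN)
    print("reopen:", reopen)
    print("verified closed:", verified)
    print("untracked findings:", [(f.asset, f.vuln_id) for f in untracked])
    print("asset state for GRC:", asset_state(SCAN))
```

The join key is (asset, vulnerability id), so a ticket closed against one host is not silently satisfied by the vulnerability disappearing from another. Running this after every scan turns "resolved" into a verified state rather than an analyst's assertion.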
Step 4: Prevention
Prevention is dead, long live prevention!
› Prevention isn’t dead; imagine a world without prevention.
› Prevention is shifting.
› Actionable threat intelligence can be used for proactive defense.
Step 5: Detection and response
The threat landscape is overwhelming; threat models are dynamic
Adversary tiers
Fall back to detection and response
› Detection is the only option when dealing with higher tier adversaries.
› No single control is your breach detection system.
› Your aggregate controls and your people are your breach detection system.
Network controls aren’t enough
Endpoint’s role in detection and response
› Hunting with threat intelligence
• Search for threat indicators/indicators of compromise.
• Behavioral hunting as well, not just signatures.
› Incident response
• What other hosts have been compromised?
• How are legitimate Windows tools being used by the adversary?
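The slide contrasts indicator matching with behavioral hunting and asks which hosts are affected and how legitimate Windows tools are being used. The following is an added example, not code from the slides or from Tripwire, showing both hunt styles over the same endpoint process-creation telemetry: indicator lookups (hash, domain) and one behavioral rule, a document-handling application spawning a scripting or administration tool. The events, indicator values and placeholder hashes are constructed; the application and tool name sets are illustrative assumptions, not a vendor's rule set.

```python
"""Added example (not from the slides): a small endpoint hunt that runs both
indicator matching and a behavioural rule over process-creation telemetry.

Events, indicators and hashes below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent: str            # parent image name, lower-case
    image: str             # child image name, lower-case
    sha256: str            # constructed placeholder hash
    dest_domain: str = ""  # outbound connection made by the child, if any


# Constructed indicators of compromise, as a threat-intel feed might deliver them.
IOC_HASHES = {"sha256-placeholder-bad"}
IOC_DOMAINS = {"bad.example"}

# Behavioural rule (assumed sets, not a vendor list): document-handling
# applications do not normally spawn scripting or administration tools.
# This is the "legitimate Windows tools" question expressed as a
# parent/child relationship rather than a signature on the tool itself.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
ADMIN_TOOLS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# Constructed telemetry from four hosts.
EVENTS = [
    ProcessEvent("pc-01", "explorer.exe", "winword.exe", "sha256-placeholder-ok1"),
    ProcessEvent("pc-01", "winword.exe", "powershell.exe", "sha256-placeholder-ok2", "bad.example"),
    ProcessEvent("pc-02", "services.exe", "svchost.exe", "sha256-placeholder-ok3"),
    ProcessEvent("pc-03", "explorer.exe", "update.exe", "sha256-placeholder-bad"),
    ProcessEvent("pc-04", "explorer.exe", "cmd.exe", "sha256-placeholder-ok4"),  # admin tool, benign parent
]


def hunt(events):
    """Return a list of (host, rule, detail) hits, in event order.

    Indicator checks are cheap and precise; the behavioural rule catches
    activity that no indicator covers (the tool is legitimate, the parent is not).
    """
    hits = []
    for e in events:
        if e.sha256 in IOC_HASHES:
            hits.append((e.host, "ioc-hash", e.image))
        if e.dest_domain and e.dest_domain in IOC_DOMAINS:
            hits.append((e.host, "ioc-domain", e.dest_domain))
        if e.parent in DOCUMENT_APPS and e.image in ADMIN_TOOLS:
            hits.append((e.host, "doc-app-spawns-admin-tool", f"{e.parent} -> {e.image}"))
    return hits


def affected_hosts(hits):
    """Answer 'what other hosts?': for each rule, the sorted set of hosts it fired on."""
    by_rule = {}
    for host, rule, _ in hits:
        by_rule.setdefault(rule, set()).add(host)
    return {rule: sorted(hosts) for rule, hosts in by_rule.items()}


if __name__ == "__main__":
    found = hunt(EVENTS)
    for host, rule, detail in found:
        print(f"{host}: {rule} ({detail})")
    print("affected hosts by rule:", affected_hosts(found))
```

Note that pc-04 produces no hit even though cmd.exe is on the tool list: the behavioral rule keys on the parent, which is what separates an analyst running a shell from a document macro doing so. Hashes of the built-in tools are deliberately not used as pivots, since every host shares them.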
Final thought: Breach Detection Solution
› There is no single “breach detection” solution.
› Your security tools run by skilled staff who are enabled by process are your breach detection platform.
› Reduce internal friction to enable your analysts.
Free research plug
› Not a Forrester client, interested in free research?
› If you participate in a confidential research interview, I will provide a complimentary copy of the research.
[Figure: Tripwire Adaptive Threat Protection diagram. Components shown: Endpoint Intelligence, Vulnerability Intelligence, Threat Intelligence, Threat Analytics, Forensics, Zero-Day Detection, Threat Response, Log & Event Intelligence]
[Figure: diagram of three gaps, each labelled Prevention Gap, Detection Gap and Response Gap]
Trusted: by over half of the Fortune 500 and over 9,000 customers worldwide
Open: Architected for a choice of multiple threat intelligence and security integrations
Accurate: High-fidelity real-time detection and prioritization; focus on what really matters
Resilient: Proven, reliable platform for security vulnerability management and threat protection