Predictions: Your Network Security in 2018
DESCRIPTION
Predictions: Your Network Security in 2018. Greg Young, Twitter: @orangeklaxon, Research Vice President and Global Lead Analyst, Network Security. We’re Getting More Vulnerable. Source: Symantec Internet Security Threat Report 2014. Attacks Are Hurting More.
TRANSCRIPT
![Page 1: Predictions: Your Network Security in 2018](https://reader036.vdocuments.site/reader036/viewer/2022062321/56812aba550346895d8e7dd6/html5/thumbnails/1.jpg)
This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other authorized recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates. © 2013 Gartner, Inc. and/or its affiliates. All rights reserved.
Greg Young
Twitter: @orangeklaxon
Research Vice President and Global Lead Analyst, Network Security
Predictions: Your Network Security in 2018
![Page 2: Predictions: Your Network Security in 2018](https://reader036.vdocuments.site/reader036/viewer/2022062321/56812aba550346895d8e7dd6/html5/thumbnails/2.jpg)
We’re Getting More Vulnerable
Source: Symantec Internet Security Threat Report 2014
![Page 3: Predictions: Your Network Security in 2018](https://reader036.vdocuments.site/reader036/viewer/2022062321/56812aba550346895d8e7dd6/html5/thumbnails/3.jpg)
Attacks Are Hurting More
![Page 4: Predictions: Your Network Security in 2018](https://reader036.vdocuments.site/reader036/viewer/2022062321/56812aba550346895d8e7dd6/html5/thumbnails/4.jpg)
Compliance is not Good Enough, but We can’t Even Get It
Source: Verizon 2014 PCI Compliance Report
![Page 5: Predictions: Your Network Security in 2018](https://reader036.vdocuments.site/reader036/viewer/2022062321/56812aba550346895d8e7dd6/html5/thumbnails/5.jpg)
We Have Fewer Of Our Staff Securing Us
IT Security Support Full-Time Equivalents as a Percentage of Total IT Full-Time Equivalent
From 2008 to 2012
![Page 6: Predictions: Your Network Security in 2018](https://reader036.vdocuments.site/reader036/viewer/2022062321/56812aba550346895d8e7dd6/html5/thumbnails/6.jpg)
Security Spend Continues To Take Larger Share of IT Pie
[Chart: cumulative % by year, 2012 to 2017; series: Security, IT]
![Page 7: Predictions: Your Network Security in 2018](https://reader036.vdocuments.site/reader036/viewer/2022062321/56812aba550346895d8e7dd6/html5/thumbnails/7.jpg)
Security Spending by Segment 2014
User Provisioning (UP)
Web Access Management (WAM)
Other Identity Access Management
Endpoint Protection Platform (Enterprise)
Other Security Software
Secure Email Gateway
Secure Web Gateway
Security Information and Event Management (SIEM)
Security Testing (DAST and SAST)
Data Loss Prevention
IPS Equipment
VPN/Firewall Equipment
Consulting
Hardware Support
Implementation
IT Outsourcing
Consumer Security Software
[Bar chart axis: millions, 0 to 16,000]
![Page 8: Predictions: Your Network Security in 2018](https://reader036.vdocuments.site/reader036/viewer/2022062321/56812aba550346895d8e7dd6/html5/thumbnails/8.jpg)
Security Spending by Segment 2014
Endpoint Protection Platform (Enterprise)
Other Security Software
Secure Email Gateway
Secure Web Gateway
Security Information and Event Management (SIEM)
Security Testing (DAST and SAST)
Data Loss Prevention
IPS Equipment
VPN/Firewall Equipment
[Bar chart axis: millions, 0 to 7,000]
![Page 9: Predictions: Your Network Security in 2018](https://reader036.vdocuments.site/reader036/viewer/2022062321/56812aba550346895d8e7dd6/html5/thumbnails/9.jpg)
Market Subdivision: Tech. Maturity
From: "Hype Cycle for Infrastructure Protection, 2013," 31 July 2013 (G00251969)
[Hype cycle chart. Axes: expectations vs. time. Phases: Innovation Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment, Plateau of Productivity. Legend (plateau will be reached in): less than 2 years; 2 to 5 years; 5 to 10 years; more than 10 years; obsolete before plateau.]
As of July 2013
Application Shielding
Dynamic Data Masking
Interoperable Storage Encryption
Hypervisor Security Protection
IaaS Container Encryption
Security in the Switch
Advanced Threat Detection Appliances
Operational Technology Security
Penetration Testing Tools
Cloud-Based Security Services
Introspection
Context-Aware Security
Open-Source Security Tools
Software Composition Analysis
Secure Web Gateways
DMZ Virtualization
Endpoint Protection Platform
Next-Generation IPS
Database Audit and Protection
Unified Threat Management (UTM)
Application Control
Network Access Control
Static Application Security Testing
Static Data Masking
Network Security Silicon
Next-Generation Firewalls
Web Application Firewalls
SIEM
DDoS Defense
Mobile Data Protection
Web Services Security Gateway
WLAN IPS
Vulnerability Assessment
Dynamic Application Security Testing
Network IPS
Secure Email Gateway
Stateful Firewalls
![Page 10: Predictions: Your Network Security in 2018](https://reader036.vdocuments.site/reader036/viewer/2022062321/56812aba550346895d8e7dd6/html5/thumbnails/10.jpg)
No, Sorry — Still No Massive Netsec Convergence in 2018
EPP, NGFW, SWG, ATA
In 2018, most of you will still have a stand-alone next-generation firewall (NGFW), secure Web gateway (SWG) and other stuff
![Page 11: Predictions: Your Network Security in 2018](https://reader036.vdocuments.site/reader036/viewer/2022062321/56812aba550346895d8e7dd6/html5/thumbnails/11.jpg)
Some of Your Netsec Moves Into the Cloud
• Off-premises SWG is growing fastest: 13% cloud today, with predictions of 25% by 2015; but it's slow moving and likely to still be 25% in 2018.
• ATA will continue to have cloud assistance.
• Firewall and IPS remain on-premises.
• Hosting remains the exception where all can be in the cloud.
![Page 12: Predictions: Your Network Security in 2018](https://reader036.vdocuments.site/reader036/viewer/2022062321/56812aba550346895d8e7dd6/html5/thumbnails/12.jpg)
Some of Your Netsec Does Converge
• ATA coordination capability moving into SWG and NGFW.
• SSL VPN moves mostly into firewall.
• URL filtering, already converged, can go in a few places.
• NGFW expansion continues; ATA incorporates traditional IPS.
• Stand-alone IPS becomes rarer.
• Firewalls optimized for data center produced by mainstream firewall vendors: one-brand bias continues.
![Page 13: Predictions: Your Network Security in 2018](https://reader036.vdocuments.site/reader036/viewer/2022062321/56812aba550346895d8e7dd6/html5/thumbnails/13.jpg)
Security Intelligence
• SIEM platform maintains its role as primary information and event correlation point. Wide, yet shallow, and will not be a console replacement.
• SIEM will expand its capabilities and handle more events, rather than point products for "security intelligence" being deployed.
• Consoles will remain the best primary source, yet remain silos — what analysts use after SIEM.
Security will not be that intelligent in 2018
In other words…
Security Intelligence will remain undefined in 2018
![Page 14: Predictions: Your Network Security in 2018](https://reader036.vdocuments.site/reader036/viewer/2022062321/56812aba550346895d8e7dd6/html5/thumbnails/14.jpg)
![Page 15: Predictions: Your Network Security in 2018](https://reader036.vdocuments.site/reader036/viewer/2022062321/56812aba550346895d8e7dd6/html5/thumbnails/15.jpg)
SDN Security in 2018 Will Be Either …
or
Protecting controllers
Third-party vendors
Logically, the same as we do today
A standard, multivendor protection
Infrastructure provided
Self-defending controller
Security interoperability
Change control doesn't … change
Compliance doesn't change
SDN Security Securing SDN
So which of the two is it?
![Page 16: Predictions: Your Network Security in 2018](https://reader036.vdocuments.site/reader036/viewer/2022062321/56812aba550346895d8e7dd6/html5/thumbnails/16.jpg)
We’ve Seen Shifts Before
Worms
Not solved, but reduced to mostly minor annoyance levels
Viruses
Or Shifted To New, More Difficult Paths
Always followed by spending changes
Spam
![Page 17: Predictions: Your Network Security in 2018](https://reader036.vdocuments.site/reader036/viewer/2022062321/56812aba550346895d8e7dd6/html5/thumbnails/17.jpg)
Reduced Impact
Source: Symantec Internet Security Threat Report 2014
![Page 18: Predictions: Your Network Security in 2018](https://reader036.vdocuments.site/reader036/viewer/2022062321/56812aba550346895d8e7dd6/html5/thumbnails/18.jpg)
Security Sustainability
Source: Wikipedia, Sustainability
![Page 19: Predictions: Your Network Security in 2018](https://reader036.vdocuments.site/reader036/viewer/2022062321/56812aba550346895d8e7dd6/html5/thumbnails/19.jpg)
Impediments to Sustaining the Current Trajectory
Spying
Spending
Alerts
Staffing
SMB
Open Source
Partial Source: Wikipedia, Sustainability
![Page 20: Predictions: Your Network Security in 2018](https://reader036.vdocuments.site/reader036/viewer/2022062321/56812aba550346895d8e7dd6/html5/thumbnails/20.jpg)
In 2018 Your Netsec Will….
• Be expensive and mostly point solutions.
• Use out-of-band inspection — still mainstream for WAN/LAN and very-high-speed links.
• Need to secure your SDN and virtualization, as they won't be self-defending.
• Require accommodation of mixed IPv4/v6.
• Have more hybrid aspects.
• Still be deployed in depth.
• Not be fully virtualized, but accommodate virtualization.
Call to Action: 2018 is less than one firewall refresh away.
![Page 21: Predictions: Your Network Security in 2018](https://reader036.vdocuments.site/reader036/viewer/2022062321/56812aba550346895d8e7dd6/html5/thumbnails/21.jpg)
Likely 2018 Crisis Points
• Common criteria devalued without replacement.
• Advancing rate of security product vulnerabilities and poor disclosure.
• Security of IPv6 within products lags behind IPv6 adoption rates.
• No letup in threat will stress netsec budgets and operations.
![Page 22: Predictions: Your Network Security in 2018](https://reader036.vdocuments.site/reader036/viewer/2022062321/56812aba550346895d8e7dd6/html5/thumbnails/22.jpg)
Secure Network Design Principles
1. No single element compromise should compromise the whole application stream.
2. Put trust in trusted components.
3. Isolation to isolate. Segmentation to segment.
4. Hosts are not self-defending.
5. Correlation, visibility, least privilege, and compliance.
By jove, these principles stand the test of time and are not some faddish feature.
Like my wig. Or my pen. The frilly shirt still rocks, yes?
![Page 23: Predictions: Your Network Security in 2018](https://reader036.vdocuments.site/reader036/viewer/2022062321/56812aba550346895d8e7dd6/html5/thumbnails/23.jpg)
Recommended Gartner Research
Ending the Confusion About Software-Defined Networking: A Taxonomy, Joe Skorupa and others (G00248592)
Magic Quadrant for Enterprise Network Firewalls, Greg Young (G00229302)
Hype Cycle for Infrastructure Protection, Greg Young (G00229303)
For more information, stop by Gartner Research Zone.
![Page 24: Predictions: Your Network Security in 2018](https://reader036.vdocuments.site/reader036/viewer/2022062321/56812aba550346895d8e7dd6/html5/thumbnails/24.jpg)
Additional Material
![Page 25: Predictions: Your Network Security in 2018](https://reader036.vdocuments.site/reader036/viewer/2022062321/56812aba550346895d8e7dd6/html5/thumbnails/25.jpg)
The Controller Needs Protecting
Controller
But they promised
I’d be self-defending
Spoofing switches
DDoS
Resource consumption
Controller Vulnerabilities
![Page 26: Predictions: Your Network Security in 2018](https://reader036.vdocuments.site/reader036/viewer/2022062321/56812aba550346895d8e7dd6/html5/thumbnails/26.jpg)
So, Protect The Controller
Controller
Spoofing switches
DDoS
Resource consumption
Controller Vulnerabilities
IPS
Redundant Paths
IDS
Hardened Authentication
Specific QoS
Default SSL On
New Safeguards
![Page 27: Predictions: Your Network Security in 2018](https://reader036.vdocuments.site/reader036/viewer/2022062321/56812aba550346895d8e7dd6/html5/thumbnails/27.jpg)
Look To Your Current Security Vendors… But Most Are Not There Yet
Security control plane integration into orchestration for context sharing
Better integration of 3rd party security ecosystem
Better isolation of security control plane
It is still the early days
Infrastructure vendor sales force has trouble letting go
SPA: Through 2018, more than 75% of enterprises will continue to seek network security from a different vendor than their network infrastructure vendor.
Limited firewall rule self-provisioning
Get your polygraph warmed up – most security vendors are not on top of SDN/NFV
![Page 28: Predictions: Your Network Security in 2018](https://reader036.vdocuments.site/reader036/viewer/2022062321/56812aba550346895d8e7dd6/html5/thumbnails/28.jpg)
What Do IPv6 and DoS Mean to Security in 2018?
![Page 29: Predictions: Your Network Security in 2018](https://reader036.vdocuments.site/reader036/viewer/2022062321/56812aba550346895d8e7dd6/html5/thumbnails/29.jpg)
Volumetric Defenses Go More Hybrid
2014
2018
2010
2006
CPE
Off-Premises
"The attacks are bigger than my pipes"
"Cloud-only is too much $"
"These need to work together better"
![Page 30: Predictions: Your Network Security in 2018](https://reader036.vdocuments.site/reader036/viewer/2022062321/56812aba550346895d8e7dd6/html5/thumbnails/30.jpg)
IPv6 Security Needs IPv6
Source: Google
![Page 31: Predictions: Your Network Security in 2018](https://reader036.vdocuments.site/reader036/viewer/2022062321/56812aba550346895d8e7dd6/html5/thumbnails/31.jpg)
Commonly Seen Characteristics of Security Threats that are Peaking
• Lowered impact of attacks notwithstanding lowered or increased occurrences.
• Enterprise response has become ‘operationalized’, and is now handled by an established safeguard with little staff interaction, workflow, helpdesk, or vulnerability management procedure.
• The acquisition or disappearance of the majority of pure-play products specific to the threat.
• The threat is being subsumed into a newer or more advanced threat.
• Point products are converging into existing security products as a feature — especially when offered at no additional charge.
![Page 32: Predictions: Your Network Security in 2018](https://reader036.vdocuments.site/reader036/viewer/2022062321/56812aba550346895d8e7dd6/html5/thumbnails/32.jpg)
Buy Hedges (And Maybe Save Anyway)
Lease
Commitment
MSSP
Off Prem
Cloud
As-A-Service
![Page 33: Predictions: Your Network Security in 2018](https://reader036.vdocuments.site/reader036/viewer/2022062321/56812aba550346895d8e7dd6/html5/thumbnails/33.jpg)
Breaking A Link In the Kill Chain
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command & Control
Actions On Objectives
Anti-evasion
Pre-filters
SSL-inspection
Cloud lists
Reduced Gray Lists
Getting good at one can hinder across multi-vectors
Behavioral ATA