World-Class Cybersecurity: Lessons from the Experts
Johna Till Johnson
CEO, Nemertes Research
johna@nemertes.com, @johnatilljohnso
July 17, 2018
© 2018 Nemertes Research DN6741 1
About Nemertes
Topics We Cover
• Contact Center & Customer Engagement
• Cloud and Networking
• Digital Transformation
• IoT
• Next Generation Endpoints
• Security and Risk Management
• Unified Communications & Collaboration
Research We Conduct
• Benchmarks: Live discussions with IT leaders
• Surveys: Industry-leading data integrity methodology
• Vendor discussions: Product, technology analysis
Services We Provide
• Research advisory service
• Strategy & roadmap consulting
• Vendor & technology assessment
• Cost models
• Maturity models
• Annual conference
Global IT research and strategic consulting firm focusing on the business impact of emerging technology. Founded in 2002 by IT professionals, for IT professionals.
The Current State: July 2018
The World Today
• New Breaches
• New Vectors: Cloud, Mobile, IoT (“Shadow IoT”), Collaboration, Chips/Firmware, Blockchain
• New Threats: Ransomware, OSX attacks, industrial botnets, cryptocurrency malware
• New Actors: Russia, China, North Korea
The World Today
June 13, 2017
“Russia’s cyberattack on the U.S. electoral system before Donald Trump’s election was far more widespread than has been publicly revealed, including incursions into voter databases and software systems in almost twice as many states as previously reported.”
“Red Blinking Lights”
Director of National Intelligence Dan Coats, 07/13/18
“The warning signs are there. The system is blinking… we are at a critical point. Today, the digital infrastructure that serves this country is literally under attack.”
What Now?
Defining “World Class”
What Is “World Class” Cybersecurity?
Technology deployment?
Spending and investment?
Operational metrics?
Organization and governance?
Nemertes’ Security Benchmarking
• 2017-2018 Security and Risk Management Research Study
• Interviewed and surveyed during 2017 and 2018:
o 625 companies
o 12 countries
o 13% (80 companies) financial services
• Validated/invalidated range of hypotheses
Success Metric 1: Nemertes Maturity Model
• Unprepared (Level 0): Lacking necessary information to take effective action; unaware of or unable to respond to current or emerging issues
• Reactive (Level 1): Have basic platforms and structures to react to business requirements; cannot proactively prevent problems from arising
• Proactive (Level 2): Have platforms, structures, organizational processes to proactively address current issues and challenges
• Anticipatory (Level 3): Have platforms, structures, organizational processes to proactively address future issues and challenges
Success Metric 2: Operational Metrics
Chart: performance bands at the 98th, 75th, and 50th percentiles
SecOps Metrics: Detection Time
• Median time to detect incursion: 1 hour
• Two clusters of higher performers: 10 minutes and 30 minutes
• Cluster of lower performers requiring days to weeks
Chart bands: under 1 hr; hours to weeks
SecOps Metrics: Understanding Time
• Median time to understand incursion: 180 minutes (3 hours)
• Higher performers understand in 30 minutes or less
• Lower performers require days to weeks
Chart bands: under 3 hr; hours to weeks
SecOps Metrics: Resolution Time
• Median time to resolve incursion: 6 hours
• Bimodal distribution: cluster around 2 hours, cluster around 2 days
• Highest performers resolve in half an hour or less
Chart bands: under 2 hr; 2 hr to 2 days; 2 days +
Success Metric 2: Operational Metrics
• 98th percentile: 8 minutes
• 75th percentile: 109 minutes
• 50th percentile: 410 minutes
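To benchmark a team against the detection, understanding and resolution medians on the preceding slides, here is an added Python example (not Nemertes' code). The incident records, the four phase timestamps and the one-day cutoff used for "lower performers" are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# Medians reported on the slides, in minutes: detect 1 h, understand 3 h, resolve 6 h.
BENCHMARK_MEDIAN_MIN = {"detect": 60, "understand": 180, "resolve": 360}
# Cluster boundaries read off the slides: higher performers at 30 min or less for
# every phase; "days to weeks" taken here as one day or more (this example's cutoff).
HIGHER_PERFORMER_MIN = {"detect": 30, "understand": 30, "resolve": 30}
LOWER_PERFORMER_MIN = 24 * 60


@dataclass
class Incident:
    """Four timestamps per incident; the phase definitions are this example's own."""
    incident_id: str
    first_activity: datetime  # earliest attacker activity found in evidence
    detected: datetime        # alert or report that started the response
    understood: datetime      # entry point, scope and affected assets known
    resolved: datetime        # containment and eradication complete


def _minutes(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60


def incident_metrics(inc: Incident) -> dict:
    """Detection, understanding and resolution time for one incident, in minutes."""
    return {
        "detect": _minutes(inc.first_activity, inc.detected),
        "understand": _minutes(inc.detected, inc.understood),
        "resolve": _minutes(inc.understood, inc.resolved),
    }


def performance_tier(phase: str, value_min: float) -> str:
    """Place one measurement into the clusters the slides describe."""
    if value_min <= HIGHER_PERFORMER_MIN[phase]:
        return "higher"
    if value_min <= BENCHMARK_MEDIAN_MIN[phase]:
        return "median"
    if value_min < LOWER_PERFORMER_MIN:
        return "below median"
    return "lower"


def team_report(incidents: list) -> dict:
    """Per-phase median for a team, compared with the slide benchmarks."""
    report = {}
    for phase in BENCHMARK_MEDIAN_MIN:
        values = [incident_metrics(i)[phase] for i in incidents]
        med = median(values)
        report[phase] = {
            "median_min": med,
            "benchmark_min": BENCHMARK_MEDIAN_MIN[phase],
            "meets_benchmark": med <= BENCHMARK_MEDIAN_MIN[phase],
            "tiers": [performance_tier(phase, v) for v in values],
        }
    return report


def _incident(iid: str, detect: int, understand: int, resolve: int) -> Incident:
    """Build a constructed incident from minute offsets after a fixed start time."""
    t0 = datetime(2018, 7, 1, 8, 0)
    detected = t0 + timedelta(minutes=detect)
    understood = detected + timedelta(minutes=understand)
    return Incident(iid, t0, detected, understood, understood + timedelta(minutes=resolve))


# Constructed sample: four fast incidents, one at the benchmark, one that took days.
SAMPLE_INCIDENTS = [
    _incident("INC-1", 10, 25, 30),
    _incident("INC-2", 30, 60, 120),
    _incident("INC-3", 60, 180, 360),
    _incident("INC-4", 90, 240, 2880),
    _incident("INC-5", 1440, 2880, 4320),
    _incident("INC-6", 20, 40, 100),
]

if __name__ == "__main__":
    for phase, row in team_report(SAMPLE_INCIDENTS).items():
        print(f"{phase:>10}: median {row['median_min']:.0f} min "
              f"(benchmark {row['benchmark_min']} min) tiers={row['tiers']}")
```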
Budgeting Maturity
How Security Budget Set
• Ad-hoc: 37%
• Framework: 13%
• Benchmark: 31%
• Risk: 19%
Best practice: Risk-based budget setting
Second-best practice: Benchmarks from peers based on internal metrics
o Percentage of IT spend
o Percentage of revenue
“I get whatever I ask for” is not good enough: Ad-hoc is least successful, even in an environment of perceived unlimited funding, and usually results in lower spending
Annual Per-Employee Security Spend
Chart: 2018 Security Budget Per Employee, more successful vs. less successful
• Less than $100: 36.7% vs. 68.5%
• $100 or more but less than $500: 11.7% vs. 11.1%
• $500 or more but less than $1000: 15.0% vs. 9.3%
• $1000 or more but less than $2000: 16.7% vs. 9.3%
• $2000 or more: 20.0% vs. 1.9%
Most successful more likely to spend more, and 10X more likely to spend more than $2000 per employee
Annual Per-Employee Security Spend
Mean spend by financial services firms in 2018: $3,361
More-successful companies are more likely to include as line items in the infosec budget:
o Network security
o Mobile security
o Facilities
o DR/BCP
o IoT security
o AppSec/DevOps
o SecOps
o IAM
o Third-party risk
o Education/awareness training
o Cybersecurity insurance
o Forensics
o Threat detection
o Governance
o Cloud security
What is Zero Trust Security and Why Does It Matter?
Zero Trust: All Assets Untrusted
• Originally developed by Google as part of BeyondCorp™ architecture
• Assumes all assets untrusted; inside the firewall is no safer than outside
• Impacts on all devices, applications, services:
o Data-centric approach; requires detailed asset inventory
o Highly granular and scalable
o Authentication, authorization, access control at every level
o Firewalls no longer delineate “safe” from “risky”
o Encryption everywhere!
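An added Python example (not Nemertes' code and not Google's BeyondCorp code) of the "authentication, authorization, access control at every level" principle: the decision uses the user's identity, a device tier taken from the asset inventory, and the data classification, and deliberately ignores whether the request came from inside the corporate network. All names, tiers and the sample inventory are this example's assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum

# Added example: a zero-trust access decision for a classified asset.
# Every name, tier and sample value here is the example's own.


class Classification(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


class DeviceTier(IntEnum):
    """Trust tier derived from the asset inventory, never from the client's claim."""
    UNKNOWN = 0            # device not in inventory
    MANAGED = 1            # enrolled and managed
    HEALTHY = 2            # managed and passed a recent posture check
    HEALTHY_ENCRYPTED = 3  # healthy and disk encryption verified


# Minimum device tier needed to touch data at each classification level.
REQUIRED_TIER = {
    Classification.PUBLIC: DeviceTier.UNKNOWN,
    Classification.INTERNAL: DeviceTier.MANAGED,
    Classification.CONFIDENTIAL: DeviceTier.HEALTHY,
    Classification.RESTRICTED: DeviceTier.HEALTHY_ENCRYPTED,
}


@dataclass(frozen=True)
class Asset:
    name: str
    classification: Classification
    allowed_groups: frozenset


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    device_id: str
    mfa_passed: bool
    encrypted_transport: bool
    source_network: str  # recorded for audit only; never used in the decision


def decide(asset: Asset, req: Request, inventory: dict) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every check applies regardless of network location."""
    reasons = []
    if not req.encrypted_transport:
        reasons.append("transport not encrypted")
    tier = inventory.get(req.device_id, DeviceTier.UNKNOWN)
    required = REQUIRED_TIER[asset.classification]
    if tier < required:
        reasons.append(f"device tier {tier.name} below required {required.name}")
    if asset.classification >= Classification.CONFIDENTIAL and not req.mfa_passed:
        reasons.append("MFA required for confidential or restricted data")
    if not (req.groups & asset.allowed_groups):
        reasons.append("user not authorized for this asset")
    return (not reasons, reasons)


# Constructed sample inventory and asset.
INVENTORY = {
    "lap-0042": DeviceTier.HEALTHY_ENCRYPTED,
    "lap-0077": DeviceTier.MANAGED,  # enrolled, but its posture check is stale
}
PAYROLL = Asset("payroll-db", Classification.RESTRICTED, frozenset({"finance"}))


def demo() -> dict:
    """Same user, same asset: the outcome follows identity, device and data
    classification, so being 'inside the firewall' earns nothing on its own."""
    base = dict(user="alice", groups=frozenset({"finance"}), mfa_passed=True,
                encrypted_transport=True)
    from_lan_unmanaged = Request(device_id="byod-phone", source_network="corp-lan", **base)
    from_lan_stale = Request(device_id="lap-0077", source_network="corp-lan", **base)
    from_internet_healthy = Request(device_id="lap-0042", source_network="internet", **base)
    return {
        "corp-lan/unmanaged": decide(PAYROLL, from_lan_unmanaged, INVENTORY),
        "corp-lan/stale-posture": decide(PAYROLL, from_lan_stale, INVENTORY),
        "internet/healthy": decide(PAYROLL, from_internet_healthy, INVENTORY),
    }


if __name__ == "__main__":
    for label, (ok, why) in demo().items():
        print(f"{label}: {'ALLOW' if ok else 'DENY'} {why}")
```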
Zero Trust: All Assets Untrusted (diagram, ©2016 Google)
Zero Trust: Classification is Key (diagram, ©2016 Google)
Key Trends: State of Zero Trust Today
Current State: by Success
Chart: BTA Adoption, Zero Trust Adopters vs. Non-Adopters
• Have now: 50.0% vs. 23.3%
• Planning for 2018: 28.6% vs. 7.8%
• Evaluating: 14.3% vs. 23.3%
• Not planning (assessed and rejected): 0.0% vs. 3.9%
• Not planning: 7.1% vs. 41.7%
Successful organizations 2X to 3X more likely to be deploying or planning
Enabling Practices for Zero Trust
Data Classification
Chart: Data Classification Adoption, Zero Trust Adopters vs. Non-Adopters
• Have now: 73.2% vs. 50.0%
• Planning for 2018: 10.7% vs. 7.8%
• Evaluating: 10.7% vs. 17.6%
• Not planning (assessed and rejected): 3.6% vs. 1.0%
• Not planning: 1.8% vs. 23.5%
Adopters 50% more likely to have implemented
Security Automation
Adopters up to 70% as likely to be automating security
Firewall Architecture
Chart: Firewall Architecture, Zero Trust Adopters vs. Non-Adopters
• No firewalls: 0.0% vs. 17.8%
• Centralized: 46.0% vs. 35.5%
• Distributed: 24.0% vs. 29.0%
• Virtualized: 30.0% vs. 17.8%
• Cloud-based: 8.0% vs. 11.2%
Adopters almost twice as likely to have virtualized firewalls
Adopters more likely to have centralized firewalls
Enabling Technologies for Zero Trust
Bellwether Technology: Advanced Endpoint Security
What it Is
• Software that protects endpoints from malware, using a variety of mechanisms (e.g. microsegmentation)
• Goes far beyond list-based protection offered by traditional anti-malware
Why We Selected It
• Represents an architectural/technical “step function” increase over existing technology
• Aligns well with additional strategic initiatives (e.g. virtualization)
Example Providers
• Bromium, Crowdstrike, Invincea, Tanium, Carbon Black (also current versions of Trend Micro, McAfee, Symantec, some capability in Microsoft)
Advanced Endpoint Security (AES)
Chart: AES Adoption, Zero Trust Adopters vs. Non-Adopters
• Have now: 58.9% vs. 28.2%
• Planning for 2018: 23.2% vs. 6.8%
• Evaluating: 10.7% vs. 21.4%
• Not planning (assessed and rejected): 1.8% vs. 6.8%
• Not planning: 5.4% vs. 36.9%
Adopters 2X as likely to have implemented AES
Bellwether Technology: Behavioral Threat Analytics
What it Is
• Software that integrates multiple sources of data (logs, analytics platforms such as Splunk, SIEM) to capture and display anomalous behavior of users, devices, and systems
Why We Selected It
• Effective use of BTA requires “table stakes” of solid analytics already in place; it therefore characterizes more mature organizations
• UBA enables proactive protection against attacks
Example Providers
• Bay Dynamics, Gurucul, Exabeam, Splunk/Caspida
Behavioral Threat Analytics
Chart: BTA Adoption, Zero Trust Adopters vs. Non-Adopters
• Have now: 50.0% vs. 23.3%
• Planning for 2018: 28.6% vs. 7.8%
• Evaluating: 14.3% vs. 23.3%
• Not planning (assessed and rejected): 0.0% vs. 3.9%
• Not planning: 7.1% vs. 41.7%
Adopters more likely to have implemented BTA
Bellwether Technology: Network Access Control
What it Is
• Tools that authorize devices on the network based on security policies
Why We Selected It
• To deploy NAC, organizations need to have a solid authorization and authentication policy in place; that policy becomes the foundation of the zero-trust environment
Example Providers
• Cisco, Forescout, HP/Aruba, Trustwave
Network Access Control (NAC)
Chart: NAC Adoption, Zero Trust Adopters vs. Non-Adopters
• Have now: 61.1% vs. 29.7%
• Planning for 2018: 22.2% vs. 6.9%
• Evaluating: 11.1% vs. 24.8%
• Not planning (assessed and rejected): 0.0% vs. 4.0%
• Not planning: 5.6% vs. 34.7%
Adopters 2X more likely to have implemented NAC
Bellwether Technology: Cloud DLP
What it Is
• Premises- or cloud-based software that protects content stored on clouds
Why We Selected It
• Critical to manage cloud use by employees
• Use implies a relatively mature cloud initiative, including defined policies
Example Providers
• Skyhigh, GTB, Cyphercloud, Vormetric
Cloud: Data Loss Prevention
Chart: Cloud DLP Adoption, Zero Trust Adopters vs. Non-Adopters
• Have now: 53.6% vs. 34.0%
• Planning for 2018: 23.2% vs. 10.7%
• Evaluating: 16.1% vs. 24.3%
• Not planning (assessed and rejected): 3.6% vs. 1.9%
• Not planning: 3.6% vs. 29.1%
Adopters 60% more likely to have implemented DLP for cloud
Bellwether Technology: CASB
What it Is
• Premises- or cloud-based software that automatically detects cloud usage by employees, assesses business and technical risk, and enforces policies
Why We Selected It
• Critical to manage cloud use by employees
• Use implies a relatively mature cloud initiative, including defined policies
Example Providers
• BitGlass, BlueCoat/Symantec, Microsoft, Netskope, Skyhigh
Cloud: Cloud Access Security Brokers
Chart: CASB Adoption, Zero Trust Adopters vs. Non-Adopters
• Have now: 51.8% vs. 16.5%
• Planning for 2018: 25.0% vs. 7.8%
• Evaluating: 8.9% vs. 27.2%
• Not planning (assessed and rejected): 1.8% vs. 7.8%
• Not planning: 12.5% vs. 40.8%
Adopters 3X more likely to have implemented CASB
Bellwether Technology: Single Signon as a Service
What it Is
• Cloud-based software that enables single signon to cloud and on-premise resources
Why We Selected It
• Critical to manage cloud and on-premise use by employees
• Use implies a relatively mature cloud initiative, including defined policies
Example Providers
• Microsoft, Okta, Ping
Cloud: Single Signon as a Service
Chart: SSOaaS Adoption, Zero Trust Adopters vs. Non-Adopters
• Have now: 71.4% vs. 35.6%
• Planning for 2018: 19.6% vs. 13.5%
• Evaluating: 7.1% vs. 19.2%
• Not planning (assessed and rejected): 0.0% vs. 3.8%
• Not planning: 1.8% vs. 27.9%
Adopters 2X more likely to have implemented SSOaaS
What Else? “Shadow” Security
Special Focus: UC Security
• UCC suites may have a range of weaknesses
o Lack of privacy (no end-to-end encryption)
o Lack of integrated authentication/authorization
o Lack of DLP
o Inadequate logging/auditing
• UCC suites are vulnerable to a range of attacks
o Man in the middle (MITM) attacks exploiting TLS/SSL interception
o Other TLS/SSL vulnerabilities
o Session hacking
• More-successful companies are ahead of less-successful companies, but very few have effectively addressed all critical areas of UCC security
“Shadow IoT” Security
Planned IoT initiative:
• Strategy, architecture, roadmap
• Clear business goals
• Defined security budget
• Defined project team
• Can be integrated into overarching security strategy
Shadow IoT (biggest IoT threat!!):
• No strategy, architecture, roadmap
• No clear business goals or operational processes
• No defined project team (responsibility split among facilities, lines of business, IT)
• No budget
Putting “Sec” Into DevSecOps
Diagram: Security alongside the DevOps cycle of Version Control, Test and Build, Continuous Delivery, Configuration Management, Monitoring
Current State: Slouching Towards DevSecOps
Diagram: InfoSec AppSec, DevOps AppSec, DevSecOps
AppSec Staffing: More is Better
Chart: AppSec Staffing, More vs. Less Successful (percentage of respondents, 0-25% scale). Categories: more than one person; none (no infosec person responsible for AppSec); one person with only AppSec responsibility; one person with other infosec responsibilities in addition
Successful companies more likely to have larger AppSec team
Conclusions and Recommendations
• Benchmark SecOps metrics
• Assess cybersecurity maturity
• Develop roadmap for improvement
• Initiate project to assess ZTM
• Review “shadow” infosec areas; launch remediation projects if necessary
Additional Resources
Nemertes Security Strategic Support Program
• For Technology Users (IT, InfoSec, Marketing, other professionals):
o Assistance developing policy, business cases, strategy, architecture, roadmap, vendor strategic selection
o Data-based guidance on staffing, spending, budgeting, governance, operations
o Success metrics for comparable organizations
• For Technology Providers (Vendors, Carriers, VARs):
o Market trend and customer sentiment analysis
o Data-based guidance on marketing, product strategy, and go-to-market strategies
o Objective third-party marketing collateral
• As part of all Nemertes Services:
Ongoing support, telephone advisory service, written inquiries and access to all research