Companies going through digital transformation initiatives need their IT organizations to support an increased business tempo. While DevOps practices have helped IT increase their pace to keep up with market dynamics, security teams still need to follow suit.
InfoSec practitioners must modernize their practices to realize efficiencies in some of their most burdensome processes, like patching, credential management, and compliance.
By embracing a ‘secure by default’ posture, security teams can position themselves as enabling innovation rather than hindering it.
Join Pivotal’s Justin Smith and guest speaker, Fernando Montenegro from 451 Research, in a conversation about how security can enable innovation while maintaining best security practices. They will examine best practices and cultural shifts that are required to be secure by default, as well as the role processes and platforms play in this transition.
SPEAKERS:
Guest Speaker: Fernando Montenegro, Senior Analyst, Information Security, 451 Research
Justin Smith, Chief Security Officer for Product, Pivotal
Jared Ruckle, Product Marketing Manager, Pivotal
9. The Typical Scenario
Stages: Slow Enforcement, Project-based, Mass Casualties, Intractable
● Not enough security team staffing
● Enforcement stuck on a local maximum
● Team-based decisions and choice
● Massive variation across the organization
● Too many systems with poor compliance
● Triage becomes the vital skill
● Low morale
● No clear answer
● Mundane, never-ending tasks
10. INFORMATION SECURITY: BUDGETS AND OUTLOOK 2017
Information Security Spending Distribution Among Security Tools (Information Security Respondents)
Source: 451 Research, Voice of the Enterprise: Information Security, Budgets and Outlook 2017
Q5. Approximately, how is your organization’s total information security spending currently distributed across the following vendor-based security tools today? Please sum to 100%.
Percent of sample:

Category               2015 Q4 (n=724)   2016 Q4 (n=401)   2017 Q4 (n=371)
Network security       40.0%             37.5%             35.9%
Endpoint security      26.3%             29.4%             24.9%
Security management    19.6%             17.4%             20.0%
Application security   10.2%              8.9%             14.9%
Other                   3.9%              6.8%              4.3%
13. Culture
Reputation: Build Prestige
Shift away from domination and enforcement as primary tools. Collaborate and demonstrate value.
● Security Inceptions with teams
● Invest in external learning
● Reserved use of the Big Stick
Rotations & Education: Spread Awareness
Create the ability to rotate people onto the security team for 2-3 months. It will change the organization.
● Quarterly rotations
● Lunch & Learns
● Retros and stories
Skills & Hiring: Generalists & Specialists
Mix domain knowledge and generalists. New graduates tend to have higher security awareness.
● You gotta code
● Build tools others want to use
● Very little is rocket surgery
14. INFORMATION SECURITY: BUDGETS AND OUTLOOK 2017
Top Strategic Security Objectives (Information Security Respondents, n = 562)
Source: 451 Research, Voice of the Enterprise: Information Security, Budgets and Outlook 2017
Q2. What are your top strategic security objectives for 2018? Please select up to 3.
Percent of sample:

Implement or improve security monitoring                       34.5%
Minimize the probability or impact of a possible data breach   31.5%
Improve network security                                       24.2%
Secure emerging architectures including the cloud              22.1%
Implement or improve security analytics                        21.5%
Achieve regulatory compliance                                  20.5%
Improve application security                                   19.4%
Improve incident response                                      18.7%
Automate common security tasks                                 18.7%
Build (staff) the security team                                18.5%
Integrate new endpoint security tools                          15.3%
Raise the security team’s profile in the business              13.0%
Securing Internet of Things (IoT) devices                      11.2%
Other                                                           4.4%
15. Automation
App Scorecards
Centralize scoring for applications, turn it into a game that attracts participation and best practices.
● Security.yaml in repos
● Visible badging
● Opt-in participation
● Iterative scoring
Build Service Brokers
Automate onboarding and offboarding for accessing systems and API-specific tasks like AuthN/AuthZ & credentials.
● Control connection points
● Control credentials
● Ensure visibility
● Ensure consistency
Tiered Scanning
Dynamic, static, vulnerability, log, and configuration assurance scanning can all be completely automated.
● Control app stacks
● CI/CD scanning
● Ingestion scanning
● Logging alerts to SOC
● Configuration drift alerts
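The scorecard idea on this slide (a security.yaml in each repo, opt-in participation, a visible badge, scoring that is revised over time) can be made concrete with a small scorer. The following is an added example, not code from Pivotal or from the webinar; the keys in security.yaml (static_scan, dynamic_scan, dependency_scan, logs_to_soc, credential_source, patch_sla_days), the check weights and the badge thresholds are all assumptions chosen for illustration, and the flat-YAML parser only handles the "key: value" subset the sample uses so the script needs no third-party library.

```python
"""App scorecard: score a repo's security.yaml and assign a badge.

Added example, not Pivotal's code. The security.yaml keys, weights and
badge tiers are a hypothetical scheme; the deck only says that a
security.yaml lives in each repo and feeds a visible badge.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


def parse_flat_yaml(text: str) -> Dict[str, object]:
    """Parse a flat 'key: value' YAML subset (no nesting, no lists).

    "true"/"false" become booleans, bare digits become ints, everything
    else stays a string. Comments after '#' are dropped.
    """
    data: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        lowered = value.lower()
        if lowered in ("true", "false"):
            data[key] = lowered == "true"
        elif value.isdigit():
            data[key] = int(value)
        else:
            data[key] = value
    return data


@dataclass(frozen=True)
class Check:
    name: str
    weight: int
    passes: Callable[[Dict[str, object]], bool]


# Each check maps to a practice named on the automation slide (CI/CD
# scanning, logging alerts to the SOC, brokered credentials, patching).
CHECKS: List[Check] = [
    Check("ci_sast", 20, lambda d: d.get("static_scan") is True),
    Check("ci_dast", 20, lambda d: d.get("dynamic_scan") is True),
    Check("dependency_scan", 20, lambda d: d.get("dependency_scan") is True),
    Check("logs_to_soc", 15, lambda d: d.get("logs_to_soc") is True),
    Check("credentials_brokered", 15,
          lambda d: d.get("credential_source") == "service-broker"),
    Check("patch_sla_days", 10,
          lambda d: isinstance(d.get("patch_sla_days"), int)
          and d["patch_sla_days"] <= 30),
]


def score(manifest: Dict[str, object]) -> Tuple[int, List[str]]:
    """Return (points out of 100, names of the checks that failed)."""
    total = 0
    failed: List[str] = []
    for check in CHECKS:
        if check.passes(manifest):
            total += check.weight
        else:
            failed.append(check.name)
    return total, failed


def badge(points: int) -> str:
    """Badge tiers are arbitrary thresholds; tune them as scoring iterates."""
    if points >= 90:
        return "gold"
    if points >= 70:
        return "silver"
    if points >= 50:
        return "bronze"
    return "none"


# Constructed sample security.yaml for an app that opted in.
SAMPLE_SECURITY_YAML = """
# constructed sample, not a real repo's file
app: payments-api
opt_in: true
static_scan: true
dynamic_scan: false
dependency_scan: true
logs_to_soc: true
credential_source: service-broker
patch_sla_days: 14
"""


def scorecard(text: str) -> Dict[str, object]:
    """Score one repo's security.yaml; apps that did not opt in get no score."""
    manifest = parse_flat_yaml(text)
    if manifest.get("opt_in") is not True:
        return {"app": manifest.get("app"), "opted_in": False}
    points, failed = score(manifest)
    return {"app": manifest["app"], "opted_in": True, "score": points,
            "badge": badge(points), "failed": failed}


if __name__ == "__main__":
    print(scorecard(SAMPLE_SECURITY_YAML))
```

Running the sample gives a silver badge at 80 points with only the dynamic-scan check failing, which is the kind of concrete, visible result that makes the game worth joining; because the checks are data, the "iterative scoring" bullet is just editing the CHECKS list and re-running it across every opted-in repo.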
16. INFORMATION SECURITY: BUDGETS AND OUTLOOK 2017
Application Security Vendor Usage Allocation (respondents with application security in use or in pilot)
Source: 451 Research, Voice of the Enterprise: Information Security, Vendor Evaluations 2017
Q6. How is usage of application security tools allocated across the following teams in your organization? Please sum to 100.
Mean percent:

Team                      Q3 2015 (n=181)   Q3 2016 (n=256)   Q3 2017 (n=159)
Application Development   22.7%             27.6%             30.5%
Quality Assurance         17.5%             19.9%             16.6%
Information Security      57.3%             46.2%             44.7%
Other                      2.5%              6.2%              8.1%
17. Lean Controls
Compliance as Code
Inherit controls and compliance from the platform. Automate the documentation of controls and SSPs as part of team motion.
● Explore Open-Control.org
● Always-on, always-current SSP
● Expose as top-down controls
Leverage the Platform
Approach the platform as a way to gain radical control. Leverage all platform controls to inherit security in applications.
● Re-use vs. build
● Shorten the on-ramp
● Internal marketing
ATTACK-centric
Focus on Adversarial Tactics, Techniques, and Common Knowledge. Use standards as a way to benchmark resilience.
● Value-stream mapping
● Start with the adversary
● Describe threats and kill-chains
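The "inherit controls from the platform" and "always-on SSP" points above can be shown as a small control-inheritance calculation. This is an added example, not Pivotal's code and not the OpenControl schema the slide points to: the component layout (name, satisfies, inherits_from) is a hypothetical simplification, the platform and app records are constructed, and the control ids (AC-2, AU-2, SC-8, ...) are NIST SP 800-53 identifiers used only as labels.

```python
"""Compliance as code: derive an app's control coverage from its platform.

Added example, not Pivotal's code and not OpenControl's schema. The
component structure is a hypothetical simplification; narratives are
constructed.
"""
from typing import Dict, List

# Constructed platform component: the controls the platform implements
# and therefore lets every app deployed on it inherit.
PLATFORM = {
    "name": "example-paas",
    "satisfies": {
        "AC-2": "Accounts are managed through the platform identity service.",
        "AU-2": "Application logs are shipped to the central log sink.",
        "SC-8": "All routes terminate TLS at the platform edge.",
        "SI-2": "Hosts are rebuilt from a known-good image on each deploy.",
    },
}

# Constructed app component: the team documents only what the platform
# cannot do for it, and declares which platform it inherits from.
APP = {
    "name": "payments-api",
    "satisfies": {
        "AC-3": "Role checks are enforced on every endpoint.",
        "SC-13": "Card numbers are encrypted before storage.",
    },
    "inherits_from": "example-paas",
}

# Hypothetical control baseline the SSP must account for.
REQUIRED_CONTROLS = ["AC-2", "AC-3", "AU-2", "CM-6", "SC-8", "SC-13", "SI-2"]


def build_ssp(app: dict, platform: dict, required: List[str]) -> Dict[str, dict]:
    """Map every required control to implemented / inherited / gap.

    An app-level narrative wins over an inherited one; inheritance only
    applies when the app declares the platform it runs on.
    """
    inherits = app.get("inherits_from") == platform["name"]
    ssp: Dict[str, dict] = {}
    for control in required:
        if control in app["satisfies"]:
            ssp[control] = {"status": "implemented", "source": app["name"],
                            "narrative": app["satisfies"][control]}
        elif inherits and control in platform["satisfies"]:
            ssp[control] = {"status": "inherited", "source": platform["name"],
                            "narrative": platform["satisfies"][control]}
        else:
            ssp[control] = {"status": "gap", "source": None, "narrative": ""}
    return ssp


def coverage(ssp: Dict[str, dict]) -> Dict[str, int]:
    """Count controls by status; the 'inherited' share is what the platform buys the team."""
    counts = {"implemented": 0, "inherited": 0, "gap": 0}
    for entry in ssp.values():
        counts[entry["status"]] += 1
    return counts


def gaps(ssp: Dict[str, dict]) -> List[str]:
    """Controls nobody has documented: the team's actual remaining work."""
    return sorted(c for c, e in ssp.items() if e["status"] == "gap")


def render_ssp(ssp: Dict[str, dict]) -> str:
    """Plain-text SSP table, regenerated on every run so it is never stale."""
    lines = [f"{'control':8}{'status':13}{'source':15}narrative"]
    for control in sorted(ssp):
        e = ssp[control]
        lines.append(f"{control:8}{e['status']:13}{(e['source'] or '-'):15}{e['narrative']}")
    return "\n".join(lines)


if __name__ == "__main__":
    ssp = build_ssp(APP, PLATFORM, REQUIRED_CONTROLS)
    print(render_ssp(ssp))
    print("coverage:", coverage(ssp), "gaps:", gaps(ssp))
```

With the constructed inputs, four of seven controls are inherited from the platform, two are implemented by the app, and CM-6 is the single gap the team still has to document. Because the table is generated from the component records rather than written by hand, the SSP is "always-on, always current": re-run it in CI and the gap list is the audit to-do list.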
18. INFORMATION SECURITY: WORKLOADS AND KEY PROJECTS 2017
Status of Implementation (Information Security Respondents)
Source: 451 Research, Voice of the Enterprise: Information Security, Workloads and Key Projects 2017
Q10. What is your status of implementation for each of the following technologies?
[Stacked-bar chart, percent of sample per technology; segments: In Use (Not Including Pilots), In Pilot/Proof of Concept, Planning To Deploy in the Next 6 Months, Planning To Deploy in the Next 6-12 Months, Planning To Deploy in the Next 12-24 Months, Not in Plan. Only the leading "In Use" segment, by which the bars are ordered, is listed here.]

Technology                                                                    In Use
Firewall (Including Next-Generation Firewall) (n = 599)                       88.6%
Web Content Filtering (n = 586)                                               80.2%
Vulnerability Management (Scanning) (n = 588)                                 76.0%
Intrusion Detection/Prevention Systems (IDS/IPS) (n = 579)                    70.8%
Encryption (n = 588)                                                          70.6%
Information Security Awareness Training (n = 584)                             66.4%
Multi-Factor Authentication (n = 574)                                         55.7%
Web Application Firewall (WAF) (n = 522)                                      54.0%
Mobile Device Management (MDM)/Enterprise Mobility Management (EMM) (n = 568) 49.6%
Anti-DDoS (Distributed Denial of Service) (n = 525)                           46.9%
Computer Forensics/Incident Response (n = 542)                                44.1%
Identity as a Service (IDaaS)/Single Sign-On (n = 550)                        39.5%
Data Leakage Prevention (DLP) (n = 528)                                       33.0%
Managed Security Services Provider (MSSP) (n = 509)                           29.5%
Threat Intelligence Platforms (n = 501)                                       29.1%
User Behavior Analytics (UBA) (n = 489)                                       13.5%
19. Metrics
SOC Events
Grow operational maturity by constantly improving the quality and types of notifications in the SOC.
● Follows ATTACK concepts
● Doesn’t matter where you start
● Forces the right behaviors
Usual Suspects
Patching, vulnerabilities, # apps, # brokers, # DCs, # users, # FIDs, # certs, # domains, # security agents, team size, LOC, etc.
● The basics still apply
● Consider false positives also
● Reduce friction for adoption
Emphasize Age
Cluster, VM, container, brokers, credentials: they all have ages worth measuring and attempting to shorten.
● Older is more fragile
● Requires automation
● Forces the right behaviors
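The "Emphasize Age" column above, and the repave/rotate cadence on the closing slide, both reduce to one metric: how old is each cluster, VM, container, broker and credential, and how many exceed the age the team is willing to tolerate. The script below is an added example, not code from Pivotal or the webinar; the inventory records, the per-class age limits and the fixed "now" date are constructed so the output is reproducible, and the record fields (kind, id, created) are a hypothetical schema rather than any platform's API.

```python
"""Age metrics for clusters, VMs, containers, brokers and credentials.

Added example, not Pivotal's code. Inventory, age limits and the fixed
clock are constructed; the record schema is hypothetical.
"""
from datetime import datetime, timezone
from statistics import median
from typing import Dict, List

# Fixed clock so the numbers below are stable; a real run would use
# datetime.now(timezone.utc).
NOW = datetime(2018, 3, 1, tzinfo=timezone.utc)

# Hypothetical policy: oldest acceptable age per asset class, in days.
# Shortening these over time is the "attempt to shorten" on the slide.
MAX_AGE_DAYS = {"credential": 30, "container": 7, "vm": 14, "broker": 30, "cluster": 90}

# Constructed inventory snapshot (ISO-8601 creation timestamps).
INVENTORY = [
    {"kind": "credential", "id": "db-payments-rw", "created": "2018-01-05T00:00:00Z"},
    {"kind": "credential", "id": "api-token-ci", "created": "2018-02-20T00:00:00Z"},
    {"kind": "container", "id": "payments-api-0", "created": "2018-02-27T00:00:00Z"},
    {"kind": "container", "id": "legacy-batch-3", "created": "2018-02-10T00:00:00Z"},
    {"kind": "vm", "id": "diego-cell-12", "created": "2018-02-20T00:00:00Z"},
    {"kind": "cluster", "id": "prod-east", "created": "2017-11-01T00:00:00Z"},
    {"kind": "broker", "id": "mysql-broker", "created": "2018-02-01T00:00:00Z"},
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp; fromisoformat needs '+00:00', not 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def age_days(record: dict, now: datetime = NOW) -> int:
    """Whole days since the asset was created."""
    return (now - parse_ts(record["created"])).days


def overdue(inventory: List[dict], now: datetime = NOW) -> List[dict]:
    """Assets older than their class limit, oldest first: the repave/rotate queue."""
    hits = []
    for record in inventory:
        age = age_days(record, now)
        limit = MAX_AGE_DAYS[record["kind"]]
        if age > limit:
            hits.append({"kind": record["kind"], "id": record["id"],
                         "age_days": age, "limit_days": limit})
    return sorted(hits, key=lambda h: h["age_days"], reverse=True)


def summarize(inventory: List[dict], now: datetime = NOW) -> Dict[str, dict]:
    """Per asset class: count, median and max age, and how many are overdue.

    Median and max are the two numbers worth trending week over week;
    max age is the fragility indicator ("older is more fragile").
    """
    ages_by_kind: Dict[str, List[int]] = {}
    for record in inventory:
        ages_by_kind.setdefault(record["kind"], []).append(age_days(record, now))
    return {
        kind: {
            "count": len(ages),
            "median_age": median(ages),
            "max_age": max(ages),
            "overdue": sum(1 for a in ages if a > MAX_AGE_DAYS[kind]),
        }
        for kind, ages in ages_by_kind.items()
    }


if __name__ == "__main__":
    for kind, stats in summarize(INVENTORY).items():
        print(f"{kind:10} {stats}")
    for hit in overdue(INVENTORY):
        print(f"OVERDUE {hit['kind']}:{hit['id']} age={hit['age_days']}d limit={hit['limit_days']}d")
```

On the constructed snapshot the overdue list is the 120-day-old cluster, a 55-day-old database credential and a 19-day-old container, in that order; a credential that has outlived its rotation window by weeks is exactly the "leaked credential" exposure the closing slide's Rotate practice is meant to shrink. Running this from the same job that triggers repaves and rotations is what makes the metric "force the right behaviors" instead of just reporting them.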
20. INFORMATION SECURITY: ORGANIZATIONAL DYNAMICS 2017
Metrics To Manage Security (Information Security Respondents)
Source: 451 Research, Voice of the Enterprise: Information Security, Organizational Dynamics 2017
Q44. Which of the following metrics does your organization use/track for information security staff? Please select all that apply.
Percent of sample:

Metric                                             Q2 2016 (n=837)   Q2 2017 (n=421)
Security Incidents Resolved                        53.0%             47.5%
Tickets Resolved (e.g., ‘Trouble Tickets’)         42.8%             39.0%
Audit Issues Resolved                              44.9%             34.4%
Application Availability (e.g., Uptime/Downtime)   34.2%             34.2%
Project Completion                                 34.4%             32.3%
Time to Recovery/Restore from an Outage            31.2%             29.2%
Lack of Data Breaches                              32.4%             28.3%
We Don’t Use Metrics                               21.9%             21.9%
Other                                               2.2%              4.0%
23. Repair, Repave, Rotate, Turnkey Compliance
Repair: Repair vulnerable software as soon as updates are available.
Repave: Repave servers and applications from a known good state. Do this often.
Rotate: Rotate user credentials frequently, so they are only useful for short periods of time.
Turnkey Compliance: Apps inherit controls from the platform, simplifying audits.
Call to Action: Investigate Cloud Native Security
Reduce Your MTTR | Resist Advanced Persistent Threats | Reduce the Threat of Leaked Credentials