The Future of Global Information Security: Information Security Five-Year Scenario
Perry Carpenter, MSIA, C|CISO
Leadership Partner
EITL Security & Risk Management
© 2014 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in
any form without Gartner's prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on
gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness
or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research
organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a
discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its
shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these
firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information
on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity."
Controls Help Us Achieve the Target
Level of Security
But with hundreds of potential controls, we need
a way to select the right ones
The Strategy Tool: Four strategies for selecting controls
Search & Destroy
Castles & Moats
Psy Ops
Behavior Jujitsu
Fact: The Real World Changes
• It no longer works to base control decisions on
past performance
• We need a way to plan for the ways the world
might become, not how it was
• We need a five-year planning guide that:
- Identifies possible future conditions
- Provides a way of detecting shifts in
direction (guideposts)
- Calls out control requirements early
Problem Statement
How will the Nexus of Forces
(cloud, mobile, social and
big data) plus other forces and
trends, transform the practice
of information security and
IT risk management between
2014 and 2019?
• What are the two most powerful
uncertain forces driving change?
• How might those forces interact?
What evidence exists now?
Critical Issues
• How might the world change?
• How shall we detect that change?
• How shall we deal with that change?
Threats Against Targets: A Moving
Target
As servers move into the cloud
As enterprise security improves
As mobility drives increased connectivity out to
the edge
As the value at the edge increases
As end-node compromise tools continue to
become more automated
And …
Orders of Magnitude
… as the number of highly trained cyber-students
increases by orders of magnitude:
- Over 100 "white hat" hacker university degree programs
in U.S. funded by NSA and DHS.
- Similar programs in UK.
- 10th through 12th grade training for all in Israel.
- Similar programs growing worldwide.
- China in a leadership position?
Now assume that 90%
stay on the "white hat" side.
Trend: Our X Axis
Security compromise of enterprise accounts may become
more heavily weighted to indirect attacks through captured
end nodes, or may focus even more clearly on servers.
[Figure: TARGET axis, running from Enterprise to Individual.]
Who Will Save Us …
… From the chaos that is the Internet?
• Nation-states want to carve the Internet into
manageable pieces.
• Cloud and Big Data push toward less regulation.
• Governments threaten to regulate.
• "Critical infrastructure" is continuously redefined.
• But very little actually gets done.
• And what does get done takes a looooong time.
Trend: Our Y Axis
The level of market intervention can vary dramatically,
shifting costs and influencing business flexibility.
[Figure: AUTHORITY axis, running from Tribal to Monolithic.]
The Gartner Security Scenario 2014-2020
Coalition Rule
Neighborhood Watch
Regulated Risk
Controlling Parent
How we select from and apply our four control strategies will
depend on how the world changes for our organization.
The Gartner Security Scenario 2014-2020
[Figure: quadrant grid of AUTHORITY (Tribal to Monolithic) against TARGET (Enterprise to Individual), with the quadrants numbered 1 to 4.]
Regulated Risk (quadrant 1)
Enterprise Target, Centralized Authority
• Governments use regulation to provide safety
• An attack can become an act of war
• All infrastructure becomes critical infrastructure
• Enterprises are held responsible for actions of employees
PUSHING TOWARD THE CORNER
Evidence: Critical infrastructure directive
Coalition Rule (quadrant 2)
Enterprise Target, Fragmented Authority
• Warlords and cartels rule
• Corporations establish fiefdoms, suppress independent innovation
• Aggressive corporate and national espionage
• Supply chain for offensive activities
• Underground economy grows
PUSHING TOWARD THE CORNER
Evidence: Cyber and Cloud Security Alliances; drug cartel use of Internet
Controlling Parent (quadrant 3)
Individual Target, Centralized Authority
• Attacks against individuals push government to act
• Governments try to establish a norm of personal responsibility
• Theft-oriented botnets proliferate
• Surveillance society grows
• Strong privacy regulations emerge
• Mobile devices become closed, curated
PUSHING TOWARD THE CORNER
Evidence: Do not call list; FISA amendments
Neighborhood Watch (quadrant 4)
Individual Target, Authority Breakdown
• E-militia emerge — self-organizing protection societies
• Extreme anarcho-hacktivism
• Internet resembles gangs of New York
• Corporate and communal walled gardens form
• Extensive darknet and dependence on anonymity
• E-commerce declines due to distrust
PUSHING TOWARD THE CORNER
Evidence: Islamic Internet efforts; increase in identity theft; "net nanny" approaches
The Gartner Security Scenario: Evidence for Every Direction
[Figure: quadrant grid (Tribal to Monolithic, Enterprise to Individual) marked with NOW and the evidence points CSA, Islamic Internet, CID and DNC.]
So Watch for the Milestones
[Figure: quadrant grid, Tribal to Monolithic against Enterprise to Individual.]
Four Different Threats and Opportunities
• Regulated Risk:
- Threat: Over-regulation increases cost without decreasing risk
- Opportunity: Lobbying can influence direction and degree
• Coalition Rule:
- Threat: Increase in attacks could cause severe damage
- Opportunity: Found (then dominate) an industry standards group
• Controlling Parent:
- Threat: Privacy regulations will inhibit business operations
- Opportunity: Surveillance society benefits those who do Big Data well
• Neighborhood Watch:
- Threat: E-commerce drop; reputation and trust failures
- Opportunity: Form your own protection society for your customers
Understanding the Strategy Tool
[Figure: two-by-two grid of Active and Passive Controls against Technical and Behavioral Controls, holding Search & Destroy, Castles & Moats, Psy. Ops. and Behavior Jujitsu.]
Four Control Directions
• Castles and Moats:
- Traditional passive technical controls
- Isolation via network architecture and access controls
• Behavior Jujitsu:
- Improved security training programs as passive
(defensive) behavioral controls
• Search and Destroy:
- Active technical approach to returning fire
• Psy. Ops.:
- Advanced behavioral intervention
The Controls We Need Vary With the Environment We Are in
[Figure: the four scenario quadrants: Coalition Rule, Neighborhood Watch, Regulated Risk, Controlling Parent.]
Control Interdependence
[Figure: strategy-tool grid (ACTIVE to PASSIVE, TECHNOLOGICAL to BEHAVIORAL) with the labels SWG, Admin, SIEM and Usage Guideline.]
Building a Strategic Response
[Figure: strategy-tool grid (ACTIVE to PASSIVE, TECHNOLOGICAL to BEHAVIORAL) with the labels Event Log, Report Incident, Confront Tailgaters and Acceptable Use Guide.]
Using the Strategy Tool — an Example
[Figure: the four scenario quadrants: Coalition Rule, Neighborhood Watch, Regulated Risk, Controlling Parent.]
Neighborhood Watch:
• Threat: E-commerce drop; reputation and trust failures.
• Opportunity: Form your own protection society for your customers.
Control requirements?
• Distributed, autonomous:
- Can run in isolation on consumer endpoints.
• Extended perimeter (VPN):
- Centrally managed but remotely initiated.
• Endpoint neutralization:
- DDoS of attack sources.
Control options?
• Passive behavioral:
- Observe and report.
• Passive technological:
- EPP platform with VPN agent.
• Active technological:
- Identify and attack apparent attack sources via neighborhood watch botnet.
To Do List
• Gartner:
- Special report phase 1
- Special report phase 2
- Ongoing research publication
• You:
- Analyze the impact of the four quadrants
on your organization
- Outline your response to each of the four quadrants
using the strategy tool
- Monitor the environment for milestones as they occur
- Shift your controls strategy as change happens