Phishing training, automated security scanning and micro-segmentation have been replaced by container security, incident response and business email compromise technology in the top ten security projects for the year.
According to Gartner distinguished VP analyst Neil MacDonald, these projects can help users “reduce risk and improve posture” but too often, “the fear of imperfection holds us back.” Speaking at the Gartner Security and Risk Management Summit in London, he said that of the top ten projects from 2018, five remain the same, while five change. The five that remain were:
Privileged Access Management – MacDonald recommended tying this into “trouble ticket systems” and advised adding multi-factor authentication for all admins, and putting in privileged access management where there is administrator access.
CARTA-Inspired Vulnerability Management – MacDonald said that there is an admission that you will never be completely patched, so users need to patch the critical vulnerabilities that are of most risk. “I believe patching is broken and should be a priority project for this year,” he said.
Detection and Response – MacDonald recommended the use of endpoint detection and response (EDR) technologies to provide a fuller detection capability, and advised investing in EDR and incident response processes. Alternatively, he said to consider using premium support and outsourcing.
Cloud Security Posture Management (CSPM) – MacDonald said that “business units are making mistakes in configuration of AWS and Azure.” For a single cloud provider, he recommended looking for native capabilities or cloud access security broker (CASB) technology. For multi-cloud use, prioritize remediation, sign 1-2 year contracts and reassess often.
CASB – The final project of the top five is CASB, which MacDonald said is “becoming a mainstream technology.” He recommended starting with cloud application discovery, favoring a multi-mode CASB (using proxy and APIs).
The five new projects were:
Business Email Compromise – MacDonald said that this has been switched from anti-phishing “as it is not enough” and that BEC is not an anti-malware problem, but a “poorly-designed access problem.” He advised combining technical controls as a solution.
Dark Data Discovery – He said that this is technology to crawl data sources and understand what is sensitive, what is not, and what should be archived. He advised implementing a “defensible deletion” or other data management strategy.
Security Incident Response – MacDonald said that services are needed to create an incident response plan, and to be able to “engage it before it happens.” He advised looking for an incident response provider who understands your operations and processes.
Container Security – MacDonald said that this will happen with or without security because of developers, “and it is our job to secure them, and the good news is there are vendors doing this.” He advised integrating or automating this technology natively into your development process, and scanning for known vulnerabilities.
Security Ratings Services – The final new project involves creating a web of interconnectivity where a vendor gives a score of security posture. He said that this will allow visibility of the supply chain, and he advised making security risk services part of a comprehensive program.
In conclusion, he recommended picking at least two projects: an intelligent, CARTA-inspired vulnerability management project, and MFA for admins.
The five that were removed were:
- Active Anti-Phishing Project
- Application Control on Server Workloads
- Automated Security Scanning
- Micro-Segmentation and Flow Visibility
- Software-Defined Perimeter
Asked why only five of the ten were changed, MacDonald acknowledged that delegates have “resource, staff and budget constraints and you cannot do all ten, so look at the list and see which affect you.”