Gartner Summit Reports
Mark Nicolett, managing vice president at Gartner Research, reviews the security perception among corporates:
Manoj Agrawal: What are the cyber criminals thinking these days?
Mark Nicolett: It is difficult to discern what is coming from that community. Attackers have done extremely well by focusing on vulnerabilities that have been exposed for a while, and they find lots of such opportunities. They also have zero-day exploits. Once it is exploited, its value decreases.
Manoj Agrawal: What is your evaluation of the preparation and response by the companies at large?
Mark Nicolett: Most companies work in a reactionary mode. The vast majority are not at the point where they are integrating threat intelligence of past and present attacks. So, the first step is for organizations to prioritize both their patching and blocking activities. That is an area where some improvement would bring in productivity. What is holding them back is the lack of ability to automate this until recent times. Common practice is to prioritize remediation based on severity of the attacks. Only a tiny fraction of the vulnerabilities that are exposed are being used for attacks. Blocking functions come by the user company.
On a practical level, the focus is more on detection and response and less on patching and blocking. That trend is well underway. There is increasing demand for managed detection and response compared to alerts. Security monitoring is broad but noisy.
Manoj Agrawal: When a company makes a deliberate choice-based pricing decision, what security aspects typically get compromised?
Mark Nicolett: What gets compromised is staffing. There is budget to acquire products or services, but it requires labor, and that is where the problem is. It is true that talent is hard to find and retain. Also, process development is slow. Companies have budget for technology, but there are restrictions on head count. There are so many technologies to operate that they operate each one poorly. The technology runs, but neither effectively nor efficiently.
The solution is to challenge the conventional wisdom on risks and controls. For example, strict password hygiene is known not to be effective, but it is still required.
Manoj Agrawal: What are the recent initiatives in companies to defend themselves?
Mark Nicolett: There is a big jump in the interest in detection and response. Efforts are focused more on detection rather than documenting. Use of behavior analytics – user and network – is a big leap. Similarly, using profiles for anomaly detection. There is vendor-supplied content such as threat models. It is difficult to go outside the models provided by vendors. Signal-to-noise ratio is still too low.
Manoj Agrawal: How effective are the various new companies that are coming into the market? How are the large security vendors reacting?
Mark Nicolett: There is a tension in the market. There is pressure to create point solutions, especially by startups. They gain traction, and a lot of VC money is thrown at them. Some of these get acquired by the larger vendors, and the new capability is incorporated by the big companies. Financial companies are early adopters of the point solutions – in some cases they become co-developers.
Other companies wait until their incumbent vendor acquires the solution and offers it. Maybe there is room for a few point solutions. A lot of companies are okay with the good enough and not the best. A stable vendor helps productize the solutions.
Most new solutions are driven by a higher signal-to-noise ratio. Later on, they face issues around developing support for whatever they are offering. There is need for content for other use cases and generic cases. That is where differences in products show up. Also, there is the issue of developing the user interface.
Many times, big vendors have multiple priorities and cannot focus.
Mark Nicolett affirms that cyber criminals have done extremely well for a while and that they find lots of opportunities.