Gartner’s Top 10 for InfoSec in 2016: 10 More Useless Acronyms?

On June 15th, Gartner released its Top 10 Technologies for Information Security in 2016. As a security ‘professional’ with over 15 years front-line experience, it has taken me this long to find out what half of these things are even trying to achieve. My initial impression was that this was just an attempt to corner the market on acronyms.

Now that I’ve had a little more time to look at them, it’s not just about acronyms, it’s about selling things. Things the vast majority of businesses don’t need. Things that if you DID introduce them into your current environment it would be like building a castle on a swamp (hope you got the Monty Python reference);

Utterly useless, expensive, and completely missing the point.

The breakdown:

  1. Cloud Access Security Brokers (CASBs), provide a “…critical control point for the secure and compliant use of cloud services across multiple cloud providers.” – In the real world this is called performing proper due diligence, before you outsource to a cloud provider. The right reporting should be built into the SLAs. Good God, even the PCI DSS makes this a requirement!
  2. Endpoint Detection and Response (EDR), “EDR tools typically record numerous endpoint and network events, and store this information either locally on the endpoint or in a centralized database.” then compare the output to “known indicators of compromise (IOC)”. [Ed. note the 2-for-1 on the acronym front] – Why the Hell would you wait for a ‘known indicator of compromise’ instead of trying to fix the problem pro-actively first?! Hardening guides, vulnerability management, system baselining, FIM et al are all designed to produce baselines of known-good configs, thereby minimising exposure. This is nothing more than a rebranding of a basic security tenet in order to sell a technology.
  3. Non-Signature Approaches for Endpoint Prevention, uses “machine learning-based malware prevention using mathematical models as an alternative to signatures for malware identification and blocking.” – Seriously (see 2. above)? Once you have your system at a known-good config, stop anything NOT that. Are you seriously going to spend God-knows how much on a new technology instead of doing what you SHOULD have been doing all along …for free(ish)?
  4. User and Entity Behavioral Analytics (EUBA), “…provides user-centric analytics around user behavior, but also around other entities such as endpoints, networks and applications.” – This one just pisses me off, and I can only assume Gartner were paid a ton of money by EUBA vendors to add this to the list. This is the THIRD nod to baselining and I’m only at number 4 on the list.
  5. Microsegmentation and Flow Visibility, which is basically more granular segmentation (think system-to-system instead of the usual network-to-network). – So let’s see; most organisations have horrible segmentation at the network level, so to combat this, buy a technology that puts the ‘firewalls’ on each endpoint and maps your traffic flows at that level. I have an idea, why don’t you just do segmentation properly with the infrastructure you have and THEN decide if you need more. I seriously doubt you will unless you’re an IaaS/PaaS provider.
  6. Security Testing for DevOps (DevSecOps) – In other words; building security and security testing into every step of the development process. This is new? I have to assume this was just padding to avoid a Top 9 scenario.
  7. Intelligence-Driven Security Operations Center Orchestration Solutions, “an intelligence-driven SOC [ISOC] also needs to move beyond traditional defenses, with an adaptive architecture and context-aware components.” – So what you’re saying is; Let me know if something happens that’s not normal? Errr, isn’t that reporting events outside of a KNOWN-GOOD BASELINE!?!
  8. Remote Browser solutions “…remotely present the browser session from a “browser server” (typically Linux based) running on-premises or delivered as a cloud-based service.” – This one kinda makes sense, but haven’t we had jump-servers for decades that could do something very similar?
  9. Deception “technologies are defined by the use of deceits and/or tricks designed to thwart, or throw off, an attacker’s cognitive processes, disrupt an attacker’s automation tools, delay an attacker’s activities or disrupt breach progression.” – Anyone who uses this technology deserves to be hacked. This is perhaps the stupidest concept I have ever seen and I cannot believe it’s on anyone’s list. Gartner should actually be ashamed of themselves.
  10. Pervasive Trust Services, “As enterprise security departments are asked to extend their protection capabilities to operational technology and the Internet of Things, new security models must emerge to provision and manage trust at scale.” – Finally we agree on something; centralised management of end-points based on known-good configs.

As far as I am concerned, 99.9% of organisations can effectively ignore this Top 10 list. You will NEVER find a technology that fixes stupid. Just do security properly and you’ll achieve what every organisation is looking for; appropriate, value-for-money, security.

It’s a shame Gartner can’t monetise a ‘Top 10 Information Security Back to Basics’, that would actually be worth a read.


7 thoughts on “Gartner’s Top 10 for InfoSec in 2016: 10 More Useless Acronyms?”

  1. Totally David. Yes.

    Additionally:

    1. AD/LDAP and federation. Benefits of adding another layer? > /dev/null
    2. the war on endpoints was lost before the good guys even knew there was a war. Write off user subnets. Use firewalls to prevent direct connections to critical infrastructure.
    3. As you said, see point 2.
    4. See point 2 and 3 after a psychologist.
    5. We are doing a lot of “big” as in “big data” before even starting to do small data. If you put an Oracle 10g in a cloud, you should never use the word ‘big’. Again. And now here – “micro” segmentation, for organisations who struggle with even 1 segment. Their ops girls bypass the inner DMZ firewall with dual homed XP boxes because the firewall annoys them. So yes, let’s have a firewall on everything. This one worries me because of the blow back. Existing OS firewalls can be set up to do simple stuff like just block all incoming on remote devices…but the reaction to messing with local packet filters and having false positives will be for Ops to disable all firewalls. Internet cafe – wifi – open SMB.
    6. yes, because Devops don’t have enough to worry about with security. Devops crews are one of the few who take it seriously, then we’re even to alienate those folks too. #happydays
    7. the word “orchestration” is there, hey where’s my procurement manager? I’m signing up. This one is possibly the most vile I’ve seen in recent times.
    8. Yes, sounds like a proxy or presentation layer concept as in the old X-term days. Still needs something local on clients though. At least this one isn’t obviously insane from first glance.
    9. never was a big fan of e.g. honeypots – it’s another device that requires management, and therefore comes with an ops cost…like to keep an open mind but it’s just more stuff to manage.
    10. If they’re talking detecting changes…this is a good move. Facebook bought into this effort https://osquery.io/ …this is quite a wide focus though. And there’s Netdelta (shameless self promotion) for the network – still in its early days

  2. David. Great BLOG. As I used to tell all my students at QSA Class; if you don’t come up with a NEW acronym, I may fail you! LoL

  3. Hi David

    This made me laugh a lot and I was reminded of the conversation we had yesterday at PCI London over a glass of wine over acronyms….

    BIA – Bollax In Abundance

    Keep up the good work
    Dave
