Persistent external factors shape emerging trends in security and risk management, from a widening skills gap to threats of ransomware. And the pandemic brought changes that are also shaping strategy.
The combination of existing cybersecurity hurdles and ones that became "the new normal" in the last 18 months has led to increased reliance on managed security and cloud-based services.
Businesses have more endpoints because of remote work than they would in an office, and it's not something Gartner sees decreasing anytime soon.
The research firm expects fully remote or hybrid workers to increase by 30% over the next couple of years, "and it will be a persistent delivery model for the foreseeable future," said Peter Firstbrook, VP analyst at Gartner, while speaking during the virtual Gartner IT Symposium/Xpo 2021 Monday.
Here are Gartner's top eight trends in security and risk management:
Settle into remote work
While enterprises have the freedom to recruit talent from anywhere, security challenges test the convenience. Businesses are replacing on-premises software with cloud-based solutions, and the focus is shifting toward managing and securing cloud-delivered services in order to achieve sufficient visibility.
The physical security that an office provided for devices is no longer there, so companies have had to pivot their data privacy management. "You have to start thinking about things like your backup and restore policy if they're no longer connected to the LAN. How do you back up these remote machines?" Firstbrook said.
Companies can begin breaking down their long-term remote security and privacy management by identifying different types of users, determining which transaction systems each relies on and what risk a given user carries. Firstbrook recommends companies create a matrix of policies for remote users to refer to.
"This is not something that's going to go away, you have to be able to support almost every worker in a remote capability over the next couple of years," he said. Aim to adopt modern management infrastructure that can oversee all end user devices in a remote landscape.
Cybersecurity mesh architecture
Gartner has found many clients are still locked into LAN-centric security, including firewalls and intrusion detection services, according to Firstbrook. "The reality is they have to start to break that out … What we want to start focusing on now is more composable security services, that we can apply enforcement where the asset is, and then we can centralize policy."
Last year, Gartner projected cloud access security broker (CASB) investments would grow, and adoption is expected to continue increasing this year. CASBs "allow you to apply a single policy for multiple, different, distributed cloud applications," including Office 365, Salesforce or Workday, Firstbrook said.
In security mesh architecture, "we can apply policy across these different realms that is independent of those assets that we're trying to protect" in cloud applications and end users, Firstbrook said. In addition to CASB, other mesh examples include analytics, policy management and threat intelligence, all triaged in layers.
These solutions will help create a mesh architecture that "allows us to apply or build a central policy and apply it at the point of consumption, rather than relying on a physical infrastructure that we control," he said.
Additionally, companies should aim for interoperability of API security controls, so different IT solutions can "talk" to each other. If the email security solution cannot talk to the firewall or inform the incident response process, security silos remain. The integration of these controls is what's leading to extended detection and response (XDR), another example of mesh architecture.
Vendor consolidation
CISOs are striving for simplification, according to Firstbrook. "They're no longer satisfied with buying independent, siloed, best-of-breed products to cover their security architecture. They're looking for an integrated platform where these products can talk to each other [and] they can share indicator of compromise (IOC) information."
In a global survey, Gartner found 80% of respondents are planning a vendor consolidation strategy in the next three years, while 30% are already undergoing the move today. "There's a huge pent-up demand for doing this," Firstbrook said. CISOs should have metrics that measure how consolidation is progressing in terms of efficiency and risk reduction.
This is not a cost-saving move. Only a small percentage of companies (15%) have seen cost savings since consolidating vendors. The benefits are primarily found in decreased response times, though it's a slow process.
"You want to start with easy consolidation targets, and you want to be patient. The consolidation strategy that most [Gartner] customers are undergoing now typically takes three to five years," Firstbrook said.
Identity-first security
Identity-first solutions are one of the "foundational cybersecurity mesh controls," Firstbrook said. "This is a future security control that you're going to have for the next 20 years — you've got to focus on this. Treat identity policy process monitoring as comprehensively as you used to treat traditional LAN controls."
Prior to mass remote work, a company's network perimeter was "the definition of their assets and control," Firstbrook said. With end users now reliant on cloud-based solutions, Gartner estimates about 80% of corporate traffic will not be "going over corporate LAN anymore."
This means "identity is the one thing you continue to control," he said. Having cloud applications means companies don't have control of the infrastructure running them, again, leaving identity as the only control a company has.
Cybercriminals know this too. Ransomware actors particularly pursue identity infrastructure, which allows for privilege escalation. In the SolarWinds hack, the threat actors "started on the LAN and then they went to the Active Directory. And then they use their privilege in the Active Directory environment to jump to Azure," Firstbrook said.
Single sign-on and multifactor authentication investments have been underway for years. The catch is monitoring those infrastructures for when a breach occurs. Network and endpoint detection and response isn't enough; companies need identity detection and response.
Machine identity management
"Applications are not monolithic. You build a small bit of application and you connect it via RESTful APIs with other bits of applications and then other bits of applications," Firstbrook said. Of those applications, companies may own some and not own others.
Because of this, machine identity works similarly to user identity, determining which data or transactions machines should have access to. Consider the SolarWinds hack: Threat actors leveraged the APIs in email access to leapfrog into the Office 365 environment.
"Think about all of the SaaS applications you have. A lot of them have utility applications that enhance — Salesforce, ServiceNow, Office 365 — to make them better or more secure. And all of those applications use API access to get access," Firstbrook said. If these sub-suppliers are hacked, attackers gain access to a customer's cloud apps.
The cybersecurity mesh architecture is partially done through APIs, which calls for a machine identity management program. The process will look similar to user identity management, because it starts with assigning responsibilities.
Breach and attack simulation
Simulation tools provide companies insight into how an attacker could move through their environment, showing organizations a map for where attackers could laterally move.
"Eventually I can define a path from my original access point, all the way to your critical resources," Firstbrook said. Again, using SolarWinds as an example: Attackers breached the privilege management system, working their way to Azure.
With every integration of new security solutions, red teams can test them using simulation tools. The majority of companies rely on pen testing, but the "problem with that is the penetration tester will find the easiest path to the goal. And they'll do it once," Firstbrook said. Applying a patch to a singular path will not close the possible remaining ones.
"Breach and attack simulation tools can test multitudes of paths and they can do it repeatedly throughout the year," he said.
Privacy-enhancing computation
Privacy-enhancing computation tools are the answer to protecting data while it is being processed.
There are three ways to do this:
- Data transformation, where data is transformed so the original value is not exposed but remains computable.
- Secure computation, where a type of data transformation is combined with a secure multiparty computation environment.
- Hardware-based security, where a trusted execution environment inside the hardware lets data be processed even when the surrounding system is operated by untrusted entities.
"These are very different technologies, and a lot of them are emerging out of academia. This market is growing at a rapid pace," said Firstbrook. These solutions are helping companies overcome privacy-, regulatory- and data-secrecy hurdles.
Companies will have to consider different types of technologies, because no single one fits every use case.
"We're seeing a lot of new projects move from sort of theoretical implementations to practical implementations in the real world through service providers," Firstbrook said.
Cyber-savvy boards
Following the SolarWinds attack, the company added a cyber-specific committee to its board of directors. This is a trend more companies are following.
Boards are realizing "they have to get smarter, and they need a liaison between the technical capabilities of the IT department and the security department," with the business knowledge the board possesses, said Firstbrook.
Former CISOs are joining more boards, and consultants are serving as cyber translators. This means CISOs should expect the cyber literacy of their boards to increase over time. In the interim, Gartner recommends CISOs continue to present cyber risk in the context of overall business risk.
"For example, privacy enhancing computation will allow us to share information with some of our partners and competitors so that we can have better market understanding so that you can sell more widgets. That's the kind of communication they want," said Firstbrook.