By Jason Pappalexis, John Whetstone, Will Fisher, Mike Spanbauer
The only constant in security is change. Over the last few years, we have witnessed a growing consensus among security practitioners that everyone is at risk of a breach, and that it is hard to do security well all the time. At NSS Labs, we spend our days helping enterprises choose the right technologies for their organizations and become more aware of gaps that may exist within their security controls. Organizations measure their own efforts against security “best practices,” though “best” is a pinnacle that is nearly impossible to reach. We believe that instead, there are always “better practices,” a number of which revolve around the concept of change and control management, where iterating improvements continuously improve the operation.
Optimal security is, by its very nature, dynamic. Each new vulnerability, vector, and technique requires that an enterprise carefully assess whether its current approach will provide effective protection. Organizations understand that change is constant, but the ability to effectively manage, track, and document that change is what differentiates truly great technology programs. Attackers are iterating faster, threat tools are more effective and propagating faster than ever before, and social media makes it simpler for threat actors to capitalize on the latest vulnerability—it’s no wonder choosing the right protections is incredibly difficult. Security controls must integrate well into existing environments while simultaneously being easily managed and operated by staff . . . This is no small task.
To succeed in cybersecurity today, we believe the following key points must be considered:
Every member of your organization is a potential partner in reducing risk.
Elegant change management requires change competency. Each team and function should have an advocate or ambassador to facilitate changes across the organization.
Mistakes will happen; there must be risk tolerance and a supportive environment for risk-taking. Innovative approaches to managing new technology often require thinking outside the box. Change introduces anxiety, and so organizations must build a culture that supports those willing to take on the task.
In this blog, we’ll share our perspective on technologies and trends that ought to be considered by enterprises in 2018.
Will Fisher, PhD: Research Analyst, Enterprise Research Architecture
Machine learning: Conceived more than 50 years ago, machine learning is a hot topic once more—but buyer beware.
Despite sweeping and effusive marketing claims, machine learning (ML) is simply a new term for the computer-assisted application of statistical models that have been around for decades. Every vendor now touts its product’s machine learning capabilities, but that’s only because everything is now machine learning—from the simplest logistic regression to newer and more complex statistical models like support vector machines. We aren’t suggesting that these models aren’t effective; rather, we are recommending that folks take a look under the hood of marketing claims. Not all machine learning models are created equally.
SD-WAN: SD-WAN technology is predicted to own a significant portion of the corporate perimeter within the next 12–24 months.
Software-defined wide-area-network (SD-WAN) technology is broadly utilized in US enterprises in hardware, cloud-based, and hybrid deployments, and NSS predicts that adoption of this technology will continue to grow rapidly. Enterprises are leveraging this technology for a number of reasons, such as management of multiple networks, automation, increased WAN visibility, and more. The potential for SD-WAN to reshape the way enterprises buy and use carrier-connected services is enormous, as both enterprises and carriers are poised to benefit. We predict that in the future, SD-WAN will incorporate a significant portion of the corporate perimeter. In a recent NSS study, 72% of information security professional respondents stated that they consider SD-WAN appliances to be security products. In 2018, NSS will conduct its first-ever test of this technology—keep an eye out for results.
Jason Pappalexis: Managing Director, Enterprise Research Architecture
Encryption: Enterprises will see a rise in the number of threats that use encryption. Additionally, trust will become even more important as end users learn that encryption provides confidentiality and integrity.
Encryption will remain in the spotlight in 2018, as it is a foundational security concept that impacts all aspects of digital communication. Expect an increasing level of awareness over the next 12–18 months, as users begin to educate themselves about encryption use cases—for instance, the difference between end-to-end encryption and perimeter-to-perimeter encryption. In addition, expect an increase in public awareness of the need for standardization of reporting certificate validation levels within browsers. For example, free, domain-validated certificates are the lowest tier of validation, despite the presence of a padlock in the browser URL bar.
We predict that encryption discussions will include topics such as the need for decrypting network traffic within the enterprise and the performance impact of decryption on hardware appliances.
Interoperability: While security effectiveness and performance are the product selection criteria most often discussed, interoperability must also be considered. No enterprise wants a technology that “does not play well with others,” as the operational burden is incredible, in terms of costs of deployment and further maintenance.
Security control product selection includes multiple phases, the first of which is typically based on security effectiveness and performance. Almost immediately thereafter, the ease of which these devices are deployed and share information becomes paramount.
There is an increased awareness of the effort required to integrate security controls within an environment. Today’s security controls must be able to ingest content and share data with a number of adjacent systems. Since few organizations (only the very small or very new) have the luxury of using a single security control brand (not to mention models and firmware versions), deployment and management efforts are resource-intensive. Expect in the next 12–18 months for enterprises to drive interoperability discussions in every technology decision.
Internet of Things: The lack of security for Internet of Things (IoT) products will continue to enable an “Internet of DDoS.”
Expect the train wreck caused by a lack of security for IoT products to continue for the foreseeable future, as consumers’ demands for convenience technology will quickly surpass their knowledge of fundamental security principles. The saying “just because we can, doesn’t mean we should” easily applies to embedded Internet connectivity. Each one of the billions of connected, embedded microprocessor devices could potentially be involved in large denial-of-service (DoS) campaigns; it is not a stretch to expect a large DoS attack to occur in 2018.
John Whetstone: Research Architect, Enterprise Research Architecture
Cloud security and SaaS concerns: Enterprise use of cloud-delivered applications will remain high in 2018.
Applications delivered through the software-as-a-service (SaaS) model enable enterprise users to take advantage of business-critical applications from any location. In addition to ubiquitous access, enterprises who deploy SaaS-based applications typically realize improved ROI, since license fees are largely nonexistent and no hardware is required to support the applications.
At face value, this seems fantastic—however, SaaS presents its own set of challenges for enterprise security teams. Often, enterprise security teams turn to cloud access security brokers (CASBs) to centralize identity and access management, roll out global policies, and block unauthorized SaaS use.
In a recent NSS study, 62.9% of responding security professionals reported being subscribers of SaaS products, while 60.7% indicated the utilization of a CASB. Over the next 12–18, months expect the CASB market to experience rapid, double-digit year-over-year growth, which compliments an ever-expanding SaaS market.
Microsoft makes a move in the cloud space: Microsoft Azure will continue to challenge Amazon Web Services (AWS) for control of the large enterprise vertical.
According to our recent study of cloud adoption across US enterprises, Azure leads AWS in both large enterprise (LE) and very large enterprise (VLE) private cloud deployments. This makes sense, as many IT professionals have worked in homogenous Microsoft environments for decades. One of Microsoft’s latest offerings, Azure Stack—an on-premises version of Azure—allows for enterprises to physically deploy Azure cloud computing services within their own data centers. It also enables consumption of traditional, cloud-based Azure services on-demand. Unlike yesterday’s on-premises hardware deployments, Stack adopts the pay-as-you-grow pricing model that cloud-consuming enterprises have grown accustomed to. When it comes to the private and hybrid cloud deployment models, Azure Stack could be the silver bullet that enables Azure to conquer the LE and VLE verticals.
Mike Spanbauer: VP Research Strategy
Cloud visibility and resource management: Enterprises must take control of their cloud use (before the cloud takes control of them).
As the digital economy continues to accelerate along with the cloud-based service model, so too does the need for enterprises to manage or at least maintain visibility of the cloud’s operational impact. Whether an enterprise abdicates management responsibility (but not liability or shared responsibility) to a provider or chooses to utilize virtual private cloud (VPC) options, it is necessary to ensure that each instance of the VPC behaves, reports, and handles data the way it is supposed to.
Policy management used to be less complicated; for example, firewalls and ACLs were very simple, and active directory solutions had explicit account policies. But the cloud is not run on your own hardware, and in some cases each discrete data element is managed and processed by another entity—and may even simultaneously be in use by other tenants. Policy technology is undergoing a transformation, ranging from CASB to virtualized security, and there are a number of challenges associated with the elastic expansion capability of cloud-based workloads, which demand real-time policy synchronization beyond any we have seen.
In conversations with enterprises, the NSS architecture team has discovered that many organizations are looking to regain control of the cloud; vendor marketing often makes it difficult to separate fact from fiction. 2018 will be a break-out year for some policy and cloud management solutions as enterprises look for ways to address the operational pain felt today.
If you’re considering purchasing one of the technologies mentioned above or are looking for a partner you can trust to provide direct, actionable guidance, we’d love to talk with you. Every choice an organization makes involves change; managing that change well and making the right choice based on interoperability has considerable influence on the outcome of any project. You can also visit the NSS Labs Research Library to view and download group test reports, analyst briefs and other valuable resources that help enterprises to make informed cybersecurity purchasing decisions.
Follow us on Twitter (@NSSLabs) to keep informed as new research is released.