Gartner SRM 2017 Opening Keynote Highlights

Author: Tom Clare

VP Marketing, Gurucul

June 16, 2017

It was hot and sunny, with 90 degree temperatures, in D.C. this week as I attended the Gartner Security & Risk Management (SRM) Summit 2017 with 3,000+ other security professionals. Inside the sessions it was dark, cooler, and loaded with good insights, as follows:

  1. Gartner introduced a model called CARTA (Continuous Adaptive Risk & Threat Assessment) with the goal of managing risk, building trust and embracing change through an adaptive security architecture that leverages increased context for automated response. The bad and the unknown are already inside, buried in too much complexity and noise, and not being monitored by the people you do not have. CARTA consists of Build, Run and Plan elements.

  2. Digital business will not slow down for security; it will move forward with or without you. Security must move at the speed of digital business: zero risk means zero opportunity, and zero trust is not viable. Security has a big data analytics problem today, and prevention is not possible when the average time to detect is 99 days and the mean cost of a breach is $4 million.

  3. Security analytics and risk scores drive a continuous SOC and the Run part of the CARTA model, where Mean Time To Detect (MTTD) and Mean Time To Respond (MTTR) are the security metrics with board-level visibility. A customer case study for a regional bank highlighted the value of increased context from endpoints, which reduced SIEM events from more than 1,500 per day to 30 per day. The lesson was to move closer to the endpoints to see things you cannot see on the network. Keep your defense-in-depth strategy, and drive for faster detection.

  4. Leverage adaptive access with risk scores evaluated at run time, and move away from statically defined roles and access, as one-time authentication is no longer viable. Static policies are being replaced with a just-in-time trust model. Also drive for data democracy: data locked up in a solution silo or data warehouse is a wasted asset, and access to data through APIs for bidirectional closed integration is required. A second customer case study reviewed moving beyond traditional security, which can only block or allow user activity, by leveraging a cloud access security broker (CASB) to enable adaptive responses such as encrypting downloaded data with digital rights, while behavior is monitored for access and activity, including comparison against peer groups to find anomalies.

  5. DevOps combines development and operations; however, it is missing security. The Build part of CARTA highlights the assembly process and the need to assess the parts for vulnerabilities. In fast-moving environments with multiple releases per day, all source code and open source components must be analyzed for vulnerabilities. A third customer case study leveraged automation tools to scan, build and deliver apps, providing pre-built security components ready to use. Perfect is the enemy of good enough; there are too many false positives for a perfectionist approach to move at the speed of digital business.

  6. Risk management expands to a partnering environment where, by 2020, over half of businesses will be integrated with partners. Partner risk is your risk and defines the trust level, and vice versa. One-time assessment is no longer viable; continuous monitoring for event-driven actions, with benchmarks for partners, customers and business development, is required. A large manufacturer or retailer can drive a risk ecosystem across its partners, where those with bad risk are out of the partnership.

  7. The Plan part of CARTA is where adaptive governance is required. Password rotation is out and has been proven to do more harm than good. Pragmatic security is required, where risk governance is data-driven so that non-IT leaders can determine levels and costs of risk. Also, when evaluating vendors we need fewer point solutions and more open APIs, cloud and new environments, adaptive controls, big and open data, and multiple detection methods. Look for an adaptive, contextual security solution.
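The run-time, risk-scored access decision described in points 3 and 4 can be sketched as a small policy engine. The following is an added illustration, not code from the keynote, from Gartner or from Gurucul's product: the signal weights, the response tiers, the peer-group baselines and the `AccessRequest` fields are all assumptions constructed for the example. It scores one request from its context (device, location, recent strong authentication, requested data volume compared with the user's peer group, data sensitivity), maps the score to an adaptive response rather than a static allow/block, and shows how a successful step-up lowers risk only for that request, which is the just-in-time trust idea.

```python
from dataclasses import dataclass, replace
from statistics import mean, pstdev


@dataclass(frozen=True)
class AccessRequest:
    """One access attempt with the run-time context a policy engine sees (assumed fields)."""
    user: str
    peer_group: str
    device_known: bool
    mfa_recent: bool            # strong authentication within the current session window
    country: str
    usual_countries: frozenset
    download_mb: float          # data volume the action would pull down
    sensitive: bool             # target data carries a sensitive classification


# Constructed peer-group baselines: typical download sizes (MB) seen from each group.
PEER_BASELINES = {
    "finance": [12.0, 8.5, 15.0, 10.0, 9.5, 11.0, 13.0, 14.0],
    "engineering": [120.0, 95.0, 140.0, 110.0, 130.0, 100.0],
}


def peer_zscore(group: str, value: float) -> float:
    """How far a value sits from the peer group's behaviour, in standard deviations."""
    samples = PEER_BASELINES[group]
    sd = pstdev(samples)
    return 0.0 if sd == 0 else (value - mean(samples)) / sd


def risk_score(req: AccessRequest) -> int:
    """Additive risk score clamped to [0, 100]; the weights are illustrative assumptions."""
    score = 0
    if not req.device_known:
        score += 25
    if req.country not in req.usual_countries:
        score += 25
    if not req.mfa_recent:
        score += 15
    z = peer_zscore(req.peer_group, req.download_mb)
    if z > 3:
        score += 30          # far outside what this user's peers do
    elif z > 2:
        score += 15
    if req.sensitive:
        score += 10
    return min(score, 100)


def decide(req: AccessRequest) -> str:
    """Map the score to an adaptive response instead of a static allow/block."""
    score = risk_score(req)
    if score < 30:
        return "allow"
    if score < 60:
        return "step-up"         # ask for fresh MFA, then re-evaluate
    if score < 80:
        return "allow-with-drm"  # CASB-style: permit, but encrypt the download with rights controls
    return "deny"


def reevaluate_after_mfa(req: AccessRequest) -> str:
    """Just-in-time trust: a successful step-up lowers risk for this request only."""
    return decide(replace(req, mfa_recent=True))


if __name__ == "__main__":
    usual = frozenset({"US"})
    routine = AccessRequest("alice", "finance", True, True, "US", usual, 11.0, False)
    new_laptop = replace(routine, device_known=False, mfa_recent=False)
    bulk_abroad = replace(routine, country="BR", download_mb=500.0, sensitive=True)
    for r in (routine, new_laptop, bulk_abroad):
        print(r.user, risk_score(r), decide(r))
    print("after MFA:", reevaluate_after_mfa(new_laptop))
```

The peer-group baseline is what makes the same action read differently for different users: a 120 MB download is routine for the engineering group but sits far outside the finance group's behaviour, so the finance user is asked to step up while the engineer is allowed through. In a real deployment the baselines would come from the analytics platform rather than a constant table, and the weights would be tuned against the false-positive rate the SOC can absorb.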

In summary, Plan sets the governance guardrails; Build removes vulnerabilities in DevOps; and Run leverages risk assessment for adaptive response. Move beyond the known good and bad, and embrace the gray zone of risk with a dynamic, risk-based architecture and assessment strategy. At Gurucul, as a provider of advanced security analytics and risk scoring, we could not agree more with Gartner.

What a name!

GURUCUL (goo-roo-cool)

The name Gurucul comes from Sanskrit (गुरुकुल). This word is a contraction of the Sanskrit word ‘guru’, which means teacher or expert, and ‘cul’, which means extended family or group. In ancient times this was the place of learning. As a security analytics company, expertise and learning hold a very special meaning for us, as reflected in our name.