Gartner Security & Risk Management 2017 Opening Keynote Highlights

Gartner's Security and Risk Management summit explored security analytics, the CARTA model and other keynote topics.

Gurucul shares its experience at the 2017 Gartner Security and Risk Management Summit in Washington, D.C. in an overview. Some of the top keynote topics include security analytics, Gartner’s new CARTA model, and adaptive security architecture.

Hot and sunny 90-degree temperatures in D.C. this week, attending the Gartner Security & Risk Management (SRM) Summit 2017 with 3,000+ other security professionals. Inside the sessions it was dark, cooler and loaded with good insights. Here are some of the top keynote highlights:

  1. Gartner introduced a model called CARTA (Continuous Adaptive Risk & Threat Assessment) with the goal to manage risk, build trust and embrace change through an adaptive security architecture that leverages increased context for automated response. Bad actors and unknowns are already inside, hidden by too much complexity and noise, and there are not enough people to monitor it. CARTA consists of Build, Run and Plan elements.

  2. Digital business will not slow down for security; it will move forward with or without you. Security must move at the speed of digital business: zero risk means zero opportunity, so zero trust is not viable. Security has a big data analytics problem today, and prevention alone is not viable when the average time to detect is 99 days and the mean cost of a breach is $4 million.

  3. Security analytics and risk scores drive a continuous SOC and the Run part of the CARTA model, where Mean Time To Detect (MTTD) and Mean Time To Respond (MTTR) are security metrics with board-level visibility. A customer case study from a regional bank highlighted the value of increased context from endpoints, which reduced SIEM events from more than 1,500 per day to 30 per day. The lesson was to move closer to the endpoints to see things you cannot see on the network. Keep your defense-in-depth strategy and drive for faster detection.

  4. Leverage adaptive access with risk scores at run time and move away from statically defined roles and access, as one-time authentication is no longer viable. Static policies are being replaced with a just-in-time trust model. Also drive for data democracy: data locked up in a solution silo or data warehouse is a wasted asset, so access to data through APIs for bidirectional closed-loop integration is required. A second customer case study reviewed moving beyond traditional block-or-allow controls on user activity by leveraging a cloud access security broker (CASB) to enable adaptive responses such as encrypting downloaded data with digital rights, while access and activity behavior is monitored, including peer groups, for anomalies.
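The run-time, risk-scored access decision described in this item, with a graded response in place of a static allow/deny rule, as an added example. This is not Gurucul's product logic or Gartner's own code: the context signals, their weights, the score thresholds, the peer-group baseline and the sample requests are all constructed assumptions for illustration.

```python
"""Run-time risk scoring with a graded adaptive response (illustrative example).

Rather than evaluating a role once at login, every request is scored against
the user's context and peer group, and the score selects a response:
allow, step-up authentication, allow-with-DRM-encryption (the CASB-style
response from the keynote case study), or block. Weights, thresholds and
sample data below are constructed for this example, not from any product.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class AccessRequest:
    user: str
    peer_group: str
    device_known: bool      # device previously enrolled for this user
    country: str            # geolocation of the request
    hour_utc: int           # hour of day the request arrived
    bytes_requested: int    # size of the download being requested


@dataclass
class Baseline:
    home_country: str
    work_hours_utc: range
    # Constructed per-peer-group download history (bytes per session).
    peer_download_history: dict = field(default_factory=dict)


def peer_zscore(value, samples):
    """Standard deviations by which `value` exceeds the peer group's norm."""
    if len(samples) < 2:
        return 0.0          # no baseline yet: contribute no anomaly signal
    sd = pstdev(samples)
    if sd == 0:
        return 0.0 if value == mean(samples) else float("inf")
    return (value - mean(samples)) / sd


def risk_score(req: AccessRequest, base: Baseline) -> int:
    """Additive 0-100 score from independent context signals (weights assumed)."""
    score = 0
    if not req.device_known:
        score += 25
    if req.country != base.home_country:
        score += 20
    if req.hour_utc not in base.work_hours_utc:
        score += 10
    history = base.peer_download_history.get(req.peer_group, [])
    z = peer_zscore(req.bytes_requested, history)
    if z > 3:
        score += 40         # far outside what peers download
    elif z > 2:
        score += 20
    return min(score, 100)


def decide(req: AccessRequest, base: Baseline):
    """Map the score to a graded response; thresholds are assumptions."""
    s = risk_score(req, base)
    if s >= 70:
        return ("block", s)
    if s >= 45:
        return ("allow_encrypt_drm", s)   # let it through, but rights-managed
    if s >= 25:
        return ("step_up_auth", s)
    return ("allow", s)


# Constructed baseline: peers in "finance" download 50-60 MB per session.
BASELINE = Baseline(
    home_country="US",
    work_hours_utc=range(8, 18),
    peer_download_history={"finance": [50_000_000, 60_000_000, 50_000_000, 60_000_000]},
)

# Constructed sample requests covering each response tier.
SAMPLE_REQUESTS = {
    "normal": AccessRequest("alice", "finance", True, "US", 10, 58_000_000),
    "new_device": AccessRequest("alice", "finance", False, "US", 10, 58_000_000),
    "new_device_abroad": AccessRequest("alice", "finance", False, "DE", 10, 58_000_000),
    "bulk_download": AccessRequest("alice", "finance", False, "RO", 3, 80_000_000),
}


def run_samples():
    """Score every constructed request; returns {name: (response, score)}."""
    return {name: decide(req, BASELINE) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (response, score) in run_samples().items():
        print(f"{name:18s} score={score:3d} -> {response}")
```

The peer-group z-score is what turns a static policy into a behavioral one: the same 80 MB download is unremarkable for a group that routinely pulls large files and anomalous for one that does not, so the baseline, not a fixed byte limit, decides the response.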

  5. DevOps combines development and operations, but it is missing security. The Build part of CARTA highlights the assembly process and the need to assess the parts for vulnerabilities. All source code, including open source components, must be analyzed for vulnerabilities at the pace of multiple releases per day in fast-moving environments. A third customer case study leveraged automation tools to scan, build and deliver apps, providing pre-built security components ready to use. Perfect is the enemy of good enough; there are too many false positives for perfection to move at the speed of digital business.

  6. Risk management expands to a partnering environment in which over half of businesses will be integrated by 2020. Partner risk is your risk and defines the trust level, and vice versa. One-time assessment is no longer viable; continuous monitoring for event-driven actions, with benchmarks for partners, customers and business development, is required. A large manufacturer or retailer can drive a risk ecosystem across its partners, where those with bad risk are out of the partnership.

  7. The Plan part of CARTA is where adaptive governance is required. Password rotation is out and has been proven to do more harm than good. Pragmatic security is required, where risk governance is data-driven so that non-IT leaders can determine levels and costs of risk. Also, when evaluating vendors we need fewer point solutions and more open APIs, cloud and new environments, adaptive controls, big and open data, and multiple detection methods. Look for an adaptive, contextual security solution.

In summary, Plan sets the governance guardrails; Build removes vulnerabilities in DevOps; and Run leverages risk assessment for adaptive response. Move beyond the known good and bad, and embrace the gray zone of risk with a dynamic, risk-based architecture and assessment strategy. At Gurucul, as a provider of advanced security analytics and risk-management scoring, we could not agree more with Gartner.
