BC & DR Pros, We Need Your Help!

Stephanie Balaouras

Each year, Forrester Research and the Disaster Recovery Journal team up to launch a study examining the state of business resiliency. Each year, we focus on a particular resiliency domain: IT disaster recovery, business continuity, or overall enterprise risk management. The studies provide BC pros, DR pros, and other risk managers an understanding of how they compare to the overall industry and to their peers. While each organization is unique, it's helpful to see where the industry is trending, and I’ve found that peer comparisons are always helpful when you need to understand if you’re in line with industry best practices and/or you need to convince skeptical executives change is necessary.

Read more

Automation And Sharing Are Common Themes

Joseph Blankenship

After years of shunning automation and information sharing efforts, the security industry is now embracing them. Every vendor conference I attended this fall talked about the need to automate some security functions in order to increase security teams' efficiency and ability to quickly detect and respond to incidents. The vendors also focused on the need to break down the silos and share information across the security and IT organizations, between vendors, and throughout the security community.

Why the change? The pace of attacks along with the continued stress of resource-constrained organizations are forcing security leaders to find new solutions.

Read more

Grading Forrester’s 2016 Cybersecurity Predictions Plus A Sneak Peek Into Our 2017 Predictions

Amy DeMartine

Every fall Forrester’s Security & Risk team comes together to make a set of predictions on the issues that will have the greatest impact on our clients in the next year. We don’t make broad, Nostradamus-like predictions such as “There will be a breach at a large company in a great city.” Instead, we go out of our way to make detailed predictions that force us to take strong stances, can easily be proved right or wrong, and are actionable by security and risk professionals. Before we provide a sneak peek into our 2017 predictions, it’s worth looking back and grading our 2016 predictions. 2016 was a particularly tumultuous year for cybersecurity. News agencies kept themselves busy as companies and public figures struggled with breaches, companies experienced embarrassing downtime, and individuals felt their privacy rights slip away. The result? Cybersecurity has now vaulted from the boardroom to the Senate floor and to the presidential debate stage. So how'd we do?

Read more

The 2016 Forrester Data Privacy Heatmap Points To Continued EU Influence On Global Regulations

Christopher Sherman

To help security and risk professionals navigate the complex landscape of privacy laws around the world, Forrester created a data privacy heat map that highlights the data protection guidelines and practices for 54 different countries. Earlier today, we published the 2016 version of the tool, as well as a free version with access to only the U.K. and U.S. ratings. We have updated the map every year since its initial publication in order to keep pace with the constantly evolving landscape of global data privacy laws.

As we roll out the 2016 update and reflect back on the past 5 years of annual assessments, three high-level trends emerge:

  • Countries continue moving toward the EU standard for data protection. New legislation outside of the EU often follows the EU’s lead by adopting provisions similar to those in the existing Directive 95/46/EC. The slow global convergence toward the requirements outlined in the Directive continued through 2016. For example, Argentina and Japan strengthened pre-existing policies, while Nigeria passed its first comprehensive cybercrime legislation. Japan also established an independent regulatory body (“Privacy Protection Commission”) that oversees privacy issues—a requirement of both the current Directive and the superseding European General Data Protection Regulation (GDPR).
Read more

Exploring The IoT Attack Surface

Jeff Pollard

Merritt Maxim and I just published our research on the IoT Attack Surface. This report gives a realistic, but not sensationalized, view of how enterprises need to think about IoT. Three factors motivated our research for this topic - attacks on IoT will transcend the digital-physical divide, the sheer scale of IoT will challenge security teams, and IoT devices collect massive amounts of data.

The following methodology allowed us to home in on concrete enterprise scenarios:

  • We went for offense first. We started by interviewing prominent security researchers who spend their days thinking about how to attack IoT devices and systems. This outside-in approach allowed us to develop a threat model for intrusions, as well as identify weak points in the defenses of IoT makers, users, and operators.
  • We explored the ramifications of an attack. We wanted to understand what an attacker would - or could - do when successful. We also wanted to understand the amount of friction that existed for whatever came next - credential harvesting, persistence, or disrupting operations.
  • We examined existing security practices to understand what works, and what doesn't when defending IoT devices. This step highlighted that while IoT is different, defending IoT looks similar to other security problems S&R pros have dealt with. You can bring security lessons forward and apply them to IoT without having to learn them all over again.
Read more

Introducing The Forrester Wave™: Digital Risk Monitoring, Q3 2016

Nick Hayes

We recently published our Forrester Wave™: Digital Risk Monitoring, Q3 2016 report. We evaluate nine of the top vendors in this emerging market that offer solutions to continuously monitor “digital” -- i.e., social, mobile, web, and dark web -- channels to detect, prevent, and mitigate any type of risk event posing a threat to organizations today.
Why now

It’s almost 2017 and yet companies are more exposed and less equipped to handle the slew of risks that run rampant across countless digital channels today. Digital risk monitoring (DRM) solutions are increasingly valuable for organizations because:

  • Digital channels are now ground zero for cyber, brand, and even physical attacks. Cybercriminals use a variety of tactics to weaponize social media, impersonate mobile apps or embed malware in them, deface websites, collude in dark channels, and cause financial, reputational, or physical harm. Digital risk monitoring tools combat these methods by deploying a variety of data-gathering and advanced risk analysis techniques. They aggregate data via open-source intelligence (OSINT), technical intelligence (TECHINT), human intelligence (HUMINT), and even covert human intelligence sources (CHIS). Then they analyze the collected data with data classifiers, machine learning, and risk scoring algorithms to determine the most likely and most threatening risk events quickly and efficiently.
Read more

S&R Analyst Spotlight: Josh Zelonis

Stephanie Balaouras

Based on the West Coast, Senior Analyst Josh Zelonis is the newest addition to the S&R team. When he’s not out cruising his Harley, Josh is working with clients to adapt their architecture, policies, and processes to evolving threats and to develop robust incident response programs. His research focuses on threat intelligence, endpoint detection and response (EDR), malware analysis, pen testing/red teaming, forensics and investigations, and of course, incident response.


Prior to joining Forrester, Josh accumulated over 13 years of experience as a security practitioner with demonstrated success in product architecture, engineering, and security assessment roles. As a product architect, Josh helped design and build innovative technologies in the breach detection space, architecting both endpoint and appliance products with a focus on data collection and analytics. His background also includes extensive experience in security assessment roles including red team, vulnerability research, and compliance.

Listen to Josh’s conversation with me to hear about his biggest surprises since starting as a Forrester analyst, his most frequent client inquiries, and the topics he's excited to research in the coming year.

What do you foresee as the biggest threat to security and privacy in the United States in the next ten years?

Read more

Ping Identity Acquires UnboundID

Merritt Maxim

Yesterday, Ping Identity announced it has acquired Austin, Texas-based UnboundID. Although the financial terms were not disclosed, Forrester estimates the purchase price in the $50M-$75M range, based on typical M&A SaaS revenue multiples of 6X to 8X and Forrester’s estimation of UnboundID’s annual revenue.

This acquisition is not particularly surprising, as UnboundID and Ping have had a healthy reseller relationship since April 2015, so the purchase merely consummates the existing relationship. It also demonstrates how reselling relationships can help software vendors validate how they complement each other and set the stage for an outright acquisition.

For me, there are three key takeaways from the Ping Identity/UnboundID merger:

1. Customer identity and access management (CIAM) demand is strong and growing. UnboundID’s focus on customer IAM complements Ping’s existing strengths in enterprise IAM and provides further evidence of the strong demand from today’s digital businesses to build compelling, identity-centric digital customer experiences. Forrester has seen a steady increase in the number of CIAM-related inquiries from enterprise clients looking to provide a holistic, omnichannel customer experience that doesn’t compromise on security or privacy. The Ping/UnboundID combination is now positioned to meet that growing demand.

Read more

Cybersecurity Takes Center Stage In US Presidential Election

Stephanie Balaouras

Last week, WikiLeaks posted a treasure trove of internal emails from the Democratic National Committee (DNC). The leaked emails demonstrated a clear bias within the DNC against Bernie Sanders and for Hillary Clinton, even though the organization claimed to be neutral. The incident:

  • Confirms two of our 2016 cybersecurity predictions:
    • In 2015, we predicted that cybersecurity would become a major issue in the 2016 US presidential election. Not only have candidates discussed cybersecurity issues such as encryption throughout the debates; with the DNC email leak, cybersecurity itself is taking center stage in the election and influencing events. It is worth noting that hacking during election season is not purely a US issue. The entire voter registration database of the Philippines, which included fingerprint data, was hacked this spring.
    • We also predicted that an executive would need to step down due to a cybersecurity breach. As a result of the embarrassing emails, the DNC chairwoman, Debbie Wasserman Schultz, has announced her resignation, effective at the end of the DNC convention.
Read more

Cisco buys Cloud Security Gateway vendor CloudLock for $293M

Andras Cser

Given Symantec's recent acquisition of Blue Coat (and with it Blue Coat's earlier acquired Elastica and Perspecsys cloud security gateway (CSG) assets), and IBM's organic buildout of its Cloud Security Enforcer CSG solution, it is hardly a surprise that Cisco today announced its intent to acquire CloudLock for US$293M (in Forrester's estimation this purchase price represents at least 10-15x CloudLock's current revenues). Considering that CloudLock's DNA and pedigree are mainly in cloud data governance and data leak prevention using API-based connectivity to SaaS (and lately IaaS) apps, without a gateway solution of its own, Forrester expects that Cisco will do the following with CloudLock:

1) Integrate CloudLock's CSG offering with its own IronPort Secure Web Gateway (SWG) offering for interception of on-prem to cloud traffic,

2) invest in improving machine learning and behavioral analytics (already there in CloudLock's CSG solution),

3) improve data protection and cloud encryption in the solution, 

4) use its distribution channels to penetrate the lucrative and fast-growing (Forrester's estimate: 20%-25% y/y global growth) CSG market,

5) start an acquisition wave in which other large SWG vendors will follow suit and acquire smaller CSG vendors.