Some vendors just cannot let go of their "precious appliances!"

Rick Holland
We just published my latest research, the Forrester Wave: SaaS Web Content Security, Q2 2015. Forrester categorizes web gateways/forward proxies into this web content security category. I did something different with this evaluation: instead of looking at on-premises appliances, I only evaluated the SaaS deployment model. If a vendor didn't have a SaaS delivery model, we didn't include them in the Wave.
 
The decision to focus this Wave on the SaaS model wasn't popular with some of the vendors we evaluated. The majority of vendors who sell web proxies lead with the on-premises delivery model and relegate SaaS to a niche deployment option. As users, their endpoints, and their applications move outside the perimeter and into the cloud, the traditional web gateway model is being disrupted; yet many vendors are still very attached to their appliances. Instead of evaluating a very mature on-premises market, I wanted to focus this Wave on the future.

Read more

The State Of The Cyberthreat Intelligence Market

Rick Holland

If the RSA Conference was any indicator, threat intelligence has finally joined the ranks of cloud and advanced persistent threat as ambiguous/overused terms that mean many different things to many different people. If you were given a dollar, pound or euro every time you heard "threat intelligence," there is no doubt you could fund your security budget for decades to come. Your biggest challenge would be determining how to invest some of that money into threat intelligence capabilities.

To help Forrester clients navigate the threat intelligence market I have several pieces of research underway. The first report, "The State Of The Cyberthreat Intelligence Market," has just been published. In it I discuss the frenzied venture capital and vendor investment in the threat intelligence space. I also provide guidance on how security and risk professionals should navigate the marketing hype to make the best investment of their limited resources. I am currently writing the second report, "Market Overview: Threat Intelligence Providers." Here is a snippet from the latest research that illustrates just how much vendor focus we have seen. Since October of 2014:

  • There have been three acquisitions and eight fundraising rounds.
  • iSight Partners (Critical Intelligence) and Lookingglass (Cloudshield) have each raised funds and made an acquisition.
  • Of the acquisitions, only one company publicly disclosed the acquisition amount: $40 million (Proofpoint).
  • The eight fundraising rounds raised a total of $102.5 million.
Read more

Forrester's Security & Risk Research Spotlight -- Don't Let Cloud Go Over Your Head

Stephanie Balaouras

With great convenience comes great responsibility...

Once a month I use my blog to highlight some of S&R’s latest and greatest. The cloud is attractive for many reasons -- the possibility of working from home, the vast array of performance and analytical capabilities available, knowing that your backups are safe from that fateful coffee spill, etc. Although the cloud is not a new concept, the security essentials behind it unfortunately remain a mystery to practically all users. What’s worse, the security professionals tasked with protecting corporate data rarely have visibility into all the risk -- it’s simply too easy for users to make critical cloud decisions without process or oversight.   

Underestimating or neglecting the security practices that the cloud requires can lead to hacks, breaches, and horrendous data leaks. We've seen our fair share of security embarrassments, ranging from Hollywood execs to the US government, and S&R pros know that these are far from over.

Read more

Samsung keyboard bug highlights vulnerability of passwords

Andras Cser

Here's a new exploit against the SwiftKey keyboard on the Samsung Galaxy S4, S5 and S6: remote code execution is possible, which can lead to root access to the device, data loss, password sniffing and keylogging, man-in-the-middle attacks and compromised passwords. Another reason why we need to think about "What's beyond passwords?" We will shortly publish a report on this topic. Stay tuned.

The FCC is the Most Powerful Privacy Regulator in the Land...What Will Happen Next?

Renee Murphy

Since the bulk collection of telephone metadata began, the NSA has been keeping those records in a vast database and maintaining and querying that data for 5 years before being required to purge it. Now that the data will be back in the hands of the telecom companies, the Federal Communications Commission’s regulations will determine the retention of the metadata.

Prior to the 1980s, the FCC retention schedule was 6 months, but in the 1980s, during the war on drugs, the Department of Justice asked the FCC to change that requirement to 18 months to make it easier to get RICO convictions against the drug cartels, and the FCC complied. Since then, telephone data has been used to convict many organized crime syndicates with great success. Now that the NSA is also an agency that would like access to the same data that the FBI has been using since the 1970s, will they ask the FCC to maintain the data for five years, as they had been?

Read more

Market Overview: Cloud Workload Security Management Solutions — Automate Or Die

Andras Cser

Today, not moving workloads to the cloud is not an option. Leaving these workloads unsecured is also not an option.

However, when managing workloads within and across infrastructure-as-a-service (IaaS) cloud service providers, S&R professionals struggle to ensure that their cloud workloads (guest operating systems and the data on them) are secure. Why? Because S&R must ensure that installation and setup bootstrap with the right security and network configuration. They must control access to workloads as well as to management consoles, and maintain file and configuration integrity, intrusion protection, and endpoint protection. Manual management is simply not an option: you either automate security hardening for a large number of workloads or "die", i.e. fall victim to a breach.

Enter a new class of solution to this problem: cloud workload security management (CWS) solutions. These offerings typically install a small agent on each workload, connect these agents to a central service (available as SaaS or as an on-premises product), and then offer centralized management of all the cloud workload security aspects above.
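As an added example (not code from the report or from any vendor it covers), here is the file-and-configuration-integrity piece of that agent's job, in Python: hash a workload's configuration tree into a baseline at bootstrap, then re-scan and report drift (added, removed, or modified files, including permission changes). The directory layout, file contents, and the tampering it detects are all constructed for the demo; a real agent would ship the baseline to the central service rather than a local JSON file.

```python
"""
File and configuration integrity check for a cloud workload (added example).

A CWS-style agent does this locally: hash every file under the monitored
tree at bootstrap, keep that as the baseline, then rescan and report drift.
The sample tree, file contents and tampering below are constructed.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Map relative path -> {sha256, mode} for every regular file under root."""
    root = Path(root)
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": hash_file(path),
            "mode": oct(path.stat().st_mode & 0o777),  # permission bits only
        }
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Report drift between two baselines; a mode change counts as modified."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in common if old[p] != new[p]),
    }


def save_baseline(baseline: dict, path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: bootstrap a workload, baseline /etc, then tamper."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        etc.mkdir()
        (etc / "sshd_config").write_text("PermitRootLogin no\n")
        (etc / "sudoers").write_text("root ALL=(ALL) ALL\n")
        os.chmod(etc / "sudoers", 0o440)

        # Baseline taken right after hardening, before the workload serves traffic.
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(etc), baseline_file)

        # Simulated post-deployment tampering (constructed):
        (etc / "sshd_config").write_text("PermitRootLogin yes\n")   # content change
        os.chmod(etc / "sudoers", 0o666)                             # permission change
        (etc / "cron.d").mkdir()
        (etc / "cron.d" / "persist").write_text("* * * * * root /tmp/x\n")  # new file

        return diff_baseline(load_baseline(baseline_file), build_baseline(etc))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline is keyed by path relative to the monitored root, so the same file can be compared across many identically provisioned workloads; the `mode` field is what catches the sudoers permission change even though its contents are untouched.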

Our CWS market overview looks at and compares the features and company profiles of the most important vendors in this space.

https://www.forrester.com/Market+Overview+Cloud+Workload+Security+Management+Solutions+Automate+Or+Die/fulltext/-/E-RES121266

Forrester’s Security & Risk Analyst Spotlight – Andras Cser

Stephanie Balaouras

Last week, we learned that cybercriminals undermined the identity verification of the IRS' Get Transcript app and gained access to the tax returns of 104,000 US citizens, so it's only fitting that in this analyst spotlight we interview one of the team's leading analysts for identity and access management (IAM), VP and Principal Analyst Andras Cser. Andras consistently produces some of the most widely read research not just for our team but across all of Forrester. And clients seek his insight across a number of coverage areas beyond IAM, including cloud security, enterprise fraud management, and secure payments. As the tallest member of our S&R team at 6'5", Andras also provides guidance to clients on the emerging fields of height intel and altitude management.

Read more

Introducing A New Incident Response Metric: Mean Time Before CEO Apologizes (MTBCA)

Rick Holland

For years cybersecurity professionals have struggled to adequately track their detection and response capabilities. We use Mean Time to Detection/Containment/Recovery. I wanted to introduce an additional way to track your ability to detect and respond to "sophisticated" adversaries: Mean Time Before CEO Apologizes (MTBCA). Tripwire’s Tim Erlin had another amusing metric: Mean Time To Free Credit Monitoring (MTTFCM).

Here are some examples (there are countless others) that illustrate the pain associated with MTBCA:

1) CareFirst breach announced 20 May 2015

2) Premera breach announced 17 March 2015

Your CEO doesn't want to have to deliver a somber apology to your customers, just like you don't want to have to inform senior management that a "sophisticated attack" was used to compromise your environment. Some of these attacks may very well have been sophisticated, but I'm always skeptical. In many cases I think "sophisticated" is used to deflect responsibility. For more on that, check out "The Millennium Falcon And Breach Responsibility."

Read more

Forrester’s Security & Risk Research Spotlight – The IAM Playbook For 2015

Stephanie Balaouras

Once a month I use my blog to highlight some of S&R’s most recent and trending research. When I first became research director of the S&R team more than five years ago, I was amazed to discover that 30% to 35% of the thousands of client questions the team fielded each year were related to IAM. And it’s still true today. Even though no individual technology within IAM has reached the dizzying heights of other buzz inducing trends (e.g. DLP circa 2010 and actionable threat intelligence circa 2014), IAM has remained a consistent problem/opportunity within security. Why? I think it’s because:
Read more

Are Passwords Dead? Take the Forrester Password Usage & Trends Survey!

Merritt Maxim

To paraphrase the great humorist Mark Twain, rumors of the death of passwords have been greatly exaggerated. While people lament the challenges and problems posed by passwords, they remain a core authentication and security technology.

My colleague Andras Cser and I have been fielding so many client inquiries around passwords that we are undertaking a quantitative, anonymous survey of end user organizations to gauge their current password policies and usage. This online survey asks about your organization's current password policies and challenges, as well as the future role of passwords in your organization. We are also using the survey to gain perspectives on the future of passwords and how other technologies might replace passwords completely.

The survey is completely confidential, but participants who provide contact details will receive a complimentary copy of the report when it’s published later this year.

You can access the survey here:

http://forr.com/PWTrends2015

We look forward to your responses!