For the last week or so, a lot of my inquiries remain sun-tanned with the post-RSA Conference 2017 glow that is “We need some of that machine learning, please”. In fact, it’s been more common than “We need some of that next-gen AV, please”. One of the recurring phrases* I have been using is “You should be planning from the inside out, not outside in” – what does your organization need to do to improve your security maturity. You’re heading toward a bad time if you’re making tactical purchasing decisions based on vendor claims, instead of addressing the requirements and gaps in your security strategy (you do have a strategy, right?).
Think about realistic threat models that actually apply to your organization, and spend less time thinking about protecting against the next media-hyped cache of zero-day kernel threats.
So, how can you figure out what is the right next step? What can you realistically do that will actually improve your security? Rather than allowing the “hot” security startup of the day to define security investments, evaluate existing investments, policies, and processes, to determine where they are deficient. You should be thinking about how mature your security controls are, and what will take them to the next level. More often than not, hiring staff will allow you to accomplish more than deploying another system.
Mario de Boer – Research VP in the Gartner for Technical Professionals team – has an excellent upcoming research paper and tool-kit that will not only help identify where your organization ranks on a security maturity scale, but also help you understand what policies and security controls are implemented at the next level on that scale. If you really are still stuck for what to do next, then I bet there is always work to be done in your patch and vulnerability management.
In the meantime, I noticed a small trend through February of EPP vendors publishing quick guidelines on how to protect against an attack vector that is still growing in use: abusing Microsoft PowerShell. (Although, IMO you should be preventing the use of PowerShell, except for those user accounts that actually need it…)
- Hats off to Carbon Black for posting this way back in 2015: Block PowerShell from Launching via Office Macros and Scripts
- Intel Security/McAfee (Feb 2nd 2017): Fileless Malware Execution with PowerShell is Easier than You May Realize
- Crowdstrike (Feb 6th 2017): Blocking Malicious PowerShell Downloads
- Symantec (Feb 21st 2017): Preventing PowerShell from running via Office
Note: These are just examples. Other EPP vendors are able to provide this protection in varying ways, this isn’t an endorsement… etc etc, yadda yadda…
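As an added example (not code from the post or from any of the vendors linked above), here is the detection side of the two points made above: flag PowerShell launched by an Office application, and flag PowerShell run by any account outside an allow-list of users who actually need it. The records, the `key=value|key=value` format and the allow-listed account names are all constructed for the example.

```python
# Added example: flag PowerShell launched from Office, and PowerShell run by
# accounts outside an allow-list. Records and format are constructed, not vendor telemetry.
import ntpath
from dataclasses import dataclass
from typing import List, Tuple

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
# Hypothetical allow-list: accounts with a documented need to run PowerShell.
POWERSHELL_ALLOWED_USERS = {"CORP\\svc-deploy", "CORP\\admin-jsmith"}

OK = "ok"
OFFICE_SPAWN = "alert: PowerShell spawned by an Office application"
UNAPPROVED_USER = "alert: PowerShell run by a non-allow-listed account"

# Constructed process-creation records in a simple 'key=value|key=value' layout.
CONSTRUCTED_EVENTS = [
    "User=CORP\\jdoe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|CommandLine=powershell.exe -NoProfile -WindowStyle Hidden",
    "User=CORP\\svc-deploy|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Windows\\System32\\svchost.exe|CommandLine=powershell.exe -File C:\\deploy\\rollout.ps1",
    "User=CORP\\jdoe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=powershell.exe",
    "User=CORP\\jdoe|Image=C:\\Windows\\System32\\notepad.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=notepad.exe",
]

@dataclass
class ProcEvent:
    user: str
    image: str
    parent_image: str
    command_line: str

def parse_event(line: str) -> ProcEvent:
    """Split one constructed record into its fields."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcEvent(fields["User"], fields["Image"], fields["ParentImage"], fields["CommandLine"])

def classify(ev: ProcEvent) -> str:
    """Return OK or one of the alert strings; paths are compared case-insensitively by basename."""
    image = ntpath.basename(ev.image).lower()
    if image not in POWERSHELL_IMAGES:
        return OK
    if ntpath.basename(ev.parent_image).lower() in OFFICE_PARENTS:
        return OFFICE_SPAWN
    if ev.user not in POWERSHELL_ALLOWED_USERS:
        return UNAPPROVED_USER
    return OK

def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (user, verdict) for every record that raised an alert."""
    results = [(ev.user, classify(ev)) for ev in map(parse_event, lines)]
    return [(user, verdict) for user, verdict in results if verdict != OK]

if __name__ == "__main__":
    for user, verdict in scan(CONSTRUCTED_EVENTS):
        print(f"{user}: {verdict}")
```

Blocking the Office-to-PowerShell parent/child chain at the endpoint (as the vendor posts above describe) is the preventive control; this logic is the audit that shows whether the block is actually holding and who still runs PowerShell.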
* Other recurring phrases include:
- What does “next-gen” AV mean to you? You probably already have shiny “next-gen stuff” in your existing EPP.
- Don’t let talk of zero-day threats distract you from the bigger picture.
- Yes, that NSS Labs report was interesting, but it’s only useful as one data point of the highly pixellated image that is “right for your organization” protection.