Lawrence Pingree

A member of the Gartner Blog Network

Research Director
2 years with Gartner
16 years IT industry

Lawrence Pingree's responsibilities include coverage of security technologies and the cloud security space. His main focus is on conducting research targeted at the security aspects of products in the data center…

Security Practitioners – Stop being a pwnie pawn!

by Lawrence Pingree  |  July 9, 2014  |  Comments Off

Although I haven’t written to my blog in quite some time, I wanted to take a moment to address a major issue that I believe continues to plague organizations globally. Far too often, security practitioners face IT management or business executives who either fail or refuse to implement prevention measures out of concern over their potential negative impact. My belief is that this fear-based “detect only” culture we have developed is entirely insufficient and needs to change drastically. Many of the attacks (even those from more advanced threats) are actually quite well understood, and prevention capabilities for them are available to us.

I speak regularly with IT security organizations that continue to be fearful of their executive management and thus configure relaxed security enforcement policies, or implement security controls without any blocking or prevention capabilities turned on. This has to change if we are to successfully defend ourselves and prevent data loss. We must understand that resistance to properly implementing blocking policies or deploying responsive automated defenses may indeed be the root cause of many of the major data breaches we are currently seeing in the headlines.

Many of our defenses are ready to actively defend us through prevention, so if you have hired an IT security staff, please stop handcuffing them to the “detect only” tree. If you do, expect your organization to get pwned.

Stop being a “pwnie pawn” and block what you can.

Now off my soapbox. :)

Category: Security

My team’s research next year… Intelligence Aware Security Controls (IASC)

by Lawrence Pingree  |  October 31, 2013  |  Comments Off

Hi Folks,

I wanted to give you a brief intro to a new concept emerging for Gartner’s security technology and service provider audience. The concept we will be using for next year’s theme is “Intelligence Aware Security Controls (IASC)”, pronounced “I ASK”. This concept will be elaborated much more in our research in 2014 and will be available to our technology provider audience as part of the “PMM” (Product Marketing and Product Management) subscription. The idea is to combine two areas of research, Context Awareness and Security Intelligence. We will explore a framework for sharing intelligence between security controls across the silos that exist in many security technologies today, and how we believe these capabilities can be adapted to provide information and intelligence sharing as well as enhance the security market with adaptive responses. Be on the lookout for our Agenda overview.

The future of security will be intelligent and adaptive, taking in behavior-based intelligence and performing intelligence-based responses. The latest tools will want to support the IASC framework and this concept in order to provide better security globally. More to come!


How do you define “defense in depth”?

by Lawrence Pingree  |  August 29, 2013  |  1 Comment

I’ve had some recent conversations that led me to believe there may be some misunderstanding of the term “defense in depth”. Some practitioners may propose that this is a simple architecture that translates into a specific, finite set of products and architectures. In a note I wrote last year (which is currently being updated), I used the term to bolster the support that our clients (for example a security manager, engineer or architect) may need in order to increase their security capabilities (see Best Practices for Mitigating Advanced Persistent Threats). When some practitioners hear this term (especially those who are senior), they cringe and sometimes react as though, or believe that, it is an “old school” philosophy. I disagree. I’m saddened when I hear that some security practitioners seem to have abandoned this concept; in fact, I feel it may need to be expanded.

  • Defense In Depth – Implement preventative controls as much as possible/affordable.

Should we expand the term into the following three (DDR):

  • Defend In Depth – Implement preventative controls as much as possible/affordable.
  • Detect In Depth – Implement detective controls as a final “last straw” approach.
  • Respond in Depth – Respond as quickly as possible to avoid the negative effects of security control failures.

Should practitioners expand their thinking and adopt this new strategic approach to their security programs?

What are your own thoughts?


Advanced Persistent Threat Actor Levels and Goals

by Lawrence Pingree  |  July 18, 2013  |  1 Comment

Carrying forward an idea to categorize advanced targeted attackers proposed by Eric Ahlm here at Gartner, I am proposing the following profiles and “levels” of attacker. Feel free to comment or propose other ways to portray this information. If you are interested in defending against or detecting advanced targeted attacks, see my research titled “Best Practices for Mitigating Advanced Persistent Threats”.

Level 1

Attacker Profile: Organized Crime

Motivation: In it for the easy money targets

Level 2

Attacker Profile: Industrial Espionage

Motivation: They want your intellectual property, trade secrets, customer data, business strategies etc.

Level 3

Attacker Profile: Activist or terrorist groups

Motivation: They want to make a statement, cause harm

Level 4

Attacker Profile: Nation States

Motivation: Economic, political or military


Threats come from everywhere, so you must deal with them as such.

by Lawrence Pingree  |  March 22, 2013  |  Comments Off

How great a threat does Gartner perceive state-sponsored cyber espionage to be?

Since Gartner does not track individual threats or actors, it is difficult to say for certain which attacks are state sponsored and which are not. The recent Mandiant report highlighted China as the threat actor. Gartner does not believe that the country of origin is as important as the protection mechanisms that must be in place.


What are the biggest threats, and from where do they originate?

Threats originate globally, and in the hacker underground the most sophisticated hackers most often originate from Russia. In general, a nation state actor (if targeting you) will likely be successful, since such actors are often given the time and resources needed to breach the security of your organization, with many capabilities beyond just cyber assets. Attribution of attacks is extremely difficult, since counter-intelligence techniques can be used on the internet: spoofing source IPs, using proxy servers, using botnets to deliver attacks from other locations, and developers using keyboard maps of different languages. For example, a Chinese American or a European who understands Chinese but develops exploits for their country of origin will make attribution problematic or impossible.


In the recent report published by the company Mandiant titled “APT1”, the hackers appear to originate in China. These threat actors were utilizing common forms of zero-day exploitation, botnets and other tools readily available in the underground hacking community. Given that they are using the same tools and capabilities as the underground hackers, it is most important to focus on generic security controls that protect against all of these attack capabilities. An organization should take a general approach to combating threats from any location and not focus on the country of origin. A report published by Gartner last year, titled “Network Security Monitoring Tools for ‘Lean Forward’ Security Programs”, calls out technologies that can assist in advanced targeted attack detection at the network layer.


What responses are organizations making?

I have written a report titled “Best Practices for Mitigating Advanced Persistent Threats” as a guide for raising the bar on prevention and detection of advanced forms of malware and targeted attacks; these technologies and security techniques are what organizations today are focusing on refining and deploying. The two primary attack vectors of choice for today’s threat actors are malware, to gather unstructured data, and web-based attacks such as SQL injection, to grab structured data stored in databases. The malware can be handled by a number of technologies at the network layer and at the Windows endpoint. Web attacks can be addressed with a combination of intrusion prevention systems and web application firewalls. See the reports titled “Best Practices for Mitigating Advanced Persistent Threats” and “Market Trends: Advanced Threat Protection Appliances, Worldwide, 2012” for advanced malware threats, and “Competitive Landscape: Web Application Firewall Market, Worldwide, 2012” for web application firewalls.


Are organizations in a regulated environment facing a greater threat?

Nation states do not often target structured data types such as financial data; however, disruption of a banking system or critical infrastructure can be akin to a nuclear attack if an entire banking, power or water delivery system is successfully disrupted. Government regulations target sensitive areas of the economy. Most attackers are financially motivated, and thus regulated environments such as financial organizations often face the largest threat from these actor groups. A nation state would likely consider disruption of critical infrastructure, rather than data acquisition, as an end goal during a time of war. Prior to wartime, a nation state would likely be focused on distributing “capability” for disruption as a preparatory measure, for evocation at a later date. Although we don’t have direct research in this area, we do have many supporting research notes. Please see the list below as a very comprehensive way to deal with both threat actor groups.


Research:

- Best Practices for Mitigating Advanced Persistent Threats
- Market Trends: Advanced Threat Protection Appliances, Worldwide, 2012
- Malware, APTs, and the Challenges of Defense
- Decision Point for Anti-malware
- Competitive Landscape: Web Application Firewall Market, Worldwide, 2012


Where do the most hackers come from?

by Lawrence Pingree  |  March 8, 2013  |  8 Comments

Recently, there have been a lot of stories surrounding the Chinese and hackers originating from their intelligence agency. Although I do not want to diminish the findings of a particular technology company that disclosed some of its own investigations, I do believe it is necessary, to be fair, to draw some attention towards the locations of the globe where many of the attacks actually originate. It is fairly well known by most security professionals that the best hackers on the planet often originate from Russia; however, it is more newsworthy to talk about a country such as China, which we trust with many of our manufacturing facilities and research and development activities, and which would have greater resources at its disposal if it intended to inflict harm.

There are certainly political motivations for talking about China, and I think it’s fair to say there are certainly many participants on the global stage of cyber security and intelligence gathering. In fact, the United States has a long history with its intelligence agencies of performing signals intelligence (SIGINT). I would like to point out that, as far as sophistication goes, the United States is unmatched in its intelligence gathering capabilities and extends this capability across the globe with an extensive array of spy satellites and listening stations, with strong support from several other countries. It does not strike me as odd or newsworthy that governments across the planet attempt to track each other’s military capabilities and monitor situations through signals intelligence and other intelligence gathering capabilities. These activities are a necessary function to enable transparency across borders between governments and to be ready if another country is planning some sort of attack. I do think, however, it is important to mention that I believe all countries should uphold strong intellectual property rules in order to maintain fair competition, which creates a dynamic that encourages new developments and technologies and enables fair competition across the globe.

Now let’s turn to some of the data often known “behind the scenes” that many security practitioners know and consistently defend against. Deutsche Telecom publishes a real-time dashboard of hacking attacks detected by its global network of attack sensors, known as a “honey net”. As many practitioners know, in a “honey net” the reference to honey is an analogy to how one might attract a bear in the woods, the bear being the hacker. For some fun, I used some statistics from the Deutsche Telecom dashboard located at http://www.sicherheitstacho.eu/ to provide data points for some basic analysis. At the time of this writing, the total number of attacks detected over the last month globally was 30,144,538 when tallying the “Top 5 of Attack Types (Last month)” table. They also publish a table called “Top 15 of Source Countries (Last month)” with detected attack counts, which I found interesting, but I wanted to extract percentages, so I took those values and put them into Excel to calculate percentages for the top 15 countries. The following is my output.

Attacks by percentage of total global attack detections (30,144,538 detections last month):

Source country              Attacks     Share of global detections
Russian Federation          2,402,722   7.97%
Taiwan, Province of China     907,102   3.01%
Germany                       780,425   2.59%
Ukraine                       566,531   1.88%
Hungary                       367,966   1.22%
United States                 355,341   1.18%
Romania                       350,948   1.16%
Brazil                        337,977   1.12%
Italy                         288,607   0.96%
Australia                     255,777   0.85%
Argentina                     185,720   0.62%
China                         168,146   0.56%
Poland                        162,235   0.54%
Israel                        143,943   0.48%
Japan                         133,908   0.48%
Top 15 total                7,407,348   24.61%

Source: http://www.sicherheitstacho.eu/

As you can see from this quick analysis, roughly 24.61% of total detected attacks came from the top 15 attacking countries, roughly 8% of all attacks came from the Russian Federation, and only about half a percent came from China. So the question is, whom will you pay the most attention to?


Concerned about NY Times type malware attack? Read this research.

by Lawrence Pingree  |  January 31, 2013  |  1 Comment

For those of you reading the latest news about “Advanced Persistent Threats” (aka Advanced Targeted Attacks), you’ll want to read through a few notes that Gartner has published on this topic. See the following and examine what you can do about it today:

Best Practices for Mitigating Advanced Persistent Threats (Lawrence Pingree, Neil MacDonald)

Market Trends: Advanced Threat Protection Appliances, Worldwide, 2012 (Lawrence Pingree)

Competitive Landscape: Network Behavior Analysis Market, Worldwide, 2012 (Lawrence Pingree)

Malware, APTs, and the Challenges of Defense (Dan Blum)

Information Security Is Becoming a Big Data Analytics Problem (Neil MacDonald)

Network Security Monitoring Tools for ‘Lean Forward’ Security Programs (John Pescatore, Lawrence Orens)


An estimated $650 million dollars spent by Venture Capitalists on security start-ups in 2012

by Lawrence Pingree  |  January 17, 2013  |  2 Comments

Below is a list of estimated venture capital (VC) funds provided to security start-up companies in 2012. A surprising estimated total of $649 million was invested in 2012. Please feel free to comment if you know of any others.

Note: The figures in the table below are Gartner estimates (actual numbers may vary).

Company Name        2012 (Millions USD)
Norse Corporation     3.5
Tenable              50
zScaler              38
Mocana               25
Lockpath              6
Alienvault           30
Bit9                 34.5
Alarm.com           136
Alertlogic           12
Xceedium              7.5
Unikey                1.5
Bromium              30
Securekey            30
AnchorFree           52
Pindrop               1
Appthority            6.25
41st Parameter       13
Cloudpassage         14
IntrinsicID           6.57
Veracode             30
Shape Security        6
Itadsecurity          0.07
Watchdox              9
CloudLock             8.7
ThreatMetrix         18
StoptheHacker         1.1
Duo Security          5
Vaultive             10
CrowdStrike          26
LookingGlass          5
Accellion            13.4
Solera Networks      20
Stormpath             1.5
Total               650.59


Morning Coffee Thoughts: Quote of the day

by Lawrence Pingree  |  October 16, 2012  |  1 Comment

“There are billions of unexecuted ideas each day in the world; only those who evoke their vision create a chance to progress themselves or the people around them.” – Lawrence Pingree

Category: Uncategorized

Software Defined Networks

by Lawrence Pingree  |  July 19, 2012  |  1 Comment

Some rambling brainstorming on software defined networks…

My sense is that most cloud service providers and enterprises will likely gravitate towards the hardware or hypervisor infrastructure provider rather than a third-party software provider. My position stems from a belief that a strong background in networking, or a closely tied hypervisor, is likely to be preferred by customers over a third-party software defined network provider that has limited deployment time in the networking industry. Personally, when I receive inquiries on the topic of proper zoning within a virtualization infrastructure, I generally gravitate towards the infrastructure provider over third parties as the provider of network segmentation (see Gartner’s Burton research on “Zones”). I lean towards the traditionalist path of physical rather than software-based zoning for sensitive security zones, rather than deployment within a single hypervisor environment. This is likely also why the recent FedRAMP program does not intend to move sensitive workloads into FedRAMP certified entities. In general, I question the ability of third-party software packages to deliver all of the adequate network technologies within a virtualization infrastructure one step removed from the traditional network infrastructure providers or the hypervisor provider, as they likely have divergent business goals regarding product stickiness and meeting contractual obligations to provide high stability. I’m interested in hearing from you: what do you feel are the security risks or operational risks of relying on a third-party software defined network provider, and what would you prefer?
