Lawrence Pingree

A member of the Gartner Blog Network

Lawrence Pingree
Research Director
2 years with Gartner
16 years IT industry

Lawrence Pingree's responsibilities include coverage of security technologies and the cloud security space. His main focus is on conducting research targeted at the security aspects of products in the data center…

2015 is the year of Offensive Deceptions

by Lawrence Pingree  |  December 23, 2014  |  1 Comment

In the past, security technologies have largely focused on detection and blocking mechanisms to respond to attacks. Security must of course continuously evolve to detect and defend against attacker strategies, and these past strategies must continue to include new capabilities as well as old to properly defend against the array of attack techniques. A newly emerging response capability is to “deceive”.

The future of security will incorporate defense in depth, detection in depth and contextually aware adaptive response, and will increasingly leverage offensive misdirection and deception techniques with the goal of overwhelming and delaying attacker activities. Providers of deception and misdirection techniques are emerging, while these same capabilities are appearing in some existing security products. Using attacker deceptions as a response strategy will have a game-changing effect on hacker attack campaigns.

In 2015, the Gartner TSP Security Solutions team will evaluate this emerging class of response capabilities and providers that offer them throughout the security market. We will also explore how existing security technologies can evolve to incorporate some of these response capabilities. Keep on the lookout for the TSP Security Solutions Agenda Overview for 2015 and track this emerging area of research.


Category: Security     Tags:

Conflict of interest or not?

by Lawrence Pingree  |  September 3, 2014  |  Comments Off

I had an interesting question posed during inquiry today. The question was:

Client: “Is it a conflict of interest to have a technology provider that specializes in virtual sandbox malware detection also perform incident response and forensic activities?”

Me: At first glance, my thought was that as long as there is no official attestation of security controls themselves and the effort is only to articulate the activities of a bad actor, then it would NOT be considered a conflict of interest. This is because the potential conflict of interest could only potentially arise when the security control provider itself was performing an attestation of the effectiveness of security controls or was performing an audit of security controls with the intention to report this effectiveness to third parties.

For example: During my career, when performing a security risk assessment we would engage third-party contractors (security risk assessment consultants) to review our security controls and risks as well as alignment to compliance standards. This was a preparatory step that we’d take for remediation of any risks prior to another independent third-party audit in which the third party would attest to the effectiveness of our controls and risk management practices.

If you were in a situation where a particular provider that sells a security technology targeting risk reduction also wants to perform incident response for you, should that same third party also be performing close examination and attestation in a court case or to the board of directors? The conflict could potentially arise when the incident response function performed by the technology provider itself could obviate the effectiveness of their own technology from being “why” a data breach occurred.

What are your thoughts? If you agree or disagree, please explain why. Thanks!


A taste of data on some advanced threat search term results

by Lawrence Pingree  |  August 21, 2014  |  Comments Off

I was just curious, so I picked some search terms that I felt could be relevant to Gartner customers that are attempting to find advanced threat detection solutions. Below is a sample of what Gartner Search Analytics can do: a sorted list of search terms that I pulled from our search analytics tool. This represents only a sampling of the demand-side output Gartner’s data can offer to you as a potential client. On you can break down search information by vertical, segment and geography. We also publish inquiry search and analytics research notes with heatmaps and analysis.

Note: The following results are sorted by those search terms with the largest total number of search requests for each term. The search analytics performs a “contains” keyword match from queries on the website. These results are only from the total results pulled for these specific search terms used. This is not an official ranking and this is not an exhaustive list of search terms or providers. Additionally, there are many more search terms that, if added to this list, would dramatically change the sorting because of their higher number of queries.

I find this information to be a great source of demand-side data for my own research planning purposes; I’d imagine access to our search query data can be very valuable for both technology providers and end user clients as well. If you are interested or want detail on these specific search terms, talk to a Gartner account executive to see if your subscription contains our search analytic capabilities.

Search Term Used                   Provider
fireeye                            FireEye
damballa                           Damballa
fidelis                            General Dynamics (Fidelis Security Systems)
deep discovery                     Trend Micro
lastline                           Lastline
wildFire                           Palo Alto Networks
cyphort                            Cyphort
threatgrid                         ThreatGrid
threatcloud                        Check Point Software
mcafee advanced threat defence     Intel Security (McAfee)

Total Searches: 2,457



Four quick steps security practitioners must take to enable the intelligence aware future

by Lawrence Pingree  |  July 31, 2014  |  2 Comments

Threat intelligence sharing and exchanges are emerging across the security industry. But there are a few hangups we as security practitioners must overcome in order for us to move the needle in our favor against the attackers.

1. You must get over the paranoia associated with sharing your threat intelligence data.

2. Engage with your legal team immediately and start having conversations about how sharing threat information will need to be addressed in privacy policies and other contracts.

3. Seek providers that offer contractual language binding peers in the intelligence sharing framework from publishing any information shared outside of the sharing fabric.

4. Start sharing!

Happy Hunting! Stepping off my soapbox once again :)



Security Practitioners – Stop being a pwnie pawn!

by Lawrence Pingree  |  July 9, 2014  |  Comments Off

Although I haven’t written to my blog in quite some time, I wanted to take a moment to address a major issue that I believe continues to plague organizations globally. Far too often, security practitioners face IT management or business executives that either fail to or refuse to implement prevention measures due to concerns about their potential negative impacts. My belief is that this fear-based “detect only” culture we have developed is entirely insufficient and needs to change drastically. Many of the attacks (even from more advanced threats) are actually quite well understood, with prevention capabilities available to us.

I speak regularly with IT Security organizations that continue to be fearful of their executive management and thus configure relaxed security enforcement policies or implement security controls without any blocking or prevention capabilities turned on. This has got to change if we are to successfully defend and prevent data loss. We must understand that being resistant to properly implementing blocking policies or deploying responsive automated defenses may indeed be the root cause leading to many of the major data breaches we are currently seeing across the headlines.

Many of our defenses are ready to actively defend us with prevention, so if you have hired an IT Security staff, please stop handcuffing them to the “detect only” tree. If you do, expect your organization to get pwned.

Stop being a “pwnie pawn” and block what you can.

Now off my soapbox. :)


My team’s research next year… Intelligence Aware Security Controls (IASC)

by Lawrence Pingree  |  October 31, 2013  |  Comments Off

Hi Folks,

I wanted to give you a brief intro to a new concept emerging for Gartner’s security technology and service provider audience. The concept we will be using for next year’s theme is “Intelligence Aware Security Controls (IASC)”, pronounced “I ASK”. This concept will be elaborated much more in our research in 2014 and will be available to our technology provider audience as part of the “PMM” (Product Marketing and Product Management) subscription. The idea is to combine two areas of research on Context Awareness and Security Intelligence. We will explore a framework for sharing intelligence between security controls across the common silos that exist in many security technologies today and how we believe these capabilities can be adapted to provide information and intelligence sharing as well as enhance the security market with adaptive responses. Be on the lookout for our Agenda overview.

The future of Security will be intelligent and adaptive, taking in behavior-based intelligence and performing intelligence-based responses. The latest tools will want to support the IASC framework and support this concept in order to provide better security globally. More to come!


How do you define “defense in depth”?

by Lawrence Pingree  |  August 29, 2013  |  1 Comment

I’ve had some recent conversations that led me to believe there may be some misunderstanding of the term defense in depth. Some practitioners may propose that this is a simple architecture that translates into a specific finite set of products and architectures. In a note I wrote last year (which is currently being updated) I used the term to bolster the support that our clients (for example a security manager, engineer or architect) may need to be able to increase their security capabilities (see Best Practices for Mitigating Advanced Persistent Threats). When some practitioners hear this term (especially those that are senior) they cringe and sometimes have the reaction or believe that it’s “old school” philosophy. I disagree. I’m saddened when I hear that some security practitioners seem to have abandoned this concept; in fact, I feel it may need to be expanded.

  • Defense In Depth – Implement preventative controls as much as possible/affordable.

Should we expand the terms used to be (DDR):

  • Defend In Depth – Implement preventative controls as much as possible/affordable.
  • Detect In Depth – Implement detective controls as a final “last straw” approach.
  • Respond in Depth – Respond as quickly as possible to avoid the negative effects of security control failures.

Should practitioners expand their thinking and apply this new strategic approach to their security programs?

What are your own thoughts?


Advanced Persistent Threat Actor Levels and Goals

by Lawrence Pingree  |  July 18, 2013  |  1 Comment

Carrying forward an idea to categorize advanced targeted attackers proposed by Eric Ahlm here at Gartner, I am proposing the following profiles and “levels” of attacker. Feel free to comment or propose other ways to portray this information. If you are interested in defending against or detecting advanced targeted attacks, see my research titled “Best Practices for Mitigating Advanced Persistent Threats”.

Level 1

Attacker Profile: Organized Crime

Motivation: In it for the easy money targets

Level 2

Attacker Profile: Industrial Espionage

Motivation: They want your intellectual property, trade secrets, customer data, business strategies etc.

Level 3

Attacker Profile: Activist or terrorist groups

Motivation: They want to make a statement, cause harm

Level 4

Attacker Profile: Nation States

Motivation: Economic, political or military


Threats come from everywhere, so you must deal with it as such.

by Lawrence Pingree  |  March 22, 2013  |  Comments Off

How great a threat does Gartner perceive state-sponsored cyber espionage to be?

Since Gartner does not track individual threats or actors, it is difficult to say for certain which attacks are state sponsored or not. The recent Mandiant report highlighted China as the threat actor. Gartner does not believe that the country of origin is as important as the protection mechanisms that must be in place.


What are the biggest threats, and from where do they originate?

Threats originate globally, and in the hacker underground the most sophisticated hackers most often originate from Russia. In general, a nation state actor (if targeting you) will likely be successful, since they often are given time and resources in order to breach the security of your organization with many different capabilities beyond just cyber assets. Attribution of attacks is extremely difficult since counter intelligence can be used on the internet, such as spoofing source IPs, using proxy servers, using botnets to deliver attacks out of other locations, and developers using keyboard maps of different languages. For example, a Chinese American or European that understands Chinese but develops their exploits for their country of origin will result in problematic or impossible attribution.

In the recent report published by the company Mandiant titled “APT1”, hackers appear to originate in China. These threat actors were utilizing common forms of zero day exploitation, botnets and other tools readily available in the underground hacking community. Given they are using the same tools and capabilities as the underground hackers, it is most important to focus on generic security controls that protect against all of these attack capabilities. An organization should take a general approach to combat threats from any location and not focus on the country of origin. A report published by Gartner last year titled “Network Security Monitoring Tools for ‘Lean Forward’ Security Programs” calls out technologies that can assist in advanced targeted attack detection at the network layer.


What responses are organizations making?

I have written a report titled “Best Practices for Mitigating Advanced Persistent Threats” as a guide for raising the bar for prevention and detection of advanced forms of malware and targeted attacks. These technologies and security techniques are what organizations today are focusing on refining and deploying. The two primary attack vectors of choice for today’s threat actors are malware to gather unstructured data and web-based attacks such as SQL injection to grab structured data types stored in databases. The malware can be handled by a number of technologies at the network layer and at the Windows endpoint. Web attacks can be addressed with a combination of Intrusion Prevention System and Web application firewalls. See the reports titled “Best Practices for Mitigating Advanced Persistent Threats” and “Market Trends: Advanced Threat Protection Appliances, Worldwide, 2012” for advanced malware threats and “Competitive Landscape: Web Application Firewall Market, Worldwide, 2012” for web application firewalls.


Are organizations in a regulated environment facing a greater threat?

Nation states do not often target structured data types such as financial data; however, disruption of a banking system or critical infrastructure can be akin to a nuclear attack if an entire banking system, power or water delivery system is properly disrupted. Government regulations target sensitive areas of the economy. Most attackers are financially motivated, and thus regulated environments such as financial organizations often face the largest threat from these actor groups. A nation state would likely consider disruption of critical infrastructure as an end goal during a time of war vs. data acquisition. Prior to wartime, a nation state would likely be focused on distributing “capability” for disruption as a preparatory measure for evocation at a later date. Although we don’t have direct research in this area, we do have many supporting research notes. Please see the list below as a very comprehensive way to deal with both threat actor groups.



- Best Practices for Mitigating Advanced Persistent Threats
- Market Trends: Advanced Threat Protection Appliances, Worldwide, 2012
- Malware, APTs, and the Challenges of Defense
- Decision Point for Anti-malware
- Competitive Landscape: Web Application Firewall Market, Worldwide, 2012


Where do the most hackers come from?

by Lawrence Pingree  |  March 8, 2013  |  8 Comments

Recently, there have been a lot of stories surrounding the Chinese and hackers originating from their intelligence agency. Although I do not want to diminish the findings of a particular technology company that disclosed some of their own investigations, I do believe it is necessary to draw some attention towards locations of the globe where many of the attacks actually originate, to be fair. It is fairly well known by most security professionals that the best hackers on the planet often originate from Russia; however, it is more newsworthy to talk about a country such as China, which we trust with many of our manufacturing facilities and research and development activities and which has greater resources at its disposal if it intended to inflict harm.

There are certainly political motivations for talking about China, and I think it’s fair to say there are certainly many participants on the global stage of cyber security and intelligence gathering. In fact, the United States has a long history with its intelligence agencies of performing signals intelligence (SIGINT). I would like to point out that as far as sophistication goes, the United States is unmatched in its intelligence gathering capabilities and extends this capability across the globe with an extensive array of spy satellites and listening stations with strong support of several other countries. It does not strike me as odd or newsworthy that governments across the planet attempt to track each other’s military capabilities and monitor situations through signal intelligence and other intelligence gathering capabilities. These activities are a necessary function to enable transparency across borders between governments and be ready if another country is planning some sort of attack. I do think, however, it is important to mention that I believe that all countries should uphold strong intellectual property rules in order to maintain fair competition, which creates a dynamic that encourages new developments and technologies and enables fair competition across the globe.

Now let’s turn to some of the data, often known “behind the scenes”, that many security practitioners know and consistently defend against. Deutsche Telekom publishes a real-time dashboard of hacking attacks detected by its global network of attack sensors known as a “honey net”. As many practitioners know, the reference to honey in “honey net” is an analogy to how one might attract a bear in the woods, the bear being the hacker in the case of a “honey net”. For some fun, I used some statistics from the Deutsche Telekom dashboard located at to provide data points for some basic analysis. At the time of this writing, the total number of attacks detected over the last month globally was 30,144,538 when tallying the “Top 5 of Attack Types (Last month)” table. They also publish a table called “Top 15 of Source Countries (Last month)” with detected attack values, which I found interesting, but I wanted to extract percentages, so I used those values and threw them into Excel to calculate percentage values by top 15 countries. The following is my output.

Attacks by percentage of total global attack detections.

Source Country                Attacks       % of Total
Russian Federation            2,402,722     7.97%
Taiwan, Province of China     907,102       3.01%
Germany                       780,425       2.59%
Ukraine                       566,531       1.88%
Hungary                       367,966       1.22%
United States                 355,341       1.18%
Romania                       350,948       1.16%
Brazil                        337,977       1.12%
Italy                         288,607       0.96%
Australia                     255,777       0.85%
Argentina                     185,720       0.62%
China                         168,146       0.56%
Poland                        162,235       0.54%
Israel                        143,943       0.48%
Japan                         133,908       0.48%
Total (top 15)                7,407,348     24.61%


As you can see with this quick analysis, roughly 24.61% of total detected attacks were from the top 15 attacking countries and roughly 8% of all attacks came from the Russian Federation and only half a percent came from China. So the question is, who will you pay most attention to?

