One week of Gartner Security & Risk Summit 2022 in 10 minutes

My good friend and colleague Sanjay Chaudhary and I were among the team representing Exabeam at the Gartner Security & Risk Summit 2022 in National Harbor, MD. We realize that not everyone had an opportunity to participate, so we thought we would share our notes with those who missed the event. Unlike RSAC, which seems to have been dominated by cybersecurity vendors’ marketing and product demos, the Gartner Summit was an opportunity for Gartner analysts to share their insights gathered across thousands of customer and vendor interactions, and countless surveys and interviews. Oh, and of course, there was also an expo floor with many security vendors.

This article will cover all the buzzwords-du-jour, such as secure access service edge (SASE), extended detection and response (XDR), zero trust (ZT), cybersecurity mesh architecture (CMA), identity threat detection and response (ITDR), and more.

The key themes developed by Gartner this year and discussed in this article are:

1. Security risk management as a discipline

2. The evolution of SIEM, XDR, and TDIR

3. Emerging trends in SASE

4. Recommendations for implementing zero trust

5. The expanding cloud security lexicon

6. The cybersecurity mesh architecture (CMA) model is shifting

7. The role of credentials and identities in support of ITDR

1. Security risk management as a discipline

With approximately 10 sessions, risk management had the broadest coverage at the Summit — rightly so, as this is a key challenge of every CISO we meet. Gartner VP Analyst Jay Heiser did a great job in his session around the top trends in this space, and Gartner Distinguished VP Analyst Paul Proctor had several sessions on metrics for the C-suite and the Board.

Key takeaways

• Security is now more than ever a challenge due to the perfect storm of skills gap, expanding attack surface, cloud adoption, hybrid work, and persistent attacks like ransomware, identity, and digital supply chain.
• Insider risk — either malicious or unintentional — should not be ignored. Risk management can’t just focus on outbound risks. It should be noted that insider risk is different from insider threat. Analyst Paul Furtado delivered a presentation that explained the difference well.
• 88% of Boards believe cybersecurity is a business risk. Gartner released a new Cyber and IT Risk Management Framework based on NIST 800–39 and ISO27005, presented by Gartner VP Analyst Jie Zhang.
• By 2025, 60% of organizations will use cybersecurity risk as a primary determinant to doing business with third parties.

2. The evolution of SIEM, XDR, and TDIR

From a demand side, XDR is a symptom of increasing market demand for simpler security operations (SecOps) tooling. From a supply side, XDR provides vendors of point solutions, e.g., endpoint detection and response (EDR), network detection and response (NDR), cloud access security broker (CASB), and identity and access management (IAM), an escape route into the broader, lucrative SecOps space. Gartner indicates that XDR will mainly succeed in the lower end of the market, as larger and more mature enterprises still need a powerful and flexible tool such as a security information and event management (SIEM) solution. In fact, as Gartner Sr. Director Analyst Charlie Winckless points out, “XDR may not displace SIEM.” The answer to the SIEM versus XDR debate got another angle in a session from Gartner Sr. Principal Analyst Mitchell Schneider, where he pointed toward the “TDIR platform”. Is the TDIR platform the forward-leaning approach for SecOps? Only time will tell!

Key takeaways

• By 2025, 75% of SIEM vendors will offer a comprehensive TDIR platform with telemetry coming from EDR, NDR, CASB, etc.
• There is a growing interest in the consolidation of XDR and SASE products, but the sample size in the Gartner survey is small, so we can’t take it as a market trend.
• TDIR might consume the XDR message/market and deliver all the things (content, telemetry, collectors, response, etc.). It is recommended to move to a TDIR platform approach for security operations center (SOC) staff.
• XDR may not displace SIEM, but interest in XDR continues due to market demand for simplicity in security operations (based on a Gartner survey that explores why organizations adopt an XDR strategy), as well as an escape route for point solution vendors who have saturated their market(s).
• A word of caution: Confusion still remains about what XDR is and what the reference architecture looks like; vendors aren’t the only ones to blame for this.

3. Emerging trends in SASE

As users and applications are moving everywhere, a data center-based model no longer works for security, because the security perimeter is no longer defined at the physical data center edge. The two trends that are emerging in SASE are:

1. Location-centric — software-defined wide area network (SD-WAN) and firewall as a service (FWaaS)
2. People-centric — secure web gateway (SWG), CASB, and zero trust network access (ZTNA)

There was a lot of discussion on single-vendor SASE for mid-size enterprises versus two-vendor SASE solutions for large enterprises. Gartner Sr. Director Analyst Nat Smith had a strong session targeted for SASE vendors. So did Gartner Distinguished VP Analyst Neil MacDonald on SASE adoption strategy, while Gartner VP Analyst Dionisio Zumerle offered an interesting perspective on the consolidation of SASE and XDR.

Key takeaways

• 70% of organizations plan to have SASE by 2023.
• 80% of organizations will unify web and cloud services from a single SASE platform by 2025.
• 46% of organizations plan to use two vendors for SASE after consolidating.
• The big reason for SASE vendor consolidation is to simplify network security and policy management, and to improve security posture.
• There is a growing interest in the unification of network and security teams (approximately 40% of organizations, based on Gartner’s survey)
• Since there is also growing interest in XDR among NDR buyers, SASE and XDR will be key buzzwords in the networking industry. It will be interesting to see how interworking between SASE and XDR shapes up.
• SASE is becoming more than SWG+CASB+ZTNA. Visibility, user and entity behavior analytics (UEBA), data security, threat protection, and adaptive access controls are additional features on the list.

4. Recommendations for implementing zero trust

The term “zero trust” is heavily abused by vendors. Zero trust is not a product, but rather a methodology which expands across users, endpoints, applications, networks, data, monitoring, and automation. Gartner VP Thomas Lintemuth did a great job of presenting five steps to starting the zero-trust journey. However, both SASE and zero trust require significant integration across diverse security tools which, today, are not that easy to integrate.

Key takeaways

• 60% of organizations will embrace zero trust by 2025; unfortunately, more than half will fail to realize the benefits.
• Beware of zero trust vendor hype; the market reality is different. Tie zero trust to business outcomes like cost reduction and revenue generation.
• You can’t implement zero trust without a solid identity foundation.
• Zero trust networking means your underlying network is not trusted — either internally or externally.
• Gartner recommends an approach that starts with knowing your users, endpoints and applications; then adding monitoring and automation. Don’t ignore networking and data security. Exabeam would add UEBA to this list to accurately determine whether the identity or device you authenticate is an adversary.

5. The expanding cloud security lexicon

Cybersecurity can be a confusing alphabet soup, with a veritable universe full of acronyms that sometimes overlap. Cloud security is an evolving market segment, especially since cloud providers are starting to offer security solutions, shifting the security focus from infrastructure to workloads, and buying decisions toward development. Visibility, infrastructure, application security, data security, network security, identity, and access are all evolving to adjust to the new cloud reality. “Security as code” is a new buzz phrase, and zero trust is bringing access and segmentation to clouds. Gartner Sr. Director Analyst Charlie Winckless had some great insight in this area.

Key takeaways

• Most breaches in the cloud are self-inflicted configuration errors involving very complex identities and services. Cloud/SaaS is often making simple things complex.
• Where is my data in the cloud? CASB, ZTNA, encryption, and backup all are becoming critical to resolve data risk.
• Cloud security will evolve to cover all security segments including infrastructure and applications, data security, network security, identity and access, visibility, SecOps, and DevSecOps.
• Cloud security needs to provide a common monitoring and identity fabric, and common security tooling across all things cloud.
• Multicloud & microservices are making decisions on providers versus third parties difficult. There is “shift left” momentum with cloud workload protection platforms (CWPP), cloud-native application protection platforms (CNAPP), and cloud security posture management (CSPM).

6. The cybersecurity mesh architecture (CMA) model is shifting

Gartner has been pushing the concept of CMA as a long-term vision for linking all technologies in an organization. The intent is to move from a legacy hub-and-spoke model that links all of an organization’s technologies via a central SIEM, to a fully meshed model with security analytics and intelligence at the heart. Local decisions are encouraged and negotiated within the bigger picture via that central intelligence. At the Summit, Gartner VP Analyst and Summit Chair Patrick Hevesi presented an update to this architecture.

Key takeaways

• SecOps needs a place to normalize and integrate all the different security tools often already deployed in organizations (e.g., EDR, NDR, CASB, secure email gateway (SEG), web application firewall (WAF), data loss prevention (DLP), ZTNA). This is often a long list; we spoke with end users at the conference who shared that they have more than 40 security tools.
• The integrations via this mesh architecture seek to deliver actionable security intelligence across products.
• “Better together” is a great way to improve an organization’s security posture without having to buy more tools. Better integrate your current stack and reap the benefits of a heterogenous stack behaving as one cohesive solution.
• The cybersecurity mesh will require two enablers that still don’t exist today:
  1. A common information model (CIM) that allows all security vendors to essentially speak the same language.
  2. An agreed-upon standard or pseudo-standard for the set of APIs that all these tools will use to communicate and collaborate bidirectionally.

Note: Exabeam is a founding member of the XDR Alliance, an association of thought-leading cybersecurity vendors working together to define and release a CIM and set of APIs to the industry as an open-source initiative.

7. The role of credentials and identities in support of ITDR

In a great session about emerging trends on threat actors, Gartner VP Analyst Chris Silva (who covers endpoint and workspace security) discussed the rising use of legitimate credentials — (stolen, compromised, or purchased) — by threat actors, not only for the initial penetration of an organization, but also to establish persistence. He discussed how understanding user behavior was key in detecting attacks and incidents because organizations need to “assume breach”. Chasing indicators of compromise (IoCs) and attack signatures does not scale, whereas flagging strange, anomalous, or impossible user or asset behaviors gives high confidence of an incident/ Gartner Managing Vice President Tricia Philipps pointed out that “people are our greatest asset, but also our greatest vulnerability,” and offered an identity trust framework for an identity-first security approach. This reminded me that we’ve been saying “Identity is the new perimeter” for a few years already.

In a parallel initiative, Gartner has introduced ITDR; however ITDR is not about using identities for threat detection and response. At this point ITDR describes “the collection of tools and best practices to defend identity systems.”

Key takeaways

• Legitimate credentials have been a powerful weapon for attackers to penetrate into, as well as persist inside of organizations. It’s about time the defenders leverage credentials and credentials’ behaviors in order to detect attacks and incidents.
• User behavior and an understanding of the normal behavior of an organization are great leverage points for threat detection and investigation.
• ITDR is not about using identities for threat detection, but about securing identity systems.

As you can see, it was a week packed with substantial sessions from Gartner, with presentations of latest trends, industry innovations, and methodologies for improving organizations’ security postures. Thank you, Gartner, and see you next time!