• No results found

60 by 5: Mapping Six Years of Innovation Sandbox Leaders Against the NIST Cybersecurity Framework s Five Functions

N/A
N/A
Protected

Academic year: 2021

Share "60 by 5: Mapping Six Years of Innovation Sandbox Leaders Against the NIST Cybersecurity Framework s Five Functions"

Copied!
6
0
0

Loading.... (view fulltext now)

Full text

(1)

60 by 5: Mapping Six Years of

Innovation Sandbox Leaders Against

the NIST Cybersecurity Framework’s

Five Functions

Innovation has shifted from protection to detection and, to a lesser extent,

response, though many companies still lag behind with protection- and

perimeter-focused strategies.

Innovation in recovery and in securing Industrial Control Systems (ICS) is

sorely needed.

(2)

1. Executive Summary

Each year, the Innovation Sandbox at RSA Conference highlights ten of the most innovative companies.

Every day, Good Harbor advises CEOs, CISOs, and other executives to consider their company’s distinct cyber security risks, to develop a strategy focused on mitigating their most critical and consequential risks, and to make sure they are actually aligning resources with that strategy.

One of the tools to observe how a company is focusing its resources is the NIST Cybersecurity Framework and its five Functions: Identify, Detect, Protect, Respond, and Recover. How a company focuses its cyber security resources and activities, as observed through the Framework, reflects (or at least should reflect) the cyber security strategy of that company.

This year, Good Harbor decided to map the past six years of Innovation Sandbox contenders, 60 companies in all, against the NIST Cybersecurity Framework’s five Functions to see what could be observed about innovation trends in the market. Is the perimeter really dead? Has technology-enabled response finally arrived? The resulting chart is on page 3. Here is what we found:

-   Innovation has expanded from an almost exclusive focus on protection

to address detection and, to a lesser extent, response. Automated

response is an especially nascent but growing sector of the market, promising to assist under-staffed security operations teams.

-   Nonetheless, protection is not dead: many corporations have failed to move

their strategies and spending away from protection- and perimeter-focused strategies, resulting in continued incentives for start-ups to innovate in protection.

-   Technological innovation in recovery has not yet reached the Innovation

Sandbox and is sorely needed, particularly as wiper malware, ransomware, and other disruptive attacks become more common.

-   The market must rise to the challenge of securing Industrial Control

Systems (ICS) that run our power, water, manufacturing, transportation, and more. Though not directly related to the five Functions, one observation that jumped out of the analysis was the absence of companies focused on ICS, with the exception of one company, NexDefense. Threat actors are turning their attention to ICS, and technology innovators need to do the same, soon.

(3)

2. The NIST Cybersecurity Framework

The 2014 NIST Cybersecurity Framework has become a popular tool companies use to manage their cyber security risk management programs and identify priorities and targets for improvement. The Framework uses five Functions to address the range of activities that make up a mature, holistic cyber security program: namely, Identify, Protect, Detect, Respond, and Recover. Within the five Functions, the Categories, Subcategories, and Informative References provide specific policies, practices, and controls to support the Functions.

A key strength of the Framework is that it is designed to be flexible for each company. The Framework recognizes that every company has distinct cyber security risks and should determine its own risk tolerance and risk management priorities.

One way to understand how a company is prioritizing its cyber security resources and activities is to map them against the Functions of the Framework. How a company focuses its cyber security resources and activities, as observed through the Framework, reflects (or at least should reflect) the cyber security strategy of that company. A company that invests in policies and technologies focused on protection displays a different risk management strategy and priorities than one focusing on detection and response. Prioritizing activities under different Functions reflects a strategy based on the company’s particular risks and risk management objectives. Some companies lack a targeted strategy and consequently try to commit equal resources or achieve equal maturity across all five functions; this is usually a mistake.

3. Innovation and the Innovation Sandbox

Of course, companies are not operating in a static cyber security environment. As the threat landscape evolves, so to do the security needs and strategies of companies and the technologies that spring up to support them. As major, headline-grabbing breaches have continued unabated, and as attacks have shifted from theft alone to include disruption and destruction, the security demands of enterprises have shifted the focus of products offered by security technology companies.

Each year at the RSA Conference in San Francisco, the much acclaimed Innovation Sandbox offers a look into the evolution and future of the technology market: the Innovation Sandbox brings together young cyber security companies, highlighting ten innovative companies each year and ultimately naming the “most innovative” cyber security startup of the year. Past winners have gone on to become major players in the cyber security market, for example SourceFire and Imperva. Others have been acquired by large strategic buyers to add new, innovative products to their offerings.

(4)

4. Mapping Six Years of Innovation Sandbox Contenders Against the NIST Cybersecurity Framework

Heading into RSA 2016, Good Harbor wondered whether the Functions addressed by the top ten contenders for “most innovative company” would line up with reported trends in the industry, with companies focusing less on protection and more on detection, response, and recovery. Even more interesting, publicly available sources provided the lists of top ten contenders not only for 2016 but for the previous five years, presenting the opportunity to map the top ten Innovation Sandbox contenders of the past six years against the five Functions of the NIST Cybersecurity Framework, revealing trends over time and testing the the hypothesis that innovation should be evolving away from protection to detection, response, and recovery. In mapping the companies, Good Harbor determined which Function best suited each technology’s primary functions based on publicly available information and assigned each company to only one Function. While some companies provide multiple functions, assigning multiple solutions to multiple Functions would obscure trends, and the primary Function of each solution best reflects the company’s focus and therefore, collectively, trends in innovation.

Here is how the 60 most innovative cyber security companies of the past six years line up against the NIST Cybersecurity Framework’s five Functions:

2011 2012 2013 2014 2015 2016

Identify Appthority ThreatStream Bugcrowd

Trustinsoft SafeBreach Protect CipherCloud Entersect Gazzang Hytrust Incapsula Invincea Pawaa Quaresso Symplified CloudPassage Content Raven Dome9 Impermium IonGrid MokaFive Bromium Light Point Nok Nok PrivateCore Remotium Silent Circle Skyhigh Spotflux Victrio Wickr BlueBox Cylance Defense.net SentinelOne Ticto Waratek Menlo Security Prevoty SkyPort S. Vera Versa N.

Detect SilverTail PinDrop

Sonatype Sumo Logic Cyphort Light Cyber RedOwl Skycure WhiteOps CyberReason Fortscale Nexdefense SentinelOne Vectra N. Waratek Bastille N. Illusive N. ProtectWise

Respond Co3 (now

Resilient S.)

SecurityDo Phantom

ProtectWise Recover

(5)

5. Conclusions

The mapping of the leading technology offerings of the recent Innovation Sandbox contenders against the Framework reflects a change in the focus of the technology industry that aligns with Good Harbor’s experiences with companies that have mature enterprise security programs: innovation in the market has expanded from technologies almost exclusively focused on protection to include more products that offer the ability to detect threats within the network and, to a lesser extent, to respond to them quickly.

Despite the emergence of innovation focused on identification and response, many companies are still innovating in protection, too. This reflects Good Harbor’s observations across companies of every sector and size: despite the conventional wisdom in the security community that “perimeter defense” and a “patch and pray” approach are dead, many corporations have nonetheless failed to move their strategies and spending away from protection-focused strategies, resulting in continued incentives for start-ups to innovative in protection.

Traditionally, companies have underinvested in detection and response, leaving them vulnerable once a breach has taken place. Companies take months to identify breaches and frequently suffer significant consequences because of inadequate response capabilities. The increase in available technological capabilities for detection and response will help enterprises target more repeatable controls and processes in these functions, creating a strategy that accepts that network penetration may be inevitable and that is responsive to incidents. The increase in detection and response-focused technologies has been driven both by the needs of companies and by the maturation of technologies that enable detection and response, particularly advanced analytics through machine learning.

While innovation in detection has been significant, innovation in response has been more modest. Automated response is an especially nascent but growing sector of the market, promising to assist under-staffed security operations teams in managing the deluge of forensic, investigative, and response tasks that are required after an incident.

Technological innovation in recovery has not yet reached the Innovation Sandbox and is sorely needed, particularly as wiper malware, ransomware, and other disruptive attacks become more common.

Of course, protection is not completely dead. Companies still must address critical categories and subcategories in the function in order to raise the bar for attackers. In the authentication and endpoint categories, protection is still a central part of most technology offerings. Multifactor authentication is considered more important than ever, and companies are looking for easier-to-deploy ways to protect privileges and

(6)

credentials. Managing access rights to sensitive data, systems, and encryption keys remains critical. In the endpoint category, next-generation offerings increasingly look to cover multiple functions, providing the ability to protect against, detect, and respond to attacks. Of course, increasing adoption of Cloud (there, we said it) has been reflected in the Innovation Sandbox in recent years and will no doubt continue to be a priority for buyers and start-ups.

A final trend to keep an eye on is the evolution of threats against, and defenses for, Industrial Control Systems (ICS), particularly as the Internet of Things (there, we said that too) grows at exponential rates. In 2015, Nexdefense became the first Innovation Sandbox contender focused on protecting Supervisory Control and Data Acquisition (SCADA) systems; expect more companies focused on identifying, protecting against, and responding to threats in ICS/SCADA systems to follow. While there is work still to do before solutions are available to support companies in a truly holistic strategy, trends in innovation holds promise.

About Good Harbor Security Risk Management

Good Harbor is a boutique cyber security advisory firm that helps CEOs, Boards, senior executives, investment professionals, and government leaders to assess and manage cyber security risk in the face of advanced cyber threats. The firm is led by Chairman Richard A. Clarke, a former, senior White House advisor on cybersecurity, counterterrorism, and national security, and the author of Cyber War: The Next Threat to National Security and What To Do About It. To learn more about Good Harbor or download an electronic copy of this publication, visit http://www.goodharbor.net. Good Harbor Security Risk Management

Washington, D.C.

[email protected] www.goodharbor.net Follow us @ghsrm

References

Related documents