The 2018 Threat Landscape

CONFIDENTIAL AND PROPRIETARY
This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other intended recipients. This presentation may contain
information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates.
© 2017 Gartner, Inc. and/or its affiliates. All rights reserved.
Greg Young
Research Vice President
@orangeklaxon
The 2018 Threat Landscape
Gartner

1 © 2017 Gartner, Inc. and/or its affiliates. All rights reserved.
… So What?
There Are About 4 Billion Google
Searches Each Day
There Are About 20 Billion Threat
Blocks a Day

If You Came Here to Get Stats to Scare
Your Bosses With, I'm Sorry
They're Already Scared
They're Bored With Scary Stats

3 © 2017 Gartner, Inc. and/or its affiliates. All rights reserved.3 © 2017 Gartner, Inc. and/or its affiliates. All rights reserved.
Gartner has, for decades, resisted
providing threat statistics.
How many raindrops are falling
doesn't matter.
So Stop Counting Attacks

Instead, Start
Thinking
About
Raincoats

And Umbrellas and Roofs … and What Am I Doing?

Threat Analysis Isn't About Threats
It's About You

0 10 20 30 40 50 60 70 80
Plans to deploy by year-end 2017
Plans to deploy by year-end 2015
Currently uses cloud services
Percentage of Respondents
Asia/Pacific (n = 269) Western Europe (n = 257) Latin America (n = 184) North America (n = 327)
A Lot of Your Stuff Isn't Where It Used to Be
Cloud Deployment Plans Across Regions and Timelines, May 2016

It's Not All Easily Found
Cloud delivery and stand-alone functionality enables shadow
IT applications
15x
Companies are using up to
15 times more cloud
services to store critical
company data than
CIOs were aware of, or
had authorized.
(Cisco study, August 2015)
77%
Nearly eight in ten (77%)
(business) decision makers
admit to using a third-party
cloud application without the
approval or knowledge of
their IT department.
(NTT, April 2016)
45%
Percentage of IT
professionals that believe
all IT spending should
be controlled by the
IT organization.
(Gartner, April 2016)

By 2020, a third of successful attacks experienced by enterprises will be
on their shadow IT resources.
Strategic Planning Assumption (SPA)

Your IT Is Heading in Remarkable New Directions
Top 10 Strategic Technology Trends for 2016
Conversational Systems
Digital Technology Platforms
Artificial Intelligence and
Advanced Machine Learning
Intelligent Apps
Intelligent Things
Mesh App and Service Architecture
Adaptive Security Architecture
Intelligent Digital
Virtual Reality and Augmented Reality
Digital Twins
Blockchains and Distributed Ledgers
Mesh

Your IT Is More Complex, but More Connected
Complexity and Heterogeneity Are the Enemies of Security
A Shifting Set
of Endpoints
Work
Car
With
Customer
Away
At the Game
Home
Retail
Restaurant
Desk Person Environment
The Device Mesh

Insiders
Partners
All Your Stuff Is Not Under One Roof
Customers
Information
Systems
Platform
Customer
Experience
Platform
Ecosystems Platform
Things
Mobile
Cloud
Data and
Analytics
Platform
B2B
On-Premises
Edge
Cloud
On-Premises
Mobile
Mobile
IoT Platform
As if the challenge were not great enough within the enterprise

There's Not a Lot of You
Total IT Security Support FTEs as a Percent of Total IT FTEs, 2012-2016
4,1%
5,2%
7,7%
5,6%
6,8%
0%
1%
2%
3%
4%
5%
6%
7%
8%
2012 2013 2014 2015 2016

IoT Are Sprinklers
Endpoints of the Internet of Things will grow at a 32.9% CAGR from 2015 through
2020, reaching an installed base of 20.4 billion units.
In 2020, 6.5 billion "things" will ship, with 64% of them being consumer applications.
Total spending on endpoints and services will reach $3.4 trillion in 2020.
SIEM
Staff
Vulnerability Assessment
IoT

You Have Many Things … and Are Faced With So
Many Things
Source: Gartner 2016
Human-Centric Devices
Generating Data
IoT Devices
Generating Data
Yes — That Is 20+ Billion
PC, Notebook, Ultramobile and Mobile Phones IoT
Human Compute Versus IoT
(Millions of Units)
0
5,000
10,000
15,000
20,000
25,000
2015 2016 2017 2018 2019 2020

Your Roofs Are Leaky, and Getting Leakier
0
1 000
2 000
3 000
4 000
5 000
6 000
7 000
8 000
9 000
1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016
Vulnerabilities by Year
Source: Gartner-Generated via CVE Database
We're Not Even Looking at All the Roofs

Some Roofers Are Better Than Others:
2016 Vulnerability Trends
Source: Gartner-Generated via CVE Database
0
100
200
300
400
500
600
700
800
900
2016 Top 20 Distinct Vulnerabilities by Vendor

One of These Years You Should Fix That Leak
Source: Symantec
4 Out of 5 Websites …

Through 2021, the single most impactful enterprise activity to improve
security will be patching.
Through 2021, the second most impactful enterprise activity to improve
security will be removing web server vulnerabilities.
Strategic Planning Assumptions (SPAs)

Weather
Patterns:
What About
the Threats?

The Economy of Vulnerability
Research and Zero Days
Zero-Day
Discovery
Focus
State-
Sponsored
Attack
Capability
Threat and
Attack
Monetization
Bug Bounty
Programs
Threat
Research
Market

Economy of
Vulnerability
Research and
Zero Days
3x
2x

The Perfect Storm: How Many Zero Days?
2013 23 00.4%
2014 24 00.3%
2015 53 00.8%

Through 2020, 99% of vulnerabilities exploited will continue to be the
ones known by security and IT professionals for at least one year.
Strategic Planning Assumption (SPA)

The Force Multiplier of New Exploit Families
Ransomware
Customized Variants
Exploit Kits
Wipers
ExploitVulnerability

Encryption Remains Under Pressure
MD5 Proven Theoretically
Pre-Stuxnet Flame Used MD5 Collide
SHA-1 Collision Attack Proved
Clock Is Ticking
1 + 2 = X; 3 + 4 = X
Encrypt to Protect
Decrypt to Inspect
Encrypt More! Stop the Bad Guys!
Decrypt More! Stop the Bad Guys!

Machine Learning Won't Be the Answer
Encryption to protect data
Encryption to evade detection
Virtual machines as sandboxes
Detect virtual machines
Machine learning
Machine learning malware
Advancement
Time

 A lot of hype
 Use quality metrics to evaluate the outcome, not the technique:
– Anomaly detection: detection and false positive rate
– Security analytics: use SOC analyst productivity metrics
 Using new techniques does not necessarily equal better detection:
– Anomaly detection can be achieved with allegedly more basic techniques:
 Reputation and fingerprinting: if the attacker is known
 Pattern matching and heuristics: if the attack technique is known
 Whitelisting: if the expected behavior is known (and consistent)
Machine Learning Is a Technique, Not the Objective

Ransomware

The Ransomware Weather Map
Source: Microsoft: Ransomware by Region 2Q16

Ransomware Growth Is Not Hype
Source: Trend Micro

You Can Prevent Ransomware
System
Patching
EPP
Update/
Configuration
EPP
Extensions
EDR
Solutions
Network
Perimeter/
Segmentation
Admin./
System
Protection
Backups

The State-Sponsored
Threat

State-Sponsored Cloud Seeding
Most enterprises will not be the direct subject of a state-sponsored attack.
Most enterprises will be affected by the indirect actions of states as they involve
themselves in offensive cyberops.

The State-Sponsored Threat
 Almost all enterprises should treat state threats as part of usual
advanced threats.
 Certain verticals and industries do need to take more focused actions.
 State-sponsored attack teams in many countries "free-lance" after
hours. Techniques will be the same, but the targeting and level of
stealthiness will differ.
 Don't hack back. Unless you are the state. And maybe not even then.
 Don't neglect best-practice level safeguards to focus on more
advanced attacks.

Last Year Saw Noteworthy State-Sponsored Attacks
The New York Times

Attribution ... Doesn't Matter
 92% of organizations surveyed found it very important or
extremely important to know the origin of an attack.
(Source: Cisco Talos Annual Security Report)
 Attribution with enough confidence to be actionable is
exceptionally difficult, and getting harder.
 More attacks are evasive, and now including false fingerprinting.
 Attribution matters if you are a nation state, or for insider attacks.
 Can be useful for SOC or alert followup, but attribution
confidence for advanced attacks is continually dropping.
 Does your response change based on source, if you could be
sure of it?
 So the concern is upside-down from the reality: Attribution likely
doesn't matter in more than 92% of attacks.

You Can Go Out in Bad Weather
 Rearchitecting — Enclaves, Segmenting, Remote Browser
 Finally Fix Those Things You Know Need Fixing
 Detect + Prevent in Equal Measure
 Ransomware Programs
 Do Small Scale POCs: Focus on Critical Areas
 Outsource
 Crack That Encrypted Traffic

Stop Counting Threats
Stop Scaring Scared People
Use Your Humans Wisely
Patch Your Things, Do Your Best
Watch the Weather: Keep Detecting
Plan for Future Trends Now
Fix That Leaky Roof
And Carry an Umbrella

Recommended Gartner Research
 How to Respond to the 2017 Threat Landscape
Greg Young (G00314549)
 Predicts 2017: Threat and Vulnerability Management
Oliver Rochford, Greg Young and Craig Lawson (G00316869)
 It's Time to Isolate Your Services From the Internet Cesspool
Steve Riley, Neil MacDonald and Greg Young (G00315586)
For more information, stop by Gartner Research Zone.

The 2018 Threat Landscape

More Related Content

What's hot

Similar to The 2018 Threat Landscape

More from ColloqueRISQ

Recently uploaded

The 2018 Threat Landscape