W H I T E P A P E R A T r u s t e d S e c u r i t y P a r t n e r : A M u s t - H a v e i n T o d a y ' s T h r e a t L a n d s c a p e

Transcription

1 Global Headquarters: 5 Speen Street Framingham, MA USA P F W H I T E P A P E R A T r u s t e d S e c u r i t y P a r t n e r : A M u s t - H a v e i n T o d a y ' s T h r e a t L a n d s c a p e Sponsored by: AT&T Christina Richmond Curtis Price August 2013 Christian A. Christiansen I D C O P I N I O N Given today's ever-evolving threat landscape of increasingly sophisticated and difficult-to-detect advanced persistent threats (APTs), denial of service (DoS), and distributed denial of service (DDoS) attacks, the enterprise faces a severe challenge in defending the entire environment, from the perimeter to the endpoint, completely alone. At the same time, IT organizations are pressured by board-level oversight to improve the administrative efficacy of security. This antagonistic situation represents a seemingly insolvable conundrum because it seems impossible to reconcile these opposing forces. Threat actors with their actions often have the ability to be more successful than the enterprise with its protection and defense. They continue to come up with increasingly imaginative strategies for their profit, which might be intellectual property, customer identities, or monetary gain. It is becoming harder and harder for IT to keep up with this dynamic landscape, especially when it is imperative for the enterprise whether small, large, or multinational to have a comprehensive and holistic security posture that covers all infrastructure and data, from the network to the application layer and beyond. Security is changing, and enterprises must adapt policies and procedures to stay ahead of threats. IDC believes that for the enterprise to effectively build its security posture, it must partner with a company that can provide the requisite professional security services (PSS) to assess security vulnerabilities, build a suitable strategy, and deploy plans that cover every aspect of the company's security needs. Moreover, IDC finds that managed security services (MSS) can offer advantages in reducing these vulnerabilities, predicting attacks, suggesting remediation, responding to incidents, and analyzing forensics to reduce the possibility of future events. I N T H I S W H I T E P A P E R In this white paper, IDC discusses the need for the enterprise to engage with a broad spectrum end-to-end security provider a "trusted security partner" to facilitate an overarching security plan for today's rapidly changing threat landscape. This white paper also takes a look at the services offered by AT&T that make it one of a handful of vendors that can claim to be a trusted security partner.

2 S I T U A T I O N O V E R V I E W B r o a d S e c u r i t y C o n c e r n s o f t h e E n t e r p r i s e Businesses feel the budget squeeze of doing more with less while also feeling the impact either directly or vicariously through the media of APTs, DoS, and DDoS attacks. A company's chief information security officer (CISO) knows that it is only a matter of time before the company ends up in the same position as its competitors. Additionally, the board desires more transparency into what has always been somewhat of a mystery: the "crying wolf" spend on security products to protect something that has never, to their knowledge, been breached. This is a key point: "to their knowledge" their organization may not have lost data through a breach. But the CISO knows that it is entirely possible that the company has in fact already lost critical intellectual, financial, or customer data without any awareness of the event. It is true many chief executive officers (CEOs) understand the need for security, but it is also true they face a daily battle to convince the lines of business to spend money to help protect an infrastructure that may or may not be necessary, that may or may not need defending, and that will almost assuredly continue to require increased budget. The board demands predictability in the budget and reduction of capital spending (capex) such as security hardware and software, and it pressures IT to reduce software and system integration costs. Concurrently, the security organization is faced with maintaining an effective department, responding to increasing worldwide compliance and privacy regulations, attempting to help fend off incidents, and leading a coordinated incident response if incidents do occur. All the while, media continues to highlight a growing concern about intellectual property protection. All this translates into a need for a seasoned security services provider that offers in-depth and mature assessment, design, integration, and operational expertise and, preferably, can also provision the enterprise with the necessary point products as needed. T h e E v o l v i n g L a n d s c a p e When it comes to security, there are as many ways to look at the organization's security protection as there are ways to compromise it. Key points to consider include: Publicly available reports from private and government sources agree that: Threats to online security have grown and evolved considerably in recent years. Malware authors have created a collaborative business network for bad, and their creations show constant innovation. Traditional threats are expanding into new forums. Social media and mobile devices are coming under increasing attack. Bring your own device (BYOD) is a growing trend and is expected to continue to rise, which will drive increased security concerns for the enterprise. 2 # IDC

3 Advanced persistent threats and DoS/DDoS are widely discussed in the media and are increasingly dangerous diversionary and extortion tactics to extract intellectual property and monetary assets. The cloud is here to stay, and while there are many benefits to migrating to a private, hybrid, or public cloud environment, there are equally as many security policy questions to be answered. A security detection and mitigation strategy is no longer enough; greater prediction of threats and correlation of these insights drive the requirement to have a threat intelligence solution broader than just a deployed security information and event management (SIEM) product. New Concerns for Security As today's CISOs understand, just because appliances are in place to protect the network, it may not be impenetrable to intrusion. Threats are more versatile and diverse and threat actors are more patient, mature, and creative than in the past. These new security concerns demand greater knowledge, coordination, and attention than previous and more "basic" threats to the network. They demand either a scaleup of both security products and resources or an engagement with a security partner that can assess, advise, design strategy for, and even where desired assume some or all of this for the organization. W h a t I s a C I S O t o D o? Secure the Network? Network security products are a necessary staple in any IT department, but now more than ever, an overarching and holistic security strategy is critical. It is no longer enough to throw more point products at the problem hoping they will fill all the holes. Web and attacks continue to evolve, and security systems must be managed to ensure that they identify and mitigate these challenges. To do this, they must be updated to stay relevant in this ever-changing landscape. In addition, access management needs to be comprehensive but not so restrictive that employees revolt. The incoming younger generation of workers desire access to the network from any device, any time, but IT still wants full control over who goes where and when. Load Up on Heavy Artillery? It is not enough to deploy SIEM to capture and log security events. In addition to SIEM, the department must have round-the-clock analysts to analyze logs to assist in predicting future threats. The amount of data captured and correlated can be astounding and the effort massive. These efforts fold in with an overarching breach management posture that most companies have not fully thought through, stopping at mitigation but not considering how to manage a possible public relations and brand reputation nightmare. Comply with Regulatory Standards? Regulatory compliance is like an octopus that extends its limbs into all areas of the business. Simply ticking off a checklist of compliance actions opens up additional 2013 IDC #

4 security concerns and questions for IT. Now more than ever, as regulatory standards cycle through changes at a faster and faster pace, companies are hiring an army of compliance and security consulting experts to assist in this rapidly evolving arena. Consider a Security Services Advisor? To navigate the challenges in today's threat landscape, IT managers know that at a minimum in addition to a security operation center (SOC) they must have enhanced analytics, data consolidation, and global threat intelligence knowledge of APTs and other adaptive, complex, and dynamic threats. 24 x 7 in-house security solutions are expensive, and expertise is scarce. In addition, they know that they must have the correlation capability to keep the information of these threats flowing to critical areas of the organization. Given the budgetary pressures CISOs face, this conversation can become a "build versus buy" discussion. First and foremost, the CISO looks for a trusted advisor to walk his or her department through a series of assessments to better understand gaps and opportunities for improvement. Next, this advisor will help to design a security policy and implementation strategy for the future. And finally, the CISO may look to engage a managed security services provider (MSSP) that can enable an organization to transfer the cost of ownership from capex to an operational expense (opex), thereby making security more of a predictable expense with a regular cadence in the budget cycle. Professional S e c u r i ty S ervices Engaging with a reputable professional security services partner can help the CISO enhance security capabilities while also creating a corporate culture that understands security and risk management. Such an engagement looks to increase cost efficiency in spite of mounting threats and regulatory burdens. Professional security consultants work to develop a comprehensive information security framework that addresses requirements for information protection, incident prevention, and detection and response, consistent with industry best practices. They look to establish a plan that addresses risk monitoring and mitigation requirements that encompass emerging technologies such as mobile and cloud computing. The outcome of a security consulting engagement will provide a detailed roadmap for effective implementation of the security strategies proposed. M a n aged Security Services An MSSP will have an enhanced security environment, with scalable and flexible security platforms capable of handling future expansion. MSSPs often have research labs that study and monitor threat trends on a global basis, and the findings from these organizations are critical to helping enterprises deal with the latest threats. In addition, many MSSPs offer compliance solutions to help clients adhere to mandates and prepare for audits. Leveraging the scale and expertise of a service provider can be beneficial to companies with many geographically dispersed sites. The large number of customers an MSSP supports gives them visibility into a large variety of threats on a global basis. An MSS engagement is not a one-size-fits-all proposition: no matter the size of the company and the current maturity of its security infrastructure, the organization can approach such an engagement gradually or entirely, depending on its needs. 4 # IDC

5 H a n d f u l o f V e n d o r s C a n F u l f i l l t h e " T r u s t e d S e c u r i t y P a r t n e r " R o l e In an ideal world, the security partner selected by an enterprise will have a broad array of professional services that work with the company's security and IT organizations to assess the current security posture, identify existing gaps, develop practices and procedures, design architectures, perform penetration and vulnerability tests, provide incident investigation and forensic data compilation, and perform compliance audits. If the enterprise is looking for predictable opex and desires to move to a managed security engagement, the security partner selected should be able to provide a wide range of managed security solutions, including network-based security services, from firewalls to monitoring and management services and emergency response services, all in a partnership that recognizes shared risk and responsibility. Only a handful of vendors can be the end-to-end partner that can seamlessly move from assessing the enterprise security posture to recommending and fulfilling hardware and software security deployments, implementing the products and, where needed, manage and monitor the environment. Add to that the need in many different size organizations for a partner to perform assessments and pre-audits on regulatory and compliance issues and even in some cases to manage the overall risk posture of the company. IDC believes that AT&T is one such partner. There are many other providers in the telecommunication industry that offer a broad lineup of security services, from professional consulting and integration to managed security services such as Verizon and CenturyLink. IT vendors such as HP, IBM, and Dell SecureWorks and security vendors such as Symantec and McAfee also offer security services comparable to AT&T's. It is a diverse and fragmented market and value can be found in many different forms along the continuum. Increased merger and acquisition (M&A) activity has brought consolidation, especially in the MSS space, leading IDC to believe that this will become a telco-versus-integrator battle. AT&T is extremely well positioned both in its network capabilities and in the very broad portfolio it has fashioned in security services. AT&T offers a complete Security Services portfolio where enterprises have a choice of network-based or premises-based security solutions that provide them with the level of support and the cost structure that best meet the needs of the business. The AT&T Security Services portfolio includes the services discussed in the sections that follow (see Figure 1) IDC #

6 F I G U R E 1 A T & T S e c u r i t y S e r v i c e s : A L a y e r e d " T h r e a t P r o t e c t i o n " S u i t e Source: AT&T, 2013 Consulting AT&T Security Consulting provides a portfolio of compliance and related security services. AT&T Security teams are focused in six areas: Security Strategy; PCI Solutions; Governance, Risk, and Compliance (GRC) Solutions; Secure Infrastructure Solutions; Threat and Vulnerability Management; and Application Security. These services help clients develop security strategies and roadmaps; assess gaps in and meet governance, risk, and compliance requirements; create payment card industry (PCI) solutions; install and assist with infrastructure; and manage threats and vulnerabilities. Specific features include the following: AT&T's Security Strategy and Roadmap service offers an advisory service to assist with the development of comprehensive and informative security strategies. An information security framework is developed for information protection, incident prevention, and detection and response, consistent with industry best practices. The plan addresses risk monitoring and mitigation requirements as well as emerging technologies such as mobile and cloud computing. A customized roadmap is developed with detailed project plans, identified owners, timelines, and resource allocation for the implementation of the security strategies. AT&T Governance, Risk, and Compliance provides consulting and advisory services for information security, governance, risk management, compliance, and implementation to develop, update, and/or validate security. 6 # IDC

7 AT&T Consulting is a PCI Qualified Security Assessor (QSA), a Payment Application Qualified Security Assessor (PA-QSA), and a Qualified Incident Response Assessor (QIRA). The PCI Consulting offer assesses the client business model and the critical supporting components and systems. The offer also performs assessments as well as strategic and tactical advice in the event that a PCI objective or control is not met or there is a data breach. AT&T's Secure Infrastructure Services assesses the security infrastructure, making recommendations on network consolidation and the analysis of data and packet flow with the goal of fine-tuning security devices to improve performance and minimize impact. Data leakage, data loss prevention, and security event management devices are assessed to develop an integrated and adaptive security architecture. AT&T's Vulnerability and Threat Management offer provides an independent baseline and validation of the organization's security posture through vulnerability assessment and penetration testing services. AT&T Consulting simulates realworld attacks to identify vulnerabilities in the network, evaluate risks, and develop remediation plans. AT&T Application Security Services offers four categories of application security services: Application Security Assessment provides automated and manual testing designed to circumvent the logic of the application in order to gain elevated access to systems or information. Application Security Program Management provides an application inventory, identification, and assignment of risk classification, development of testing plans, and management and execution of the program. Security Code Review examines all codes to identify potential weaknesses and vulnerabilities that could put the application and sensitive data at risk of disclosure or loss. PCI PA-QSA Application Security Assessment offers an assessment of certifications of payment applications in accordance with the PCI Payment Applications Best Practices program. AT&T's Security Event and Threat Analysis Service is a virtual security operation center that provides security analysis and operations to correlate information from multiple devices and device types, on premises and embedded in the AT&T network. Based on information gathered, AT&T provides notification of prioritized events based on risk and the ability to mitigate them. AT&T Security Device Management provides monitoring and management of security hardware and software located on premise or the implementation of complex and customer security solutions. Clients utilize the AT&T Security Network Operations Center (S/NOC) to monitor and manage security hardware and security infrastructure or to migrate to a custom security architecture designed to meet specific requirements IDC #

8 Managed Security Services At the operations level, AT&T provides customers with security solutions, including network-based security services, from firewalls to monitoring and management services, rapid response services, and security options on individual network services. Managed security services features include: AT&T Internet Protect provides security alerting and mitigation of attacks, including viruses, worms, and DDoS attacks that are in the early formulation stages. AT&T Private Intranet Protect analyzes traffic on the client's virtual private network (VPN), looking for known threats that originate both internal and external to the network. AT&T Mobile Security extends security controls beyond the mobile device into the AT&T network including the use of application controls and antivirus/antimalware scans. It provides access to an organization's VPN, the Internet, or cloud-based services as well as additional traffic filtering and scanning and is mobile-carrier agnostic. AT&T Network-Based Firewall Services provides enforcement of policy in the cloud or on the premises with a network-based firewall; premises-based firewall and Web application firewall services; day-to-day management, maintenance, support; and proactive 24 x 7 x 365 security monitoring. AT&T Web Security Service offers a managed network solution for content filtering and Web control. AT&T Intrusion Detection/Prevention Service helps detect and respond to malicious activities by sending the client alerts specific to the network and provides tools to assist the client with implementing internal network defense. AT&T Secure Gateway Services is a security-as-a-service solution that offers protection against inbound -borne threats, such as malicious Web links and attachments, and targeted phishing in addition to blocking traditional spam and viruses. AT&T Endpoint Security Service is a fully managed solution that helps protect both end users' and companies' internal systems from external hazards posed by doing business on the Internet. The service is designed to enforce compliance with customer-defined policies for firewall, antivirus, and software compliance at remote endpoints. AT&T Threat Management scans traffic and helps AT&T Security managers identify emerging problems, as well as see the sources of the problems, and take preventative action. This is both a standalone offering and an offering that integrates with the managed security services offering. 8 # IDC

9 AT&T DDoS Defense consists of detection and mitigation service components that examine net flow data, sending an alarm to an AT&T operations center and to the client with notification of the detected attack. AT&T Secure Network Gateway bundles AT&T Network-Based Firewall Services, AT&T Secure Gateway Service, and AT&T Web Security Service. AT&T also provides encryption services for and data encryption as well as token authentication services to help organizations know who is gaining access to network applications using two-factor authentication. F U T U R E O U T L O O K I D C F o r e c a s t s S t r o n g G r o w t h i n S e c u r i t y S e r v i c e s The increased complexity of security threats along with the need to evaluate various consumption models (on-premise, managed, hosted, and cloud) will require enterprises to seek consulting and strategy engagements from third-party providers to help align technology requirements with business objectives. IDC predicts that the total worldwide professional security services market is expected to reach $17.4 billion in 2013 and will grow to $22 billion by 2017, with a five-year compound annual growth rate (CAGR) of 5.9%. As discussed, MSS can provide reduction of capex and offer predictable opex and is therefore often a perfect solution to the security/boardroom conundrum discussed previously. IDC expects double-digit growth in the MSS market. C H A L L E N G E S / O P P O R T U N I T I E S Keeping pace with threats and staying on the cutting edge of mitigation at all layers of the network is a challenge that most security organizations cannot meet without some assistance. Given the nature of the constantly evolving threat landscape we've discussed and the budgetary pressures and board-level oversight to improve the administrative efficacy of security, it is critical to select a security services partner that provides the following at a minimum: A comprehensive security services offerings portfolio, from consulting and implementation through managed security services offerings Threat intelligence that creates actionable data that feeds into a managed service A broad array of security products and partnerships with vendors 2013 IDC #

10 C O N C L U S I O N IDC believes that to stay ahead of threats in this ever-increasingly complex landscape, it is important to work with a partner that supports a broad spectrum of security needs. As this paper discusses, some providers bring pieces of the solution, while AT&T does it all, from the perimeter to the endpoint. In addition, AT&T offers a menu of security services offerings that allows the customer flexibility and scale of solutions. C o p y r i g h t N o t i c e External Publication of IDC Information and Data Any IDC information that is to be used in advertising, press releases, or promotional materials requires prior written approval from the appropriate IDC Vice President or Country Manager. A draft of the proposed document should accompany any such request. IDC reserves the right to deny approval of external usage for any reason. Copyright 2013 IDC. Reproduction without written permission is completely forbidden. 10 # IDC