TAG-Cyber-2018-Annual-Volume-1-Outlook-For-Fifty-Cyber-Security-Controls.Pdf
Total Page:16
File Type:pdf, Size:1020Kb
Design – TAG Cyber LLC Finance – M&T Bank Research – TAG Cyber LLC Lead Author – Dr. Edward G. Amoroso Researchers – Liam Baglivo, Matt Amoroso, Miles McDonald Facilities – WeWork, NYC TAG Cyber LLC P.O. Box 260, Sparta, New Jersey 07871 Copyright © 2018 TAG Cyber LLC. All rights reserved. This publication may be freely reproduced, freely quoted, freely distributed, or freely transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system without need to request permission from the publisher, so long as the content is neither changed nor attributed to a different source. Security experts and practitioners must recognize that best practices, technologies, and information about the cyber security industry and its participants will always be changing. Such experts and practitioners must therefore rely on their experience, expertise, and knowledge with respect to interpretation and application of the opinions, information, advice, and recommendations contained and described herein. Neither the author of this document nor TAG Cyber LLC assume any liability for any injury and/or damage to persons or organizations as a matter of products liability, negligence or otherwise, or from any use or operation of any products, vendors, methods, instructions, recommendations, or ideas contained in any aspect of the 2018 TAG Cyber Security Annual volumes. The opinions, information, advice, and recommendations expressed in this publication are not representations of fact, and are subject to change without notice. TAG Cyber LLC reserves the right to change its policies or explanations of its policies at any time without notice. September 7, 2017 To the Reader: This 2018 TAG Cyber Security Annual – Volume 1: Outlook for Fifty Cyber Security Controls is a companion guide to the report of similar name issued last year. I will admit that it was tempting to take last year’s report and tweak a few words, add some new descriptions, and maybe draw a couple of fresh diagrams – and call the result a new report. Luckily, that lazy option passed, and instead, I spent an hour of each day for the past six months writing a new book. So, if you thought you’d get off easy, then forget it: You have some reading to do. This new volume complements two other new volumes issued as part of the TAG Cyber Security Annual series and available to you as free PDF downloads at https://www.tag-cyber.com/. I suppose one could debate whether our TAG Cyber material is useful, but there is full consensus that our material is voluminous. As always, we offer our reports at a whopping price of free, but I suspect that if we ever decide to sell these massive volumes, we will set pricing based on dollars-per-pound. The process used to create this volume had much in common with last year’s approach. The most obvious similarity is that I once again received a lot of help. Like last year, I carefully selected and reached out to a select group of cyber security technology vendors – most of them new this year – and asked that they invest the time, energy, and resources to help me learn their specialty. These wonderful Distinguished Vendors are listed on the next page – and I hope you’ll reach out and learn from them as well. Your time will be well spent. Also, like last year, I spent hours and hours and hours (and more hours) with enterprise security professionals and Chief Information Security Officers (CISOs) from every sector in business and government. I invited them to dinners, I cajoled them into weekly discussion sessions, and I cornered them at every conference. I think some now head the other way when they see me approaching. But this is necessary, because cyber security only comes into focus with many different perspectives. Even within the same company, I often hear different answers to the same question. So, there are no shortcuts. An awesome new input this year was the group of paying customers (yes, that’s right) for which my growing TAG Cyber team – Liam Baglivo, Matt Amoroso, and Miles McDonald – provided cyber security consulting. To respect their privacy, I won’t name the companies here, but they provided amazing insights into current views on best practices in cyber defense. These clients included two banks, a software company, a government support team, a tech company, a non-profit, and a medical device company. Assisting on their projects was enormously helpful in the creation of this volume. My annual caveat on bias must start with AT&T, where I served for thirty-one incredible years. I continue to believe that the expert team there is doing groundbreaking work in software defined networking under John Donovan, and it is ridiculous for me to try to appear unbiased. My comments on managed security services offer a glowing vision of self-provisioned, virtualized security via cloud and SDN, and if that appears to align with AT&T’s approach – well, then I admit the alignment. I spent years helping to design that work, so I cannot untangle myself. I have, however, carefully removed myself this year from all major boards. I loved my year with M&T Bank as an Independent Director on their Corporate Board, but the relationship has been redesigned as senior consultative. That is one fine group of people up in Buffalo, and I hope you use their banking services. I also stepped down from the NSA Advisory Board so that I could write openly, publish more freely, and devote the proper amount of time required for this research. That government board included an awesome group of amazing volunteers and civil servants – and I wish each of them well. My academic affiliations remain intact, albeit perhaps more intense. I continue to teach two courses per year in a massive lecture hall to about two-hundred graduate students at the Stevens Institute of Technology annually. I’ve also accepted a position as a Research Professor at NYU, where I focus on cooperative learning, government-funded research, and cyber awareness events for executives. Finally, I continue to serve as a Senior Advisor to the Applied Physics Lab at Johns Hopkins University, where I support a group of ridiculously smart technologists. Anyway, enough about me: It’s time that you dive into this 2018 TAG Cyber Security Annual: Volume 1 – Outlook for Fifty Cyber Security Controls. As you read the book, my advice is to use the Feynman self-summarization technique to absorb the material using a sharpened Ticonderoga, a fresh lined pad, and an open mind. I hope this book is useful to you. Dr. Edward G. Amoroso Chief Executive Officer, TAG Cyber LLC Fulton Street Station on Broadway 2018 TAG Cyber Distinguished Vendors Each of the vendors listed below invested their valuable time, resources, and money in the development of the volume you have in your hands. They were carefully hand-selected based on the uniqueness, importance, and relevance of their offering to Chief Information Security Officer (CISO) teams from the nearly 1500 vendors we cover each year. I would list them all as co- authors if that was feasible – but of course, it is not. Instead, they are listed below alphabetically, with a brief note of thanks for their unique insight, friendship, and support of the global cyber security industry. It goes without saying that any unexpected errors in this volume, or recommendations that might ultimately prove incorrect, are entirely my fault – not theirs. Here is the list, with a word or two about their fine leaders: 4iQ – I loved working with the 4iQ team this year, including Monica Pal and Julio Casal. The digital risk monitoring and identity threat intelligence services they provide represent one of the most important contributions in our cyber security industry. Agari – It was a delight working again with Pat Peterson and the new Agari CEO Ravi Khatod. The Agari team helped me understand email security perhaps better than any other group – and I am so appreciative of their assistance. AlienVault – Roger Thornton is such a wonderful technologist, always available to expertly help explain some aspect of advanced cyber security. My thanks go to Roger and the entire AlienVault team for their partnership with TAG Cyber. Appthority – Domingo Guerra was generous with his time helping to explain how app risk can be extended to holistic mobility management. Paul Stich, as always, continues to be such a wonderful contributor to our cyber security industry. Arbor Networks – Brian McCann and his team continue to do such a great job reducing DDOS risk and helping to assure business communications. The Arbor team is first class and always great hosts for visits to Boston. Ataata – It was a delight getting to know Michael Madon, CEO of Ataata, and to immerse in his original and amazing content. His fine subscription-based content offering provides an accurate glimpse into the future of security awareness. AT&T – The security community at my former employer has been so incredibly helpful to the TAG Cyber team in areas such as MSS, SDN, NFV, and evolving threat. The Government Solutions team has also been a delight to work with this year! Attivo Networks – Tushar Kothari and his capable team at Attivo continue to improve and advance the state of the art in modern cyber deception for the enterprise. The support and friendship of the entire Attivo team are so appreciated. Bayshore Networks – Francis Cianfrocca is one of my favorite industry partners. His enthusiasm, knowledge, and good humor are such wonderful assets to the IoT/OT/ICS industry. Thank you – Francis, for our many detailed discussions! Blackridge Technology – When John Hayes and Mike Miracle explained first packet authentication to me, I was totally blown away by the concept.