
Cybersecurity professionals want the computer industry to emphasize vendor consolidation and open standards.

This major change in how IT professionals build their security stacks is long overdue, according to new research from the Information Systems Security Association (ISSA) International and the independent industry analyst firm Enterprise Strategy Group (ESG), a division of TechTarget.

Vendor consolidation and the push toward open standards are driven by buyers themselves, who are challenged by the increasing complexity, cost, and “tool sprawl” of a best-of-breed technology strategy.

Nearly half (46%) of organizations are consolidating, or plan to consolidate, the number of vendors they do business with. Concerned by the growing complexity of security operations, 77% of infosec professionals would like to see greater industry collaboration and support for open standards that promote interoperability.

Thousands of cybersecurity technology vendors compete against each other across multiple security product categories, while organizations want to optimize all the security technologies in their stack at once.

According to the research report, vendors supporting open standards for technology integration will be best positioned to meet this shift in the industry.

“Given that nearly three-quarters (73%) of cybersecurity professionals feel that vendors engage in promotion over substance, vendors who demonstrate a genuine commitment to supporting open standards are more likely to be engaged industry-wide and would be in the best position to avoid consolidation,” said Candy Alexander, Board President, ISSA International.

She said CISOs have become so burdened with vendor noise and security “tool sprawl” that, for many, the wave of vendor consolidation is like a breath of fresh air.

Shift to security platforms

ESG surveyed 280 cybersecurity professionals, most of them ISSA members. The results, released last month, focused on security processes and technologies, and show that 83% of security professionals believe future technology interoperability depends on establishing industry standards.

The report’s details show a cybersecurity landscape that looks favorably on security product suites (or platforms) as it moves away from a defense-in-depth strategy built by deploying best-of-breed products. That historical approach has consistently increased organizational complexity and operational overhead.

“The report shows that massive changes are taking place within the industry, in what many believe has been a long time coming,” said Jon Oltsik, Senior Principal Analyst and ESG Fellow.

“The fact that 36% of organizations may be willing to purchase most security technologies from a single vendor speaks volumes about a change in buying behavior, as CISOs are openly considering security platforms in lieu of best-of-breed point products,” he said.

Why Jump from Best-of-Breed

The number of competing security products has skyrocketed, with many organizations managing 25 or more independent security tools. It follows that security professionals are now stressed by the need to juggle so many independent products to do their jobs.

Managing an assortment of security products from different vendors increases training requirements, makes it difficult to get an overall picture of security posture, and requires manual intervention to fill the gaps between products. As a result, 21% of organizations are consolidating the number of cybersecurity vendors they do business with, and another 25% are considering consolidating.

“In general, buying, implementing, configuring and operating too many different tools has become very difficult, let alone maintaining ongoing support relationships with vendors. Consolidating management and operations makes sense,” Oltsik told TechNewsWorld.

This ongoing complexity is prompting 53% of cybersecurity professionals to purchase security technology platforms instead of best-of-breed products. The study showed that 84% of respondents believe a product’s integration capabilities are important, and 86% consider integration with other products an important attribute of a best-of-breed product.

For 60% of respondents, tight integration between previously separate security controls is a primary buying requirement. Improved threat detection efficacy, such as accurate high-fidelity alerts, was on the wish list for 51%.

Widespread government mandates

Cybersecurity products cover the basics, noted Oltsik. This includes antivirus software, firewalls, some sort of identity management system, and a range of products for endpoint encryption.

“In many cases, these technologies are mandated by government and industry regulations,” he said. “The biggest influencer in cybersecurity protections is the US federal government, which can and does mandate certain standards.

For example, the Security Content Automation Protocol (SCAP) is a synthesis of interoperable specifications derived from community input. The in-progress Cybersecurity Maturity Model Certification (CMMC) standard mandates certain security certifications for DoD vendors.

“We have also seen standards from industry, such as the work of the Organization for the Advancement of Structured Information Standards (OASIS) and its standards. This week we saw the launch of the Open Cybersecurity Schema Framework (OCSF), a standard data schema for security data. There are also many identity management standards,” he said.

Finding a shared security base

After reviewing this data, ESG and ISSA recommend that organizations encourage their security vendors to adopt open industry standards, possibly in collaboration with their industry’s Information Sharing and Analysis Center (ISAC). In addition, there are established security standards available from MITRE, OASIS and the Open Cybersecurity Alliance (OCA).

Many vendors speak in favor of open standards, but most do not actively participate or contribute to them. However, this lukewarm behavior can change quickly.

For this to happen, cybersecurity professionals, especially those at organizations large enough to send signals to the market, need to establish best practices for vendor qualification.

In addition, according to the report, they need to build process requirements covering the adoption of, and contribution to, open standards for technology integration into all security technology procurement.

Expected results

Cybersecurity standards and vendor integration will strengthen the cybersecurity landscape against the continuing increase in cyber threats by easing product development and integration. Oltsik explained that this would allow the industry and security teams to focus more on innovation and security fundamentals and less on building connectors for interoperability.

He sees an opportunity within the industry to support these efforts.

“It seems that some industry leaders are collaborating. I point to OCSF where 18 vendors agreed to support it,” he said.

This group includes a number of leaders – AWS, CrowdStrike, IBM, Okta and Splunk, for starters. He said another potential driver would be the support of large security technology customers.

Oltsik concluded, “If Goldman Sachs, GM, Walmart and the US federal government said they would only buy from vendors that support OCSF, it would really hit the industry.”
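What a shared schema changes on the consumer side, as an added example that is not OCSF’s own code: the Go program below maps two constructed vendor alert formats (a hypothetical firewall JSON and a hypothetical EDR JSON) into one normalized event whose field names borrow OCSF attribute names (class_uid, severity_id, time, message, vendor_name). The exact names, the class identifier 2001 and the severity scale are assumptions made for the illustration; the published OCSF schema is considerably larger. A single detection rule then runs over both feeds, which is the per-vendor connector work the report’s respondents want to stop writing.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// Finding is a deliberately reduced normalized event. Its field names borrow
// OCSF attribute names (class_uid, severity_id, time, message, vendor_name),
// but it is not the OCSF schema: the class identifier and the severity scale
// used here are assumptions made for this illustration.
type Finding struct {
	ClassUID   int    `json:"class_uid"`
	SeverityID int    `json:"severity_id"` // assumed: 2 low, 3 medium, 4 high, 5 critical, 0 unknown
	Time       int64  `json:"time"`        // epoch milliseconds
	Message    string `json:"message"`
	SrcIP      string `json:"src_ip"`
	VendorName string `json:"vendor_name"`
}

const classSecurityFinding = 2001 // assumed class identifier

// Two hypothetical vendor formats, constructed for the example.
type vendorAAlert struct {
	AlertName string `json:"alert_name"`
	Level     string `json:"level"` // LOW, MEDIUM, HIGH, CRITICAL
	TS        string `json:"ts"`    // RFC 3339
	Source    string `json:"source"`
}
type vendorBAlert struct {
	Title    string `json:"title"`
	Priority int    `json:"priority"` // 0..10
	Epoch    int64  `json:"epoch"`    // seconds
	Src      string `json:"src"`
}

var levelSeverity = map[string]int{"LOW": 2, "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}

// severityFromPriority squashes vendor B's 0..10 priority onto the shared scale:
// 0..2 -> 2, 3..5 -> 3, 6..8 -> 4, 9..10 -> 5.
func severityFromPriority(p int) int { return 2 + p/3 }

// FromVendorA and FromVendorB are the only vendor-specific code a consumer
// needs; everything downstream of the mapping is written once against Finding.
func FromVendorA(raw []byte) (Finding, error) {
	var a vendorAAlert
	if err := json.Unmarshal(raw, &a); err != nil {
		return Finding{}, err
	}
	t, err := time.Parse(time.RFC3339, a.TS)
	if err != nil {
		return Finding{}, err
	}
	return Finding{ClassUID: classSecurityFinding, SeverityID: levelSeverity[a.Level],
		Time: t.Unix() * 1000, Message: a.AlertName, SrcIP: a.Source, VendorName: "VendorA"}, nil
}

func FromVendorB(raw []byte) (Finding, error) {
	var b vendorBAlert
	if err := json.Unmarshal(raw, &b); err != nil {
		return Finding{}, err
	}
	return Finding{ClassUID: classSecurityFinding, SeverityID: severityFromPriority(b.Priority),
		Time: b.Epoch * 1000, Message: b.Title, SrcIP: b.Src, VendorName: "VendorB"}, nil
}

// RepeatOffenders is a detection written once against the normalized shape:
// source IPs with at least minCount findings of severity >= minSeverity,
// whichever vendor produced them. The result is sorted so it is deterministic.
func RepeatOffenders(findings []Finding, minSeverity, minCount int) []string {
	counts := map[string]int{}
	for _, f := range findings {
		if f.SrcIP != "" && f.SeverityID >= minSeverity {
			counts[f.SrcIP]++
		}
	}
	var out []string
	for ip, n := range counts {
		if n >= minCount {
			out = append(out, ip)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample alerts from two vendors about the same host.
	fa, errA := FromVendorA([]byte(`{"alert_name":"Outbound C2 beacon","level":"HIGH","ts":"2022-05-12T14:03:00Z","source":"10.0.0.5"}`))
	fb, errB := FromVendorB([]byte(`{"title":"Credential dumping","priority":8,"epoch":1652364180,"src":"10.0.0.5"}`))
	if errA != nil || errB != nil {
		panic("bad sample input")
	}
	findings := []Finding{fa, fb}
	js, _ := json.Marshal(findings)
	fmt.Println(string(js))
	fmt.Println("repeat offenders:", RepeatOffenders(findings, 4, 2))
}
```

The point is where the vendor-specific code lives: the two mapping functions are the entire per-vendor surface, and the detection, storage and reporting behind them are written once. Severity is the attribute most often mis-mapped during normalization, so both adapters translate onto the same scale explicitly instead of passing vendor values through.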


The full ESG-ISSA report, titled “Technology Perspectives from Cybersecurity Professionals,” is available here. No form filling is required.

The first plan of its kind to comprehensively address open source and software supply chain security is awaiting White House support.

The Linux Foundation and the Open Source Software Security Foundation (OpenSSF) on Thursday brought together more than 90 executives from 37 companies and government leaders from the NSC, ONCD, CISA, NIST, DOE and OMB to reach a consensus on key actions for improving the resiliency and security of open-source software.

A subset of the participating organizations has collectively pledged an initial tranche of funds for the implementation of the plan. Those companies are Amazon, Ericsson, Google, Intel, Microsoft, and VMware, with more than $30 million in pledges. As the plan progresses, more funding will be identified, and work will begin as individual streams are agreed upon.

The Open Source Software Security Summit II, led by the White House National Security Council, is a follow-up to the first summit held in January. The follow-up meeting, convened by the Linux Foundation and OpenSSF, came on the one-year anniversary of President Biden’s executive order on improving the nation’s cybersecurity.

As part of this second White House Open Source Security Summit, open source leaders called on the software industry to standardize on Sigstore developer tools and to support the plan, in order to upgrade the collective cybersecurity resilience of open source and improve trust in software, said Dan Lorenc, CEO and co-founder of Chainguard and co-creator of Sigstore.

“On the one-year anniversary of President Biden’s executive order, we’re here today to respond with a plan that’s actionable, because open source is a critical component of our national security, and it is fundamental to the billions of dollars in software innovation being invested today,” Jim Zemlin, executive director of the Linux Foundation, announced Thursday during his organization’s press conference.

Pushing the support envelope

Most major software packages contain elements of open source software, including code in critical infrastructure used by the national security community. Open-source software supports billions of dollars in innovation, but with it come the unique challenges of managing cybersecurity across its software supply chains.

“This plan represents our unified voice and our common call to action. The most important task ahead of us is leadership,” said Zemlin. “This is the first time I’ve seen a plan, and the industry will promote a plan that will work.”

The Summit II plan outlines funding of approximately $150 million over two years to rapidly advance well-tested solutions to the 10 key problems identified by the plan. The 10 streams of investment include concrete action steps to build a strong foundation for more immediate improvements and a more secure future.

“What we are doing together here is converting a bunch of ideas and principles about what is broken out there and what we can do to fix it. What we have planned is the basis to get started. As represented by 10 flags in the ground, we look forward to receiving further input and commitments that lead us from plan to action,” said Brian Behlendorf, executive director of the Open Source Security Foundation.

Open Source Software Security Summit II in Washington DC, May 12, 2022. [L/R] Sarah Novotny, Open Source Lead at Microsoft; Jamie Thomas, enterprise security executive at IBM; Brian Behlendorf, executive director of the Open Source Security Foundation; Jim Zemlin, executive director of The Linux Foundation.


Plan highlights

The proposed plan is built around three primary goals:

  • Securing open source software production
  • Improving vulnerability discovery and remediation
  • Shortening ecosystem patching response time

The full plan includes elements to achieve those goals. These include security education, which provides a baseline for software development education and certification. Another element is the establishment of a public, vendor-neutral, objective-metrics-based risk assessment dashboard for the top 10,000 (or more) OSS components.

The plan proposes the adoption of digital signatures on software releases and the establishment of the OpenSSF Open Source Security Incident Response Team to assist open source projects during critical times.

Another plan detail focuses on improved code scanning to accelerate the discovery of new vulnerabilities by maintainers and experts through advanced security tools and expert guidance.

Third-party code audits, with any necessary remediation work, will cover up to 200 of the most critical OSS components once per year.

Coordinated data sharing will improve industry-wide research that helps identify the most critical OSS components. Making Software Bills of Materials (SBOMs) available everywhere will require improved tooling and training to drive adoption, and build systems, package managers and distribution systems will get better supply chain security tools and best practices.

The Sigstore factor

Chainguard, which co-created Sigstore, is committing financial resources to the public infrastructure and network offered by OpenSSF, and will collaborate with industry peers to deepen work on interoperability so that Sigstore’s impact is felt in every corner of the software supply chain and software ecosystem. This commitment includes at least $1 million per year in support of Sigstore and a pledge to run its own Sigstore node.

Sigstore, designed and built with maintainers for maintainers, has already been widely adopted by millions of developers around the world. Lorenc said now is the time to formalize its role as the de facto standard for digital signatures in software development.

“We know the importance of interoperability in the adoption of these critical tools because of our work on the SLSA framework and SBOM. Interoperability is the linchpin in securing software across the supply chain,” he said.
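The signing step the plan calls for, shown as an added example that is not Sigstore’s code or flow: Sigstore’s keyless mode issues a short-lived signing certificate from Fulcio and records signatures in the Rekor transparency log, so consumers verify an identity rather than a long-lived key. The Go program below strips that down to the operation underneath, signing the SHA-256 digest of a release artifact with an Ed25519 key and verifying it before use, and shows the three ways verification should fail: an untrusted key, a modified artifact, and a signature that does not match. The artifact bytes, the key pair and the bundle layout are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// ReleaseSignature is a minimal detached-signature bundle for this example (an
// illustrative layout, not Sigstore's bundle format): the artifact name, the
// digest that was signed, the signature over that digest, and the signer's key.
type ReleaseSignature struct {
	Artifact  string `json:"artifact"`
	SHA256    string `json:"sha256"`
	Signature string `json:"signature"`
	PublicKey string `json:"public_key"`
}

var (
	ErrUntrustedKey   = errors.New("signature is not from a trusted key")
	ErrDigestMismatch = errors.New("artifact digest does not match the signed digest")
	ErrBadSignature   = errors.New("signature does not verify")
)

func digest(artifact []byte) []byte {
	sum := sha256.Sum256(artifact)
	return sum[:]
}

// SignRelease signs the SHA-256 digest of the artifact rather than the raw
// bytes, which is how release signing binds a signature to a specific build.
func SignRelease(name string, artifact []byte, priv ed25519.PrivateKey) ReleaseSignature {
	d := digest(artifact)
	return ReleaseSignature{
		Artifact:  name,
		SHA256:    hex.EncodeToString(d),
		Signature: hex.EncodeToString(ed25519.Sign(priv, d)),
		PublicKey: hex.EncodeToString(priv.Public().(ed25519.PublicKey)),
	}
}

// VerifyRelease checks, in order: the bundle's key is one the consumer already
// trusts (a valid signature from an unknown key proves nothing), the artifact
// bytes actually received hash to the digest the bundle claims, and the
// signature over that digest verifies under the trusted key.
func VerifyRelease(artifact []byte, bundle ReleaseSignature, trusted []ed25519.PublicKey) error {
	pubBytes, err := hex.DecodeString(bundle.PublicKey)
	if err != nil || len(pubBytes) != ed25519.PublicKeySize {
		return ErrUntrustedKey
	}
	pub := ed25519.PublicKey(pubBytes)
	known := false
	for _, t := range trusted {
		if t.Equal(pub) {
			known = true
			break
		}
	}
	if !known {
		return ErrUntrustedKey
	}
	d := digest(artifact)
	if hex.EncodeToString(d) != bundle.SHA256 {
		return ErrDigestMismatch
	}
	sig, err := hex.DecodeString(bundle.Signature)
	if err != nil || !ed25519.Verify(pub, d, sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	// Constructed sample: a fake release tarball and a freshly generated key pair.
	artifact := []byte("contents of fake-release-1.2.3.tar.gz")
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	bundle := SignRelease("fake-release-1.2.3.tar.gz", artifact, priv)
	js, _ := json.MarshalIndent(bundle, "", "  ")
	fmt.Println(string(js))

	trusted := []ed25519.PublicKey{pub}
	fmt.Println("genuine:    ", VerifyRelease(artifact, bundle, trusted))
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 0x01 // flip one bit of the artifact
	fmt.Println("tampered:   ", VerifyRelease(tampered, bundle, trusted))
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("unknown key:", VerifyRelease(artifact, bundle, []ed25519.PublicKey{otherPub}))
}
```

The ordering in VerifyRelease matters: trust in the key is established first, because a signature that verifies under a key the consumer does not recognize carries no assurance, and the digest is recomputed from the bytes actually received rather than taken from the bundle, so editing the bundle’s digest to match a tampered artifact only moves the failure to the signature check. What Sigstore adds on top is the identity binding and the public log; neither changes this core check.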

Related Support

Google announced Thursday that it is creating an “open-source maintenance crew” tasked with improving the security of critical open-source projects.

Google also unveiled the Google Cloud Dataset and Open Source Insights projects to help developers better understand the structure and security of the software they use.

According to Google, “This dataset provides access to critical software supply chain information for developers, maintainers, and consumers of open-source software.”

“Security risks will continue to plague all software companies and open-source projects, and only an industry-wide commitment that includes a global community of developers, governments and businesses can make real progress. Google will continue to play our part to make an impact,” said Eric Brewer, vice president of infrastructure at Google Cloud and Google Fellow.