As part of our recent APT research, ESG asked security professionals working at U.S.-based enterprise organizations (i.e. more than 1,000 employees) if APTs had caused their organizations to purchase and deploy new information security technologies. About 40% are doing so.
What's interesting is the types of investments they are making in order to protect sensitive data. For example:
* 54% of organizations that purchased new tools as a result of APTs are investing in data encryption technologies
* 43% of organizations that purchased new tools as a result of APTs are investing in database security technologies
* 35% of organizations that purchased new tools as a result of APTs are investing in DLP
* 31% of organizations that purchased new tools as a result of APTs are investing in new types of user authentication or access controls
Since the ultimate goal of APT attacks is data exfiltration, bolstering data security controls makes sense. A few other observations here:
1. I've been anticipating a steep increase in data encryption for a while and I think this is finally happening. Henceforth, data will increasingly be encrypted at the network, storage, file system, database, and application layer. Managing all of this encryption and associated certificate and key management is the next challenge.
2. Database security is often ignored but it seems like APTs have become a wake-up call. IBM tells me that its database security services and products (aka Guardium) are selling well. McAfee bought Sentrigo to take advantage of this trend. With continued growth in this area, Application Security, Inc. should be the next vendor to be gobbled up by a big guy like Check Point, HP, or Symantec.
3. Both McAfee and Symantec tell me that their DLP business is also red hot. RSA just made an announcement in this area as well. It's likely that APTs, along with the rise of mobile computing, will continue to keep DLP sales momentum going.
4. While it's good to see that 31% of organizations are investing in Identity and Access Management (IAM), this is a complex and often-ignored area. Security and business executives need to understand who has access to sensitive data, why these people need access, how often they access sensitive data, and what they do with the data once they access it. This is a very difficult thing to do, but it starts with strong authentication, the principle of least privilege, and constant monitoring.
Finally, data security controls aren't worth much if there are multiple copies of sensitive data spread throughout the network that CISOs don't even know about. Unfortunately, this is one of our biggest security challenges and the bad guys know this. Organizations that aren't addressing this problem remain extremely vulnerable to attacks and costly data breaches.