
STRATEGIES FOR THE ENTERPRISE TO ADDRESS TODAY’S TOP SECURITY VULNERABILITIES

WHITE PAPER
WHITE PAPER: STRATEGIES FOR THE ENTERPRISE TO ADDRESS TODAY’S TOP SECURITY VULNERABILITIES

What might have been a state of rock-solid cyber security last year may be a flawed security approach chock-full of gaps today. This is a reality facing many organizations. To keep pace with the onslaught of cyber threats, organizations must have a proactive security strategy in place. But most senior executives and board members doubt their organizations are prepared. A recent survey by global consulting group EY found that 87 percent of them lack confidence in their organization’s cyber security posture.[5]

A second factor that is transforming the face of security programs is the evolution of regulatory compliance. Enterprises must continually reevaluate their security posture with the introduction of new regulations such as the EU’s General Data Protection Regulation (GDPR) and the National Institute of Standards and Technology (NIST) framework, as well as changes to existing ones such as the Payment Card Industry Data Security Standard v3 (PCI DSS).

A final driver of change is the evolving and expanding corporate infrastructure. Many technologies such as mobile devices and cloud capabilities did not exist a decade ago. And the emergence of cloud services and Internet of Things (IoT), including Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems, makes protection of the corporate infrastructure an even more daunting undertaking.

These issues present a number of top cyber security concerns that security leaders must address today.

87% of executives and board members lack confidence in their organization’s cyber security posture.[1]

27% of enterprises experienced a ransomware incident last year.[2]

An average of 10.7 unique application exploits are present per enterprise organization.[3]

Ransomware is on track to become a $1 billion per year industry in 2017.[4]


USING AUTOMATION TO IMPROVE SECURITY POSTURE

To address the changing security dynamics, organizations need to continue maturing the triad of technology, people, and processes. Gone are the days when organizations simply selected and deployed the right technical controls and went away feeling confident in their security and compliance postures. Organizations need to configure their “security triad” for continuous incident monitoring and preparedness for quick and effective responses. It is a foregone conclusion that no cyber security program can remain static; a security posture must be dynamic and accommodate ongoing technology disruption, new and changing regulations, and a constantly changing threat landscape.

Automated security controls and processes are one way enterprises are addressing this new cyber security environment, enabling them to improve their security posture while increasing the efficiencies and reach of their security teams. An area where automation can make a big difference is threat intelligence. Organizations that move to a proactive threat posture can anticipate attacks faster and employ more advanced techniques that block them better.

Automation also extends to preparation for the inevitable. With three-quarters of organizations reporting some form of cyber event this past year, the odds that an organization will be hacked this year are extremely high. This explains why business continuity management, along with disaster recovery resilience ranking alongside data loss prevention, is listed as the top priority by organizations in a recent EY survey (57 percent).[6] But most organizations have a long distance to go in preparing for the inevitable. As they look to streamline their preparedness, they should look at ways to automate communications in the event of an attack, remediation and containment of an intrusion, and then restoration of data, applications, and business operations.

In addition to bolstering security and improving organizational efficiencies, automation also can help enterprises to address the shortage of security skills. The problem is real. A recent study shows a current deficit of one million cyber security workers, a number that is predicted to grow to 1.5 million by 2020.[7] The inability to fill these roles directly impacts the cyber security maturity of an organization; 40 percent of organizations say they have been impacted by the skills shortage.

Nearly half of organizations are concerned about knowing all of their assets, with 43% indicating they have doubts about keeping them bug free and patching vulnerabilities fast enough.[8]

Only 22% of organizations have fully considered security risk implications to their organizations.[9]

1/3 of cyber security professionals indicate they have no time for training or professional development due to their workloads.[10]


IMPROVING YOUR CONTROL OF THE EXPANDING THREAT SURFACE (AND IoT)

One of the reasons organizations must prepare for the inevitable—namely, a malicious attack or security event—is the need to protect a constantly expanding attack surface.[11] Whether we are talking about networks, software, or humans, the attack surface is broader and deeper than ever before. This makes it easier for cyber criminals to gain access through a growing list of vulnerabilities.

IoT devices are one of the reasons for the exponential expansion of the network attack surface and thus increased security concerns. Many organizational segments are seeing the number of connected IoT devices grow at 50 percent annually—tallying 30.7 billion by 2020.[12] And because most of these devices are “headless,” meaning that traditional security software used to block malicious viruses cannot be installed on them, organizations must rethink how they manage and protect them. They also exhibit weak authorization and authentication protocols, not being designed with security in mind. It is no wonder that 25 percent of attacks on enterprises in the future will be targeted at IoT.[13]

Improving control of your expanding attack surface, including IoT, enables organizations to improve their security maturity. One step is to develop a comprehensive inventory of all devices and applications, including IoT, so that you can assess your risks and ensure that your entire attack surface is covered with a cyber security strategy. This includes the ability to categorize them by trust and to segment them to control access. This strategy would both identify IoT devices that have important data or access important data or functions, as well as guide critical functions that must be protected.

A second step is the use of real-time threat monitoring and management. As IoT devices are favored targets for cyber criminals due to their lack of security and proliferation, real-time IoT monitoring is a must.

A third step is to conduct regular penetration testing of firewalls as well as all hosts (including IoT). This enables them to pinpoint security issues across the threat surface and to remediate them before they occur.

IoT connected devices are growing at an annual rate of 50% and will hit 30.7 billion by 2020.

25% of cyber attacks in the future will target IoT.

71% of cyber security leaders do not monitor IoT in real time.[14]

51% of organizations with SCADA/ICS experienced a breach in the past year, with 55% of those reporting incidents that impacted the security of employees.[15]


ENABLE FLEXIBILITY AS YOU EXTEND INTO THE CLOUD

Cloud services are growing in leaps and bounds, and adoption is following at a concurrent pace. But the massive opportunity for the cloud is still ahead of us: cloud services still comprise less than 15 percent of total IT spend. This also means that the cyber security risks presented by the cloud will also grow in scope and velocity. As cloud services are outside of the traditional defined network security perimeter and natural sightlines, stewardship and responsibilities of the cloud remain unclear for many organizations.

The security threats associated with the cloud are real. The Cloud Security Alliance includes 12 different cyber security risks that cloud users need to heed. These include data breaches, compromised credentials and broken authentication, hacked interfaces, and application programming interfaces (APIs).[16] These risks are slowing cloud adoption: 49 percent of enterprises indicate their adoption of cloud services has been slowed due to the lack of cyber security skills.[17]

So, what can organizations do to protect their cloud investments while giving their organizations the flexibility they need to expand their cloud investments? The first step is to extend the traditional network perimeter to follow cloud services—private, public, and hybrid. This encompasses not only enterprise firewalls but also security policies and practices. Security management also needs to extend horizontally, segmenting data as different users, transactions, and applications move across the network. Additionally, cloud services—as well as IoT—must be visible through the same single pane of glass used to monitor and manage fixed onsite assets.

A second step involves the fact that multiple organizations may share the same public cloud infrastructure. To prevent potential cyber risks, organizations need to implement a microsegmentation approach that inspects traffic at the level of communications between two or more hosts residing on the same domain. Enterprises should also vet cloud solution providers based on their cyber security certifications, such as ISO 27001, SSAE 16, COBIT, and the Cloud Security Alliance Cloud Controls Matrix,[18] as well as those that deliver 24x7 monitoring and multilayered security measures.

A final step many organizations need to address is shadow IT. The average enterprise has 36 different cloud applications in use.[19] Organizations must get a handle on this vast, out-of-control universe dubbed “shadow IT” or face significant cyber security risks.

Cloud services still comprise less than 15% of IT spend.

93% of enterprises utilize cloud services in some form.[20]

79% of workloads run in the cloud today.[21]


CONSOLIDATING THE SECURITY LANDSCAPE

To address the evolving security landscape, introduction of disruptive technologies, and both new and existing regulations, cyber security organizations have turned to a growing number of point products. The number of point-security products managed by some enterprises has grown to as many as 50.[22] The intent is to make it more difficult for bad actors to succeed. But the opposite effect often occurs, with added complexity often obstructing security professionals from detecting and preventing attacks, not to mention additional cost and staff resources to manage the solutions.

One problem with point products is that they prevent security teams from having visibility across the enterprise. Each point product operates in its own silo and does not interact with other point products in the same environment. Universal policy management becomes impossible, preventing consistent enforcement of policies across each of the point products and creating gaps. A second problem is that point products do not share data or commands, requiring humans (and generally multiple ones) to bridge this gap. Knowing what action to take in each product, in addition to actually coordinating those actions across multiple operators, slows response and introduces the possibility of error.

Instead, organizations need to look to an integrated security fabric that enables them to plug and play different security capabilities without sacrificing requirements such as universal policy management, transparent visibility across each security component, and automated intelligence exchange and actions.

What does this look like? The first step is to ensure that you have an enterprise firewall for the entire network. Deploying multiple network security solutions creates complexity and introduces security gaps that can be exploited. Organizations need to look for one security firewall to protect the entire network. This network security solution must extend beyond the borders of the traditional IT infrastructure to protect the expanding attack surface—including IoT and the cloud.

A second step is the need for an integrated coverage model when it comes to your applications and endpoints. Managing those in silos creates security gaps and vulnerabilities that can be exploited.

A third step is the need for a security infrastructure that operates as an integrated whole, typically facilitated via multiple open application programming interfaces (APIs). This starts with the policies used to manage data and communications across network, endpoint, application, data center, cloud, and access.

A fourth step of the security fabric is the need for 360 degrees of threat intelligence. Employing the same universal policies across the entire IT infrastructure and sharing information between each of the different security components produces 360 degrees of threat intelligence. This is particularly important in a day where zero-day attacks are a common occurrence.

A final step to the security fabric involves integrated communications in real time between each security component, which enables rapid response to threats. This also enables automatic identification and isolation of impacted devices, partitioning of network segments, updating of rules, enactment of new policies, and removal of malware.

Organizations have up to as many as 50 security point products.

Point products have added complexity, which often obstructs security professionals from detecting and preventing attacks.


MANAGING RISK EXPOSURE

We live in a day of perpetual digital change. The opportunities for technology disruption often supplant the cyber risk. But in most instances, organizations lack the ability to measure risk—both current and projected—and thereby an understanding of what their risk tolerance looks like even if they wanted to do so.[23] This makes it immensely difficult to assess the risk of existing technology deployments, let alone the anticipated risks of new solutions.

A key driver in the push for organizations to quantify cyber risks and return on investment (ROI) is fueled in part by previous efforts in the financial services industry to quantify financial risks.[24] With cyber security spending growing at an annual rate of 15 percent,[25] organizations are demanding that their security teams demonstrate ROI on these investments.

One realization that companies increasingly reach is that the cyber security team does not belong underneath the IT organization but rather tightly embedded in the business. This enables cyber security leaders to gain a much broader and deeper picture of the business and to prioritize vulnerabilities and measure the impact of incidents from the vista of the business. The following are some of the questions cyber security leaders need to ask:

1. What Matters? Certain data assets and systems are more important than others. These are based on corporate objectives, key performance indicators (KPIs), and other business-related issues.

2. What Is at Risk? This enables an organization to determine what is at highest risk—data, cloud services, devices, or users, among others.

3. What Is the Potential Business Impact? The financial, operational, and brand impact associated with each risk varies. Organizations need to think in terms of the cost to manage a risk (technology, staff, outside resources, etc.) versus the potential financial, operational, and/or brand risk impact to the organization.

4. How Best to Fill Those Gaps? Once risks have been identified and ranked, organizations can align solutions to mitigate each of them. The solutions consist of technology, people, and processes, all of which have a cost tied to them.

5. What Is the Probability/Likelihood? In addition to potential business impact, organizations need to look at the probability (or likelihood) that a risk will occur without any mitigation as well as with mitigation. For example, in an instance where mitigation reduces the probability from 50 percent to 40 percent, the ROI is much diminished as compared to a scenario where mitigation takes the probability from 80 percent to 10 percent.

The above data points are reflected in Table 1 below, where each of the elements is used to prioritize cyber security initiatives based on their ROI. With the emergence of artificial intelligence (AI) and machine learning (ML) capabilities that tap external data and historical trending, cyber security leaders now have the ability to create predictive, data-driven security risk models.[26] These can be employed to develop risk tolerance curves used to develop security strategies and identify which investments will generate the highest ROI.

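| Risk   | Probability (Likelihood) | Business Impact of Risk* | Mitigation Cost | Mitigation Effectiveness (Probability) | Mitigation ROI    | Recommendation |
|--------|--------------------------|--------------------------|-----------------|----------------------------------------|-------------------|----------------|
| Risk 1 | 75%                      | $2M to $4M               | $750,000        | 95%                                    | $1.75M to $3.25M  | Proceed        |
| Risk 2 | 15%                      | $10M                     | $3M             | 70%                                    | $7M               | Track          |
| Risk 3 | 50%                      | $500,000                 | $275,000        | 98%                                    | $225,000          | Track          |
| Risk 4 | 90%                      | $3M                      | $1M             | 98%                                    | $2M               | Proceed        |

TABLE 1. MODEL FOR MANAGING RISK EXPOSURE

*Business Impact = Financial Cost, Operational Interruptions, Brand Damage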

BUILDING AND PROTECTING YOUR CYBER SECURITY POSTURE


Cyber security is not an easy undertaking. The evolving threat landscape and the top concerns of security leaders ensure that it is only going to
become more difficult. Enterprises that are able to tackle these security challenges not only protect their businesses, partners, and customers
but they also establish a framework from which they can assess and measure the impact of their cyber security initiatives. And it is not a one-size-fits-all approach; risk tolerance for enterprises varies based on the nature of the business and the potential threat exposure that exists.


1. “Path to Cyber Resilience: Sense, Resist, React,” EY’s 19th Global Information Security Survey 2016-17, 2016.
2. Jon Oltsik, “Through the Eyes of Cyber Security Professionals: An Annual Research Report,” a Cooperative Research Project by ESG and ISSA, December 2016.
3. “Threat Landscape Report: Q4 2016,” Fortinet, January 2017.
4. Kyle Torpey, “2016 Big Year for Ransomware—70% Pays in This $1 Billion Industry,” Bitcoin, December 29, 2016.
5. “Path to Cyber Resilience: Sense, Resist, React,” EY’s 19th Global Information Security Survey 2016-17, 2016.
6. “Path to Cyber Resilience.”
7. Michael Suby, et al., “The 2015 (ISC)² Global Information Security Workforce Study,” Frost & Sullivan, 2015.
8. “Path to Cyber Resilience.”
9. “Cyber Threat Intelligence—How to Get Ahead of Cybercrime.”
10. Jon Oltsik, “Through the Eyes of Cyber Security Professionals: An Annual Research Report,” a Cooperative Research Project by ESG and ISSA, December 2016.
11. Lily Hay Newman, “Hacker Lexicon: What Is An Attack Surface?” Wired, March 12, 2017.
12. Louis Columbus, “Roundup of Internet of Things Forecasts and Market Estimates, 2016,” Forbes.com, November 27, 2016.
13. Ibid.
14. “IoT Security: The Majority of IoT Devices Is Not Monitored in Real Time,” i-SCOOP, accessed April 10, 2017.
15. “2016 Industrial Control System Security Trends: Challenges and Strategies for Securing Critical Infrastructure,” Fortinet and Forrester, September 14, 2016.
16. Fahmida Y. Rashid, “The Dirty Dozen: 12 Cloud Security Threats,” InfoWorld, March 11, 2016.
17. “Building Trust in a Cloudy Sky.”
18. “Cloud Security Standards: What to Expect & What to Negotiate: Version 2.0,” Cloud Standards Customer Council, August 2016.
19. “Threat Landscape Report: Q4 2016.”
20. “Building Trust in a Cloudy Sky: The State of Cloud Adoption and Security,” McAfee, January 2017.
21. Ibid.
22. Patrick Moorhead, “With a Few Surprises: Cisco Releases 2017 Annual Cybersecurity Report,” Forbes, February 14, 2017.
23. Natalia Nelson, “How Companies Achieve Balance Between Technology Enabled Innovation and Cyber-Security,” MBA Thesis, Massachusetts Institute of Technology, June 2016.
24. J.R. Reagan, et al., “Quantifying Risk: What Can Cyber Risk Management Learn from the Financial Services Industry?” Deloitte University Press, July 25, 2016.
25. “Cybersecurity Market Report,” Cybersecurity Ventures, Q1 2017.
26. Douglas W. Hubbard and Richard Seiersen, How to Measure Anything in Cybersecurity Risk (New York: John Wiley & Sons, 2016).


Copyright © 2017 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. 76764-A-0-EN May 15, 2017
