by Sridhar Jayanthi, Senior Vice President Endpoint at EclecticIQ
Monday, December 21st, 2020
If you are a CIO, CISO, a compliance administrator or IT manager, you may be
wondering about the next stages in the cybersecurity evolution and whether they will
make companies much safer from cyberthreats. Coming from the security
technology creator side, I surely understand the average enterprise customer who is
cynical about every security product and vendor out there. Although great strides
have been made in security technology, the claims are always overdone, as is the
marketing. Walking through the RSA security conference, a thought struck me: is
there a vendor in the conference who does not claim to stop every attack or keep
every customer 100% safe? Is there a threat that any vendor does not address or an
architecture that is not open or a technology that does not have high scalability and
performance?
The confusion in the market is because making tall claims has become table stakes
to sell in this market. That has also made it hard for customers to sort out genuine
new innovations from “we also do that”. The result is not just bad for customers, but
also for startups trying to build better “mousetraps”.
A different kind of “herd immunity”
Despite the unrealistic claims made by many security vendors, I remain an optimist: I
see the industry moving from “each organization for itself” anxiety, to a direction that
is likely to start protecting more organizations than ever in the industry’s history. As
the threats have started proliferating across all segments of business, including
causing damage to even small businesses, a few realities have emerged over the
last three or four years that cannot be denied:
- The best of security technologies cannot prevent most of the attacks without experts watching over them
- In recent years small businesses, who cannot afford their own security team, are also significantly impacted and have borne the brunt of thousands of attacks, which could be fatal to some businesses (ref: Verizon DBIR 2018-2020 Reports)
- There is a serious shortage in security talent and only the large companies can afford to build a team to retain this talent
- Moving from prevention-type technology (like anti-malware, which is no longer very effective) to the modern approach of detection, investigation and response requires more sophisticated technical talent than before
- There is a very definite movement towards outsourcing security monitoring and response due to the listed reasons. This revolution will transfer the security challenges of thousands of businesses to a smaller focused group of security professionals at hundreds of managed security service providers (MSSPs or MDRs) worldwide, solving the talent shortage problem in a more economically viable way
- These security service providers can apply lessons learned from one customer to others within their “herd”, making it more efficient for protection to track and move with the threat landscape
The MSSP Decade
This reality has changed the market dynamics of the security technology vendors. In
contrast to pre-2017, today almost all security product makers are addressing this
changing market ecosystem by either redesigning (or remarketing) their products to
the MSSP market or starting to offer MSSP services themselves. Strangely enough,
MSSPs are buying technology from vendors who are themselves offering competing
services. This is the state of the market already today – so where is it headed?
The next major trend in cyber security technology and operations may almost be
easy to predict. With the clear trend in security outsourcing taking shape, supported
by heavy mergers, acquisitions and investment activity, the challenge for the many is
being shepherded into a challenge for the few, selected, focused, talented
individuals tending the security operations center (SOC).
If you are a security technology vendor, your top design goal should be to satisfy the
SOC analyst. Having experienced the last two decades in security, extrapolating the
threat landscape and talent crunch, I expect that in the next decade, more than 50%
of the world's small, medium and many large enterprises worldwide will be looking to
a partner SOC to fully or partially manage their security. This trend will not stop until
we are at 90% of the businesses using managed security, which is an enormous
change to the market dynamic. The sooner the industry gets there the sooner
companies will be able to apply their full focus on their core businesses. We are just
getting started.
This change to outsource security will impact technology vendors in a big way.
Vendors will no longer be able to put together a suite of products and lock their
customers (the SOCs, MSSPs) into multi-year contracts. Products that are not really
open, regardless of marketing claims, will not be welcome in a SOC, which needs to
integrate disparate products that may not have mutual technology partnerships.
More open standards will have to be adopted. There will be a preference for
technologies that have enabled a community-driven approach to content and
enhancements. The old “sticky strategy” of vendors is likely to backfire since no
MSSP will want to be locked-in to any product.
MSSP: Hunters & Gatherers
There is an even more profound change that will affect how products are built and
sold. Historically, managed security providers have been reactive in nature, gathering and
sorting through endless events and alerts, ploughing through large volumes of data
to draw conclusions about a threat. Enterprises were quite satisfied with this reactive
role from MSSPs. However, the lure of prevention will always drive the security
industry. The threat hunting side of the market is poised to gain prominence for all
product designers. The concept of Intelligence-led threat hunting features in both
automated and manual forms, along with sophisticated runbooks could potentially
create its own marketplace.
There is still the big elephant in the room – the proliferation of technology resulting in
dozens of tracks of logs, events, alerts, and analytics. It is a tall order for even an
expert to move through multiple sets of data, possibly through different screens and
dashboards, to make decisions on security events. The new market, dubbed XDR by
industry analysts, has taken on the noble goal of making the SOC analyst’s life
easier, or at least their job more effective and efficient. XDR or Extended Detection
and Response essentially extends the EDR story to encompass telemetry from all
vectors including endpoints, network devices, and over time IOT and mobile devices
to put together a more accurate picture of the threat situation for a customer. The
promise is the ability to do this with less effort and seamlessly across technologies.
Even vendors with multiple technologies have had difficulty integrating them.
Bringing the whole security stack together for threat detection and hunting will be a
lot harder than the integration brought about by security orchestration tech.
Although the definition of this market is very nascent, it would be disappointing if it
doesn’t include automated or manual hunting and orchestration as part of its
mandate. Proactive threat hunting takes on an even stronger appeal when a
SOC automates routine threat management and goes into prevention mode. While I
plan to cover the XDR and threat hunting in more detail in a future blog, I want to
make one comment about it here: while XDR sounds like a single vendor technology,
it is more likely a few different products integrated to form a SOC solution. The
lesson to be learned for security product makers is to ensure that the integration is
not limited to previously aligned partners but based on open standards. MSSPs
should not be made to take a loyalty test of a particular brand, but rather always
have the option to deploy the best product or component of the stack that suits their
environment without having to change the whole stack. The MSSPs will reward
those who play well with others.