If you are a CIO, CISO, a compliance administrator or IT manager, you may be wondering about the next stages in the cybersecurity evolution and whether they will make companies much safer from cyberthreats. Coming from the security technology creator side, I surely understand the average enterprise customer who is cynical about every security product and vendor out there. Although great strides have been made in security technology, the claims are always overdone, as is the marketing. Walking through the RSA security conference, a thought struck me: is there a vendor in the conference who does not claim to stop every attack or keep every customer 100% safe? Is there a threat that any vendor does not address or an architecture that is not open or a technology that does not have high scalability and performance?
The confusion in the market is because making tall claims has become table stakes to sell in this market. That has also made it hard for customers to sort out genuine new innovations from “we also do that”. The result is not just bad for customers, but also for startups trying to build better “mousetraps”.
A different kind of “herd immunity”
Despite the unrealistic claims made by many security vendors, I remain an optimist: I see the industry moving from “each organization for itself” anxiety, to a direction that is likely to start protecting more organizations than ever in the industry’s history. As the threats have started proliferating across all segments of business, including causing damage to even small businesses, a few realities have emerged over the last three or four years that cannot be denied:
- The best of security technologies cannot prevent most of the attacks without experts watching over them
- In recent years small businesses, which cannot afford their own security team, have also been significantly impacted and have borne the brunt of thousands of attacks, which could be fatal to some businesses (ref: Verizon DBIR 2018-2020 Reports)
- There is a serious shortage in security talent and only the large companies can afford to build a team to retain this talent
- Moving from prevention-type technology (like anti-malware, which is no longer very effective) to the modern approach of detection, investigation and response requires more sophisticated technical talent than before
- There is a very definite movement towards outsourcing security monitoring and response for the reasons listed above. This revolution will transfer the security challenges of thousands of businesses to a smaller, focused group of security professionals at hundreds of managed security service providers (MSSPs or MDRs) worldwide, solving the talent shortage problem in a more economically viable way
- These security service providers can apply lessons learned from one customer to others within their “herd” making it more efficient for protection to track and move with the threat landscape
The MSSP Decade
This reality has changed the market dynamics of the security technology vendors. In contrast to pre-2017, today almost all security product makers are addressing this changing market ecosystem by either redesigning (or remarketing) their products to the MSSP market or starting to offer MSSP services themselves. Strangely enough, MSSPs are buying technology from vendors who are themselves offering competing services. This is the state of the market already today – so where is it headed?
The next major trend in cybersecurity technology and operations may almost be easy to predict. With the clear trend in security outsourcing taking shape, supported by heavy merger, acquisition and investment activity, the challenge for the many is being shepherded into a challenge for the few: selected, focused, talented individuals tending the security operations center (SOC).
If you are a security technology vendor, your top design goal should be to satisfy the SOC analyst. Having experienced the last two decades in security, and extrapolating the threat landscape and talent crunch, I expect that in the next decade more than 50% of the world's small, medium and many large enterprises will be looking to a partner SOC to fully or partially manage their security. This trend will not stop until we are at 90% of businesses using managed security, which is an enormous change to the market dynamic. The sooner the industry gets there, the sooner companies will be able to apply their full focus to their core businesses. We are just getting started.
This move to outsourced security will impact technology vendors in a big way. Vendors will no longer be able to put together a suite of products and lock their customers (the SOCs, MSSPs) into multi-year contracts. Products that are not really open, regardless of marketing claims, will not be welcome in a SOC, which needs to integrate disparate products that may not have mutual technology partnerships. More open standards will have to be adopted. There will be a preference for technologies that have enabled a community-driven approach to content and enhancements. The old “sticky strategy” of vendors is likely to backfire, since no MSSP will want to be locked in to any product.
MSSP: Hunters & Gatherers
There is an even more profound change that will affect how products are built and sold. Historically, managed security providers have been reactive in nature, gathering and sorting through endless events and alerts, ploughing through large volumes of data to draw conclusions about a threat. Enterprises were quite satisfied with this reactive role for MSSPs. However, the lure of prevention will always drive the security industry. The threat hunting side of the market is poised to gain prominence for all product designers. The concept of intelligence-led threat hunting, in both automated and manual forms, along with sophisticated runbooks, could potentially create its own marketplace.
There is still the big elephant in the room – the proliferation of technology resulting in dozens of tracks of logs, events, alerts, and analytics. It is a tall order for even an expert to move through multiple sets of data, possibly through different screens and dashboards, to make decisions on security events. The new market, dubbed XDR by industry analysts, has taken on the noble goal of making the SOC analyst’s life easier, or at least their job more effective and efficient. XDR, or Extended Detection and Response, essentially extends the EDR story to encompass telemetry from all vectors, including endpoints, network devices, and over time IoT and mobile devices, to put together a more accurate picture of the threat situation for a customer. The promise is the ability to do this with less effort and seamlessly across technologies. Even vendors with multiple technologies have had difficulty integrating them. Bringing the whole security stack together for threat detection and hunting will be a lot harder than the integration brought about by security orchestration technology.
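To make the XDR idea above concrete, here is a small added example (not code from the original post or from any vendor it mentions) of the core mechanic: two telemetry feeds with different native schemas, an endpoint agent and a network sensor, are normalized into one common event shape and then correlated by host within a time window, so the analyst sees one corroborated incident timeline instead of two dashboards. All records, field names and the five-minute window are constructed assumptions.

```python
"""Cross-source telemetry correlation in the spirit of XDR (added example).

Two constructed feeds with different schemas are normalized into one shape,
grouped by host, split into incidents by a time window, and only incidents
corroborated by more than one telemetry source are surfaced to the analyst.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample endpoint (EDR-style) records; field names are assumptions.
ENDPOINT_EVENTS = [
    {"ts": "2024-05-01T10:00:05Z", "hostname": "ws-042", "proc": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden", "severity": "medium"},
    {"ts": "2024-05-01T10:20:00Z", "hostname": "ws-017", "proc": "notepad.exe",
     "cmdline": "notepad.exe", "severity": "low"},
]

# Constructed sample network sensor alerts; field names are assumptions.
NETWORK_ALERTS = [
    {"time": "2024-05-01T10:00:40Z", "src_host": "ws-042", "dst": "203.0.113.9:443",
     "sig": "Suspicious TLS beacon", "sev": 3},
    {"time": "2024-05-01T11:30:00Z", "src_host": "ws-042", "dst": "203.0.113.9:443",
     "sig": "Suspicious TLS beacon", "sev": 3},
    {"time": "2024-05-01T12:00:00Z", "src_host": "ws-099", "dst": "198.51.100.7:80",
     "sig": "Policy violation", "sev": 1},
]

SEVERITY_SCALE = {"low": 1, "medium": 2, "high": 3}


def parse_ts(text):
    """Parse the ISO-8601 UTC timestamps both feeds happen to use."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalize_endpoint(rec):
    """Map an endpoint record onto the common event shape."""
    return {"ts": parse_ts(rec["ts"]), "host": rec["hostname"], "source": "endpoint",
            "summary": f"{rec['proc']}: {rec['cmdline']}",
            "severity": SEVERITY_SCALE[rec["severity"]]}


def normalize_network(rec):
    """Map a network alert onto the same common event shape."""
    return {"ts": parse_ts(rec["time"]), "host": rec["src_host"], "source": "network",
            "summary": f"{rec['sig']} -> {rec['dst']}", "severity": rec["sev"]}


def correlate(events, window=timedelta(minutes=5)):
    """Group events by host; consecutive events within `window` of each other
    form one incident. Only incidents seen by more than one source are kept."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    incidents = []
    for evs in by_host.values():
        evs.sort(key=lambda e: e["ts"])
        current = [evs[0]]
        for ev in evs[1:]:
            if ev["ts"] - current[-1]["ts"] <= window:
                current.append(ev)
            else:
                incidents.append(current)
                current = [ev]
        incidents.append(current)

    merged = []
    for inc in incidents:
        sources = sorted({e["source"] for e in inc})
        if len(sources) < 2:
            continue  # single-source noise stays out of the analyst queue
        merged.append({
            "host": inc[0]["host"],
            "sources": sources,
            "start": inc[0]["ts"],
            "max_severity": max(e["severity"] for e in inc),
            "timeline": [e["summary"] for e in inc],
        })
    return merged


def build_incidents():
    """Normalize both constructed feeds and return the correlated incidents."""
    events = [normalize_endpoint(e) for e in ENDPOINT_EVENTS]
    events += [normalize_network(a) for a in NETWORK_ALERTS]
    return correlate(events)


if __name__ == "__main__":
    for inc in build_incidents():
        print(inc["host"], inc["sources"], inc["max_severity"], inc["timeline"])
```

On the constructed data, the hidden PowerShell launch on ws-042 and the beacon alert 35 seconds later collapse into one incident, while the later beacon on the same host, the benign notepad event and the ws-099 policy alert each remain single-source and are not surfaced. The normalization step is where the "open standards" point matters: every new telemetry vector only needs one small adapter onto the common shape.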
Although the definition of this market is very nascent, it would be disappointing if it didn’t include automated or manual hunting and orchestration as part of its mandate. Proactive threat hunting takes on an even stronger appeal when a SOC automates routine threat management and goes into prevention mode. While I plan to cover XDR and threat hunting in more detail in a future blog, I want to make one comment about it here: while XDR sounds like a single-vendor technology, it is more likely a few different products integrated to form a SOC solution. The lesson for security product makers is to ensure that the integration is not limited to previously aligned partners but based on open standards. MSSPs should not be made to take a loyalty test for a particular brand, but rather always have the option to deploy the best product or component of the stack that suits their environment without having to change the whole stack. The MSSPs will reward those who play well with others.