Demystifying the Cybersecurity Solution Landscape
My first security conference was Black Hat 2014. This was around the time when all the major US defense contractors were getting into the business of building commercial security products. I happened to be working for one of them, managing one of their flagship “defense-grade” security products. Finding your perfect cybersecurity tech stack isn’t easy, but is necessary to avoid enterprise security threats.
The Evolution of Cybersecurity: From Defense Grade to Mainstream Solutions
You might think that a defense contractor focussing on protecting national security would be able to build and market some amazing security products. And you would be right… and also wrong. “Defense grade” security products come with a “defense-grade” price tag and a “defense-grade” footprint that wasn’t particularly palatable to most not on the Fortune 50 (yes, “50” without the extra “0” – a pretty narrow TAM, though one with deep pockets).
In 2014, security vendors were milking the 2013 Target data breach for all it was worth, but most people weren’t quite panicked enough yet to shell out 6, 7, or 8 figures for cybersecurity, and certainly not that much every year.
Enter: 2015. By Black Hat 2015, we got the gifts that were the Anthem breach (Feb 2015) and then the illustrious US OPM breach (June 2015). Suddenly, cybersecurity was becoming a “thing” for everyone and not just us paranoid weirdos screaming that the sky was falling. It was at this point that panic began to set in, and companies and organizations big and small were scurrying to protect their data. If you’re familiar with Crossing the Chasm by Geoffrey A. Moore, this was the catalyst for the late majority to start scrambling on board the cybersecurity train, and then regulations like GDPR brought on most of the laggards.
Suddenly the potential losses incurred by a major data breach or security incident far outweighed the high costs associated with focusing on cybersecurity throughout an organization.
The Flood of New Players in the Cybersecurity Market
As expected, this new demand triggered a flood of new players in the security solution market flush with new VC. Successful new players got acquired, got big, merged with other players, or some combination of all three. Unsuccessful new players faded into obscurity. Legacy security solutions also went through acquisitions, mergers, and sell-offs. Business halls at major security conferences got bigger. Marketing teams started making up terms and acronyms that sounded innovative and important. Everyone had some amazing new way to protect your data and your enterprise. Solutions in markets that had become commoditized, like encryption, firewalls, and AV, tried to reinvent themselves by expanding their capabilities and claiming to be “next-gen.” It might sound like I’m talking about a long, multi-decade saga, but we’re talking about all of this occurring in 5-10 years.
The Impact of Data Breaches on the Cybersecurity Market – One Platform to Rule Them All… Or Not
The Rise of Cybersecurity Awareness After the Anthem and US OPM Breaches
The kicker to this new security renaissance is that even after the flood of cash and innovation and even after the big players gobbled up little ones, there’s still no one security solution, platform, or vendor that can meet all enterprise security needs (even if we leave off stuff like DevSecOps and code security).
There are a few large vendors out there who may have most of the pieces, but nobody has been all that successful at putting them together into a cohesive platform. Many of these same vendors will argue with me over this, but I stand by this claim.
Everything I’ve seen has been smoke and mirrors, mostly by updating UX look and feel to make something look like an integrated platform, but…nope. Talk to any large security vendor and ask them if “single pane of glass” was on their roadmap 5 years ago (probably yes). Then ask if it’s still on their roadmap (also probably yes). Believe me. I was one of those vendors. Ask these questions again in 5 years, and I’d bet cash money that you’d get the same answers.
The problem is that start-ups, even with huge buckets of cash, are still going to focus on point solutions, and rightly so. Nobody can boil the ocean. Conversely, large enterprise tech companies are usually too large and bureaucratic to be innovative, so they rely on M&A to “buy” innovation, but then everything in security changes so fast that they don’t have the time to really integrate those new solutions into their portfolio well.
To add insult to injury, M&A teams that vet security solutions and negotiate their acquisition may not always be all that good at the vetting part, so often, that cool, innovative startup ends up becoming an albatross that requires a lot of work before it can be brought into the fold.
The result is a large company with a bunch of point solutions that may or may not look similar that don’t talk to each other well, if at all. If you can get SSO between their products, consider this a bonus. Each product also probably has a different sales and marketing team and a different product team that may or may not talk to other teams, assuming they’ve even met.
Categorizing ALL THE (Cybersecurity) THINGS!
Navigating the Crowded Security Solutions Market
Regardless, the cybersecurity market landscape is vast, sprawling, and confusing. Solution categories differ depending on who you ask, and sometimes even when multiple sources have a few similar categories, the solutions in them are not the same. And then you end up wondering why one source doesn’t put IoT, mobile, and cloud security together, or why DLP and insider threat aren’t together and with the SOC solutions. But the truth is that it’s really hard to categorize security solutions, and it’s hard to determine where one solution category ends and another begins, because often there is a whole lotta overlap.
Why is it so hard to categorize security solutions? My theory is it’s because nothing internet-related was initially designed with security in mind, so all security had to be shoehorned in after the fact. Email, websites, databases, applications, wifi protocols, cellular protocols… virtually everything internet-related created or invented before about 2004 (and lots of stuff created after) is inherently insecure. HTTPS, while introduced around 1994, didn’t become the de facto protocol for internet traffic until 2018, so even though certain security measures were developed early(ish), the adoption timeline was abysmal. “If it ain’t broke, don’t fix it” seems to be our mantra, and it’s likely the main contributor to all of our problems.
These days, even the savviest security professionals who have a good understanding of their organization’s attack surface, and what vulnerabilities they need addressed, find it difficult to identify all the solutions they need, let alone from which specific vendors, especially as new solutions with new, made-up solution types come to market, seemingly daily, proclaiming to be new and different and better. And don’t confuse solution types with solution categories. A solution category would be something like “data security,” whereas a solution type within that category would be DLP, and that’s an easy one to define.
Security Vendor Fatigue
To be helpful, security vendors are eager to reach out all day, every day with unsolicited advice on why you need their solution, and man, oh man, they are a tenacious bunch. Now that I’m on the buying side of security solutions rather than the selling side, I believe I have the advantage of seeing both sides with more clarity. On the buying side, I am knee-deep in security vendor fatigue right now. I recently got called every day for 2 weeks by a particular, very established and respected vendor, so it’s not just startups. Every time I show the slightest bit of interest in a security solution, I’m engulfed in a whirlwind of emails, phone calls, and LinkedIn requests.
I get the eagerness of security vendors. I really do. I know most of them truly believe they can solve all of my security problems. I believed the same thing about my products and I was pretty darn convincing. Never underestimate the power of an earnest product manager. But you must resist. Don’t fall for it. Sitting on the buyer side, I realize now that until I understand my specific security needs, there’s no way to know who can meet them and certainly no one else can claim they have what I need if I don’t know what it is yet.
Cybersecurity Market Analysts – Who Really Benefits?
Behind the ‘Magic’ Curtain
Many security and IT leaders rely on market analysts like Gartner and ESG, but those same analysts are paid by vendors. In the case of ESG, their focus is identifying customer needs and customer buying trends for vendors, and as a vendor who had a relationship with ESG, I can vouch for their insight and services. But while their information can be valuable to buyers, their focus is really on providing value to vendors. Note here that they do provide consulting services that include vendor assessments for buyers, but they don’t make these vendor assessments public because one vendor may be awesome for someone else, but not for you. Keep this thought in mind as you read on to the next paragraph.
While Gartner does provide market analysis for buyers with its Magic Quadrant™ and other services, the greater value is still mainly for the vendor. Being in the Magic Quadrant™ is great marketing for a company, and they will freely and gleefully hand out copies of Gartner’s report, generate press releases, plaster it all over their website, and spam anyone and everyone who will listen.
I will also add here as a side note that ESG’s analysis is much more focussed on helping vendors with product roadmap and strategy, whereas Gartner’s analysis is much more focussed on helping vendors with product positioning and marketing. While vendors absolutely benefit from both of these things, this is a subtle, but important difference. (Note that both do both things, but each focuses more on one than the other.)
But regarding that magical square (rectangle?) of awesomeness coming from the vendor side, I’ll let you in on a little secret: getting into that elusive quadrant has a lot to do with how much time and money you are willing to spend on having an analyst come and evaluate your solution. After several years of having said analyst come and peruse your wares, you learn quickly how to position your solution to put it in the best possible light. You’ll also learn how to subtly Jedi mind trick the analyst to skew their market definition to fit your solution. It’s possible that I have first-hand experience in working for a company that had a product that was less than stellar (not mine; obviously all my products have been spectacular) that made it to the top right bit of that chart, so maybe it really is magic. Unfortunately, magic can’t create the perfect Cybersecurity Tech Stack.
Making Sense of Cybersecurity Market Messaging
Even industry leaders have a difficult time figuring out the security solution puzzle. At Black Hat 2022 last year (almost a decade since my first 😱), I was wandering around the business hall with a friend who also happens to be a branch chief at CISA, and she was musing that it seemed like everyone’s messaging was the same and it was incredibly hard to figure out what anyone actually did anymore.
“Zero Trust” Cybersecurity
“Zero trust” was the buzz-phrase last year. Literally every single solution, regardless of which security category it fit in, claimed it could help facilitate zero trust within your organization. But what is zero trust? (This is where I throw in the disclaimer that my last security product gig was at a company knee-deep in doling out the zero-trust Kool Flavor-Aid. To be fair, they are a pretty awesome data protection company and can probably stake one of the biggest claims on the zero trust “market.” I just think the term itself is stupid.) “Zero trust” really means “least privilege,” meaning you provide everyone who has access to your organization the least amount of privilege that they need to do their job. Great concept. Stupid term.
Regardless, zero trust isn’t a solution space. It’s a framework requiring a major overhaul to an organization’s data access controls. NIST has a great guide about why moving from role-based access controls (RBAC) to attribute-based access controls (ABAC) can set the foundation for building out your zero-trust framework. It’s a super informative document with helpful little diagrams like this one:
However, while it is great at explaining what you need to do and why, it’s not so great at telling you how, and really the impetus for this document was originally super secret squirrel air-gapped networks, where only people who need to know, know, and those who don’t, don’t. Regardless, if you have the time and money to overhaul your entire access control system, then it’s legitimately something to consider putting in place. I’m a firm believer in encrypting everything you can and providing access only on a need-to-know basis. It would solve a lot of security problems today (potentially almost all of them, but don’t quote me on that and don’t flame me with hate mail).
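To make the RBAC-versus-ABAC point concrete, here is an added example (my own illustration, not code from the article, from the NIST guide it references, or from any vendor). It evaluates the same access request under a role-only policy and under an attribute-based policy, and reports which attribute rule denied the request so the decision can be logged. The sensitivity scale, the rule names, the departments and the users are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

# Constructed sensitivity scale shared by subjects (clearance) and resources
# (classification): 0 = public, 1 = internal, 2 = confidential, 3 = restricted.

@dataclass(frozen=True)
class Subject:
    user: str
    roles: FrozenSet[str]
    department: str
    clearance: int

@dataclass(frozen=True)
class Resource:
    name: str
    owner_department: str
    classification: int

@dataclass(frozen=True)
class Context:
    managed_device: bool   # endpoint is enrolled in device management
    mfa_passed: bool       # session was authenticated with a second factor

# ---- RBAC: a role is a static bundle of (resource, action) grants. ----
RBAC_GRANTS: Dict[str, Set[Tuple[str, str]]] = {
    "soc-analyst": {("incident-db", "read"), ("incident-db", "write"),
                    ("threat-intel", "read")},
    "hr-staff": {("hr-records", "read"), ("hr-records", "write")},
}

def rbac_decide(subject: Subject, resource: Resource, action: str) -> bool:
    """Allow when any of the subject's roles carries the grant. Neither the
    data's sensitivity, the subject's department nor the device is consulted,
    so every holder of a role gets the same (broad) access."""
    return any((resource.name, action) in RBAC_GRANTS.get(role, set())
               for role in subject.roles)

# ---- ABAC: named predicates over subject, resource, action and context. ----
Rule = Callable[[Subject, Resource, str, Context], bool]

def has_role_grant(s: Subject, r: Resource, a: str, c: Context) -> bool:
    return rbac_decide(s, r, a)             # the role becomes just one attribute

def clearance_dominates(s: Subject, r: Resource, a: str, c: Context) -> bool:
    return s.clearance >= r.classification  # no reading above your clearance

def need_to_know(s: Subject, r: Resource, a: str, c: Context) -> bool:
    return s.department == r.owner_department

def write_needs_managed_mfa(s: Subject, r: Resource, a: str, c: Context) -> bool:
    return a != "write" or (c.managed_device and c.mfa_passed)

ABAC_RULES: Dict[str, Rule] = {
    "has_role_grant": has_role_grant,
    "clearance_dominates": clearance_dominates,
    "need_to_know": need_to_know,
    "write_needs_managed_mfa": write_needs_managed_mfa,
}

def abac_decide(subject: Subject, resource: Resource, action: str,
                ctx: Context) -> Tuple[bool, List[str]]:
    """Deny unless every rule holds; return the names of the failed rules so
    the denial can be logged and audited rather than silently dropped."""
    failed = [name for name, rule in ABAC_RULES.items()
              if not rule(subject, resource, action, ctx)]
    return (not failed, failed)

# ---- Constructed subjects, resources and contexts for the comparison. ----
ALICE = Subject("alice", frozenset({"soc-analyst"}), "security", clearance=1)
BOB = Subject("bob", frozenset({"soc-analyst"}), "security", clearance=2)
INCIDENT_DB = Resource("incident-db", "security", classification=2)
HR_RECORDS = Resource("hr-records", "hr", classification=2)
UNMANAGED = Context(managed_device=False, mfa_passed=True)
MANAGED = Context(managed_device=True, mfa_passed=True)

def compare(subject: Subject, resource: Resource, action: str, ctx: Context) -> dict:
    """Return both decisions for one request, for side-by-side inspection."""
    allowed, failed = abac_decide(subject, resource, action, ctx)
    return {"rbac": rbac_decide(subject, resource, action),
            "abac": allowed, "failed_rules": failed}

if __name__ == "__main__":
    for s, r, a, c in [(ALICE, INCIDENT_DB, "read", MANAGED),
                       (BOB, INCIDENT_DB, "write", UNMANAGED),
                       (BOB, INCIDENT_DB, "write", MANAGED),
                       (BOB, HR_RECORDS, "read", MANAGED)]:
        print(f"{s.user} {a} {r.name} managed={c.managed_device}: {compare(s, r, a, c)}")
```

Running it shows the two policies disagreeing exactly where least privilege bites: RBAC lets the under-cleared analyst read confidential incident data and lets a write happen from an unmanaged laptop, while ABAC denies both and names the rule that did so. Adding a new constraint under RBAC would mean minting another role (“soc-analyst-tier2”); under ABAC it is one more predicate in the table.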
But why would, say… a SIEM solution advertise that they help you with zero trust? I mean, every security solution can probably claim it helps but if you don’t have the framework in place, then it probably doesn’t.
The point is that researching security solutions and miring through all their market messaging fluff and jargon to determine your security needs is kind of backwards, when you think about it. You need to identify your security needs and then find solutions that can meet them. Seems easy enough, right? Well, it does until you realize that all vendors will tell you they do the same thing: secure your enterprise! But their solution is the bestest! They do it in the most super-est, awesomest way! They will not just secure your enterprise. They’ll super SUPER secure it! Yayyyyyyyyy!
The Enterprise Security Elephant in the Room: Nothing is Unhackable
OK, now that I’ve gotten that out of my system, we need to pivot here and address the elephant in the room:
There is no such thing as “more” secure.
When you secure something, you are making it immovable or impenetrable or… unhackable. You can’t make something more immovable or more impenetrable or more unhackable. Something is only secure until it isn’t, and then it’s not. And to be quite frank, even when nobody is attempting to gain unauthorized access to your organization, your organization isn’t really secure. There are still ways to get in. I know I’m being pedantic, but the security solution industry knows this. They wouldn’t have moved focus from “protection” to “detection and response” if they didn’t know this. They wouldn’t be tracking dwell time as one of their most important metrics unless they expected intrusions. The term “security gap” is an oxymoron when you really think about it. If your front door is locked, but you have a window 2 feet away that is cracked open, you don’t say your house has a security gap. It’s either secure or it isn’t. Your front door might be secure, but your house is not.
Security solutions aren’t really securing your organization. They’re just mitigating threats and minimizing risk, but saying “we’ll mitigate threats to your network” or “we’ll minimize your risk of a data breach” doesn’t sound as sexy as “we’ll secure your enterprise.” Keeping with the house analogy, your house will never be secure. A determined criminal could probably break into any house, but if you had an alarm system or a very large dog, then those things could mitigate threats and minimize the risk of property loss. Almost all vendors have shifted overall focus to fast detection and mitigation through swift response and remediation, and that’s why we’ve moved beyond firewall, IDS/IPS, and secure gateways to incident detection and response, network segmentation, granular access controls, and easier, faster encryption.
Sourcing a Security Solution Stack to Minimize Risk
So really, what every organization should be looking for is a “security” solution stack that can minimize the risk of a data/network/application breach by x% and mitigate the damage of threat intrusions by y%. Almost all security solutions today were developed to contribute to these two things, but which ones will work best for you? And which combination of solutions will give you the biggest bang for your buck? More is definitely not always better when it comes to security solutions. The more solutions you have, the more alerts you have to manage. This seems like a good thing, but more alerts means more false positives and more false positives means a greater likelihood of missing real threats. So where is the sweet spot for you?
If you start with looking at solutions before identifying your needs, your mind starts to fill up with more questions than answers. Do you need SIEM, SOAR, and/or XDR? Is XDR really EDR 2.0 or is it a gimmick? How about UEBA? What’s the difference between SSE and SASE? How about CASB? Do you need endpoint agents or can you rely on network (or virtual network) security? How about IDS/IPS, firewall, and WAF? Can the same tools secure traditional networks and cloud? Can you get DLP, insider threat protection, and data discovery/classification with one solution? What solutions can actually help implement a zero trust framework across your organization? Do you need separate encryption tools? Is there a way to manage all your encryption keys in one place? What are the best malware detection and protection tools? Do you need separate tools for email, file stores, and endpoints?
Use Olive to Source your Security Tech Stack
Stop Focussing on Solutions and Vendors; Start Focussing on Your Needs
All of this is why you need to take a step back from the noise. Don’t focus on what vendors tell you their solutions do and why you need them and don’t focus on what vendors say their solutions can and cannot do (they’ll probably hedge on the latter anyway). Start with the basics.
1. Identify and Gather Security Requirements (needs) and Invite Vendors to Respond
Identify all your security needs independent of any solutions or any solution markets. Do you have a defined network? If you don’t, do you need one? How much sensitive data does your organization have and where does it reside? Do you even know? What are your biggest risks? What’s your organization’s risk tolerance? What kind of controls and protections do you already have in place? Are they adequate? Where can they be improved? Can your organization support manual remediation and response, and if so, what is your bandwidth? What’s your appetite for implementation time and effort? What’s your budget? Would MSSP/MDR be a more cost-effective solution? (Even if it is, you still need to identify your needs.)
2. Allow Your Needs to Identify the Solutions
Once you’ve identified your needs, you’ve identified your high level requirements. At this point, this is where a tool like Olive can shine.
Your security tech stack will probably require multiple solutions from multiple vendors that ultimately need to work together, so why should you have to engage each vendor separately and independent of one another? Why should you have to divvy up your requirements for each separate solution type, especially since there’s so much overlap and you need a secret decoder ring to decipher the true differences between some solution types?
With Olive you can enter all your security requirements and invite multiple vendors across multiple solution spaces to see if and how their solutions can meet your requirements. Do you already have some security solutions in place? Throw those vendors in the mix. Maybe they can expand to meet new requirements or maybe you can find other solutions that are better and do more. This is where you need to engage vendors and this is where their input becomes valuable. Rather than them telling you what they can do, you’re asking them how they can meet your needs. As vendors respond to your requirements and provide more insight into how they can meet your needs, you can refine your requirements, add requirements that may be missing, and iterate with multiple vendors at the same time.
In this way, you are letting your needs identify the solutions, rather than letting the solutions identify your needs. For example, rather than having to determine up front whether you need SIEM, SOAR, XDR or some combination of the 3, the answer will become readily apparent with this process. SIEM is easily identifiable, but SOAR and XDR are a bit more fuzzy and you’ll probably find that definitions of what these things are will vary from vendor to vendor. So really what you’ll find is that it’s not SOAR or XDR that you need per se. It’s whatever a particular vendor is calling SOAR or XDR. Or maybe you don’t need either one. Or maybe you need both.
3. Invite Other Stakeholders for Better Insight
You can also invite other stakeholders. Perhaps you have a SOC manager or SOC analysts who can provide better insight into how they need solutions to help them do their jobs. Maybe you have stakeholders in other departments like HR (to contribute to insider threat requirements), IT (for remediation if IT is a separate department from security), etc.
4. Integration and Implementation Requirements
Once you’ve narrowed down your vendor solution list, you can start really discussing integration and implementation requirements. Even if you’ve been able to narrow your choices down to single “platform” vendors, don’t assume all of their solutions integrate with each other. Large vendors with multiple solutions across multiple security spaces have generally obtained some of those solutions via acquisitions and certain integrations might be half-baked or nonexistent.
5. Get Numbers and Data from Vendors
On top of all that, ask them for actual numbers and data regarding how well their solutions have proven to minimize risk and mitigate damage, and then hold them to that if you can. Ask them for dwell time metrics, and if they claim to automate your incident detection and response process, negotiate a maximum dwell time.
Continuously Improve your Security Posture Via Monitoring and Assessment
Throughout this entire process, you and your stakeholders can rank vendor responses and identify your most critical requirements. Olive will use this information to generate scores for each vendor solution. The solutions that best meet your needs will bubble to the top. You can also quickly identify any requirements that no solution adequately addresses, which allows you to reassess how important those requirements are and if you determine that you’re missing a critical need, you can seek out and invite additional vendors to respond.
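The ranking-and-gap step described above can be sketched in a few dozen lines, so here is an added example of that kind of scoring. It is my own illustration, not Olive’s scoring model or code, and the requirements, stakeholder weights, vendor names and response values are all constructed. Stakeholders rate each requirement 1 (nice to have) to 5 (critical); vendors respond 0 (not met), 1 (partial) or 2 (fully met); a vendor’s score is the weighted share of the maximum, and any requirement that no vendor fully meets is surfaced, flagged as critical when its averaged weight is 4 or above.

```python
from statistics import mean
from typing import Dict, List, Tuple

# Constructed sample data (hypothetical; not Olive's data model).
# requirement id -> stakeholder -> importance (1 = nice to have .. 5 = critical)
REQUIREMENT_WEIGHTS: Dict[str, Dict[str, int]] = {
    "REQ-01 central log ingestion, cloud and on-prem": {"ciso": 5, "soc-manager": 5, "it": 3},
    "REQ-02 automated containment of a compromised endpoint": {"ciso": 4, "soc-manager": 5, "it": 2},
    "REQ-03 insider-threat detection on HR data": {"ciso": 3, "soc-manager": 2, "hr": 5},
    "REQ-04 contractual maximum dwell time of 24h": {"ciso": 5, "soc-manager": 5, "it": 3},
}
# vendor -> requirement id -> response (0 = not met, 1 = partial, 2 = fully met)
VENDOR_RESPONSES: Dict[str, Dict[str, int]] = {
    "VendorA": {"REQ-01 central log ingestion, cloud and on-prem": 2,
                "REQ-02 automated containment of a compromised endpoint": 2,
                "REQ-03 insider-threat detection on HR data": 0,
                "REQ-04 contractual maximum dwell time of 24h": 1},
    "VendorB": {"REQ-01 central log ingestion, cloud and on-prem": 1,
                "REQ-02 automated containment of a compromised endpoint": 1,
                "REQ-03 insider-threat detection on HR data": 2,
                "REQ-04 contractual maximum dwell time of 24h": 0},
    "VendorC": {"REQ-01 central log ingestion, cloud and on-prem": 2,
                "REQ-02 automated containment of a compromised endpoint": 0,
                "REQ-03 insider-threat detection on HR data": 0,
                "REQ-04 contractual maximum dwell time of 24h": 1},
}
FULLY_MET = 2          # top of the response scale
CRITICAL_WEIGHT = 4.0  # averaged stakeholder weight at or above this is critical

def consolidated_weights(weights: Dict[str, Dict[str, int]]) -> Dict[str, float]:
    """Average each requirement's stakeholder ratings into one weight."""
    return {req: float(mean(votes.values())) for req, votes in weights.items()}

def score_vendor(responses: Dict[str, int], weights: Dict[str, float]) -> float:
    """Weighted share (0..100) of the maximum achievable response.
    A requirement the vendor did not answer counts as not met."""
    maximum = sum(weights.values()) * FULLY_MET
    earned = sum(weights[req] * responses.get(req, 0) for req in weights)
    return round(100 * earned / maximum, 1)

def rank_vendors(vendor_responses: Dict[str, Dict[str, int]],
                 weights: Dict[str, float]) -> List[Tuple[str, float]]:
    """Vendors ordered best-first; the best fit bubbles to the top."""
    scored = [(vendor, score_vendor(resp, weights)) for vendor, resp in vendor_responses.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)

def unmet_requirements(vendor_responses: Dict[str, Dict[str, int]],
                       weights: Dict[str, float],
                       critical: float = CRITICAL_WEIGHT) -> Dict[str, dict]:
    """Requirements that no vendor fully meets, with the best response seen and
    whether the requirement is critical (so you can reassess or invite more vendors)."""
    gaps = {}
    for req, weight in weights.items():
        best = max(resp.get(req, 0) for resp in vendor_responses.values())
        if best < FULLY_MET:
            gaps[req] = {"best_response": best, "critical": weight >= critical}
    return gaps

if __name__ == "__main__":
    w = consolidated_weights(REQUIREMENT_WEIGHTS)
    for vendor, score in rank_vendors(VENDOR_RESPONSES, w):
        print(f"{vendor}: {score}")
    for req, gap in unmet_requirements(VENDOR_RESPONSES, w).items():
        print(f"GAP {req}: best response {gap['best_response']}, critical={gap['critical']}")
```

With the constructed data, VendorA ranks first even though it does nothing for the HR insider-threat requirement, and the dwell-time requirement shows up as a critical gap that no vendor fully meets, which is precisely the signal that tells you to either revisit that requirement’s weight or widen the vendor invitation.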
Once you’ve identified your perfect security tech stack, you can continue to engage stakeholders to provide input on how well implementation is going and whether requirements are being met during acceptance testing, and once everything is live, you can still engage stakeholders to assess solution performance and monitor for arising needs that your current solutions may not address. As bad actors evolve, your security posture needs to evolve with them.
Perhaps the security industry as a whole will never be ahead of the game, as criminals will always have the advantage, but the process that Olive helps facilitate could help you keep up.