Water water everywhere, but not a drop to drink
How should we feel about the milestone of 10,000+ cybersecurity products?
Tracking and keeping up with all of the vendors and products in the cybersecurity market is a remarkable achievement, and I applaud Richard’s efforts here. It’s a very valuable thing that he’s built. It’s a good opportunity to dig into this milestone and what I think it means for the industry.
I love tracking cybersecurity market trends and talking to founders about what they’re building on the bleeding edge. I spend a lot of time on the Enterprise Security Weekly podcast and here on The Cyber Why discussing security startups. I talk and write about startups from the moment they come out of stealth through every funding round and finally exit to larger vendors and become part of a larger platform or suite of products.
It’s rare, however, that I see something that really moves the needle, so I try to highlight it when it happens.
Drowning in Solutions to Our Problems
While the constant flow of new startups and funds through the cybersecurity market provides me with a never-ending source of news to write and podcast about, I think it provides less value to practitioners. Ten thousand products. Most practitioners have never heard of these vendors or products, and never will. It’s a mark of the age we live in, where defenders got all the funds they asked for, products they asked for, and people they asked for, but still get breached.
We’re positively drowning in resources but still struggling to get the job done.
I’ve devoted a large chunk of my career to trying to understand this dilemma, and this research goes back to an epiphany I had in 2011, shortly before becoming an industry analyst. I was working for a mid-sized enterprise, building their security program. While going through their current tooling, I found that their vulnerability management product had identified 250,000 critical vulnerabilities.
How was this possible? How could a company with 2,000 employees and fewer than 3,000 assets have a quarter million critical vulnerabilities? The vulnerability management tool couldn’t answer this question, so I went in search of a tool that could. I discovered a company named Risk I/O (later rebranded as Kenna Security and acquired by Cisco), whose whole value proposition was to make sense of the mess that vulnerability management products produced.
It was already concerning that the state of patch management was so bad that we needed a tool to tell us when patches were missing (I know vuln mgmt is a lot more than just updating software, but that was the bulk of it in this scenario). It was much more concerning that we now needed a third tier of products to clean up the mess that the lower tier had produced. A few years later, we’d see “next-gen” anti-virus offerings create a similar dynamic, where most organizations resigned themselves to running two AV solutions on every endpoint, until the new technology caught up enough to replace the old.
Everything Fatigue
The term “fatigue” is now commonly used to describe the situation cybersecurity products have created. Early in my career, I was tasked with implementing my company’s first SIEM. We were one of the world’s largest payment processors, and the upcoming PCI 1.0 deadline made this an important project. My first instinct was a common one: shove as many events from as many possible sources into the SIEM. I wanted every bit of enterprise visibility I could get.
One month in, I had over 1,700 devices pumping 100 million events into our SIEM daily. It was an absolute nightmare. Every day, sources would stop sending us events and we’d have to investigate. Managing storage was a daily struggle, as PCI had retention requirements we had to meet. I had built this SIEM from the perspective of “what COULD this SIEM do for us”, when the goal I should have set sounded more like “what SHOULD this SIEM do for us”. We could barely keep the thing running - trying to do anything useful with it was challenging.
Once IT realized that we had built this massive system of record, the security team was tasked with determining root-cause analysis after every IT outage. Due to the SIEM’s architecture, database technology, and the amount of data we were constantly pumping into it, even the most basic queries could take hours to complete. Getting any cybersecurity value out of our SIEM seemed an impossible task, even with nearly 5 FTEs largely devoted to managing and using it.
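The “sources would stop sending us events” problem above is one of the few parts of that SIEM story that can be turned into a concrete check. The following is an added example, not code from the original post or from any product it mentions: a minimal silent-source monitor that reads syslog-style lines, records the last time each expected source reported, and flags sources that have gone quiet for longer than their allowed gap. The source names, allowed intervals, and log lines are all constructed for the example.

```python
"""
Added example (not code from the original post): a minimal "silent log
source" check. Given a stream of event records tagged with their source, it
tracks the last time each configured source reported and flags any source
that has gone quiet for longer than its expected interval. All source names,
intervals and log lines below are constructed for the example.
"""
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Constructed inventory: every source the SIEM is expected to hear from and
# how long it may stay silent before someone should investigate.
EXPECTED_SOURCES: Dict[str, timedelta] = {
    "fw-edge-01": timedelta(minutes=5),
    "dc-auth-02": timedelta(minutes=15),
    "pos-gateway-07": timedelta(minutes=30),
    "vpn-concentrator": timedelta(minutes=10),
}

# Constructed sample of syslog-style lines as a SIEM might store them:
# "<ISO timestamp> <source> <message>"
SAMPLE_EVENTS = """\
2024-03-11T09:00:05Z fw-edge-01 deny tcp 10.0.0.5:51234 -> 203.0.113.9:445
2024-03-11T09:00:09Z dc-auth-02 logon success user=alice
2024-03-11T09:01:12Z fw-edge-01 allow tcp 10.0.0.7:44120 -> 198.51.100.3:443
2024-03-11T09:02:40Z pos-gateway-07 txn batch closed count=128
2024-03-11T09:03:01Z dc-auth-02 logon failure user=bob
2024-03-11T09:58:30Z fw-edge-01 deny udp 10.0.0.5:5353 -> 224.0.0.251:5353
"""


def parse_events(text: str) -> Iterable[Tuple[str, datetime]]:
    """Yield (source, timestamp) for each well-formed line; skip junk lines."""
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue  # malformed timestamp: ignore rather than crash the check
        yield parts[1], ts


def last_seen(events: Iterable[Tuple[str, datetime]]) -> Dict[str, datetime]:
    """Reduce the event stream to the most recent timestamp per source."""
    seen: Dict[str, datetime] = {}
    for source, ts in events:
        if source not in seen or ts > seen[source]:
            seen[source] = ts
    return seen


def silent_sources(now: datetime,
                   seen: Dict[str, datetime],
                   expected: Dict[str, timedelta] = EXPECTED_SOURCES) -> List[Tuple[str, str]]:
    """Return (source, reason) for every expected source that is overdue.

    A source that has never reported is flagged separately from one that used
    to report and then stopped, because the two usually have different root
    causes (onboarding never finished vs. a forwarder or network path broke).
    """
    findings: List[Tuple[str, str]] = []
    for source, max_gap in expected.items():
        if source not in seen:
            findings.append((source, "never reported"))
        elif now - seen[source] > max_gap:
            gap = now - seen[source]
            findings.append((source, f"silent for {int(gap.total_seconds() // 60)} min"))
    return sorted(findings)


def run_check(text: str = SAMPLE_EVENTS,
              now: datetime = datetime(2024, 3, 11, 10, 0, 0)) -> List[Tuple[str, str]]:
    """Convenience wrapper: parse, reduce, and evaluate against the inventory."""
    return silent_sources(now, last_seen(parse_events(text)))


if __name__ == "__main__":
    for source, reason in run_check():
        print(f"ALERT {source}: {reason}")
```

The inventory is the important part: a check like this only works if someone maintains the list of sources the SIEM is supposed to hear from and a realistic silence threshold per source, which is exactly the “what SHOULD this SIEM do for us” scoping the story describes.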
Function, Not Innovation
My SIEM story is 20 years old, and my vulnerability management story is 13 years old, but the cybersecurity industry is still struggling with similar problems today. Security teams are fatigued by the very products meant to solve their problems. So we sell more products to solve the problems created by other security products. Meanwhile, breaches are at a record high, and most ransomware attacks resemble mediocre penetration tests.
Throughout my career, I’ve consistently encountered buggy, poorly designed security products that don’t come close to achieving their claims. I’ve encountered a shocking number of products that simply don’t work at all and only provide the appearance of function and value. Enough to fool practitioners juggling too many products, but not those with the time to evaluate a product properly. On the inaugural episode of The Cyber Why podcast, I mention that Palo Alto doesn’t need best-of-breed products to win with their platform approach - they just need products that work, and they’ll beat most of the competition by making purchasing painless.
So, that’s my take on the current state of a cybersecurity market peddling over 10,000 products. So many products, we need a tool like Richard’s to help alleviate shopping fatigue.
Less Noise, More Boring
With the exception of perhaps nation-states, most threat actors aren’t innovating, because they don’t really need to. In fact, the data we have suggests that cybercriminals have more easy targets than they have time or resources to take advantage of. Initial access brokers aren’t running out of product to sell. After every breach post-mortem I work through, the lessons are the same: staff wasn’t trained, security products weren’t configured correctly, and security processes were either missing, untested, ineffective, or all of the above.
There are a lot of parallels between the health & fitness industry and cybersecurity. Both industries generate a constant barrage of “innovations” and things that sound like shortcuts. Some folks will buy anything to avoid the old, tired, reliable advice: diet and exercise. Yeah, you got that Whoop 4.0 strapped to your wrist, but it didn’t stop you from eating 2,000 calories of Cool Ranch Doritos during the Oscars last night, did it?
The path forward is clear:
Focus on nailing the fundamentals, not chasing the latest “innovation” in security. The constant process of chasing, trying new products, and ripping/replacing is disruptive and will contribute to security failures (particularly if the products, processes, and people you already have aren’t effective!).
Constantly test the efficacy of your products, people, and processes. One pen test a year isn’t often enough. Practice like a sports team.
Talk to the folks who don’t seem to have their hair on fire all the time - you’ll get good advice and product recommendations. There are some products out there that are real gems. When these folks move to a new company, there’s a short list of “evergreen” products they’ll put in place every time. Buy and implement those, and ignore most of the rest of the noise in the market.
Make sure your product overhead to headcount ratio makes sense so you can get the most out of the products you already have. What’s the right number? I don’t know, but five products per FTE is probably too much. Some products need more attention than others, so it’s hard to nail down a number for every org and scenario.
There isn’t a finish line, but you’ll know when you’ve arrived at security enlightenment. You’ll still have the same boring routines, but incidents won’t rattle the team or burn out employees. You’ll return to normal from incidents more quickly. You’ll sweat less in management/board meetings when presenting metrics and updates. Changes to the security program and its processes will be smaller and more iterative.
Before cybersecurity enlightenment: chop wood, carry water.
After cybersecurity enlightenment: chop wood, carry water.
Excellent piece, Adrian!
Great post, and such a spot-on relevant topic. Another couple of ways I've seen organizations fail in this area are: Not even knowing all the tools they have in place and buying new tools to provide a solution addressed by two existing tools, and almost never planning for time (for internal resources and professional services hours from vendors) for initial fine tuning of tools.