I’m not known for being a big fan of products aimed at enterprise buyers in the information security space. One of my most oft-used mantras is, “People, Process, Technology — In that order!”.
However, I would like to think that I (and my consultancy) are known for giving pragmatic advice regarding the most effective actions security leaders like you can take to improve the effectiveness of their security programs.
Your future increased spend on security products may be ineffective (and actually put your organization at increased overall risk) for various reasons. Let’s summarize why we may fail to reduce risk through implementation of New Shiny Things™.
Exhibit A. Excessive Tooling
- Advanced adversaries are progressing rapidly in their ability to compromise organizations and remain undetected for lengthy periods of time. While cybercrime remains a pressing issue for most commercial enterprises, the most innovative market solutions do not solve larger gaps, which are typically tied to the business’ foundational requirements and particular threat model. While investing in a solution marketed to detect nation-state or “Advanced Persistent Threats” may make a board feel more confident in the correct allocation of security investment, advanced solutions fail to solve underlying structural issues in your security program.
- Purchasing new tools (read: thousands of lines of potentially buggy code) for your security stack widens your attack surface. Security products often require high privilege to your critical services and infrastructure in order to be effective. The risk of a threat actor taking control of such an asset is often left unevaluated.
- You may reach a point of diminishing returns at which too many tools increase complexity such that the resources available to your security organization are reduced in the areas which matter most. Training security teams on new tools takes time and money, and that training often has to come from the vendor itself.
- Security folks can experience tool fatigue and often face difficulty integrating the right tooling into their processes, especially where similar capabilities overlap and justification for the initial spend is retrospectively unclear.
- Unfortunately, security products are failing to reduce the current asymmetry between attackers and defenders. As such, adding tooling which potentially increases a defender’s workload without addressing a proven business need should be carefully considered.
- Vendor selection criteria often include ensuring the product works as advertised, will integrate with the infrastructure, and won’t present an unacceptable level of additional risk to the enterprise when deployed. However, some of the smartest moves security leaders can make are in the “analyzing requirements” phase of the vendor selection process. This critical inflection point is an opportunity to ensure requirements are fully vetted, consensus is reached, and the true needs of the business are reflected throughout the selection process.
Exhibit B. Excessive Reliance on Analyst Recommendations
- While we know cybersecurity is an N-dimensional problem, we continue to attempt to two-dimensionalize it through the use of Magic Quadrants and the like.
- Updated analyst reporting several times a year may drive “tool addiction” versus the smarter strategy of seeking to more fully operationalize existing assets.
- We are in a cybersecurity bull market at the moment, which has led to intense analyst focus in some areas only to the detriment of any potential customers of those vendors in the less-studied (read: less sexy) categories.
- Allowing these firms to define categories instead of using a common language that describes what the products do is clearly not in your favor as the buyer. Symptomatic of the complex vendor landscape and the lack of a common language is this excellent presentation (PDF) by Sounil Yu on his new “Cyber Defense Matrix” classification model, which describes products by the function they perform rather than by vendor-defined category. Highly recommended.
- Innovative solutions often cannot “make it in” to a category recognized by a large analyst firm. I have personally observed that vendors will make product roadmap and feature decisions based on these types of public perception/categorization problems vs. prioritizing actual customer pain (your needs).
- Too little objective, real-world data! The proprietary rating methodologies used by these firms are typically opaque and lack independent or technical scrutiny.
- While well-meaning, analysts aren’t living in your world. These folks are not operational (and may never have been), typically have no hands-on experience with the products or services they’re reviewing, and know little to nothing about your enterprise and your specific needs.
If we can agree to stop buying into the never-ending “layered defense” strategy by continually procuring more and “better” products, how shall we begin to respond to the long-term cybersecurity problem more rationally?
- Let’s learn to “live off the land” and fully operationalize our existing tool stacks. What can (and can’t) your existing solutions do for you? Make sure you understand what your capabilities are (and aren’t). Investigate software upgrades, configuration and deployment reviews, training employees on advanced usage, working with the vendor to extend capabilities/functionality, and helping to drive the product roadmap as a customer.
- Breaches bypass solutions: if we fail to plan for the inevitable, we should not blame vendors for not being the best in their category. No vendor can provide a 100% security guarantee. Given this reality, we should become really, really good at cybersecurity basics (hygiene) by developing and consistently executing a strong process-focused prevention strategy.
- Before considering a product, perform a comprehensive evaluation to determine whether the desired functionality already exists within your organization. I recommend sharing tooling with the IT department wherever possible. They likely have mutual requirements and existing tooling, and vice versa.
- Seek to shift responsibility of administering solutions to dedicated tool administrators, who should integrate with the SOC to assure tight alignment of the deployment with ongoing business needs.
- Security investment should be validated by true requirements from a documented vendor selection process and measured by risk reduced per dollar spent.
While cybersecurity is a complex problem set, a rising tide lifts all boats. We will all be better off if we can succeed in shifting the market’s focus beyond vendors and investors towards our needs as buyers.
Until then, #ThinkBeyond.