
Is Security Just Too Damn Hard? Is Product+Service The Future?

By Anton Chuvakin | June 21, 2018

Tags: security, MSSP, monitoring

OK, I got a catchy headline, now what? 🙂 This is another philosophical post about the fate of our beloved domain of cyber.

Specifically, we all remember Dan Geer’s classic quote “Internet security is quite possibly the most intellectually challenging profession on the planet” and most of us doing security read it optimistically (as in “oh yeah, we are pretty damn smart!”)

However, many IT leaders and more senior managers read the same line pessimistically, it seems. They read it as “oh no, security is too hard for us to do” and “security products are too hard for us to use”, which are one step away from the hopeless “we’ll get hacked anyway, whether we do anything or not.”

So, if you recall my post about SIEM futures, I alluded that “SIEM is too hard for many organizations” and they see the answer in either outsourcing (->MDR) or automating (->UEBA). Succeeding with either involves copious amounts of luck, to be sure….

But what if I told you that we are starting to see the same trend for many other security product categories!? For example, we see many EDR deployments fail, and then eventually get saved by managed EDR (a type of MDR) services. One EDR provider (selling tools) essentially became a near-exclusively managed EDR (a sub-type of MDR) provider (selling services with their tools).

This may mean that we are approaching “peak security product” as there are a/ not enough people to use the products and, worse, b/ not enough skilled people to use the products that require skilled people. In light of this, I take a VERY (and I mean … VERY!) dim view of many recent security startups. Guys, rethink software/SaaS/appliance selling! There is nobody to use your stuff out there in the real world….

To finalize, I think a revolution is coming. The revolution that will sweep away many security products and replace them with “product-service fusions” where you pay one amount for using the tools together with ongoing help with their operation. Today, the best examples of this trend are various MDRs (including managed EDRs), co-managed SIEM shops and other product vendors that offer tools-with-services.

Notably, this revolution may or may not mean that MSSPs are out to make a killing. Many MSSPs are hopelessly stuck in the past, addressing the late 1990s demands like firewall rule changes and super-basic-bordering-on-fake event monitoring (“today only! deep insight from IDS logs! no other data required!”). I think MDRs and smart product vendors will win this one….

 


The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.


9 Comments

  • Andrew Johnson says:

    Web security (CDNs with integrated security) and email security (cloud hosting w/ anti-spam) have definitely already gone that route.

    I could see the CASB (cloud access) folks going the route of straight ‘access security brokers’ soon enough. “We’re handling your cloud access. How about handing us ownership of your LDAP environment?”

    • Thanks for the comments. Indeed, even something as “simple” as CASB seems to be going that way.

      >security skills scarcity will continue

      Indeed, but it will also spread to other domains where today MDR is less common. SaaS sec product with some help/service from the vendor seems to be in vogue.

  • David Bizeul says:

    I think that security skills scarcity will continue because we entered a spiral some years ago. Attacks are more and more complex, then new solutions are regularly proposed on the market with features not so easy to deal with. Even if the world is providing more and more security brains each year, there is less and less capability to deploy and manage all this required security in organizations.
    => MDR is a solution for customers to optimize skills and cloud-based-product-MDR is a solution for vendors to ensure their solution is used correctly.

  • Nir Gaist says:

    Interesting perspective, Anton, though I respectfully disagree. The industry is going through a revolution – no doubt. But are managed services really the essence of this revolution, or is it just a symptom? I believe the true revolution is actually driven by the variety and complexity of the new threat landscape that has changed dramatically in just the last 3 years. Security technologies have changed to cope with this new threat landscape. As these technologies are quite different, it will take some time for security professionals to acquire the necessary knowledge and skills – but they will eventually. Managed services will need to provide concrete security added value other than just manpower to stay relevant, when products and the baseline skill set improve.

    • >but they will eventually

      For sure, my answer is NO. Not a chance of that. I see people today who don’t have time to learn something as simple as log mgt (NOT even SIEM)…

      • Nir Gaist says:

        If Log Management is indeed a challenge, shouldn’t we have had this conversation 20 years ago rather than a few weeks ago? What happened specifically in 2018? People aren’t suddenly getting dumber – they just don’t have a full grasp on threat hunting and AI yet, and how to configure all these new technologies, how to mitigate FPs, and how to analyze and respond to APT attacks without using signatures. Asking other people to do this is OK, but over time – with automation, simplification, and training – products will ultimately win.

        • “If Log Management is indeed a challenge, shouldn’t we have had this conversation 20 years ago rather than a few weeks ago? ” <- this is a wise statement, a wise one, but also a wrong one 🙂 Yes, for sure, basic LM just as basic patching belong in the 1990s but we see orgs challenged with them today 🙁

          "People aren’t suddenly getting dumber" <- indeed, so my explanation is that "IT stuff" grows much faster than IT people, so people are maybe 10% smarter and 10% more numerous, but there is 10X more stuff to manage…. or neglect as the case may be…

          • Nir Gaist says:

            Well, as math is an exact science, it should be relatively easy to make the calculation. Approximately 1,500 new security companies were established in the past 5 years (according to Crunchbase). How many of them are really introducing a completely new approach that requires a new skill set? A significant number of them are a rip and replace of an older technology, rather than adding new stuff. Overall, not only do I doubt the “10X more stuff”, I’d even venture to say that with the overlap in new products/approaches, the rip & replace and the consolidation trend, the amount of “IT security stuff” actually DOES NOT change at all.

        • >Overall, not only do I doubt the “10X more stuff”

          10x of stuff was OF IT, not of sec gear

          1995 – secure Windows, block “bad” ports, done.
          2018: secure cloud (many types), mobile, virtual, IoT, Windows, etc, etc NOT DONE.