Gartner Blog Network


Is Security Just Too Damn Hard? Is Product+Service The Future?

by Anton Chuvakin  |  June 21, 2018  |  10 Comments

OK, I got a catchy headline, now what? :-) This is another philosophical post about the fate of our beloved domain of cyber.

Specifically, we all remember Dan Geer’s classic quote “Internet security is quite possibly the most intellectually challenging profession on the planet” and most of us doing security read it optimistically (as in “oh yeah, we are pretty damn smart!”)

However, many IT leaders and more senior managers read the same line pessimistically, it seems. They read it as “oh no, security is too hard for us to do” and “security products are too hard for us to use”, which are one step away from the hopeless “we’ll get hacked anyway, whether we do anything or not.”

So, if you recall my post about SIEM futures, I alluded that “SIEM is too hard for many organizations” and they see the answer in either outsourcing (->MDR) or automating (->UEBA). Succeeding with either involves copious amounts of luck, to be sure….

But what if I told you that we are starting to see the same trend for many other security product categories!? For example, we see many EDR deployments fail, and then eventually get saved by managed EDR (a type of MDR) services. One EDR provider (selling tools) essentially became a near-exclusively managed EDR (a sub-type of MDR) provider (selling services with their tools).

This may mean that we are approaching “peak security product” as there are a/ not enough people to use the products and, worse, b/ there are not enough skilled people to use the products that require skilled people. In light of this, I take a VERY (and I mean … VERY!) dim view of many recent security startups. Guys, rethink software/SaaS/appliance selling! There is nobody to use your stuff out there in the real world….

To finalize, I think a revolution is coming. The revolution that will sweep away many security products and replace them with “product-service fusions” where you pay one amount for using the tools together with ongoing help with their operation. Today, the best examples of this trend are various MDRs (including managed EDRs), co-managed SIEM shops and other product vendors that offer tools-with-services.

Notably, this revolution may or may not mean that MSSPs are out to make a killing. Many MSSPs are hopelessly stuck in the past, addressing the late 1990s demands like firewall rule changes and super-basic-bordering-on-fake event monitoring (“today only! deep insight from IDS logs! no other data required!”). I think MDRs and smart product vendors will win this one….

 


Category: monitoring  mssp  security  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on Is Security Just Too Damn Hard? Is Product+Service The Future?


  1. Andrew Johnson says:

    Web security (CDN’s with integrated security) and email security (cloud hosting w/ anti-spam) have definitely already gone that route.

    I could see the CASB (cloud access) folks going the route of straight ‘access security brokers’ soon enough. “We’re handling your cloud access. How about handing us ownership of your LDAP environment?”

    • Thanks for the comments. Indeed, even something as “simple” as CASB seems to be going that way.

      >security skills scarcity will continue

      Indeed, but it will also spread to other domains where today MDR is less common. SaaS sec products with some help/service from the vendor seem to be in vogue

  2. David Bizeul says:

    I think that security skills scarcity will continue because we entered a spiral some years ago. Attacks are more and more complex, then new solutions are regularly proposed on the market with features not so easy to deal with. Even if the world is providing more and more security brains each year, there is less and less capability to deploy and manage all this required security in organizations.
    => MDR is a solution for customers to optimize skills and cloud-based-product-MDR is a solution for vendors to ensure their solution is used correctly.

  3. Nir Gaist says:

    Interesting perspective, Anton, though I respectfully disagree. The industry is going through a revolution – no doubt. But are managed services really the essence of this revolution, or is it just a symptom? I believe the true revolution is actually driven by the variety and complexity of the new threat landscape that has changed dramatically in just the last 3 years. Security technologies have changed to cope with this new threat landscape. As these technologies are quite different, it will take some time for security professionals to acquire the necessary knowledge and skills – but they will eventually. Managed services will need to provide concrete security added value other than just manpower to stay relevant, when products and baseline skill set will improve.

    • >but they will eventually

      For sure, my answer is NO. Not a chance of that. I see people today who don’t have time to learn something as simple as log mgt (NOT even SIEM)…

      • Nir Gaist says:

        If Log Management is indeed a challenge, shouldn’t we have had this conversation 20 years ago rather than a few weeks ago? What happened specifically in 2018? People aren’t suddenly getting dumber – they just don’t have a full grasp on threat hunting and AI yet, and how to configure all these new technologies, how to mitigate FPs, and how to analyze and respond to APT attacks without using signatures. Asking other people to do this is OK, but over time – with automation, simplification, and training – products will ultimately win.

        • “If Log Management is indeed a challenge, shouldn’t we have had this conversation 20 years ago rather than a few weeks ago? ” <- this is a wise statement, a wise one, but also a wrong one :) Yes, for sure, basic LM just as basic patching belong in the 1990s but we see orgs challenged with them today :-(

          "People aren’t suddenly getting dumber" <- indeed, so my explanation is that "IT stuff" grows much faster than IT people, so people are maybe 10% smarter and 10% more numerous, but there is 10X more stuff to manage…. or neglect as the case may be…

          • Nir Gaist says:

            Well, as math is an exact science, it should be relatively easy to make the calculation. Approximately 1,500 new security companies were established in the past 5 years (according to Crunchbase). How many of them are really introducing a completely new approach that requires a new skill set? A significant number of them are a rip and replace of an older technology, rather than adding new stuff. Overall, not only do I doubt the “10X more stuff”, I’d even venture to say that with the overlap in new products/approaches, the rip & replace and the consolidation trend, the amount of “IT security stuff” actually DOES NOT change at all.

        • >Overall, not only do I doubt the “10X more stuff”

          10x of stuff was OF IT, not of sec gear

          1995 – secure Windows, block “bad” ports, done.
          2018: secure cloud (many types), mobile, virtual, IoT, Windows, etc, etc NOT DONE.





Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.