Gartner Blog Network


Security Market Madness

by Augusto Barros  |  January 20, 2016  |  3 Comments

There has been a common feeling of confusion these days during vendor briefings about "what the product is about". It's crazy, but we've been spending a lot of time just trying to match the products to existing definitions. It could be just a case of outdated definitions and the need to create new ones (Noooooooooo), but it's deeper than that: we are seeing many different capabilities being packaged in completely different ways. So, you talk to a vendor known as an "Endpoint Detection and Response" vendor, who could also be seen as a regular (or NG) Antivirus vendor or, wait for it, a behavior analytics tool vendor!

That's not only confusion for us analysts; it also makes it harder for clients to assess and select products. We know it is happening because, when we talk to clients and vendors, we see tools presumably from different "categories" competing against each other in the same initiatives. There are organizations out there comparing a UBA tool with EDR, or NFT with SIEM, etc. Why is this happening?

I can see two possible explanations:

  • No one has a clue about what they need to buy or even what they need: This is the cynic in me speaking. Organizations work in a frantic reactive mode under the pressure of "doing something", converting that into "buying something" without necessarily knowing what is necessary and what should be bought. Of course, this is a very common and well-known path to failure.
  • Organizations are approaching the same problems in vastly different ways: There is the old saying that there are "many ways to skin a cat". There are many ways of "doing security" too. Security organizations can be split into different roles and groups, using different sets of tools and building on top of different architectures. Of course, much of it will be very similar, but there's room for different approaches. The diversity in product packages could be explained by organizations approaching the vendors with the same requirements grouped in different sets according to how they choose to operate.

I believe the truth is somewhere between those two. Is there anything else I'm missing here? Maybe the incentives for vendors to get VC funding are shaping how they present their offerings too? What do you think is behind this craziness?

Anyway, I believe the RSA Conference next month will give us a good opportunity to try to answer that. Let's see what the Expo floor will look like and what people will be saying there.

Tags: products  rsa  vendors  

Augusto Barros
Research VP
3 years at Gartner
21 years IT Industry

Augusto Barros is Research VP in the Gartner for Technical Professionals (GTP) Security and Risk Management group. Read Full Bio


Thoughts on Security Market Madness


  1. Andre Gironda says:

    As well as trumpeting the horn of frameworks again, I’ll attempt to clarify it a bit in this response.

    We need models, frameworks (that fit the model), and platforms (that fit the models and the frameworks). The platforms support the frameworks much like technology supports a business process.

    The NIST CSF is the best outcomes-based framework we have today. However, I believe it can use some simplification and trending towards in-business reality. What are organizations actually doing? How do we extract the current-running, working model of cyber from the paper framework into a reality framework?

    EDR, UBA, NGAV, NGFW, NFT, and SIEM all fit cleanly into two buckets: Cyber Investigations (i.e., DFIR, Hunting, NFR), and Cyber Defense (UBA, SIEM, NGAV, NGFW). EDR is a technology, much like Deception Systems, that can be used across Cyber Investigations and Defense. Deception Systems can be used along with Red-Teaming Analysis, Cyber Intelligence (including Threat Intelligence), and Vulnerability Management in a Cyber Operations program. In my view of the model, Cyber Operations is the decision maker over Cyber Investigations and Cyber Defense, but this is partially off-topic.

    EDR for Cyber Investigations works differently than for Cyber Defense. In Cyber Investigations, the goal is to keep the agents and the collection of artifacts away from adversaries (e.g., https://github.com/google/grr/blob/master/docs/DONT_EDIT_admin.adoc#obfuscation). In Cyber Defense, EDR is meant to close the loop (to tie in with UBA, NGAV through app whitelisting, NGFW through blocking shims, sandbox-exploding technology, et al), e.g., https://www.sans.org/reading-room/whitepapers/forensics/investigative-forensic-workflow-based-case-study-vectra-cyphort-36522 — or — https://github.com/Netflix/Fido

    We are lacking a cohesive framework that explains the platform integrations cleanly enough — especially for a clear big-picture technology fit. OWASP has OpenSAMM for appsec. I believe it can be reused for these purposes, but it’s not completely straightforward, especially with competing competencies in Cyber Investigations, Defense, and Operations.

  2. […] here at Gartner have to overcome the same challenges as end users – we are seeing the same thing – but of course it is our task to shed some light on these and help end users navigate this […]


