Cybercriminals may be more aggressive than ever, but security vendors are responding with new technologies – and enterprises are investing in them.
Those were some of the recurring themes at this week's Gartner Security Summit in National Harbor, Maryland, where more than 3,400 IT executives gathered to hear the latest in cybersecurity trends and technologies.
State of the security market
Gartner analyst Dale Gardner provided an update on the security market and spending trends. The overall security market is expected to grow by 8.5% this year to $96.6 billion, with most of the growth and sales coming in enterprise technologies. The relatively small $4.75 billion consumer market remains flat.
Services is the largest enterprise security market at $57.72 billion, as buyers have expressed a preference for service delivery, followed by infrastructure at $17.54 billion, network security at $11.92 billion, and identity and access management at $4.72 billion.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
Perhaps not surprisingly, the EU's General Data Protection Regulation (GDPR) is driving a great deal of growth in security spending, with business in the EU setting aside an average of $1.4 million for compliance, and affected U.S. businesses spending $1 million – and in some cases up to $10 million – to comply with the new data privacy and security law.
Gardner and fellow analyst Deborah Kish found in a survey of 480 global security buyers that cloud access and security broker (CASB) products top the list of planned spending for the next two years, followed by privileged access management, user and entity behavior analytics (UEBA)/employee monitoring, application security testing, encryption/tokenization, security information and event management (SIEM), endpoint detection and response (EDR), security awareness and training, data loss prevention, and secure email/web gateways (see chart below).
Finding the best fit for the buyer's current challenges and environment is the top driving force in selecting a vendor, followed by value and ease of deployment, they found.
Vulnerabilities drive security products and spending
One common theme at the conference is just how vulnerable enterprises are. A number of vendors trotted out statistics showing how many vulnerabilities a typical enterprise has – and how their products can discover and plug those security holes.
Darktrace CEO Nicole Eagan said 95% of her company's trial deployments detect vulnerabilities, and that 80% of the Fortune 500 has been infiltrated. In a real-time demo for eSecurity Planet, XM Cyber sales engineer Uri Eden found that 98% of one company's assets were vulnerable to attack because of easy fixes like missing patches, RDP vulnerabilities and lack of admin restrictions. ReliaQuest has found that the average enterprise has visibility into only 28% of its network – a figure ReliaQuest CEO Brian Murphy said the company can boost by 38% with its managed SIEM and detection and response services.
In an interview with eSecurity Planet, McAfee Chief Scientist Raj Samani discussed the company's massive threat research operations and his efforts with law enforcement and governments to fight issues like ransomware and cyber warfare – research he says winds up in the company's products.
"Every single thing we do goes directly into the products," he said.
Vulnerabilities and credentials are available on the dark web for cheap, he noted, and cyber criminals can turn publicized vulnerabilities into major exploits in a short amount of time. Attackers are "evolving and innovating at a pace we've never seen before," he said.
"The bad guys read the research," he said.
And with security issues extending to critical infrastructure, cars, planes and point-of-sale (POS) and medical devices, the stakes are only getting higher.
"We're not looking for absolute security," Samani said. "We're just looking to make it slightly more difficult" so the bad guys get frustrated and move on to an easier target.
He expressed frustration that the work of security researchers often doesn't get through to end users. "When social media has been used to manipulate your vote, why are people still using it?" he asked. "If people care about what we are doing, why is it not sinking in?"
Jon Green, chief technologist for security at HPE Aruba, discussed the growing variety of connected devices – an issue he said calls into question the "Zero Trust" security model, which, in short, means that everything must be verified before being allowed to gain access to systems.
In the era of IoT, Green said, "you have no idea what's in" some of the new devices connecting to the network. Detection and response remains a strong need, he said, and technologies like UEBA and network access control need to work together to protect networks and data.
Gartner analysts discuss analytics, threat simulation products
Not surprisingly, security products were front and center at the event, from presentations to the 200+ vendors filling the exhibit hall.
Gartner analysts Anton Chuvakin and Augusto Barros discussed new "breach and attack simulation" (BAS) tools, which can find vulnerabilities, similar to pentesting except the new threat simulation tools are continuous and consistent.
They listed nine BAS vendors for companies to consider: the aforementioned XM Cyber, SafeBreach, AttackIQ, Verodin, Cymulate, Picus, Threatcare, Circumventive and Pcysys.
Gartner analysts Jeremy D'Hoinne and Toby Bussa listed security analytics tools in order of maturity (see slide below), with SIEM tools at the foundation of a security operations center and UEBA and security orchestration, automation and response (SOAR) tools at the top, or "forward leaning" in their words. In the middle are threat intelligence, sandboxing, network traffic analysis and EDR. They recommended combining solutions that offer near real-time detection with those that provide incident response and forensic analysis.
Solution to security skills shortage: Start your own training
Much has been made of the shortage of cybersecurity professionals needed to fight all the threats – and just as much on the unwillingness of companies to invest in training to bridge the cybersecurity skills gap.
Joe Partlow, CISO of managed security service provider ReliaQuest, came up with his own solution: He built a training simulator that can train a security analyst in four weeks, about two years less than it currently takes. The end result has been a steady stream of new employees and greater than 90% employee retention.
ReliaQuest also offers the training to customers for free, with the only requirement that the trainee bring a business case to work on. The company trains about 1,000 security professionals a year, "bigger than most training companies," said CEO Brian Murphy.
ReliaQuest is also working on a partnership with a university to give the trainees basic networking skills and other prerequisites they often lack.
Paul Shread is editor of eSecurity Planet and an editorial director of QuinStreet B2B Technology.