As 2019 winds down, security analysts like me tend to compile a list of industry predictions. I’m still working on a comprehensive list, but I’m extremely confident that we are about to see some unprecedented changes in enterprise security technology. These changes are already happening behind the scenes, but they will become much more visible in 2020 and beyond.
So, what’s happening? Cybersecurity has become a business-critical, extremely dynamic, massively scalable, and highly specialized discipline, but we still approach it with disconnected point tools, with manual processes, short-staffed, and with limited skills. As they say down south, "that dog don’t hunt."
Over the next few years, these legacy tactics will become obsolete. Instead, large organizations will rely on cybersecurity technology infrastructure based upon:
- Tightly coupled cybersecurity technology platforms. CISOs will abandon their historical preference for best-of-breed point tools in favor of cybersecurity platforms featuring five tightly coupled components: 1) endpoint/cloud workload security, 2) network security, 3) file detonation sandboxes, 4) threat intelligence, and 5) advanced analytics to bring everything together. While standards will emerge to make it possible to glue together disparate tools, many large organizations will opt for a single vendor platform for the whole enchilada. The benefits of tight integration, vendor partnerships, and streamlined operations will outweigh any incremental differences between individual point tools.
- Cloud-based central management with distributed enforcement. The concept of a cybersecurity technology platform will also greatly expand as different security “services” come together under a cloud-based management plane. ESG’s elastic cloud gateway (ECG) is one example of this burgeoning technology trend. The management plane will oversee activities like configuration management, policy management, monitoring, etc. Actual security controls will be distributed on premises, at the network edge, in the public cloud, etc., and be capable of extremely granular policy enforcement rules customized to individual applications, servers, users, etc. As this happens, the “brains” behind security technology will move to the cloud while actual hardware- and software-based security controls morph into high-performance security switches.
- Massive SOAPA engines. Behind the scenes, SIEM and other security analytics tools will also come together as a massively scalable security operations and analytics platform architecture (SOAPA). Beyond architecture however, we’ll see exponential changes in the scope and uses of SOCs. Machine data collection and processing will explode. Threat and vulnerability data correlation will vastly improve, making it easier to drive security decisions based upon exploitable vulnerabilities and tested weaknesses. Risk management data will also become much more visible and accessible, finally linking business and cyber-risk. Of course, machine learning algorithms will vastly improve and be strung together to form nested algorithms that complement each other for improved accuracy. Finally, SOC tools will start to benefit from years of research into visual analytics. User interfaces will be customized for different skill sets using displays like VR, large plasma screens, and various mobile devices.
- Automation and services baked into products. Much of the typical day-to-day security operations grunt work will be automated, freeing the security team to work on protecting business assets/processes and focusing on high-priority events. This will include policy automation based upon users, locations, network flows, or the business value of assets. Once users and devices gain access through strong multi-factor authentication, least privilege privilege/zero-trust relationships will be suggested and/or enforced from end to end, greatly decreasing the attack surface. To address security complexity, technologies will be instrumented with highly intelligent “helper apps,” while actual human beings are always available to look over the cybersecurity staff’s shoulders to suggest best practices, call out an issue, or lend a hand.
This future architecture isn’t exactly a secret. I’ve been tracking it as an evolution of SOAPA while my colleague Dave Gruber calls in XDR. Slight differences in development and piece parts but the same overall endgame. The integrated adaptive cyber defense (IACD) out of DoD/DHS and John’s Hopkins presents a similar vision.
This won’t happen overnight but as it does, big cybersecurity vendors like Check Point, Cisco, FireEye, Forcepoint, Fortinet, IBM, McAfee, Microsoft, Palo Alto Networks, Rapid7, Symantec, or Trend Micro will have a distinct advantage. One or a few of these will out execute the others to become $5 billion cybersecurity vendors by 2022. Cloud vendors like Amazon and Google could elbow their way into the pool as well as a few visionary smaller firms like CrowdStrike, Cybereason, Zscaler, etc.
As this happens, it will greatly centralize the center of power for cybersecurity technology. Startups will have a finite window to prove their worth, partner with the big guys, and then get bought or die.
These changes will take a while to come together but the pace of technology and market changes will be much faster than in the past. Meanwhile, new types of threats and massive data breaches and critical infrastructure interruptions will encourage CISOs to think outside the box and accelerate big architectural transitions.
Change is coming, and it will be bigger and sooner than most people think. Next year, and the next decade, should be very interesting.