The Cybersecurity Industry

Market Landscape

6 min read · Apr 20, 2019


With the influx of cyber attacks and the growing adoption of cloud and IoT, the cybersecurity market is booming. Venture dollars invested in cybersecurity startups reached $5.4 billion in 2018, double the 2016 figure. The global cybersecurity market is currently valued at $120 billion and is expected to grow at a 12% CAGR to $300 billion USD by 2024. This market consists of a plethora of sub-markets of products and services: products account for about 40% of it, and services for 60%. Organizations typically have to combine multiple products or services to form a holistic cybersecurity program. Broadly, this is how the industry can be segmented.

Products

Security Information and Event Management (SIEM) tools sit at the center of an organization’s security program. A SIEM’s main purpose is to collect and correlate log data in order to detect anomalous activity and potential threats for investigation. This includes log data on security-related events such as a string of failed logins, possible malware activity, or multiple firewall alerts. The value of a SIEM lies in pulling this information from multiple sources (firewalls, network infrastructure, antivirus filters, etc.) and normalizing it into something useful. An organization can then write correlation rules that define exactly when an alert should fire, for example: raise an alert if the same source IP has 3 failed login attempts against the same machine within 5 minutes.
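The failed-login rule above is the classic SIEM correlation example, so here is what it looks like as running code. This is an added illustration, not code from the original post or from any SIEM product: it assumes log lines have already been normalized into a simple constructed format (`<ISO timestamp> <host> <src_ip> <outcome>`), arriving in chronological order, and applies a sliding 5-minute window per (source IP, host) pair.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original post), already normalized
# into "<ISO timestamp> <host> <src_ip> <outcome>". They contain one real burst
# (three failures against web01 from 203.0.113.7 within 4m10s), one isolated
# failure from another IP, and three failures against web02 spaced 10 minutes
# apart that must NOT trigger the rule.
SAMPLE_LOGS = """\
2019-04-20T10:00:00 web01 203.0.113.7 FAIL
2019-04-20T10:01:30 web01 203.0.113.7 FAIL
2019-04-20T10:02:00 web01 198.51.100.9 FAIL
2019-04-20T10:04:10 web01 203.0.113.7 FAIL
2019-04-20T10:04:30 web01 203.0.113.7 SUCCESS
2019-04-20T10:20:00 web02 203.0.113.7 FAIL
2019-04-20T10:30:00 web02 203.0.113.7 FAIL
2019-04-20T10:40:00 web02 203.0.113.7 FAIL
"""

THRESHOLD = 3                 # failed attempts that trigger the alert
WINDOW = timedelta(minutes=5) # time span in which they must occur


def parse(line):
    """Split one normalized log line into (timestamp, host, src_ip, outcome)."""
    ts, host, src, outcome = line.split()
    return datetime.fromisoformat(ts), host, src, outcome


def correlate(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window correlation rule.

    Keeps, per (src_ip, host) pair, the timestamps of failures seen within the
    last `window`. When that deque reaches `threshold`, an alert is emitted and
    the deque is cleared so the same burst does not re-alert on every extra
    failure. Assumes lines arrive in chronological order, as a SIEM stream does.
    """
    recent = defaultdict(deque)  # (src_ip, host) -> deque of failure timestamps
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, host, src, outcome = parse(line)
        if outcome != "FAIL":
            continue  # successes are not counted (a real rule might reset here)
        key = (src, host)
        q = recent[key]
        q.append(ts)
        # Drop failures older than the window relative to the newest event.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "rule": "repeated_failed_logins",
                "src_ip": src,
                "host": host,
                "count": len(q),
                "first_seen": q[0].isoformat(),
                "last_seen": ts.isoformat(),
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS.splitlines()):
        print(alert)
```

Running it yields exactly one alert, for 203.0.113.7 against web01; the web02 failures are too spread out and fall out of the window one by one. Two design points carry over to real rules: the window is measured relative to the newest event rather than on fixed clock boundaries (so a burst straddling 10:04/10:05 is still caught), and the state is keyed on the pair the rule text names, not on the source IP alone.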

Database security tools help protect databases and critical data from compromise, cyber attacks, and illegitimate use. These tools help an organization discover and classify its data assets, find vulnerabilities in those databases, and monitor activity against them. Real-time analytics and alerts on anomalous activity can be forwarded to a SIEM. Another key use case of database security tools is ensuring privacy compliance as required by HIPAA, GDPR, etc. This covers a variety of functionality such as enforcing separation of duties, role-based access, and auditing and reporting capabilities.

Application security tools help make web applications more secure by finding security vulnerabilities during the development lifecycle. This includes static scan testing, code scans at fixed points in app development, which can surface vulnerabilities such as SQL injection and cross-site scripting. Dynamic scanning tests a live, running application and provides visibility into more complex attack patterns that static scanning cannot catch. Some tools also provide a holistic view of all your applications so that you can manage application risk and prioritize the vulnerabilities your team needs to fix.

Identity and Access Management (IAM) solutions are designed to ensure employees have the proper access to applications and data by defining and maintaining the roles and privileges of individuals. This is fairly big in scope. Governance tools orchestrate the user lifecycle, the process by which a user onboards to and offboards from the company. Access tools monitor each of the applications a user has access to and provide a centralized place to grant access requests. Organizations also leverage single sign-on (SSO) solutions or password managers for ease of authentication to multiple applications. All of this activity needs to be logged as well, with rules set against it (for example, block a user’s access to an application if they don’t belong to the development team) so that the risk each user represents can be understood.

Threat Intelligence tools provide open-source intelligence, context, and advice on how to respond to potential threats or attacks seen across the industry. This data consists of Indicators of Compromise (IOCs) such as IP addresses, URLs, domain names, file hashes, etc., that are known to be malicious. It can then be fed into security solutions such as the SIEM so that an alert triggers when the threat is seen. Mature organizations can also engage in threat hunting to proactively look for threats that might already be persisting in their network.
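Feeding IOCs into a SIEM means matching indicators of several types (IP, domain, hash) against event fields, and in practice most of the work is normalization: feeds mix case, carry trailing dots on domains, and a malicious domain should also match its subdomains without matching look-alike names. The following is an added example, not code from the original post or from any threat-intelligence product; the indicator feed and the proxy log lines are constructed (the SHA-256 value is the well-known hash of an empty file, used here purely as a stand-in).

```python
# Constructed indicator feed (hypothetical values, not from the original post).
# Values are deliberately left unnormalized to show why normalization matters:
# mixed case, a trailing dot on the domain, an upper-case hash.
CONSTRUCTED_IOCS = [
    ("ip", "203.0.113.45"),
    ("domain", "Bad.Example."),
    ("sha256", "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"),
]

# Constructed proxy log lines: "<ISO timestamp> <src_ip> <dst_ip> <domain> <sha256|->".
# Line 1 hits an IP and a subdomain of a listed domain; line 2 hits the hash;
# line 3 uses a look-alike domain ("notbad.example") that must NOT match.
CONSTRUCTED_PROXY_LOGS = """\
2019-04-20T11:00:00 10.0.0.5 203.0.113.45 cdn.bad.example -
2019-04-20T11:01:00 10.0.0.6 198.51.100.20 www.example.org e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2019-04-20T11:02:00 10.0.0.7 198.51.100.21 notbad.example -
"""


def normalize(kind, value):
    """Canonicalize an indicator so feed values and log values compare equal."""
    value = value.strip()
    if kind == "domain":
        return value.lower().rstrip(".")  # DNS names are case-insensitive; drop root dot
    if kind == "sha256":
        return value.lower()              # hex digests compare case-insensitively
    return value                          # IPs are used as written


def build_index(iocs):
    """Group normalized indicators by type for O(1) lookups."""
    index = {"ip": set(), "domain": set(), "sha256": set()}
    for kind, value in iocs:
        index[kind].add(normalize(kind, value))
    return index


def domain_candidates(domain):
    """Return the domain and each parent domain, label by label, excluding the
    bare top-level label so a TLD indicator can never match everything."""
    labels = normalize("domain", domain).split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def match_events(lines, index):
    """Scan proxy log lines and return one alert per line that hits an IOC."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, domain, sha = line.split()
        hits = []
        if dst in index["ip"]:
            hits.append(("ip", dst))
        for candidate in domain_candidates(domain):
            if candidate in index["domain"]:
                hits.append(("domain", candidate))
                break  # report the most specific listed parent only
        if sha != "-" and normalize("sha256", sha) in index["sha256"]:
            hits.append(("sha256", normalize("sha256", sha)))
        if hits:
            alerts.append({"ts": ts, "src_ip": src, "indicators": hits})
    return alerts


if __name__ == "__main__":
    idx = build_index(CONSTRUCTED_IOCS)
    for alert in match_events(CONSTRUCTED_PROXY_LOGS.splitlines(), idx):
        print(alert)
```

The look-alike line is the case worth keeping in mind: a naive `endswith("bad.example")` check would flag `notbad.example`, whereas splitting on labels only matches true subdomains. Matching the most specific listed parent also keeps the alert tied to the indicator an analyst can actually look up in the feed.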

Incident Response solutions are used to respond to a cyberattack or threat. This consists of defined procedures and policies to follow, and tools that can automate a response workflow in the event of a breach. For example, when a user’s machine is infected with malware, the Incident Response team can invoke a defined ‘malware’ playbook that automates identifying the malware and blocking that computer’s access to company data.

Endpoint security refers to the protection of an endpoint device (any Internet-capable computing device such as a laptop, phone, or printer). Responsibility rests on securing each specific device, but organizations usually have a centralized management console for capturing logs and enforcing network-wide policies. To secure endpoint devices, these solutions use encryption on the endpoint to prevent data leaks and application controls to prevent users from downloading or executing insecure applications. Endpoint tools give organizations a holistic view of all their devices, continuous monitoring, and patching where needed.

Network security is really a combination of defenses at the network traffic layer to ensure that data transfer is secure. Where endpoint protection covers the devices themselves, network security focuses on how those endpoints interact and on the connective tissue between them. Network security starts with Network Access Control (NAC), a check on whether a user or device should have access to the network at all, and extends to defining policy scenarios and managing guest network access. Antivirus and antimalware tools scan for malware upon entry into the network, firewalls define rules to block external traffic to the internal network, and intrusion prevention systems (IPS) scan network traffic to block attacks. Other network tools that protect unaware employees include email security solutions that detect threats such as phishing, web security tools that identify malicious websites, and data loss prevention (DLP) that protects data actively being used on an endpoint.

Cloud security is still the protection of your data and applications, but without physical servers to manage, organizations use tools to monitor and protect the information held in their cloud resources. Many cloud platforms now build such tools into their cloud services out of the box. It’s also important for organizations to understand how their third-party services are safeguarding their data. Cloud security is getting increasingly complex as organizations deploy apps and workloads across different cloud environments, and it is tough to get a comprehensive picture.

Services

Managed Security Services (MSS) are services sold to organizations to, in essence, run their security program for them in whatever capacity is needed. These service providers leverage the products above but generally ensure they fit the needs of the organization. Each provider has its own target market in terms of the services it offers and its expertise. For organizations, this removes the need to build a security team in house.

Security Strategy and Consulting is offered by the big service providers as well, to help organizations build a strategy and implement a security program. This includes identifying gaps in the current program, allocating resources, and helping build a roadmap for program maturity.

The Next Big Challenge: Integration

You might think that there are too many tools that, while each serves a specific purpose, need to work together, and you wouldn’t be wrong. With the number of vendors in each of those markets, it’s extremely challenging. A 2017 survey of 412 IT and security professionals found that 40% of respondents use between 10 and 25 security tools. Another 30% use between 26 and 50 tools. In another survey by Ovum, over 73% of respondents (financial services companies) were running more than 25 security tools. These tools are not all for separate use cases, either: some 53% of large companies have deployed three or more endpoint security networks. “Cyberdefense is about having an integrated set of tools that work together to prevent attacks,” said Crowell, a former deputy director of the U.S. National Security Agency. “But the industry now has a thousand points of light and no illumination.”

A report from Research and Markets finds that “one of the main barriers to adoption of SaaS security among large enterprises is the integration challenges of SaaS-enabled applications with the existing IT infrastructure”. These products do not share a common language or protocol, take development effort to integrate, and don’t leverage each other’s insights. In addition, when these tools do not align well with each other, security programs are left with either big gaps in coverage or overlaps that render some features redundant.

A study from Cisco finds that 62% of enterprises are looking to consolidate their vendors, and 82% are actively building an architecture that integrates multiple individual products. We already see large vendors making moves to provide more holistic products and a one-stop shop for organizations. Splunk’s logging platform, combined with its acquisition of Phantom’s incident response product, provides a tighter integration stack. Cisco acquired a cloud-based identity and access provider, Duo Security, to bolster integrations with its network and cloud security products. It’ll be interesting to see this develop further in the next few years and how this industry will continue to change. I believe that this challenge will shape the future and determine who will emerge as the market leaders.


Product Management | UC Berkeley ’16 Economics & Public Policy | Personal @ https://medium.com/@richielife