Cybersecurity & Networking

  • XDR Market Challenges

    XDR may succeed, but XDR vendors face deployment challenges and competition on several fronts.

    My colleague Dave Gruber and I are all over this new concept called XDR. Just what is this new acronym all about? In a recent CSO Online blog, I defined XDR as:

    An integrated suite of security products spanning hybrid IT architectures, designed to interoperate and coordinate on threat prevention, detection, and response. XDR unifies control points, security telemetry, analytics, and operations into one enterprise system.

    Hmm, sounds interesting, but is there a market for yet another type of security product?

  • To explore user perspectives around SASE solutions and elastic cloud gateway architectures, Enterprise Strategy Group recently completed a research study on the convergence of network security tools through a consolidated, cloud-delivered platform. The study explored pain points with current approaches and tools, interest in and important elements of an ECG approach, and what organizations expect to gain from implementing an ECG architecture. To explore some of the research, I invited my colleague Jon Oltsik to discuss the findings and what they mean.

    In the video, Jon and I discuss:

    • ECG interest. Suffice it to say, very few organizations are not interested in an ECG type of network security approach, but we discuss how organizations are thinking about the deployment model and anticipated business outcomes associated with elastic cloud gateways.
    • The shift to cloud-delivered network security tools. I share some Enterprise Strategy Group research findings on where the market stands in the transition to cloud, and the reasons organizations are quickly moving to a cloud-delivery model.
    • How networking fits into the architecture. We discuss how organizations see networking, and specifically SD-WAN, fitting into security overall, and an ECG approach specifically. I explain that this is a longer transition and will likely vary from company to company.
  • My colleague Dave Gruber is such a great guest that I invited him back for an unparalleled SOAPA video part 3. In our final installment, Dave and I talk about:

    • XDR deployment models. XDR deployment will be an iterative process, rolling out on a security controls replacement basis. Dave describes how organizations will have to pick a starting point and then integrate additional controls for incremental architectural benefits over time.
    • Who needs XDR? Dave and I agree that midmarket and small enterprise organizations with small security teams will gravitate to XDR sooner rather than later. We may see some industry affinity as well, in verticals like state/local government, education, healthcare, and others. 
    • XDR and the SOC. XDR won’t replace tried-and-true SOC systems like SIEM, SOAR, or threat intelligence platforms (TIPs) anytime soon so interoperability is key. The best XDR platforms will provide high fidelity alerts and forensic details to these traditional SOC technologies.
    • The future of SOAPA and XDR. As an architecture, Dave is bullish on SOAPA, believing it will continue to evolve and improve. XDR is a bit more of a wildcard, especially in the large enterprise market, but Dave and I agree that major technology suppliers are investing and resourcing XDR R&D and go-to-market efforts, so it’s likely to gain momentum. If XDR can fulfill its promise of improving security efficacy and operational efficiency, customers will come running. 

    Thanks for participating, Dave, old buddy, old pal. More SOAPA videos coming soon!

  • In part 2 of our SOAPA video, I welcome back my astute colleague, Dave Gruber. The conversation turns to XDR, a market segment that Dave and I collaborate on. I ask Dave about:

    • The definition of XDR. It’s a nebulous industry term but Dave nails it by explaining that XDR is a method for bringing controls together to improve security telemetry collection, correlation, contextualization, and analytics. There’s also an operational side of XDR to help coordinate response and remediation across multiple controls simultaneously.
    • Whether XDR is a product or an architecture. When Dave and I first put our heads together on XDR, we realized that it looks a heck of a lot like SOAPA. Since XDR is often presented as an integrated suite from a single vendor, it’s kind of a product. Alternatively, some vendors offer open APIs and a partner ecosystem, so it’s kind of an architecture as well. Regardless, it’s still definitely SOAPA!
    • Where XDR is today. Dave admits that it’s early on for XDR and current versions start with common data collection and correlation, acting as a data lake for security analysts. Many vendors are adding advanced analytics as well. The goal is to detect “low and slow” attacks that compromise systems, move laterally across networks, escalate privileges, and ultimately exfiltrate data. In theory, XDR can detect these campaigns as it has coordinated eyes on everything.

    My SOAPA video with Dave was going so well that I invited him back for Part 3 of our video. Unprecedented! Stay tuned.

  • 10 Security Changes Post-COVID-19

    Back in March, I heard from several CISOs about how COVID-19 was disrupting their cybersecurity programs and changing their priorities. A few weeks later, I connected with some CISO friends and got an update on phase 2 of their pandemic journeys.

    While no one knows when the coronavirus impact will end, we are getting a good perspective on what the new normal will look like. Here are ten changes I anticipate (in no particular order):

    1. Work from home (WFH) becomes the default model. This one is an obvious assumption, but one we can back up with data: According to ESG research, 79% of IT executives say that their organization will be more flexible about WFH policies after the pandemic subsides. Furthermore, WFH seems to be, well, working: 78% of knowledge workers report being either more productive working from home or having no change in productivity. Between productivity gains and real estate savings, WFH is a winner — and is driving lots of changes to security investment and priorities.
    2. Any remnant of a security perimeter is now dead. When I started in security nearly 20 years ago, a group of financial services companies started an organization called the Jericho Forum, which pitched the concept of de-perimeterization. While most security professionals agreed with the idea, scaling security remained a challenge, so network perimeters remained and changed slowly over time. COVID-19 may be the final security perimeter coffin nail. To support a more distributed IT infrastructure, security controls will move wholesale to endpoints — users, devices, applications, data, etc. The good news is that cloud-based management planes will make this architecture much easier to scale and operate than in the past. What are the new perimeters? Users and devices (i.e., identities) and data.
    3. Hail to the cloud. Cloud workload migration accelerated due to COVID-19 as it was easier to administer cloud infrastructure than on-premises servers, networks, and storage devices. To keep up, CISOs must ramp up cloud security hiring, training, and skills development on their teams. It’s also clear now that the public cloud is the de facto infrastructure for network security controls, consolidating SD-WAN and security services. The same is true for security analytics with data and analytics engines moving quickly to the cloud. Finally, security management planes are heading in the same cloudy direction. CISOs will need new skills for migrating data and tools and managing cloud subscriptions.
    4. The mainstreaming of attack surface management (ASM). CISOs will need better ways to collect, process, and analyze data for cyber-risk management as users and assets become more distributed and remote. This should happen quickly since most organizations have no idea about all the connections to their network and regularly discover things like previously unknown devices, misconfigured servers, default passwords, partner connections, etc. ASM will evolve from an esoteric area to an enterprise requirement. Vendors like BitSight, Bugcrowd, CyCognito, Randori, and others will benefit from this transition.
    5. Doubling down on policy management. With everything distributed, CISOs will need to work with business managers to determine who can do what from where and really (and I mean really) tighten up their security policies with granular and dynamic rule sets. Once policies are determined, they’ll also need the CIO’s help to build an infrastructure for policy enforcement and monitoring. There is a tremendous opportunity for security technologies here — vendors that build intuitive, flexible, and scalable policy management engines will clean up.
    6. Identity management gets an overhaul. Distributed security controls and policy management must be anchored by a modern identity management infrastructure — not the organically grown patchwork we’ve kludged together over the past 20 years. To ease this migration, identity will also migrate to the cloud in a hurry. This is good news for JumpCloud, Okta, and Ping, but I believe cloud service providers like Amazon, Google, VMware, and obviously Microsoft will make a big play here as well.
    7. Cyber threat intelligence at scale. COVID-19 is a global opportunity for the cyber-underworld, leading to a wave of new scams and attacks. To counteract this trend, organizations need to be able to operationalize, analyze, and hunt for threats at an unprecedented scale. This should represent a growth opportunity for threat intelligence platforms and investigation tools like Anomali, King & Union, Palo Alto Networks, RecordedFuture, ThreatConnect, and ThreatQuotient at the high end of the market. Smaller enterprises will likely dive deeper into threat intelligence services from the likes of Cisco, FireEye, IBM, and Secureworks.
    8. AI and ML, the next generation. Security teams will need to make sense of more assets, more connections, more movement, and more threats — all at once. Business management’s push for a permanent WFH structure makes this an absolute certainty, and there isn’t a security team on the planet that will be able to keep up with the new reality without help. We are currently driving up the AI/ML on-ramp, and we’ll need to get up to speed quickly. This is a wide open opportunity, but somehow, I think that companies like Devo, Google (Chronicle), IBM, Microsoft, SAS, and Splunk will play.
    9. On to serious security training. WFH and coronavirus-related scams mean the days of security awareness training as a “checkbox” exercise are over. Moving forward, I believe security aptitude will be required for most employees with compensation incentives or penalties associated with performance. Business managers will also be accountable for employee education and penalized when their team’s ignorance leads to a security breach. On the supply side, vendors will need to supplement basic compliance training with more thorough course work designed for knowledge workers.
    10. Tighter security and IT operations cooperation. Provisioning secure endpoints, cloud workloads, or network infrastructure will require security to be “baked in” rather than “bolted on.” Additionally, security policy enforcement and monitoring will need to be coordinated all over the place. In the past, security and IT operations teams had different objectives, metrics, and compensation structures. Given all the work ahead, it’s likely that organizations will measure these teams based upon common projects rather than disparate goals. This should be good news for vendors like ExtraHop, Netscout, ServiceNow, and Tanium that have technologies and experience in both areas. Security vendors will need to improve their IT operations chops if they want to keep up.

    There are lots of changes and lots to think about. More soon from me as I’m following the impact of COVID-19 closely.

  • The SOAPA video series has featured a series of prolific industry beacons representing leading security operations technology vendors. That will continue, but I thought I’d shake up the format a bit by inviting my colleague and friend, Dave Gruber, to participate. 

    Aside from his movie star good looks, I invited Dave to participate because he spent several years at Carbon Black in the EDR market, and EDR has become a primary component of SOAPA. Furthermore, Dave and I are co-covering a burgeoning segment called XDR, which is sort of a vendor-driven turnkey SOAPA offering. 

    In part 1 of our video, Dave and I chat about:

    • The role of EDR. Dave talks about how EDR monitors endpoint telemetry and works with SIEM and SOAR to accelerate and automate incident response. 
    • EDR integration. SOAPA is all about integration and interoperability for security operations. Dave says that EDR is often paired with network traffic analysis (NTA), cloud data, email security data, and other sources. Everything rolls up to the SOC for analysis, investigations, and remediation actions.
    • EDR adoption. Dave tells us about ESG research indicating that EDR is gaining market penetration, especially as part of new endpoint security suites.
    • EDR vs. MDR. I ask Dave what makes organizations buy and operate EDR as opposed to using a managed detection and response (MDR) solution. Dave explains that EDR has gotten easier and many customers want to “own” security analytics and operations. Nevertheless, MDR is a viable alternative or can be used to augment the security staff’s capacity and skills.

    Great stuff! Look for more from Dave and me in part 2 of our SOAPA video soon.

  • It’s great to be back with the SOAPA video series, albeit in a remote format. Nevertheless, I was excited to interview Hugh Njemanze, CEO of Anomali, a leading threat intelligence platform (TIP). In part 2 of our video, Hugh and I yak about:

    • The impact of COVID-19. Hugh agrees that the global pandemic has led to a steep increase in cybercrime activity. Anomali researchers are closely following this, curating COVID-19 specific threat intelligence, and sharing it with customers and the general public. 
    • Security operations technology integration. Back to SOAPA, I mention to Hugh that ESG research indicates that 84% of enterprise organizations are active or somewhat active with security operations technology integration. Anomali sees similar trends and is often integrated with security technologies like SIEM, SOAR, and NGFWs, adding the right threat intelligence for security analysis and process automation.
    • Security operations in the cloud. ESG research says that 58% of organizations prefer to purchase or are willing to purchase cloud-based security operations technologies. That’s fine with cloud-native Anomali. In the early days, Anomali assumed the role of cloud evangelist but Hugh says that SaaS-based TIPs are now mainstream. With the influence of the pandemic, threat intelligence SaaS platforms like Anomali will only gain momentum.
    • The future of security operations. Hugh believes SOAPA has a bright future, driven by the need for more integration, automation, and analytics. Security operations technologies will get simpler and more powerful. 

    Many thanks to Hugh and Anomali for participating in the SOAPA video series! Look for more videos soon. 

    It’s not surprising that IT is getting more complicated. Digital transformation initiatives are proliferating across industries, and building out hybrid and multi-cloud environments is gaining traction. The need for speed is essential—especially when it comes to networking.

    With this in mind, Cisco and Google recently announced their joint turnkey networking solution—Cisco SD-WAN Hub with Google Cloud. Google Cloud is providing hybrid and multi-cloud services, connectivity and security solutions, and Cisco SD-WAN solutions are offering single pane-of-glass SD-WAN management and secure connectivity to the cloud, streamlining operations by automating routine tasks.


    Cisco and Google Cloud recently announced Cisco SD-WAN Cloud Hub with Google Cloud, a new collaborative turnkey networking solution. Cisco’s SD-WAN capabilities (policy, security, and telemetry) merged with Google Cloud’s software-defined backbone offer organizations an effective means to ensure that security and compliance policies—as well as application service-level objectives (SLOs)—can easily extend across the network. The solution offers organizations a comprehensive way to view the end-to-end network, providing secure on-demand connectivity from customer locations, through Google Cloud’s backbone, to applications running in Google Cloud, other clouds, private data centers, or SaaS applications.


  • The SOAPA video series is back! In this global pandemic edition, I speak with Hugh Njemanze, CEO of Anomali, a leading threat intelligence platform (TIP). In part 1 of my chat with Hugh, we discuss:

    • Security operations difficulties. Enterprise Strategy Group research indicates that 63% of organizations claim that security operations are more difficult than they were 2 years ago. Hugh agrees and believes these difficulties are related to the breadth of tools and practices that are creating visibility and process gaps.
    • Issues around alert fatigue and keeping up with security threats. Hugh reminds me that security operations is a big data problem. The challenge is to find threat intelligence insights and share this data with systems of record like SIEM and SOAR. This level of integration can bolster efficiency. 
    • Operationalizing threat intelligence. I hear this requirement often, so I ask Hugh what the term means to him. Hugh responds that organizations must make better use of threat intel to trigger alerts that can help organizations capture the right data and take immediate actions.
    • Skills requirements for threat intelligence analysis. Not everyone can hire an ex-intelligence analyst, so I ask Hugh how Anomali customers can get continuous value out of their TIP. Hugh describes how Anomali Lens “reads” intelligence reports and highlights important details about adversary tactics, techniques, and procedures (TTPs) and indicators of compromise (IoCs). Furthermore, Anomali Match can then be used to compare threat indicators to historical network data. In other words, Anomali applies machine intelligence to help human beings interpret and act upon threat intelligence.

    In my humble opinion, TIPs like Anomali are an undervalued but integral part of strong security operations. Thanks to Anomali and Hugh for participating in the ESG SOAPA video series. Stay tuned for part 2.

    In addition to reporting very strong growth in its fiscal third quarter, Zscaler announced the completed acquisition of Edgewise Networks last week. At a price tag of $31 million, this won’t be a deal that turns many heads, but maybe it should. We’ve seen much of the industry shift to a cloud-delivered network security approach over the last 10 months, something ESG calls elastic cloud gateways (ECGs). In many ways, this is the logical evolution of the approach Zscaler introduced more than 10 years ago. However, the Edgewise Networks deal, along with the recent acquisition of cloud security posture management (CSPM) vendor Cloudneeti, shows that Zscaler is beginning to think beyond just user access and toward a broader approach to cloud security overall. Specifically, the addition of Edgewise Networks strengthens Zscaler’s zero-trust capabilities to address not only the workforce, but also applications and workloads.

    Edgewise certainly covers the essential capabilities for microsegmentation. Recent ESG research asked respondents for the most important attributes in a microsegmentation solution. The top factor cited by 42% of respondents was the ability to identify and map the traffic and relationships between workloads, applications, and other entities. Also of high importance is support across multiple deployment models (i.e., data center, public cloud, and containers), which was cited by 39% of respondents. Edgewise has both these bases covered.

    However, Edgewise provides an interesting take on these typical approaches to microsegmentation by adding a layer of identity authentication between applications or services. This, as well as some of the machine learning capabilities Edgewise brings to the table, could see interesting uses within Zscaler’s current zero-trust access solutions over time. Better visibility into user application access patterns, built-in identity validation, and the machine learning engine itself could all enhance Zscaler’s Private Access offering.

    One challenge Zscaler will face is getting this in front of the right people. The ownership for microsegmentation solutions remains fractured, with IT ops, SecOps, DevOps and application development, and the network security teams all potentially having input depending on the organization. Zscaler’s C-level focus should help here, as will providing solutions supporting a more well-rounded zero-trust approach. However, building DevOps credibility will be paramount.

    These recent tuck-in acquisitions have potential upside with limited risk due to the small acquisition costs. We expect to see cloud adoption continue to accelerate as organizations look for increased flexibility, agility, and cost-savings due to the impact from COVID-19. Microsegmentation capabilities to support a zero-trust approach and CSPM are two areas of security sure to benefit from the increased focus.

    I heard some alarming new statistics from IBM Security this week. With COVID-19 as a backdrop, cyber-attacks are up 14,000%, led by a spike in ransomware. IBM also revealed a 6000% increase in spam, as hackers social-engineer nervous users with fictitious coronavirus news and miracle cures. Other firms like DomainTools, FireEye, and Palo Alto Networks have reported similar data. Yikes!
