This week, despite fears of Coronavirus, tens of thousands of security professionals and hundreds of vendors descended on San Francisco for the 2020 edition of RSA Conference. Walking around the exhibition floor, you could see some truly cutting-edge technologies aimed at tackling organizations’ biggest security issues. The security industry is still playing catch-up after the massive leap forward made in malware capabilities over a decade ago – a leap that made APT attacks, ransomware and rampant identity theft possible – so seeing another wave of security tools better equipped to handle these threats is always great.
However, while the cutting-edge solutions offered by the industry are pushing the boundaries of what’s possible, it seems the companies that developed them had one major market in mind – the large enterprises. This is not in any way surprising: after all, only large enterprises can pay the premium for the latest technology, which without a doubt costs the vendors quite a lot to develop. This goes beyond mere pricing: most solutions are designed with security professionals in mind – SOC analysts, threat hunters, threat intelligence analysts and CISOs. However, this focus on large enterprises has a major side effect: it creates a long tail of insecurity. After all, most businesses are not large enterprises; they do not have massive security budgets, SOCs or even cyber security specialists. As in many industries, the expectation is that the latest technology will eventually “trickle down” to the common user, but since cyber attacks are threatening organizations today, the cyber security space has an urgency that does not exist in other industries.
Unless the goal of this industry is to turn security into the privilege of the few large enterprises that can afford it, the industry has to change its focus and make the latest technology, services and capabilities available to all. This will require more than creating new pricing models or go-to-market strategies – the solutions themselves must change. When a solution is built for security professionals, it is designed in a certain way – it will be feature-rich to enable the flexibility that is much needed in a SOC environment and for the work of a professional. However, for smaller organizations, this flexibility may mean a mountain of options that will only make the solution harder to use. Integrations may be available, but most likely through APIs, which let security teams write scripts that connect these solutions to the existing tools in their ecosystem. Expecting small organizations to write integration scripts, however, is not realistic.
The security industry seems to have an answer for that – MSSPs. If you can’t do it yourself, or couldn’t be bothered to do it yourself, outsource it. The MSSPs will bring the knowledge, the tools and everything needed to keep the organization secure. While MSSPs do provide a great and important service, they are not a solution that fits all – be it due to pricing, a unique infrastructure, or any other reason. When that is the case, organizations should still have the tools to protect themselves.
The problem lies in the very nature of the technology we all use on a daily basis. By default, most technologies are insecure. Install a mail server, and it will enable malware embedded in documents to reach its users. Write a web application using PHP and MySQL, and unless you have taken specific and active measures to prevent it, attackers could use SQL injections to loot your data. Even the cloud, a much more recent and modern solution, is filled with so many options and controls that it is a hotbed for misconfiguration and therefore insecurity. This leads to patches upon patches of security solutions – for the mail, for the network perimeter, for endpoint security. Organizations that lack a massive security budget, but have reached the point of implementing some of these technologies, not only have a hard time covering all their bases, but when they do, it is usually without the protection of the latest cutting-edge solutions.
The security industry should still invest considerable effort in fighting the latest threats; otherwise there would be no cure for them. However, we should also start investing in the accessibility of these technologies, from pricing to design, to ensure that the tail becomes shorter.