After a boisterous 2015, 2016 looks gloomy for the cybersecurity industry as the market correction and uncertain macro economic environment set in. Last year, investors on Sand Hill Road poured $3.8 billion into security startups, many of which will not make it to the end of this year.
The uncertainty stems well beyond valuations. Entrepreneurs and their investors assumed the chief information security officers (CISO) would clamor for new budget to embrace all of the latest security technology in a bout of paranoia. From our vantage point as an enterprise IT investor in New York, the sentiment in the buyer market is far more rooted in practicality. “I don’t want more budget, I just want a solution that works,” said the CISO of a multinational pharmaceutical and medical device manufacturer in the trenches of evaluating new security technologies fit for cloud environments.
Why are many new security products ill-fit for the enterprise? Smart entrepreneurs with expertise in big data and other technology domains are entering the industry expecting a gold rush. Few, however, have the security expertise to build a product tuned to customer requirements. For example, this year the RSA Conference was swarming with Silicon Valley machine learning experts touting preventative security analytics. Without domain expertise and proof beyond theory, it’s all just “snake oil,” as a Global 2000 security director recently commented to me. Despite this skepticism, Forrester Research pegs 2015 spend on cloud security solutions at half a billion dollars.
The market correction sending shock waves across the industry is opportunistic for CIOs and CISOs to weed through the hype and identify and assess the most important and fastest growing cloud security categories. Last year, cloud access security brokers (CASBs) such as Netskope, Skyhigh Networks, Adallom (acquired by Microsoft), and Perspecsys (acquired by Blue Coat Systems) gained significant momentum by merging once disparate SaaS application security capabilities into a single platform. None of the security control features of a CASB are novel relative to their respective on-premise counterparts. But, CISOs justify the CASB because the one-stop-shop approach eliminates the need to orchestrate new products or redirect old ones to work in the cloud.
This year, a new ecosystem is forming around the next logical step in the cloud security conundrum – the protection of underlying hybrid infrastructure that powers proprietary enterprise applications. Based on uptick in cloud infrastructure security pilots and vendor bake offs at Global 2000s, the most forward-thinking CISOs are already well along this path in 2016. In fact, signals indicate this year will be the breakthrough year for cloud infrastructure security. CISOs recognize that hybrid cloud, software-defined technology, and microservices architectures create new attack vectors that traditional perimeter-based security solutions cannot accommodate. The “aha” moment happens when CISOs realize that cloud-native security solutions have the added benefit of increasing infrastructure utilization.
CISOs developing a roadmap to secure their cloud environments should be prepared for significantly more orchestration work than for securing SaaS. With the extra work will come significant rewards. Bold CIOs and CISOs will take a leap of faith and partner with security innovators to orchestrate their own cloud security systems composed of:
An infrastructure workload segmentation engine
Based on a security paradigm referred to as micro-segmentation, the workload segmentation engine segments the virtualized data center and cloud environments into smaller, more discrete pieces that can have their own set of policies – namely, application workloads. Individual application workloads are tagged and classified by a variety of attributes such as role, environment, or physical location to be further analyzed by downstream components of the cloud security system. vArmour, Illumio, VMware (NSX), and CloudPassage all offer an infrastructure workload segmentation engine.
- What CIOs and CISOs need to know: Choose a vendor that fits your preferred deployment architecture, whether it be a networking or an agent-based model. The networking flavor offers the most comprehensive visibility to identify points of attack, while the software-agent flavor can be easier to implement at the outset. (The catch with the agent method is that if a workload is compromised, the attacker will simply turn off the agent and continue on its destructive path. Agent management is also notoriously complex.) CIOs and CISOs should tread carefully as they balance these benefits with the underlying infrastructure requirements and IT management tradeoffs associated with each architectural approach.
An automated, adaptive, and centralized security policy control panel
The centralized security policy engine governs all security controls across the infrastructure and application stack. Leveraging workload meta data captured and organized in the workload segmentation engine, the security policy control panel allows security analysts to create fine-grained security policies to prevent and quarantine malicious attacks. Hackers are increasingly sophisticated in their methods of attack, so rather than scripting hundreds, if not thousands of policies by hand to keep up with the changing threat landscape, security policy engines are fast becoming automated. The centralized security policy control panel is in its infancy today. Several vendors offering infrastructure workload segmentation have their eye set on this component of the cloud security ecosystem.
- What CIOs and CISOs need to know: Challenge vendors on their capabilities along three vectors: level of automation, ease of use for security analysts, and integrations with third-party tools. As the heart of the cloud infrastructure security, the policy control panel is likely the most valuable component that will define the next big security company. Vendors gunning for this crown are doubling down on their efforts with ambitious roadmaps spelling a fully autonomous control panel system. A true central nervous system for modern security, the centralized security policy control panels integrate with DevOps tooling, and will bridge network and endpoint protection by way of industry partnerships.
Dynamic security analytics
Security analytics uncover anomalous behavior across networks, applications, users, and workloads and communicate them to the policy control panel so it may take action to quarantine an attacker. Through inter-company data sharing and threat intelligence feeds, security analytics tools adapt their algorithms as the threat landscape evolves. A panoply of new players including Context Relevant*, Threat Stack, vArmour, and Palerra offer cloud security analytics. Context Relevant stands out because its highly customized analytics tune to a customer’s unique industry and business dynamics. Another disruptive startup called Graphistry is leveraging GPUs to provide a sharper and wider pane of glass over existing alert feeds and analytics tools.
- What CIOs and CISOs need to know: Assess your workload segmentation and security policy control provider’s security analytics capabilities before looking at pure-play security analytics vendors. As we’ve said before, data is the competitive moat for any machine-learning application. Workload segmentation and security policy control vendors have a competitive advantage over newer pure-plays because they can leverage their growing customer datasets to purpose-build and embed security analytics capabilities into their product portfolios. We believe highly differentiated solutions that fuse domain expertise and deep learning will be a hot acquisition target for workload segmentation vendors and for legacy SIEM players eager to wet their feet in this exciting market.
Deception networks and honeypots
This component focuses on preventing attacks from happening in the first place. Honeypots lure attackers into a quarantined environment by posing as a vulnerable legacy IT system, an underutilized hypervisor, or a cloud instance. They improve the efficacy of attack detection, and slow the ability of an attacker to propagate across the datacenter. TrapX, GuardiCore, Allure Security, and Illusive Networks are a few early-stage startups offering honeypots to deceit attackers.
- What CIOs and CISOs need to know: Honeypots are being tested by the most innovative organizations today. To go mainstream, vendors must figure out how to implement them with minimal friction and overhead.
It may feel like a herculean feat to stitch together a cloud infrastructure security system. “Be bold, be brave, or be left behind” is the sentiment on Wall Street as forward-thinking IT leaders at leading investment banks recognize the need to take a best-of-breeds approach to securing their data center and cloud. As a first step, CISOs should experiment with the different deployment architectures for workload segmentation to see what works best for their environment. Scrutinize vendors on policy control capabilities, as this component will be the center of gravity in the industry. Look for vendors providing capabilities across more than one of the four component technologies. Note that it’s important to maintain a healthy dose of skeptism as vendors in adjacent spaces start pivoting their messaging towards one or more parts of the cloud infrastructure security system. Lastly, keep flexibility in mind. Your requirements may change as your cloud strategy evolves over the next couple years.
Momentum in this space will rapidly increase this year. I am confident we will see an early leader focused on security controls emerge from amongst the pack.
Michael Yamnitsky is a former industry analyst turned VC at Work-Bench. He leads the firm’s relations with Global 2000 executives and invests in the next generation of enterprise entrepreneurs. Follow him on Twitter @ItsYamnitsky.