Industry Analysis Archives - Zenaciti
https://zenaciti.com/category/industry-analysis/
Zenaciti generates actionable intelligence for leaders and investors on sales, go-to-market strategy, and cybersecurity. (Feed last built Fri, 29 May 2026.)

2026 Cybersecurity Predictions
https://zenaciti.com/2026-cybersecurity-predictions/
Published on Zenaciti, Sun, 14 Dec 2025

Summary: Cybersecurity in 2026 will be easier thanks to cloud and AI advancements, but persistent executive apathy and new AI-specific threats may derail that.

In 2022, I released the 2023 Cybersecurity Anti-Predictions. They were a response to the litany of cybersecurity “thought leaders” who roll out annual predictions, which are extremely predictable.

However, since then, things have changed. Let’s revisit those predictions and make some new ones.

1. The Threat Landscape is Changing

2023: Not really.
2026: AI has entered the chat. 

For 2023 I wrote, “everybody will experience the same quality and quantity of attacks that we did in 2022. The technologies, personnel, and practices may change causing us to perceive security differently. However, the actual threats we face will remain mostly the same.”

For the most part, this prediction remains the same. The threat landscape in 2026 will be about the same as 2025, 2024, 2023, and so on. Malware is still a threat. Credential theft remains the primary focus of attackers. And hackers still have the upper hand in every way.

However, when we look at AI systems, there are tremendous changes in the threat landscape. Perhaps the most interesting of these threats are data poisoning attacks. These specifically target AI systems and large language models (LLMs) to produce flawed or misleading output. In 2024, NIST released an advisory about this kind of attack based on a study they conducted titled Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations. This study is an interesting read. It is extremely thorough and even identifies some lingering cybersecurity challenges such as the dilemma of open versus closed systems.

The mitigating factor with this kind of threat is that it targets the AI platforms, not the end users of those platforms. This limits the scope of the threat to a handful of AI platform providers, such as OpenAI, Google, Microsoft, etc. Furthermore, I could not locate any confirmed instance of a data poisoning attack, though that does not mean it has not happened.

A larger issue is employees sending company data into AI platforms with no regard to the sensitivity of that data. This poses a complex challenge for organizations that want to enjoy the benefits of AI but need to protect sensitive data. It also poses a massive challenge for regulated systems under standards such as FedRAMP, CMMC, etc.

Fortunately, the industry is responding to this with ample technologies to manage, monitor, and control AI access as well as model context protocol (MCP) servers. Some examples of AI security providers in this space include Obsidian, Zenity, and Cyberhaven.

2. Executives Will Start Taking Security Seriously

2023: Probably not.
2026: No, and you can turn in your badge with security. 

For 2023, I wrote, “Information security is an esoteric threat to executives. They know it exists, but they cannot quantify it with clear consequences. They know it is serious, but they do not know how to diminish the threat. They know harm is possible, but it is easy to dismiss it as somebody else’s problem.”

Around 2016 or so, I noticed that many executives would tune out the moment cybersecurity was mentioned. I once had a CEO tell me he was sick of security slowing down his company. Here we are a decade later, and this attitude has only become more prevalent. A recent example of this attitude happened in early 2025 when the Trump administration wiped out the entire Department of Homeland Security’s Cyber Safety Review Board. The message was unambiguous: security is unimportant.

Executive indifference to security is a massive barrier for security startups. Leaders only care about security when it becomes a catastrophe. And all they really want is to find somebody to blame.

3. Companies will Commit to Stronger Security Defenses

2023: No, they will stick with “good enough” security.
2026: Good enough is pretty good.

What I wrote for 2023 remains relevant. “It is not that executives do not care at all about security. They care up until the exact point they are on par with everybody else. This is the “good enough” approach to cybersecurity. Companies focus on doing what is an “industry standard” rather than doing what is necessary.”

Fortunately, “good enough” security is getting pretty good. One example of this was AWS’s recent announcement of their security agent product. This is a cool new AI technology that can scan an environment, locate vulnerabilities, and suggest improvements. While no AI agent will ever be as good as a skilled human penetration tester, for most organizations this agent is all they really need.

Another good example of how “good enough” has improved is Azure Sentinel. What used to be a mediocre SIEM and endpoint product has evolved into a respectable security platform. Azure environments have Sentinel built in, so Azure customers can access and use it easily.

4. We Will See a Megabreach that Cannot be Ignored

2023: We are already ignoring them.
2026: Megabreaches, what’s that?

I cannot even think of a megabreach from 2025 that had any significant impact. Apparently, Verizon had a massive leak in August, which they denied. Whatever. This is a classic “boy who cried wolf” problem.

5. Security Staffing will See Improvements

2023: Not likely.
2026: Define “improvements.”  

For 2023 I said, “Cybersecurity does not have a staffing problem; it has a staffing crappy jobs problem. There are ample people out there who want to pontificate about all their grand theories of security. What nobody wants to do is actually run anything.”

The most significant change for 2026 is that AI is changing who companies are hiring. AI can do what a lot of security analysts and engineers once did. It can even write NGINX config scripts, which is something nobody can successfully do. (Yes, that’s a nerdy joke.)

AI can also do a lot of the grunt work industry analysts do, as Richard Stiennon has proved with his IT Harvest platform.

None of this is good news for job seekers. While the cratering US economy accounts for a lot of the downsizing, AI is only making it worse. AI will never entirely replace humans, but organizations are testing the limits of that. Teams are being shrunk, and the remaining staff is expected to fill the gaps with AI tools.

This adds up to a bleak outlook for security staffing in 2026.

6. Cloud Eats Security

However, the ultimate prediction for 2026 is that security is everywhere, integrated into everything. In 2021, I identified a growing cybersecurity trend: Cloud Eats Security (also called “platformization”). Cloud providers, like AWS, Azure, and GCP, and SaaS providers like Salesforce or ServiceNow, were (are) slowly consuming many of the traditional security capabilities (firewall, intrusion detection, vulnerability management, web-application firewalls, etc.).

The impact of this trend is that security is now integrated into the platforms companies use. Companies do not need to purchase individual point-solutions which demand complex and expensive integration efforts. However, even the point solutions are getting on board with this trend, making their products much simpler to roll out and fully integrated into cloud and SaaS offerings.

This was one of the reasons why Google paid $32B for Wiz in 2025. Wiz is a powerful platform that simplifies a lot of cloud security functions. Cloud security providers, like Cloudflare, are also rolling out new capabilities practically every day. And some of those are free, such as Cloudflare Tunnels, which allows anybody to securely host anything on the Internet.

To help monitor all these integrated systems, there are emerging AI-powered security operations products from companies such as AI Strike, Torq, and Dropzone AI.

If all this AI stuff seems unstoppable, and wildly insecure, well, it is. However, there are promising emerging technologies such as Automated Moving Target Defense.

And the final piece of this trend is the rise of automated, integrated managed security providers who can keep an eye on everything. In early 2025, I worked on an MSSP analysis project. I was stunned at how many MSSPs had fully embraced automation, AI, and the cloud in their offerings. Unless your organization is gigantic or a government agency, there is no reason to do security internally. Hire an MSSP. There are a lot of great ones out there that can further simplify security.

Conclusion

For 2026, I predict cybersecurity will continue down the path of more integration, more platformization, and more simplicity. This will not stop attackers, but it does swing the odds of success toward the defenders.

[Image: cats playing pickleball]
AI is hard at work defending your assets.

As for the attackers, like the rest of us, they are going to use AI to do their dirty work. And like the rest of us, they are going to generate a lot of pictures of cats playing pickleball. Which means defenders do not need some whiz-bang quantum oscillating over-thruster to stop them. They merely need to make the most of the security tools they already have.

NOTE: The companies mentioned in this blog are for examples only. I received no compensation for mentioning them nor do I endorse them or their technologies. 

What Is a Managed Security Service Provider (MSSP)
https://zenaciti.com/what-is-a-mssp/
Published on Zenaciti, Tue, 07 May 2024

Summary: Managed Security Service Providers (MSSPs) are extremely popular and an important part of the cybersecurity ecosystem. Let's take a look at what makes them work and succeed.

Years ago, I completed a large industry analysis project that covered the managed security business (MSSP).  At the time, MSSPs were rapidly gaining traction.  Fast forward seven years, and I am starting a new MSSP research project. What has changed?

Surprisingly, not that much.

The most notable changes are the influence of cloud and AI technologies on MSSPs.  However, these factors have not altered the constituent parts of an MSSP.  

Gartner Speaks

To understand what makes an MSSP, consider Gartner’s definition:

A managed security service provider (MSSP) provides outsourced monitoring and management of security devices and systems. Common services include managed firewall, intrusion detection, virtual private network, vulnerability scanning and anti-viral services. MSSPs use high-availability security operation centers (either from their own facilities or from other data center providers) to provide 24/7 services designed to reduce the number of operational security personnel an enterprise needs to hire, train and retain to maintain an acceptable security posture.

There is nothing wrong with this definition, but it describes what an MSSP does, not what they are.  There is a big difference between those two things.  If you are looking to hire (or build) an MSSP, you must evaluate not only what an MSSP can do, but what they are made of as well.

Managed Security Service Provider Definition  

Based on my research, an MSSP consists of four primary components:

  • Platform
  • People
  • Process
  • Scale

Let’s explore each of these components and how they contribute to an MSSP.  

Platform

This is the collection of technologies, tools, and products the MSSP uses to deliver their services.  Platform technologies may be developed in-house or sourced from third party vendors.  Many MSSPs use repurposed open-source products as their proprietary platforms.

An MSSP’s platform is important, but not as important as you may think.  Buyers do not, necessarily, select an MSSP because it offers an ultra-sophisticated platform (nor should they).  Rather, an MSSP’s platform is a “ticket to ride.”  When buyers evaluate MSSPs, they look at the platform first.  If it appears capable, then they move on to evaluate the other components.

The key components of an MSSP Platform include:

Platform Technologies
  Description: The component technologies of the platform.
  Commentary: This can be a wide range of proprietary and third-party products.

Infrastructure
  Description: The architecture, hosting, and supportive components of the platform.
  Commentary: This not only includes where the platform is hosted, but also infrastructure components such as authentication, connectivity, and redundancy.

Automation
  Description: How the platform responds to incidents, implements remediations, and manages configurations.
  Commentary: Automation allows an MSSP to react more quickly and consistently to incidents.  Highly automated platforms are fundamentally more effective at protecting an environment.

  Automation capabilities may include some AI functions. However, be careful when evaluating any AI usage, since many MSSPs claim to have AI integrated into their platform, when in reality it is merely that their analysts are using AI to perform management functions.

Service Capability
  Description: These are the services the platform delivers.
  Commentary: Typical services include:
  • Firewall / NGFW
  • Endpoint security, XDR, MDR
  • Vulnerability scanning, penetration testing
  • Configuration / change management
  • Security information and event management (SIEM)
  • Incident handling
  • Compliance reporting
  • Threat intelligence and scoring
  • Email security
  • Security orchestration, automation, and remediation (SOAR)

Data Provenance
  Description: This refers to where and how the platform stores its data.
  Commentary: How a platform stores customer data is critical, especially if there are any compliance requirements.  Many compliance frameworks (such as FedRAMP) do not allow any co-mingling of data with non-compliant environments.  MSSPs that co-mingle customer data are typically unable to meet compliance requirements.

  Some MSSPs have taken to only storing metadata, while leaving the raw log data contained within the customer environment.  This is preferable from a security perspective, but it will still run afoul of some compliance regimes.

People

Even with automation and AI, MSSPs are completely dependent upon people to run everything and support customers.  The team that runs, manages, and monitors the platform are what makes an MSSP function.  Without them, there is no MSSP.

MSSP teams usually include analysts, support staff, engineers, and developers.

Analysts are the primary service delivery people. They operate the platform, perform security scans, respond to incidents, and deliver reports.  Some MSSPs also employ analysts to perform adjacent professional services such as penetration testing or virtual CISO services.  Analysts form the backbone of an MSSP.

Support staff handle the logistics and customer management functions.  This team may include project managers, customer success representatives, and other non-technical people.  Effective MSSPs use the support team as a “buffer” to allow the analysts and engineers to focus on service delivery.

Engineers operate the infrastructure for the platform. They may also serve as second-tier support for analysts. Engineers typically operate in the background, and only interact with customers for more complex or bespoke needs, such as assisting with incident response.

Developers design, build, and deploy the platform and relevant infrastructure components.  Some MSSPs do not differentiate between engineers and developers, and unite them into a common platform group.  Developers often have their own supporting staff of project managers and test engineers.

For buyers, it is difficult to assess the skillset of an MSSP’s people.  You are not going to be able to meet many of the analysts and engineers working on your account.  However, you can assess the team that engages you in the sales process.  Savvy MSSPs place technical resources early in the sales process.  This ensures the MSSP is building credibility with prospective customers, rather than merely explaining their capability.

Process

Process is the assortment of procedures, practices, policies, and internal culture that operates an MSSP.  Process makes an MSSP sparkle.  Good MSSPs have well defined, well documented, well-maintained processes.  Moreover, they are constantly revising, adapting, and updating them to suit the perpetually shifting threat landscape.

In contrast, bad MSSPs have … nothing.  It is not uncommon for companies to charge into the MSSP business, believing that as long as they have the correct technologies and people to staff the SOC, they are good.  An MSSP is largely useless without effective processes.

Moreover, Process is what gives an MSSP its value.  MSSPs get acquired for their processes, not for their platform or people.  If you are evaluating an MSSP, you want to look closely at the processes they use to conduct their services.

Scale

For an MSSP to be successful, it must be able to put its platform, people, and processes in motion and deliver results. This means designing those components to be agile and adaptable.  It also means having the organizational maturity to accommodate a growing customer base. Scale is therefore a facet of an MSSP’s strategic and tactical execution.

Scale kills weak MSSPs while it fuels smart MSSPs.  Once they begin to acquire customers, the MSSP reaches a critical point where the platform, processes, and people must rapidly change.  This stresses those components, particularly the people.  If the organization lacks effective leadership or empowers people who are uncomfortable with change, the MSSP will begin to struggle.  The company will become unable to handle increased customer load, which will cause customers to become dissatisfied.

Change is discomfort, and savvy MSSPs embrace this discomfort.  They have internal DevOps-style practices that integrate change, growth, and adaptability into everything.

Customers evaluating an MSSP should consider how the MSSP has adapted to the changing threat landscape.  As a customer, constant change can be frustrating. However, if an MSSP can manage this change effectively, it demonstrates organizational strength and maturity, which is something you want as a customer.

Factors Influencing MSSPs

As I mentioned in the introduction of this article, there are a number of influential factors on MSSPs at this time.  In this section, I will address some of the more prevalent influences and how they have changed the MSSP landscape in the past few years.

Cloud

Ten years ago, MSSP was an “on-premise” business.  In other words, their products were concentrated on managing and monitoring traditional, on-premise technologies (firewalls, IDS, endpoint, etc.).  Today, nearly all MSSPs are cloud-based.  Their platform resides in the cloud, and even the management of on-premise equipment, such as firewalls, is handled through cloud products.

AI

Likewise, ten years ago AI was nothing.  Now it dominates every discussion about anything.  Currently, the use of AI in MSSPs is inconsistent.  Much of the AI messaging among MSSPs feels like marketing hype, and not substantive, technical improvement.  Where AI tends to land first is inside the third-party products that use some kind of AI detection method for malware.

Slowly, AI is making it into SIEM platforms. However, AI use for threat hunting remains nascent.  Most MSSPs lack the internal expertise to fully integrate AI into their platforms.  Moreover, training an AI to analyze log data is difficult.  Without a sizable set of “positive” (or wanted) events, it is difficult for an AI to identify what constitutes “negative” (or unwanted) events.  Since most SIEM platforms do not store “non-events,” this blinds the AI.

Where AI is making a difference is with analysts.  Use of AI for generating scripts, tools, and automations can dramatically accelerate an analyst’s efforts.  What used to require hours of painstaking coding, testing, and revising of automation scripts can be done in seconds with a prompt to ChatGPT.

However, buyers of MSSP services need to be mindful of this difference.  Merely because an MSSP says they use AI, does not mean it is integrated into the platform (or accessible to the customer).  Analysts using AI to develop scripts or automation is a good thing. However, that does not make the MSSP “AI enabled.”  This is where marketing fluff and process reality can diverge.

Co-Management

Another perpetual challenge with MSSPs is the co-management conundrum.  On the one hand, customers often demand access to the controls the MSSP manages.  On the other hand, giving a customer control creates a race condition where the customer and MSSP can conflict on management styles or discipline.  Co-management is not necessarily good for customers or MSSPs.  Customers should be prepared to pay more for co-managed platforms vs. fully managed ones.

Platform Images

This MSSP platform strategy is special to me, as it was a strategy I had a hand in inventing.  In 2017 when I began my research, most MSSPs used a single, monolithic platform where they co-mingled all customer data.  This presented several challenges for using MSSP services in highly regulated environments, where data co-mingling is not permitted per compliance requirements.

My innovation was to use the automation capabilities of cloud environments to deploy an MSSP platform into the customer’s own cloud accounts.  This functioned much in the same way as using a Linux or Windows image from a repository.  The image is instantiated independently in each customer’s environment.  Once deployed, it is then customized to suit the customer’s unique needs.  This deployment strategy eliminates all co-mingling issues and will support restrictive compliance requirements.

In 2018 when I built this platform, it was a novel concept.  Today, it is everywhere.  Many MSSPs have fully embraced this deployment strategy, as it unlocks lucrative compliance-funded opportunities. These types of environments are also more adaptable to customer needs.

Buyer’s Guide

If you are considering hiring an MSSP, here are some questions you can use to evaluate each component of a potential vendor:

Platform Questions

  • Describe the architecture of your platform.
  • How is the platform deployed (automation, images, hardware, etc.)?
  • What services (capabilities) does it offer?
  • What software (agents, etc.) must we install in our environment?
  • How does this software communicate with the platform?
  • What access do we have to the platform and its components?
  • What third-party products does your platform use?
  • How do you update the platform?
  • How is the platform licensed?
  • Where is the data stored?  Is the data co-mingled?
  • What reports / data analysis is provided?
  • If AI is used, describe how and where.

People Questions

  • How is your SOC organized?
  • What teams do you have?
  • Describe how you on-board analysts.
  • What kinds of training, education, or career development does the team receive?
  • Who responds to my tickets or phone calls?
  • Who manages my account?
  • How often can I expect to hear from an analyst?
  • Are there any regular meetings, check-ins, or reviews?
  • If there is an emergency, who do I call?
  • How will I be contacted in the event of an incident?

Process Questions

  • Describe how my company will be onboarded to the platform.
  • Define the data flow within your environment.
  • How are access rights assigned, managed, and monitored?
  • Describe how your team manages an incident.
  • Does your company perform “post-mortems” on incidents?
  • If vulnerabilities are detected (if this is part of the service), how will I be notified?
  • What role does your company have in remediating vulnerabilities?

Scale Questions

  • What kinds of performance metrics do you have for your platform?
  • How do you measure success among your teams?
  • How often do you revise internal processes?
  • How is your platform updated, revised, or adapted to changing conditions?
  • How does the organization manage change?
  • What is the experience and background of the leadership?
  • Does the leadership have information security expertise?
  • What is the roadmap for the MSSP?

A savvy MSSP can answer these questions (and more).  An immature one may struggle, or resort to marketing fluff.

Conclusion

MSSPs are an integral part of the information security landscape.  In the past decade they have transformed from simple firewall management to full-service outlets that can accommodate a diverse set of security services.

There are numerous benefits to engaging an MSSP.  The most significant is that an MSSP can focus on security.  Unless your company intends to build a robust, in-house information security practice, it makes sense to outsource some (if not all) security functions to an MSSP.

For marketing and sales teams, your go-to-market efforts should focus on explaining the benefits of your four components.  Why is your platform unique? How is your team effective?  What practices or processes make your MSSP special?  And how do you adapt, change, and grow with the volatile security landscape?

While the MSSP market has evolved in the past few years, it has not fundamentally changed.  AI and automation are helping MSSPs scale, but they are not altering what makes an MSSP function.  If you are looking to hire, or build, an MSSP, then it is important to evaluate the four primary components of an MSSP.

Platform of Platforms
https://zenaciti.com/platform-of-platforms/
Published on Zenaciti, Wed, 28 Feb 2024

Summary: Palo Alto Networks and Microsoft have the right idea about security platforms, but the wrong execution. What security really needs is a Platform of Platforms.

Recently, Palo Alto Networks (PAN) released a platform strategy that was widely panned in the security industry. The prevailing view (which I share) is that no sane CISO would rip out their existing best of breed security products to go all in on PAN’s platform.

PAN is not the first to try this strategy. Cisco, Symantec, and McAfee all tried, and all failed at building a platform of security products. Microsoft (MS) is well on their way toward a single security platform as well.

PAN’s strategy may be flawed, but the idea is not.

PAN correctly identifies that companies can benefit from a single, unified interface for security monitoring and management. However, their execution is the problem. PAN and MS are both building a Platform for Products. The PAN platform only manages other PAN products, and likewise for Microsoft. This makes these platforms limited and constrained.

What the security industry really needs is a Platform of Platforms (PoP).

What is a Platform of Platforms?

In an ideal world, cybersecurity teams would have a single portal where they could go to interact with their entire information security environment. This is a Platform of Platforms. A PoP would not necessarily manage every aspect of all those disparate products, but rather provide a simplified way to see their status, access key data, and perform routine functions. A PoP unites the entire security infrastructure into a single portal.

With a PoP, security teams could integrate any security product, whether it is PAN, Cisco, Wiz, MS, Crowdstrike, etc. into the platform. Those products would then publish a set of capabilities to the platform.

For example, the PoP would not manage an endpoint security product like SentinelOne. Yet it could show a list of unsecured endpoints along with other useful reports, such as malware blocked. It might also perform some common management functions, like kicking off a network-wide scan or searching for a specific file-hash value.

The PoP is a window into endpoint security, but it does not replace SentinelOne’s native management tools.

Now, before you dismiss this idea, have you looked at ServiceNow or Salesforce lately? They are essentially PoPs.

PoP Drop

Naturally, you are shaking your head, saying this is impossible. Ten years ago, the management portals companies built for their products were completely closed. Now everybody uses an API, and those APIs are published (some publicly). APIs are insanely powerful. They open up a product’s possibilities in ways most vendors cannot even imagine.

PoPs could use these APIs to interact with each product, to obtain data and execute functions. SIEM and XDR platforms have been building huge databases of functionality to accommodate a vast library of third party tools. This effort would only be slightly more complex than those efforts. Moreover, this is exactly the kind of problem AI could help solve.
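To make the capability-publishing idea concrete, here is a small aggregation layer written for this page as an added example; it is not code from Zenaciti, Palo Alto Networks, SentinelOne or any other vendor named above. It assumes two hypothetical products, "EdrOne" and "CloudGuardish", whose API shapes and inventory records are constructed here as stand-ins for real vendor APIs. Each product adapter normalises its own schema into a common Endpoint model and publishes only the capabilities it actually supports; the PoP then fans a single question ("which endpoints are unprotected?", "where has this hash been seen?") out across every product that can answer it, and refuses, rather than guesses, when asked a product for a capability it never published.

```python
"""Minimal Platform-of-Platforms (PoP) aggregation layer.

Added example, not code from Zenaciti or from any vendor in the post. The
products "EdrOne" and "CloudGuardish", their API shapes and every inventory
record below are constructed stand-ins for real vendor APIs.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Endpoint:
    """Common model every product is normalised into before the PoP sees it."""
    host: str
    protected: bool
    source: str  # the product that reported the endpoint


@dataclass
class Adapter:
    """One product's link to the PoP: the capabilities it chooses to publish."""
    name: str
    capabilities: Dict[str, Callable[..., object]] = field(default_factory=dict)


# Constructed inventories standing in for what each vendor API would return.
EDR_ONE_INVENTORY = [
    {"hostname": "ws-101", "agent_state": "healthy"},
    {"hostname": "ws-102", "agent_state": "missing"},
    {"hostname": "srv-9", "agent_state": "healthy"},
]
# Constructed hash sightings: sha256 -> hosts where EdrOne saw that file.
EDR_ONE_HASH_INDEX = {"0" * 64: ["ws-101", "srv-9"]}
CLOUD_GUARDISH_ASSETS = [
    {"id": "i-0abc", "name": "api-1", "agent_installed": True},
    {"id": "i-0def", "name": "batch-7", "agent_installed": False},
]


def edr_one_list_endpoints() -> List[Endpoint]:
    """Normalise EdrOne's host records into the common Endpoint model."""
    return [Endpoint(r["hostname"], r["agent_state"] == "healthy", "EdrOne")
            for r in EDR_ONE_INVENTORY]


def edr_one_search_hash(sha256: str) -> List[str]:
    """EdrOne is the only constructed product that indexes file hashes."""
    return list(EDR_ONE_HASH_INDEX.get(sha256.lower(), []))


def cloud_guardish_list_endpoints() -> List[Endpoint]:
    """CloudGuardish uses a different schema; the adapter hides that difference."""
    return [Endpoint(a["name"], a["agent_installed"], "CloudGuardish")
            for a in CLOUD_GUARDISH_ASSETS]


class PlatformOfPlatforms:
    """Single portal that fans queries out to the products publishing a capability."""

    def __init__(self) -> None:
        self.adapters: Dict[str, Adapter] = {}

    def register(self, adapter: Adapter) -> None:
        self.adapters[adapter.name] = adapter

    def capabilities(self) -> Dict[str, List[str]]:
        """Capability name -> products that publish it."""
        table: Dict[str, List[str]] = {}
        for adapter in self.adapters.values():
            for cap in adapter.capabilities:
                table.setdefault(cap, []).append(adapter.name)
        return table

    def can(self, product: str, capability: str) -> bool:
        return capability in self.adapters.get(product, Adapter(product)).capabilities

    def invoke(self, product: str, capability: str, **kwargs):
        """Call one product's native capability; refuse rather than guess if absent."""
        if not self.can(product, capability):
            raise KeyError(f"{product} does not publish {capability}")
        return self.adapters[product].capabilities[capability](**kwargs)

    def unprotected_endpoints(self) -> List[Endpoint]:
        """Cross-product report: every host any product says lacks protection."""
        found: List[Endpoint] = []
        for name in self.capabilities().get("list_endpoints", []):
            found.extend(e for e in self.invoke(name, "list_endpoints") if not e.protected)
        return found

    def search_hash(self, sha256: str) -> Dict[str, List[str]]:
        """Routine function across products; those without the capability are skipped."""
        return {name: self.invoke(name, "search_hash", sha256=sha256)
                for name in self.capabilities().get("search_hash", [])}


def build_demo_pop() -> PlatformOfPlatforms:
    """Wire the two constructed products into one PoP."""
    pop = PlatformOfPlatforms()
    pop.register(Adapter("EdrOne", {"list_endpoints": edr_one_list_endpoints,
                                    "search_hash": edr_one_search_hash}))
    pop.register(Adapter("CloudGuardish", {"list_endpoints": cloud_guardish_list_endpoints}))
    return pop


if __name__ == "__main__":
    pop = build_demo_pop()
    print(pop.capabilities())
    for e in pop.unprotected_endpoints():
        print(f"unprotected: {e.host} (reported by {e.source})")
    print(pop.search_hash("0" * 64))
```

The design choice worth noting is that the PoP never reaches into a product's internals: each adapter decides what it publishes, and the portal only composes those published capabilities. That is what keeps the native consoles in place, as the post argues they must be, while still giving leadership and operations one place to ask cross-product questions.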

Sounds like a SIEM

SIEMs are the closest relative to a PoP. The challenge with SIEMs is that they are focused exclusively on managing data from products. A PoP would go a step further to actually interact with a product’s native API. However, a SIEM would make a logical starting point to build a PoP. Some of the larger SIEM products are rapidly approaching a PoP-like functionality.

Who Runs PoP Town?

Naturally, the question is who owns or runs this PoP. No single security vendor could do this. Building a PoP would require a company with vast resources and a reasonably neutral position to the vast set of security products on the market.

This is why PAN’s platform is unlikely to succeed. It demands you buy completely into the Cult of Palo Alto Networks. PAN has made it clear they are not going to sell a platform that manages non-PAN products.

The obvious answer to who could do this is the cloud service providers: AWS, Microsoft, and GCP. They have the resources and are reasonably neutral to security products. AWS is already partially there with their Security Hub product. Azure has a security console now, but it is a clunky mess. And GCP has not been acquiring security companies for fun. They obviously have big ideas as well.

A PoP was part of my own vision for a product years ago. I envisioned a platform that could not only build itself but configure a disparate set of tools and provide a single management interface. My vision was too big for my funding, so I downgraded it into a compliance product.

PoP Benefits

The single greatest challenge in cybersecurity is and always has been complexity. The more complex a system is, the more difficult it is to protect it. Modern enterprise environments are insanely complex and insanely complex to secure.

The ultimate purpose of a PoP: create a simpler, more streamlined way to interact with the security architecture. Provide a single place where a diverse group of people, from leadership down to operations can access and interact with the security environment.

A PoP would not replace existing management consoles. Those would still have a place in a PoP environment. There are plenty of use-cases where administrators would need to drop down into a native console to perform administrative functions.

I fully admit that a PoP is a bit of a pipe dream at this point. The effort necessary to build a viable, working PoP is extreme. However, this is yet another way that cloud providers could continue their consumption of the security industry (see Cloud Eats Security).

NOTE: Since writing this blog in February of 2024 I have started seeing actual products making a run at this concept. Google’s acquisition of Wiz and Zscaler’s acquisition of Red Canary are two prominent examples of consolidation in the pursuit of an “all in one” style platform.

Rise of the Froduct https://zenaciti.com/rise-of-the-froduct/ Wed, 22 Mar 2023 06:58:05 +0000 https://zenaciti.com/?p=2115 Froducts are products that are really features. Froducts are everywhere, but they are particularly pervasive in the cloud and security markets. Free-flowing funds have fostered a fertile field for founders flaunting froducts. Fun!

The post Rise of the Froduct appeared first on Zenaciti.

Ever see a product and think “wow, that is a great idea.” You buy it, set it up, and then realize that the product cannot work without other products, processes, or people.

You bought a froduct, a product that is really a feature or collection of features. Froducts are everywhere, but they are particularly pervasive in the cloud and security markets. Free-flowing funds have fostered a fertile field for founders flaunting froducts.

What is a Froduct?

For something to be a froduct, it must meet two criteria:

  1. Limited Use. Security and cloud froducts target specific needs, such as compliance, data replication, or incident response.
  2. Dependencies. Froducts depend on other technologies, systems, or people to work properly.

Froducts are not necessarily a bad thing. In fact, many innovative technologies begin their life as a froduct.

One example of a successful froduct was Portshift. This Israeli company made a Kubernetes security product. Their product, like many container security products, was really a collection of existing Kubernetes and cloud capabilities. You could do almost everything Portshift did with existing open source tools. You also had to have a containerized application environment — limited uses, critical dependencies.

Portshift brought these features together into a product, racked up some wins, and got acquired. Investors put in $5 million and Cisco paid approximately $100 million for the company (the actual amounts remain undisclosed.) That is a 20x return on capital. A fabulous froduct finish.

While froducts are great for founders and investors (when they work), they are not always so good for customers. Froducts can create as many issues as they solve. Yes, you have security mesh on your containers, but who is going to define, manage, and monitor that? Container security mesh, like many other security froducts, is a great idea that is difficult to implement successfully. Froducts often make lofty promises of efficiency, security, and reliability, that are difficult to fully realize.

So where do all these froducts go?

Cloud Eats Froduct

In my recent analysis article, Cloud Eats Security, I described how the Cloud Service Providers (CSPs) such as AWS or Azure, are gobbling up security capabilities.

For example, consider Web Application Firewalls (WAF). A decade ago, WAF was a thriving market, with multiple big players like Imperva and F5. Now, WAF is a few clicks on your AWS, Azure, or Cloudflare console. There is really no reason to buy a WAF anymore.

Cloud providers are slowly gobbling up froducts, bundling them into their offerings and making them easier to implement. While their versions of these technologies may not be as good as the stand-alone ones, it does not matter. They are good enough. Like it or not, that is all most buyers want.

Go to Froduct Market

For every froduct that clocks in a 20x return, there are hundreds that merely burn investor cash. The core problem with these companies is that they have their go-to-market efforts completely wrong.

Security and cloud froduct companies keep struggling to solve security or cloud problems. They put out endless marketing fluff about hacking, peace of mind, and attack surface areas but fail to address the real question that buyers want to know: what business problem do you solve?

Security problems are small, nuanced, esoteric pixies that require lengthy explanation, education, and endurance to comprehend. In contrast, business problems are lumbering leviathans that even the most clueless investor can understand. For example…

Business problem: we need money.

Security problem: we need to restrict access to specific users, with approved session tokens.

A security froduct might be innovative and effective, but if it creates any kind of impediment to revenue, then who cares. Startups with froducts need to look way beyond the cool thing they do and think about what those cloud service providers are doing.

Froduct Packaging

The reason AWS can get away with a subpar WAF is because the totality of AWS is more valuable than the individual components. AWS’s value is not in their security or compute capabilities, it is in the platform.

Or another way to say this, AWS does not solve compute problems (or security ones for that matter), they solve business problems with computing products.

Startups can use this same technique to make their languishing froduct more useful and valuable.

For example, which one of these product pitches do you think works better on a C-level executive with a limited budget?

Our cloud-deployed IAM product integrates with your on-premises Active Directory to synchronize user identities across cloud environments. It can reduce unauthorized access and protect data.

Our product keeps your people working and earning revenue.

Do not sell the froduct; sell the better future the froduct (on some big platform) delivers. Froducts packaged together to solve large-scale problems are irresistible to leaders who want to contain costs. Moreover, they alleviate pain.

So, what are some of these large business problems? There are only a few of them.

  1. People: expensive, fickle, smelly, hungry
  2. Money: never enough of it
  3. Time: never enough of it

If your froduct platform can replace people, save money, and/or reduce time to success, then you have a winner. If your froduct requires a company to hire more people, pay more money, or consumes more time, you have an uphill battle ahead of you.

Conclusion

When you go shopping for new security products, take the time to consider the dependencies. You may be buying a froduct. Likewise, products that integrate with existing platforms, like AWS or Azure, are naturally more effective since they can work on existing environments.

If you are a product company, then you must be able to place your product into the context of a customer’s environment. Stop talking about the security challenges you address, and start talking about how you will improve the customer’s experience. You can still talk about those security benefits, but only after you and the customer are clear on the business problems you solve.

Cybersecurity Anti-Predictions for 2023 https://zenaciti.com/cybersecurity-anti-predictions-for-2023/ Wed, 04 Jan 2023 23:52:06 +0000 https://zenaciti.com/?p=1490 Each year we are flooded with cybersecurity predictions. Each year these predictions are entirely predictable. This year, how about some anti-predictions?

The post Cybersecurity Anti-Predictions for 2023 appeared first on Zenaciti.

Every December, social media is flooded with cybersecurity predictions for the next year. With each passing year these predictions become — wholly predictable.

How many times have we heard some variation of:

  • Attacks against ____ will increase.
  • _____ attacks will continue to evolve and become more sophisticated.
  • The rise of ____ will give attackers new ways to _____ (AI is the latest in this category.)
  • Boards will finally get serious about security.
  • The cybersecurity staffing crisis will continue.

The cybersecurity industry is stuck in a loop. It keeps predicting the same things, repeating the same stories, and advocating the same exhausted clichés, expecting things to change. Every year attacks increase, new technologies will save and/or kill us, and executives are on the edge of finally accepting security as a serious issue. These predictions never come true.

See the 2026 Cybersecurity Predictions

Therefore, I present my anti-predictions for the 2023 cybersecurity industry:

The Threat Landscape is Changing

Not really.

In 2023, everybody will experience the same quality and quantity of attacks that we did in 2022. The technologies, personnel, and practices may change causing us to perceive security differently. However, the actual threats we face will remain mostly the same.

In fact, I believe that the threat landscape has remained static for the past 20 years. The threats of today are not dramatically different than 2003. Viruses and worms are now called ransomware, but they function largely the same. Hackers are still hunting for credentials and cracking passwords. The avenues of attack are mostly the same: email, websites, etc. Attacks cause more damage today, but that is relative. Everything is more complex and operating at a larger scale than in 2003.

In 2023 we have more technologies to detect threats and more words to define them, but the actual threats are the same.

Executives Will Start Taking Security Seriously

Probably not.

One thing you can always count on when there is a big data breach is social media channels filled with “thought leaders” exasperated at how leadership ignored such obvious security problems. These insufferable Captain Obvious crusaders cannot comprehend how people can be so irresponsible.

The reason for executive inaction is simple: it is easy to blame somebody else. When a breach happens, the board or CEO can line up the IT department and blame them. They can then make a promise to fix everything. (See the SolarWinds case for proof of this.)

Information security is an esoteric threat to executives. They know it exists, but they cannot quantify it with clear consequences. They know it is serious, but they do not know how to diminish the threat. They know harm is possible, but it is easy to dismiss it as somebody else’s problem.

As such, they fall back to the next item on this list.

Companies will Commit to Stronger Security Defenses

No, they will stick with “good enough” security.

It is not that executives do not care at all about security. They care up until the exact point they are on par with everybody else. This is the “good enough” approach to cybersecurity. Companies focus on doing what is an “industry standard” rather than doing what is necessary.

This is why executives are obsessed with copying what other companies are doing. They reason that if a product is good enough for a big company, like Netflix or Apple, then it must be good for everybody. This ignores the fact that technology is useless unless it is implemented and managed properly.

Companies keep throwing technologies at security problems and consistently fail to operationalize those technologies. That is because doing the operationalization work is complex, unrewarding, tedious, and does not get you likes on LinkedIn. This is a positive feedback loop: bad security begets more tech, begets more complexity, begets weaker security, and return to start.

Or as RoboCop’s Dick Jones says, “who cares if it works.”

We Will See a Megabreach that Cannot be Ignored

We are already ignoring them.

2023 will undoubtedly see plenty of data breaches. They will get plenty of coverage and then fade from memory. This is partially due to breach fatigue, but also because breaches are not that serious to most companies. They cause a brief period of turmoil, and then are quickly forgotten.

The recent LastPass breach is a good example. While some of us dumped LastPass, thousands shrugged off the news. It is too difficult, time-consuming, and complex for most organizations to replace them. Once a technology is entrenched in organizations, removing it is painful.

Megabreaches are also so common these days, that they have lost their impact. There is little we can do to stop them.

Security Staffing will See Improvements

Not likely.

Cybersecurity does not have a staffing problem; it has a problem staffing crappy jobs. There are ample people out there who want to pontificate about all their grand theories of security. What nobody wants to do is actually run anything.

This is because working blue team defense in cybersecurity is like being the janitor’s assistant’s intern. All the miserable work (such as compliance implementation) is dumped on you. The executives treat you with contempt. If you report any serious issues, you are either ignored or retaliated against. When there is a breach, you are blamed, fired, and humiliated. Meanwhile, you are expected to know how to secure everything, everywhere, with flawless perfection.

The cybersecurity industry is top-heavy with self-important thought leaders who are unable or unwilling to get their hands dirty with the operational realities of security. The industry keeps venerating these people, while ignoring the regular folks who grind away every day keeping things safe.

This also causes skilled security people to seek out careers that are safer, such as penetration testing. Oddly enough, breaking into environments is a more rewarding job than protecting them.

Bitter, Party of One

Okay, maybe all of this sounds a little bitter.

I point out these problems because I know they are fixable. I have seen organizations with strong, effective information security programs. I have met some brilliant operators who can single-handedly solve vexing problems. I believe…no…I KNOW there is a brighter future for security.

That brighter future is frustratingly difficult to achieve when there are so many impediments to success. Annual cybersecurity predictions are only perpetuating these problems.

The Brighter Future

Let’s set the cynicism aside and think about what we could do differently this year. Here are some of my ideas:

  • Stop buying new technologies, or settle on new ones and plan to stick with them at least a few years.
  • AI will not solve everything. It is merely a new tool. It must be mastered like any other tool.
  • Hire people that are slightly unqualified for security roles. Grizzled “experienced” people often come with a ton of baggage.
  • Focus security on operationalizing and automating every aspect of security.
  • Stop making excuses and move all your workloads to the cloud. Containerize as much as you can.
  • Pay your operators more so you can attract the smart ones. Hire more of them so they can learn from each other. Reward the creative ones.
  • If you hire a managed security provider, hold them accountable. If they cannot deliver, fire them quickly and replace them.
  • Focus on changing faster, making people more comfortable with change, and making your environment able to change at a moment’s notice. Ability to change = effective security.
  • You are not going to educate your users. Users are human and all humans do stupid things. If your company cannot handle human stupidity, then you will never be secure. Human stupidity is a constant. Build systems that can withstand constant interactions with stupidity.
  • If you do not have a person on staff who can write (decent) documentation, get one. Now. Document everything. Follow it.

These are only a few ideas. I would love to hear your ideas. That is where real answers begin to emerge: when we accept that something is not working and want to make it better.

Conclusion

I predict that in 2023 cybersecurity will make many of the same mistakes. I also predict a few people will start to see a brighter future. They will become agents of change. They may be disliked and even feared. Yet, they will make a difference.

Making a difference is all any of us can hope for in the coming year.

This article was revised on 11/24/2023 to be a little less cynical.

Moving Target Defense Is Set to Disrupt Endpoint Security https://zenaciti.com/moving-target-defense/ Mon, 12 Dec 2022 18:29:32 +0000 https://zenaciti.com/?p=1478 Moving target defense (MTD) is an emerging cybersecurity technology that may profoundly disrupt the endpoint security market. It offers a simple, yet effective way to render compute environments extremely resistant to attack.

The post Moving Target Defense Is Set to Disrupt Endpoint Security appeared first on Zenaciti.

Years ago, a client called me in a panic. Their servers were hacked and spitting out spam. They had to take their production environment offline and the business was hurting. As a CEO with an appreciation for the costs of downtime, I recommended they forgo incident response. I suggested they wipe the affected machines, rebuild from a known good backup, and get back online quickly. Once they were back online, we would help them improve their defenses to automatically block attacks.

The client’s information security officer did not like my strategy. I defended my approach, adding that the cost of the investigation was not worth it. Unpatched systems were the likely culprit.

My pitch was ineffective, and the company chose to hire a well-known incident response company instead. They blew through a few hundred thousand dollars to uncover that their developers did not patch their servers, bots are quick to exploit vulnerable Apache installations, and their security tools were largely unmonitored and unmanaged.

This story highlights one of the more enduring challenges in information security: attack detection and response is complex, expensive, and seldom rewarding. This company did not discover any giant conspiracies. They were the victims of a garden-variety attack. The downtime and investigation were expensive and debilitating. The culprit of the vulnerability was obvious: inconsistent system maintenance and weak security controls.

Challenges with Endpoint Security

While modern endpoint detection and response (XDR) products like CrowdStrike have come a long way at detecting, identifying, and stopping attacks, these platforms still demand a lot of care and feeding. Companies spend millions each year desperately trying to stop and clean up after attacks. Often this results in no insights, other than that the organization has security vulnerabilities, like every other organization on earth.

What if none of this mattered? What if, as I suggested to my client, you could destroy and rebuild an environment automatically based on a schedule or a triggered input? Attackers need time to infiltrate systems, move laterally, and exfiltrate data. If compromised host(s) vanished every few hours, hacking the environment would become enormously difficult (although not impossible).

This is the premise behind Moving Target Defense (MTD).

What is Moving Target Defense?

MTD, despite being an emerging technology, is not a new concept. A group of security researchers wrote a detailed book on the topic in 2011: Moving Target Defense: Creating Asymmetric Uncertainty for Cyber Threats. This book is a bit dense and was written before container technologies existed. However, these researchers had a sound premise, even if the technology at that time was not fully capable of realizing those ideas.

MTD products create a compute environment that is dynamic and non-persistent. If a host or application is compromised, it is quickly destroyed and replaced with a known-good version from a trusted, read-only repository.

MTD currently comes in two flavors: infrastructure and endpoint.

The endpoint versions work internally within an operating system to randomize memory, isolate the core processor, and prevent unauthorized applications. This makes the individual system more difficult to crack. I am hesitant to call these products MTD, since they are merely endpoint products with specialized detection and protection capabilities.

Infrastructure versions work on a larger scale to constantly wipe and rebuild the components of an environment. These technologies are particularly effective in containerized environments. A properly architected Kubernetes or OpenShift environment can become extremely resistant to attack using MTD.

In my opinion, it is a stretch to call endpoint products MTD. These are merely XDR products with MTD-like features. True MTD must happen at the infrastructure level.

What is so Great about MTD?

MTD is a profoundly effective defense because it is simple. It shoves aside all the complexities of detection, response, and incident handling. Rather than try to figure out how a system is hacked, MTD makes a hacked system irrelevant.

Moreover, MTD does not invalidate existing detection and response tools. It reduces the dependency on these technologies, and they in turn can augment MTD. When MTD and XDR are paired together, the endpoint tools can trigger a rebuild based on the detection of an attack.

Why MTD Now?

The reason MTD has come of age is due to advancements in adjacent technologies. In the past, traditional hardware environments could not handle the dynamic nature of MTD. Virtualization brought MTD closer to reality, but it was still clunky and unreliable.

With the advent of containerization, MTD not only becomes possible, but preferable. Individual containers or pods can be trashed and replaced in a blink. If the application is architected properly and stores persistent state information in a database (and not on a filesystem), there is no functional limit to how often systems are refreshed.

As more companies move their compute workloads onto Kubernetes, OpenShift, and other containerized platforms, MTD becomes a more viable security option.

Who Are the Players in MTD?

There are few. As of December 2022, there is only one company (that I could find) with an infrastructure MTD product: R6 Security, out of Palo Alto. Their Phoenix platform works with Kubernetes as well as Red Hat’s OpenShift platform. It can work on a schedule to refresh the environment or be configured to interoperate with other container security tools. I have seen this product in action; it is slick.

On the endpoint side, there is Morphisec. They claim to have a lightweight agent that performs core isolation, randomization, and other endpoint security enhancements.

What is the Future for MTD?

In a recent post on LinkedIn, Lawrence Pingree, Vice President of Emerging Technologies for Gartner, announced that 2023 will be the year of Moving Target Defense (MTD). This is a bold claim for a nascent technology. However, I think Pingree is right. The conditions are right for this technology to take off.

With organizations moving more of their core workloads into containerized environments, it only makes sense to use MTD. Moreover, MTD bundled with other security capabilities creates an extremely resilient environment.

However, now that Gartner has said MTD is hot, expect a lot of other security companies to suddenly “add” this capability to their product.

The Bad News about MTD

MTD is not a panacea that will solve every security problem everywhere forever. There is one big gotcha with MTD: application architecture.

For MTD to work properly, the application environment must be architected to handle constant change. This means using REST APIs and microservices, rather than traditional monolithic applications. It also means persistent information cannot be stored within a container or on a filesystem. It must be stored in a shared repository such as a database. Moreover, state information must be isolated and protected, such that an attack could not break through the MTD layer into the backend environment.

One fear I have about MTD is how it can break applications. This is why many endpoint products with these features struggle for traction. They offer all these novel memory and processor randomization tricks that crash regular applications. They quickly devolve into a configuration mess of whitelisting specific functions, which kind of negates the whole point of MTD.

This is why I believe the future for MTD is in infrastructure products and not endpoint.
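As an added example (not from the article, and not the configuration of R6 Security, Morphisec or any other vendor), here is one way to express the infrastructure-level pattern described above as plain Kubernetes objects: every pod is rebuilt on a schedule from a known-good, immutable image, the container filesystem is read-only so nothing written to it survives a rotation, and all persistent state lives outside the pod. A detection tool that holds the same least-privilege identity can issue the same rollout restart on alert, which is the MTD-plus-XDR pairing the article mentions. The namespace `mtd-demo`, the Deployment `web`, the secret `web-db`, the CronJob `restart-web`, and the image digest are placeholders I chose for the example.

```yaml
# Added example of the infrastructure MTD pattern on Kubernetes.
# All names and the image digest are placeholders, not a real deployment.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: mtd-demo
spec:
  replicas: 3
  selector:
    matchLabels: {app: web}
  template:
    metadata:
      labels: {app: web}
    spec:
      containers:
        - name: web
          # Pin to an immutable digest: every rebuild comes from the same
          # known-good artifact, not whatever a mutable tag resolves to today.
          image: registry.example.com/web@sha256:PLACEHOLDER_DIGEST
          securityContext:
            readOnlyRootFilesystem: true   # writes to the image do not persist
            allowPrivilegeEscalation: false
            runAsNonRoot: true
          volumeMounts:
            - name: scratch
              mountPath: /tmp              # only writable path, discarded on rotation
          env:
            - name: DATABASE_URL           # persistent state lives outside the pod
              valueFrom:
                secretKeyRef: {name: web-db, key: url}
      volumes:
        - name: scratch
          emptyDir: {}
---
# Least-privilege identity that may do nothing but trigger a rollout of `web`.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: rotator
  namespace: mtd-demo
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: rotator
  namespace: mtd-demo
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    resourceNames: ["web"]
    verbs: ["get", "patch"]     # `kubectl rollout restart` reads, then patches
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rotator
  namespace: mtd-demo
subjects:
  - kind: ServiceAccount
    name: rotator
    namespace: mtd-demo
roleRef:
  kind: Role
  name: rotator
  apiGroup: rbac.authorization.k8s.io
---
# Scheduled rotation: every four hours, replace every pod with a fresh copy
# built from the pinned digest. A detection tool can run the same command
# out of band to rebuild on alert instead of waiting for the schedule.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: restart-web
  namespace: mtd-demo
spec:
  schedule: "0 */4 * * *"
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: rotator
          restartPolicy: Never
          containers:
            - name: kubectl
              image: bitnami/kubectl      # pin this by digest too in practice
              command: ["kubectl", "rollout", "restart", "deployment/web", "-n", "mtd-demo"]
```

Apply it with `kubectl apply -f` and watch the rollout with `kubectl rollout status deployment/web -n mtd-demo`. Two design points worth noting: the `readOnlyRootFilesystem` setting is exactly what breaks applications that were never built for this, which is the article's "application architecture" gotcha, so the `emptyDir` scratch mount is there for the processes that legitimately need a writable path; and the `resourceNames` restriction in the Role means a compromised rotator identity can restart this one Deployment and nothing else.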

Conclusion

What captivates me most about MTD is that it disrupts the entire hacking environment. Rather than trying to outsmart the hackers (which has consistently proven to fail), MTD devalues the hacker’s advantage. It does not merely level the playing field; it wipes the field out and replaces it with a new, fresh, clean one, eliminating all the hacker’s clever attacks. MTD also forces an organization to architect their applications in a more modular, resilient manner.

MTD might not be the panacea that solves everything, but it has the potential to disrupt the security market as much as it disrupts the hacking environment.

Can the Metaverse Overcome Its Obstacles? https://zenaciti.com/metaverse-obstacles/ Wed, 11 May 2022 22:01:15 +0000 https://www.zenaciti.com/?p=972 The Metaverse is an expansive, overhyped realm with some massive obstacles to overcome before it can gain widespread acceptance.

The post Can the Metaverse Overcome Its Obstacles? appeared first on Zenaciti.

The Metaverse is an expansive, overhyped, often contradictory realm that evades simple definitions. Is it a game? A virtual world? A place to trade NFTs and cryptocurrencies? The next Internet (web 3.0)? An entirely new way for people to interact? A company? A community? A joke?

It is all those things and more.

Just because the Metaverse is overhyped does not mean we should dismiss it. If you look at the Metaverse in the context of its closest cousin, immersive, online, interactive games, such as Fortnite or Minecraft, then its success seems pre-ordained. For example, Fortnite has over 350 million users and generates billions in revenue. Is the Metaverse Fortnite Next?

The Metaverse is a combination of grand promises and formidable obstacles. While it promises to deliver an immersive and engaging way to interact with people and companies, it faces enormous technical, structural, and social impediments. Let’s look at some of these obstacles and one notion of how they might get fixed.

Interoperability

Among all the monsters that lurk among the Metaverses, interoperability is the most difficult kraken to slay. Currently, Metaverse worlds do not seamlessly interact with each other. If you buy something on one site, it does not (easily) transfer to any other sites. There are no agreed-upon standards for how information is stored, exchanged, or secured. There are no standards to protect children from adult content.

The Metaverse is currently a collection of isolated worlds (like online games) that need to work together. The only way that can happen is if all the sites standardize around a common set of protocols.

Blockchains

Part of the reason for the lack of Metaverse standards is its reliance on Blockchain technologies to store and distribute data. Blockchain is a decentralized transactional system. Cryptocurrencies are the most popular implementation of blockchains. The use of blockchains means no single authority controls the transactional database (or chain.)

However, the lack of central authority has failed to make cryptocurrencies safer, freer, or more accessible. Instead, it has given fertile ground to scammers and criminals who can manipulate the lack of central authority to inject false information or steal blocks.

In response, most blockchain-based systems are transitioning to hybrid or closed systems, where there is a central authority to arbitrate transactions. When there is a central authority, there can be certainty and the enforcement of standards. However, this unleashes another kraken.

Zuckerberg

Nobody exerts more gravitational pull in the Metaverses quite like Meta (aka Facebook) and its CEO Mark Zuckerberg. He sees the Metaverse as the next big thing and wants to dominate it. Zuckerberg’s influence is simultaneously the best and worst thing for the Metaverse.

On one hand, Meta and Zuckerberg have the influence, power, and scale to promote and expand the Metaverse like nobody else. One way Meta does this is with the Oculus headset, which is widely regarded as the gold standard for VR headsets. To his credit, Zuckerberg is a technically skilled leader who understands the problems of interoperability and genuinely wants to fix them.

On the other hand, it is Meta’s control that makes people nervous. The more control Meta gets, the more the Metaverse may feel like Facebook Next rather than Fortnite Next.

Hardware

To really get into the Metaverse, you need a virtual reality headset. Fortunately, these are becoming more affordable. Also, headsets are not necessarily required. Most operating systems and web browsers now include VR rendering libraries. It is possible to experience the Metaverse without a headset; however, the experience is less engaging.

Nevertheless, VR hardware is not widespread yet. Also, VR technologies have extreme bandwidth demands, which leaves people with slower connections behind. Among all the Metaverse impediments, hardware is one of the easiest to overcome.

Security

The lack of standards in the Metaverse also means there is a lack of security. These security problems exist at multiple levels. Many of the headsets require wide-open network connections. The application programming interfaces (APIs) that fuel the data exchange of the Metaverse are equally unsecured. Metaverse databases or blockchains contain not only your identity but also virtual items of value, including an immense amount of data on your personal behaviors. If Facebook is a gold mine of metadata about you, the Metaverse is a whole universe filled with exotic treasures.

Creeps

It is not hyperbole to say the gaming world is filled with creeps. A whole subculture of gaming men genuinely believes that harassing women, people of color, and other marginalized communities is not merely acceptable, but is somehow a free-speech birthright. The lack of moderation in online games and social media has fueled the growth of self-defending communities of creeps who empower, validate, and protect bad behaviors.

The Metaverse will supercharge these creeps. It provides them with a whole new dimension of ways to harass people with images, objects, and behaviors.

Decades of research have shown that if gamers do not face consequences for bad behavior, they will not self-correct. Of course, when the creeps are confronted, they quickly hide behind the banner of free speech. This entangles all the other Metaverse obstacles with the sticky moral quandaries of free speech and censorship.

If interoperability is the most significant technical impediment for the Metaverse, the creeps and their free-speech claims are the largest social ones.

Conclusion

If the Metaverse is going to live up to its promises of a new way for people to interact, it must resolve these obstacles. While there are many ways these could be handled independently, there is only one universal solution. The Metaverse desperately needs one or more standards bodies to regulate these issues and enforce standards. For this body to work, it must be internationally accepted and not under the dominance of any single commercial entity. However, it must involve key commercial players, like Meta, Epic, and Microsoft, to name a few.

There are some existing logical bodies, such as the United Nations’ ITU or the World Wide Web Consortium. Regardless of which body takes on this task, with the right standards-based regulation, the Metaverse is far more likely to fulfill its promises.

Originally published at https://www.nasdaq.com on April 28, 2022.

All-Consuming Cloud https://zenaciti.com/all-consuming-cloud/ Sun, 13 Feb 2022 04:39:56 +0000 https://www.zenaciti.com/?p=636 Cloud platforms are not only gobbling up new customers, but they are also consuming new markets, including security.

The post All-Consuming Cloud appeared first on Zenaciti.

Cloud computing was the runaway winner for 2021. The COVID-19 pandemic accelerated digital transformation projects, resulting in whopping growth for the cloud service providers, like AWS, Azure, and Google.

Read the rest of this article at NASDAQ.com 

Cloud Eats Security https://zenaciti.com/cloud-eats-security/ Fri, 03 Dec 2021 00:10:19 +0000 https://www.zenaciti.com/?p=617 Cloud providers, like AWS and Azure, and SaaS companies like ServiceNow and SalesForce are consuming the cybersecurity market.

The post Cloud Eats Security appeared first on Zenaciti.

The Unwinnable Game

Over the past 20 years, cybersecurity has played an unwinnable game. In this game, the attackers make all the rules, score all the points, and can quit anytime without losing.

Meanwhile, the defenders are encumbered with a cavalcade of rules, tools, and fools: insidious compliance rules that drag down progress, a messy assortment of security tools that never work together, and company executives that dismiss security as a nuisance inhibiting their success.

If you have ever had to implement enterprise information security you know that it is not merely difficult, it is profoundly difficult. However, what is the alternative? Companies must defend themselves. And so, security professionals diligently persevere. They buy new tech, hire more people, and fight enemies inside and out. After a while, the virtuousness of their perseverance becomes indistinguishable from insanity.

Beyond Human

The crux of this Unwinnable Game is that protecting modern IT systems exceeds human cognitive abilities. Information security, even for a modest-sized organization, is insanely complex, volatile, and error-prone. This has left CISOs playing a game they can never win. See more in What is Wrong with CISOs.

If humans cannot handle security, then who or what can? Automation? Artificial Intelligence (AI)?

AI and automation both have tremendous potential to make security less complex and more reliable. Automation tools can repeatedly (and tirelessly) analyze data to identify outliers and potential attacks. AI can, theoretically, adapt to changing environments.

Unfortunately, these tools have massive hurdles to adoption.

First, implementing AI and automation is well beyond the technical capabilities of most security teams. Most security teams struggle to maintain basic hygiene. Expecting them to install, tune, and manage complex AI technologies is unrealistic.

Second, these tools demand standardization. Environments with disparate systems are impossible to automate and confound AI engines.

Lastly, AI engines demand vast amounts of data to build accurate propensity models. This means the engine must have both abnormal and normal data (and anything in between). Most security technologies discard or ignore normal data, favoring the abnormal. This is because the humans who manage those security products cannot handle the onslaught of both normal and abnormal data.

Introducing Platformization

This is the point when cloud providers, like AWS, Microsoft, and Google, as well as large SaaS providers, like Salesforce and ServiceNow, join the chat. Cloud providers have huge advantages in regard to automation and AI. They are skilled at taking technologies and processes and transforming them into standardized, easy to implement, and automated services. AWS has the people, purpose, and scale to build AI engines. Most importantly, cloud providers have a huge advantage over the point players, like CrowdStrike or Splunk: cloud providers can see everything, normal and abnormal. This makes them a logical place to implement security.

The reason computing workloads are moved to the cloud is that the cloud providers simplify complex technology into standardized services. Cloud and SaaS have already consumed entire markets, such as email. Ten years ago, if you needed an email server, you had to set up, manage, and secure your own. Today, with a few clicks and a script you can have an enterprise-class email system at Microsoft or Google, pre-configured and secured correctly. There are few reasons to run your own mail server these days.

Security is no longer an add-on product. It is inside the platforms companies already use.

The New Cloud Order

By 2030, security will be inside the platform, not outside it. These integrated services will extend out to endpoints and IoT devices as well. What we know today as the security industry, with thousands of vendors all selling point products, will dramatically change. It will be more about integrating capabilities into existing cloud and SaaS platforms.

This trend is already in motion. The impact of this shift will be felt far and wide. Some of the things we can expect include:

  • The demand for point security products will not disappear, rather it will move down-market to SMB and laggard industries that refuse to adopt the cloud.
  • The market valuations for security point solutions will decline as they run out of customers.
  • The demand for in-house security expertise will decline. With cloud services and AI doing much of the dirty work, in-house teams will have less to do. This will make the security roles less about twiddling with tools and more about managing risk posture throughout the organization. This will also fuel expansion in the managed security segment.
  • Since everything in the cloud can be automated through an API, a new class of value-added resellers will emerge: automation integrators. These providers will repackage automations between different providers. They will offer pre-built architectures, with your preferred vendors (like ServiceNow or Salesforce) pre-integrated. With a few clicks you will be able to build an entire enterprise infrastructure with everything tightly integrated.
  • The market for managed security providers (MSSPs) will grow, however they must adapt to work with the cloud. The traditional MSSP, with a big SOC managing hardware devices, will be less relevant. MSSPs will also move down-market into SMB environments. It will be less expensive and simpler for organizations to outsource security monitoring than attempting to do it in-house.
  • Demand for stand-alone security awareness and application code scanning solutions will remain stable or increase. These services are difficult for cloud providers to adopt, due to the customized nature of them. However, security awareness training has already moved to cloud-delivery. Likewise, most application code scanners have SaaS delivered versions as well.
  • Hardware security products must refocus on access, with tight integration to cloud services. Many of the hardware vendors, like Palo Alto Networks and Fortinet have already begun this transition.
  • Compliance will be devalued. Compliant environments can be built, certified, and authorized through automated means. Compliance bodies will resist this at first, but the cloud providers will strong-arm them into adopting. You can already see the beginnings of this, with the FedRAMP office pushing NIST's machine-readable OSCAL format for control documentation and assessment results.
  • Multi-cloud will become more difficult as cloud providers find more ways to create lock-in strategies. This will also increase the need for automation integrators, which can smooth out multi-cloud adoption complexities.
  • Attacks and ransomware will shift focus to “softer” targets such as laptops and IoT devices.
  • AI engines will become increasingly more capable at identifying new attacks. However, people will need to manage the response and remediation.
  • Automation will extend to remediation tools. Cleaning up an intrusion will no longer require expensive engagements with outside consultants. Rather, automation tools will gather evidence, wipe out affected systems, and rebuild from known-good repositories.
  • Risk management will become more important to companies, as they shift from a purely reactionary approach to that of controlling risks.
  • Watch closely anyone that AWS, Azure, Google, Salesforce, ServiceNow, Oracle, SAP, etc. acquire. They will start vacuuming up technologies that serve this change. AWS has already done a few.

Evidence

The evidence of this movement is already out there.

  • Microsoft Azure has its own Security Information and Event Management (SIEM) product: Sentinel.
  • AWS has rolled out GuardDuty and WAF, rendering standalone WAF or IDS/IPS products less relevant.
  • Google's Chronicle integrates multiple security functions as well as some AI capabilities.
  • At re:Invent 2022, AWS announced Amazon Security Lake, a security data lake that normalizes security data into a common schema (OCSF) and plays in the same space as Chronicle and Sentinel.
  • Google purchased Wiz, with the intention to integrate it into their cloud offerings.
  • AWS announced Security Agent, an AI-based vulnerability identification and remediation tool.

Counterpoints

Of course, this trend will encounter resistance from all those vendors. Just as hardware vendors ignored the writing on the wall in the early 2000s, so too does the sea of booths at RSA ignore the rising cloud waters around them. However, let's consider some contrary points.

Cloud services are not as accurate or capable as dedicated point solutions.

This may be true, but it does not matter. The cost and complexity of implementing, optimizing, and managing point solutions is already higher than adopting cloud-native tools. Moreover, the quality of a product is largely irrelevant in the grand scheme of protecting a business. Most of the companies that experienced a large data breach possessed cutting edge security technologies. It is not the technology that protects a company, it is how the technology is implemented, managed, and monitored.

Cloud providers are incentivized to ignore or cover up security problems. You cannot have the fox guarding the henhouse!

Pushing the farm clichés aside, this is untrue. Cloud providers are under tremendous legal, regulatory, and reputational pressure to secure their services. For example, a few years back AWS took heat over customers with public S3 buckets. Even though this is a legitimate configuration, and customers are entirely responsible for setting this access, AWS still implemented improvements (such as account- and bucket-level Block Public Access settings) to lock down S3 buckets even more.

Furthermore, if you are going to entrust the entirety of your company's data and processing to AWS, why would you not trust their security? Lastly, cloud providers are deeply incentivized to protect customers' workloads for one less savory reason: lock-in. If a cloud platform consistently has security issues, customers will leave and move to a competitor's platform.
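The "public S3 bucket" problem mentioned above comes down to two things a practitioner can check for any bucket: whether its policy grants access to an anonymous principal, and whether Block Public Access would neutralize that grant anyway. The following is an added example, not code from the original post or from AWS; the bucket policies, account ID and Block Public Access settings are constructed inline, and the "public" test is the coarse heuristic S3 itself documents (an Allow with Principal "*" and no narrowing Condition), not the full IAM evaluation.

```python
"""Classify an S3 bucket as public or not from its policy plus its
Block Public Access (BPA) settings. Example code; all inputs are constructed."""
import json


# Constructed sample policy: anonymous read on every object (the classic public bucket).
# "example-bucket" is a placeholder name.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed sample policy scoped to one placeholder account: not public.
ACCOUNT_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AccountRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# The four BPA flags, in the shape the GetPublicAccessBlock API returns them.
# Values here are assumed for the example.
BPA_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
BPA_ON = {k: True for k in BPA_OFF}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (including "*" inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_statements(policy_json):
    """Return Allow statements that grant access to everyone with no Condition.
    Heuristic: any Condition is treated as narrowing access (S3's own check is
    finer-grained, allowing only specific condition keys to count as non-public)."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_public_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append({"sid": stmt.get("Sid"), "actions": _as_list(stmt.get("Action"))})
    return findings


def block_public_access_effective(settings):
    """Only when all four flags are on does BPA fully neutralize public grants."""
    return all(settings.get(k, False) for k in BPA_OFF)


def assess_bucket(policy_json, bpa_settings):
    """'private': no public grant; 'public-policy-blocked': public grant exists but
    BPA (RestrictPublicBuckets) stops anonymous and cross-account use of it;
    'public': public grant and nothing blocking it."""
    if not public_statements(policy_json):
        return "private"
    if block_public_access_effective(bpa_settings):
        return "public-policy-blocked"
    return "public"


if __name__ == "__main__":
    for name, pol in (("public-read", PUBLIC_READ_POLICY), ("account-only", ACCOUNT_ONLY_POLICY)):
        for bpa_name, bpa in (("BPA off", BPA_OFF), ("BPA on", BPA_ON)):
            print(f"{name:12s} {bpa_name:8s} -> {assess_bucket(pol, bpa)}")
```

In a real audit the two inputs would come from the GetBucketPolicy and GetPublicAccessBlock calls (and the account-level BPA setting, which overrides the bucket's); the point of the example is that a policy alone does not tell you whether a bucket is exposed, which is exactly the gap the provider-side Block Public Access controls were introduced to close.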

This is monopolistic, many organizations will reject using cloud-native security tools leaving a market for point-solution vendors.

Yes, some companies will resist, however this will not stop the cloud providers. Those companies that resist will be at a disadvantage. Security today is insanely inefficient and error-prone precisely because there are too many tools that are difficult to interoperate. Automating and standardizing security is the only way to contain this expanding inefficiency. Those companies that resist will lose the efficiency and effectiveness gains of the companies that do adopt cloud-native security tools.

The follow-on question is: at what point do the cloud providers transform from merely providing a compute service to being a utility? Where are the limits of their reach? That is a larger, complex question for another article.

Conclusion

Information security is stuck playing a game it will never win. However, unlike the sage wisdom of WarGames, which suggested the only winning move is not to play, we do not have that choice. We must defend our data, our infrastructure, and our nations from cyberattacks.

Information security teams can win this game, if they leave defense to the robots. Only automation can adapt, react, and protect at the scale necessary to defend an enterprise. And only the cloud providers have the scale, resources, and motivation to be able to build these robots effectively.

This was originally published in December 2021 and revised a few times since then.

Big Hairy Questions: Strategies for Technical Due Diligence (Part 2) https://zenaciti.com/big-hairy-questions-2/ Thu, 02 Sep 2021 18:21:13 +0000 https://zenaciti.com/?p=397 Ten strategies that technical due diligence analysts use to uncover your product's weaknesses. (Part 2 of 2)

The post Big Hairy Questions: Strategies for Technical Due Diligence (Part 2) appeared first on Zenaciti.

In the first part of this series, we discussed the first five Big Hairy Questions that comprise a technical due diligence project. This included:

  1. What is the Intent?
  2. Who is in the Room?
  3. What are the Dependencies?
  4. What is NOT Being Said?
  5. What is the Market?

In this second, and final part we pick up where we left off.

6. Does it Work?

This question is as obvious as it sounds. Does the product do what the company claims it does? This is easy to answer if you can rise above the company's messaging and posturing.

The first part of this question is to have the company’s sales engineers demo the product.  Ideally, I want to see how they explain the product, its features, and its strengths.  My focus with them is the infrastructure of the product; where it is deployed, how it is installed, what third party products does it need, etc.

When time permits, I like to install and use the product myself. I have a rich background in installing technology, so this can be fun. It can also be miserable, like the encryption product I reviewed once that bricked my laptop.

With some hands-on experience under my belt, the next step is to see what others have to say.

7. What Do the (Real) Users Say?

During most due diligence projects, the company will set up one or more user meetings. These are useful since I can hear how the product performs in the real world. However, it is unlikely they will put unhappy customers in front of me.  As such, I need some “unfiltered” opinions.

Online user groups, like Reddit, can be useful here. While you cannot fully trust on-line sources, they can give you clues to what is bothering users. Many years ago, I was analyzing a web gateway product. I noticed numerous online users complaining about logging capabilities. When the SE’s showed me the product, I specifically had them focus on logging. They got defensive. Eventually, the product manager fessed up that their logging capabilities were weak. Had I not read all those on-line complaints, I might not have thought to dig into the product’s logging capabilities.

However, user groups almost always skew to the negative. Nevertheless, between the handpicked customers the company provides, and the rants of people on the Internet, I can assemble a picture of the product’s real-world usage.

8. What Problem Does It Solve?

How a product is sold to customers says a lot about its potential. A smooth sales process translates to scale, while a clunky process can hinder a product’s growth. Analyzing a company’s sales processes can be highly entertaining, but it does not give much insight into the product’s technical capabilities. This is because there are plenty of technically weak products that sell well, while innovative ones languish.

However, sales can provide insight into the market for a product, if you look at why people buy it.

This begins with an understanding of the sales personas. These are the generalized roles at a prospective customer that sales works with to close the deal. There are four sales personas:

  • Champion: person who identifies the product and promotes it within the company
  • Evaluator: person who assesses the product for use and provides a recommendation for purchase, or not
  • Influencer: person whose opinion of the product holds weight among the other personas
  • Decision Maker: person who makes the final decision to buy the product

While a single person may embody all these personas, that is uncommon. Even small companies divide the decision maker from the evaluator.

Evaluators and influencers are where this why question has the most traction. These personas are typically tasked with vetting the product for use. If they see something they like, they will recommend the product. Mostly, they will want to solve a problem.

The clearer a company defines the problem their product solves, the more convinced the evaluators and influencers will become. Therefore, when I meet customers of a product, I want to talk to the person(s) who evaluated the product prior to sale. I want to hear why they bought the product, to determine if the company solves a real problem and whether they communicate that effectively.

A few years ago, I was performing due diligence on a threat intelligence platform. The sales team complained of losing to competitors when they got into evaluations. I had them walk me through a typical technical deep dive with a customer doing an evaluation. The issue was obvious. They could not effectively define what problem their product resolved.

This also had an impact on product development and marketing. The company kept adding features, trying to out-innovate their competitors. Consequently, the product was a mess of features that sounded cool but, again, did not address specific business problems.

Why companies buy (or do not buy) a product can give you a ton of insight into not only sales, but the entire product development process.

9. Where is the Data?

This is another deep-in-the-weeds issue, but it is a looking glass into a product’s maturity. Mature products handle data properly. Immature ones do not.

A few years ago, I was analyzing an attractive up-and-coming security analytics tool. I asked about data handling. The engineers fumbled around the question, ultimately trying to convince me that saving the data in flat text files to the file system was an ingenious strategy. It was not. It was a terrible way for a security product to store data. Despite looking attractive and powerful, the product had some serious technical problems under the covers. My questioning about data handling revealed these issues.

For this, I investigate how the data is stored, access controls, encryption, auditing, and distribution of data (redundancy.) I also love it when companies supply their data models. I can analyze the structure of their database(s) and see if they are well architected, or a patchwork of disparate databases.

10. What is the Vision?

If I had to pick one thing that sets great companies apart from mediocre ones, it is vision. Vision answers the simple question “why?”  Why does this product (or company) exist? Why should I care? The clearer a company is about these questions, the better their products tend to be. However, there is nothing simple about vision.

A strong vision connects the product and company to a genuine purpose. Something that can motivate people to a higher cause. Consider Tesla’s vision, to accelerate the world’s transition to sustainable energy. This is a strong vision. Notice it does not mention cars.

Vision is like an invisible guardrail that keeps a company focused on a higher calling. It gives leaders an intangible push to look beyond the mere function of a product, to how that product can fulfill a higher purpose.  Without a strong vision, companies and their products become mediocre.

I am routinely surprised how few leaders understand the power of vision. I think it makes them uncomfortable. Perhaps it's because it seems light and "touchy feely." Yet vision is what motivates people. As Simon Sinek reminds us, people do not buy what you do, but why you do it.

I could not tell you exactly what vision needs to be. It is different for each organization. However, I know what it is not.  Vision is not merely making money, dominating a market, or “delivering shareholder value.”  Those things are the result of a strong vision, not a vision itself.

Where I look for vision is inside everything. It should start with the leadership, particularly the C-level suite. However, vision should permeate every level of the company, from the executive office to the janitor’s office.

Conclusion

Reflecting on all my due diligence projects, I realize there is more to them than encryption protocols and marketing presentations. They are complex efforts with a lot of information. In many ways, I find due diligence work similar to risk assessments: large quantities of data which, when laid out, paint a picture. That picture may be one of ingenuity, opportunity, and prosperity…or not. Or something in between.

I wrote this blog as a marketing tool as well as a lesson for companies who are getting a visit from a technical due diligence consultant. Ideally, the ideas I shared here will help you assess your own company and make improvements before a person like me shows up.

I will leave you with one of the more poignant moments from my due diligence work.  Many years ago, I spent months analyzing a company. In the final meeting, we were going over all the findings. After the presentation, the CEO of the acquiring company pulled me aside and asked me, “give it to me straight, what is the largest risk in this deal?”

I thought of all the technical weaknesses in the product, the poor logging, the laughable 10Gb performance, and the lack of a good cloud product.  However, those were not the biggest risk.

“There is no vision here. The leadership is…lost.”

The leaders could speak confidently of the product’s features, but not about the company’s purpose.  The leaders were connected to plenty of important people, but they could not explain why I should care about their products. The CEO of the acquiring company nodded and smiled broadly. I had confirmed what he suspected, but nobody was brave enough to say.

If you want a great product, start with the ten hairy questions, and answer them honestly. That way when the investors are sniffing around and they send in some guy like me, you will be ready.

Also, I am not washing your dishes.

Go back to read Part 1
