Oh crap. Settle in ... it's time for another technical deep dive.
October happens to be Cybersecurity Awareness Month, and as the list of companies I am interested in within this space is expanding, I thought I'd bring you more than you wanted to know about cybersecurity. It gets deep enough on the technical side to explain it to the non-techies out there, then I bring it back around to what our hypergrowth companies are doing in this space and what I see in them.
But even just skimming the surface of network security, it's a lot to cover. So I have spent a lot of my (not so) free time over the past few months compiling these thoughts about cybersecurity and explaining the multitude of terms and acronyms. I believe it helps to understand the technical history (the way things were and where they are going now), to better understand what is driving the success of our hypergrowth stories in this space.
This is PART 1:
1 - Intro
2 - Network Basics
3 - Attack!
4 - Why SECaaS?
5 - Flavors of Security
6 - A New Dawn
Then in PART 2:
7 - Hypergrowth
8 - A Look at Some Hypergrowth Companies
Intro
Cold autumn drizzle
Silent ghosts in my network
Never to exit
- muji, HHHYPERGROWTH Poet Society, October 2019
We live in a connected world. Every company in today's world MUST have the technical skills to set up, secure, and monitor their day-to-day business operations and company secrets (aka proprietary data: payroll, contracts, intellectual property, supply chain, customer lists). This is why I like to say [repeatedly] that "EVERY company is a tech company" under this connected global economy.
When it comes to network layout, the norm for companies is to have a complex arrangement. A company typically has digital assets & connected hardware (file storage, data systems, POS systems, printers, IoT sensors, "smart" equipment, cameras) within physical locations (offices, factories, mobile fleet, store fronts) containing a workforce that utilizes computing devices (workstations, laptops, tablets, phones) to track business operations (sales, marketing, finances, HR, payroll, operations, accounting, IT, R&D). And today, the definition of "workforce" is greatly expanding, as companies connect not only their employees across all their enterprise locations, but also remote workers, contractors, vendors, and other partners. And it isn't just physical locations that need securing any more -- the workforce is increasingly going mobile.
And then there is a company's operational infrastructure. A company could be maintaining their own email, HR, payroll, accounting and identity mgmt systems, or, increasingly, they could be using outside SaaS providers. A company may have on-site or remote data-centers that they maintain, or they may use one or more IaaS (Infrastructure-as-a-Service) cloud providers, or some hybrid mixture of the two. And if a company is itself a SaaS company, infrastructure is all the more important as it is also customer facing (hosting web servers and APIs).
And on top of all that networking complexity above, a company needs to SECURE that nest of systems, users, and the processes between them. For that, SaaS services have emerged, providing cybersecurity services to protect your company's assets, systems and/or employees.
- Cybersecurity = Protection of internet-connected systems from cyberattacks.
- Security-as-a-Service (SECaaS) = A SaaS company providing some type of cybersecurity service to enterprises.
Because of all the complexity in securing all of the internal pieces above, SECaaS providers are forming services that each solve some portion of that complexity. When a customer adopts their platform, the provider becomes embedded into the daily operations of that company, and typically at a cost that is less than the internal resources (systems and staff) required to "do it yourself".
It is a bit of an epiphany when you finally understand the power behind SaaS enterprise services and their inherent "stickiness". However, I feel cybersecurity-related services have the HIGHEST LEVEL of stickiness due to the nature of security; the universality of how all enterprises need these solutions (and always will!) is driving much of the hypergrowth here. Yes, one doesn't necessarily have to follow the technological ins-and-outs to do well, but I believe a good understanding is critical to knowing where your holdings are in the market, how much is left in their growth, and to spot when those companies are expanding their market opportunities.
Several popular hyper-growth stocks are in the SECaaS space -- OKTA, ZS, CRWD, ESTC -- so it's time to talk tech a bit to explain how these companies fit into the puzzle of security coverage. As you'll see, they all complement each other, and there is room in your portfolio for all of them. (Well, at least in mine.) Other SaaS companies followed here that are not directly related to security are benefiting as well -- IT services like managed databases (MongoDB Atlas & Stitch, Elastic Cloud), infrastructure monitoring (Elastic Stack, Datadog), endpoint communications (Twilio) and incident response (PagerDuty) are also thriving, in part due to this never-ending need to manage and watch your systems.
Network Basics
Conventional network security has always been built on the assumption that your internal network is a trusted zone, requiring a perimeter be built and maintained to keep untrusted clients out of it. It's called castle-and-moat security (if it has a name... up until lately, it's just been called "network security" because it was the ONLY option). It was typically comprised of multiple per-purpose hardware devices ("appliances") obtained, set up and maintained by your IT dept.
Network Layers
First, let's talk about what a conventional company's network layout is typically comprised of, as it helps us understand where attacks are hitting. Mary Meeker had a good slide in her 2019 report about the layers of infrastructure. [For the Luddites out there, I'm going to use a really basic analogy alongside these terms -- your house being a trusted network (castle), the outside walls of your house the periphery (moat), and the outside world as untrusted (public internet).]
- Core = A company's data center(s), comprised of on-premise or cloud infrastructure. Typically where the centralized database storage, file repository, and the compute tasks live (aggregation, search, analytics, monitoring). [These are the rooms of your house, each with its own purpose (each system a room). That makes the enterprise SaaS services you utilize like a drop-in container you rent, a storage pod plopped in your driveway (instant room) -- in that you have to go outside to access it.]
- Edge = The edge of the company's network, which controls and manages entry into the trusted network. Edge is the gateway used to corral communications from endpoints and allow them access to core. What constitutes the edge varies by industry and purpose of the network - a telecommunications network edge could be a cell tower, while a company's network edge may be a specific office's router and firewall. [These are the doors into your house.]
- Endpoint = Hardware devices that connect into a company's network -- all the individual computers, laptops, phones, tablets, printers, IoT sensors, cameras, smart meters, POS terminals, etc. These are the devices the workforce is using, or are remote devices collecting data on their own. [These are the people that want to get into the house to do something. How do you tell friends and neighbors from thieves? SECURITY.]
Network Devices
There are many common basic network devices, which could be either hardware appliances or software-based. [And I will extend the Luddite analogies from above.]
- Network router = Device that forwards packets between networks, picking the best available path toward the destination. [If your network is a house, think of it as the passageways (hallways and doors) between rooms.]
- Network gateway = Device that joins two networks together, serving as a boundary to both. A gateway is a router, but a router isn't necessarily a gateway. [Think of it as the doorway between the house and outside.]
- Proxy server = A gateway device that acts as an intermediary, so that untrusted and trusted networks never talk to each other directly. For instance, if a company hosts its own web server, a person's browser is actually querying a proxy that takes the request, forwards it on the trusted network to the appropriate server, and hands the response back to the browser on the untrusted network (public internet). That direction (outside users reaching inside services) is a reverse proxy; the same device working the other way, with internal users reaching the internet through it, is a forward proxy, and that is where a company inspects and filters its employees' outbound traffic. [Instead of letting a request from outside into the house, a proxy stands at the door, takes the request, goes and gets the answer from the appropriate room, and takes it back to the door to give the response back to the requester. This helps insulate the core rooms from the outside ne'er-do-wells.]
- Firewall = A gateway device acting as a barrier that uses a pre-set list of rules to control & monitor incoming and outgoing network traffic, typically between a trusted internal network and an untrusted external network (public internet). Each rule is a yay/nay (allow or deny) decision on who may talk to what, on which port; rules are checked in order, first match wins, and a sane ruleset ends in a default deny so that anything not explicitly permitted is dropped. Modern firewalls are also stateful: they remember connections, so the reply to an allowed outbound request is let back in without needing a separate inbound rule. [This is the locking screen door, letting air in and out (valid requests) but not the mosquitoes (invalid requests).]
- DMZ (De-Militarized Zone) or Screened Subnet = A specialized subnet (separated subdivision of a network) used to isolate external traffic to a different network space than the internal trusted one. It connects to both the trusted network (for communication with core systems like databases) as well as the untrusted network (internet users), such that only the DMZ is visible to the outside world, keeping the trusted network safely isolated. Typically holds web, mail, & FTP servers that must be accessible from the internet. [Think of DMZ like a vestibule or foyer, with a locked door (firewall) to go inside but also a door (firewall) accessible from the outside.]
- Edge devices = A network gateway that controls access to the trusted network, controlling requests and data flows between endpoints and core. This acts as a proxy and firewall to the trusted network. [This is the butler that answers the door and knows who to let in, who to proxy requests for, and who to stop by locking the door.]
So edge devices are gateways that deal with network interconnections, and endpoints are typically remote devices that are connecting to the edge device as a client [knocking on the door and asking the butler to enter]. Cloud computing and IoT have started making the role of edge devices more important, increasing the need for more intelligence (compute) at the network edge. Edge devices can now be polling stand-alone endpoint devices (like IoT sensors) outside the trusted network and acting on them.
- Edge computing = Refers to how edge devices that are gathering remote data from endpoints could be doing compute or analysis BEFORE passing the data to core, as opposed to the core doing it. There are pros and cons to this depending on the use case, but typically it leads to faster response and lower latency (edge is closer to endpoints than core) and less network traffic (edge doesn't have to pass everything to core, it can strip down or anonymize final data). The downside is that edge devices typically don't have the complete picture that the core would, so they are only capable of handling & analyzing their own data subset. [Your butler is sending or receiving messages to the outside to know when a task is done and something needs to be triggered, eg knowing a parcel was delivered outside and triggering someone to go get it.]
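To make the firewall and DMZ definitions above concrete, here is an added illustration (toy code written for this page, not from any vendor or from the original writeup) of how a zone-based ruleset gets evaluated: rules in order, first match wins, default deny at the end. The zone ranges, the web server and database addresses, and the ports are all constructed for the example; the point is that internet traffic can reach the DMZ web server only on web ports, only that web server can reach the core database, and the internet can never reach core directly.

```python
"""Toy zone-based firewall evaluator (added illustration, not from the original
post or any vendor). Zones, addresses and ports are constructed for the example:
the DMZ is 10.0.1.0/24 with a web server at 10.0.1.10, the core is 10.0.2.0/24
with a database at 10.0.2.20, and anything else is treated as the internet."""
import ipaddress
from dataclasses import dataclass

ZONES = {
    "dmz": ipaddress.ip_network("10.0.1.0/24"),
    "core": ipaddress.ip_network("10.0.2.0/24"),
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; unknown ranges are the untrusted internet."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str                        # "internet", "dmz", "core" or "any"
    dst_zone: str
    dst_ports: frozenset                 # empty means any port
    action: str                          # "allow" or "deny"
    src_hosts: frozenset = frozenset()   # empty means any host in src_zone

    def matches(self, src: str, dst: str, port: int) -> bool:
        if self.src_zone not in ("any", zone_of(src)):
            return False
        if self.dst_zone not in ("any", zone_of(dst)):
            return False
        if self.src_hosts and src not in self.src_hosts:
            return False
        return not self.dst_ports or port in self.dst_ports


# Ordered ruleset: the first matching rule decides. Note there is no
# "internet -> core" rule at all; that traffic falls through to default deny.
POLICY = [
    # Internet may reach the DMZ web server, and only on HTTP/HTTPS.
    Rule("internet", "dmz", frozenset({80, 443}), "allow"),
    # Only the DMZ web server may reach the core DB, and only on the DB port.
    Rule("dmz", "core", frozenset({5432}), "allow", src_hosts=frozenset({"10.0.1.10"})),
    # Core may initiate anything outbound (real egress filtering would be tighter).
    Rule("core", "any", frozenset(), "allow"),
]

# A common mistake: a broad deny placed ahead of the specific allow "shadows" it,
# so the web server can no longer reach its database.
SHADOWED_POLICY = [Rule("any", "core", frozenset(), "deny")] + POLICY


def evaluate(src: str, dst: str, port: int, policy=POLICY) -> str:
    """Decide 'allow' or 'deny' for a new connection src -> dst:port."""
    for rule in policy:
        if rule.matches(src, dst, port):
            return rule.action
    return "deny"  # default deny: anything not explicitly permitted is dropped


if __name__ == "__main__":
    for src, dst, port in [("203.0.113.5", "10.0.1.10", 443),
                           ("203.0.113.5", "10.0.2.20", 5432),
                           ("10.0.1.10", "10.0.2.20", 5432),
                           ("10.0.1.11", "10.0.2.20", 5432)]:
        print(f"{src} -> {dst}:{port}: {evaluate(src, dst, port)}")
```

The SHADOWED_POLICY case is worth running: it is the same rules with one broad deny added at the top, and it silently breaks the web tier's database access, which is exactly the kind of ordering mistake that appliance rulesets accumulate over years of edits.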
Ever-Growing Perimeter
Network security is comprised of products designed to monitor and secure network traffic moving in and out of your perimeter, to stop threats before they materialize. There are a great many companies that provide hardware and software for this. It is not an industry to just blaze into as an investor, as much of it is commoditized, and, given the preponderance of existing infrastructure and hardware, it is not an industry that will be disrupted overnight.
Enterprises have to be ever-vigilant to maintain their perimeter, with a lot of monitoring and implementing of new security approaches. Changes are always made with fingers crossed -- yet inevitably, the majority of security work around a perimeter is reactionary: patching holes as they are discovered and containing the damage of any breaches. Cybersecurity is generally a game of "whack-a-mole". Gartner estimated in 2017 that enterprise infosec spend is 90% prevention and 10% detection.
It's easy to hit the limits of this perimeter strategy -- companies hope to grow, and often need to expand their trusted networks beyond a simple structure (for example, interconnect multiple locations, or add acquired companies into their network, or allow access to a remote or mobile workforce). This leads to a lot of complexity in maintaining security, as the perimeter becomes much larger than a single location and what one set of devices can handle.
Enterprise networks are designed to be "outside-in" -- users are moving from the outside (untrusted network) to inside (within the trusted). You need to build the perimeter to keep other things out except for those users you permit. There are several ways to allow outside users and other networks to connect to your trusted network.
- VPN (Virtual Private Network) = Extends a private network across a public network (the internet), so that remote users can securely access a trusted network from outside the perimeter. Creates an encrypted tunnel between the end user and the trusted network. This is commonly used to give remote employees access to a trusted network, in order to reach enterprise applications. (The security catch: once the tunnel is up, the remote device is effectively inside the castle, so a compromised laptop on VPN is a compromised laptop on your trusted network.)
- WAN (Wide Area Network) = Separate networks joined together as one, regardless of distance. Useful to interconnect various physical locations together (offices, factories). Can use a VPN or set up dedicated connections with a telco/ISP. [This is like an underground tunnel between your house and another house, so you can go from house to house w/o going outside.]
- Hub-and-spoke topology = WAN layout having one main hub (primary office) and the rest integrated as spokes (all the other locations) off the hub. All traffic between spokes is routed through the hub. Simplest to set up but has a single point of failure.
- Mesh topology = WAN layout having all the networks interconnect with each other directly. More redundant than hub-and-spoke, but harder to build & maintain. Could be utilized over a hub-and-spoke ("Partial Mesh") to have most important locations meshed and secondary ones spoked.
Endless Cloud
All of these topologies still try to maintain a perimeter around a trusted network. When you have multiple locations, security gets complicated fast, as your perimeter has to extend around the entirety of it. But then how do you maintain that perimeter out further, when your network expands from on-premise data centers to managed infrastructure in the cloud (IaaS), or when your company starts utilizing enterprise SaaS services on a regular basis? It is difficult to maintain a tight grip on your data when you aren't in charge of the servers it resides on or the network paths it takes. The explosion of cloud infrastructure and SaaS services (driving today's and tomorrow's hypergrowth) hinders a company in maintaining a meaningful perimeter.
Companies are starting to leverage cloud infrastructure due to cost, ease of use, and that it's scalable and can grow with them and their needs. Costs are minimal compared to long-term infrastructure costs of IT staff and in buying, housing, securing and maintaining servers and networking gear. Companies can be in any number of phases of cloud-integration.
- On-premise = Company that has an enterprise network across one or more locations, and maintains their own servers for application and data hosting, hosted on-premise or in a remote data center.
- Cloud-native = Company whose entire business operations are maintained on cloud infrastructure or from using cloud SaaS services.
- Cloud-hybrid = Common combination of the two. Many companies have been on-premise so long - the only choice until IaaS services took off - that they are slow to migrate. Companies have a lot of existing infrastructure, so are likely adopting cloud initiatives to start testing the waters.
- Cloud-first = Hybrid company that has come to a tipping point, where they will choose SaaS and IaaS solutions over building it themselves or maintaining internal infrastructure. They are not interested in buying any more infrastructure beyond that which they already have in place. Companies can go cloud-first at any time, as they are discovering the cost for SaaS services for infrastructure and for biz-op services are less than buying on-premise software plus the costs in maintaining IT staff and system hardware to maintain that software internally.
Now that systems are being moved out to cloud IaaS platforms, and services are being used from SaaS enterprise services, all those network connections passing data back and forth must be protected. Think about all the SaaS/IaaS services now at play in a given company's toolkit: Microsoft 365 (Office, Excel, Outlook), Google Workspace, Box, Dropbox, Slack, Zoom, Workday, Paycom, ServiceNow, Salesforce, Marketo, Zuora, Shopify, Square, Atlassian, Github, AWS, Azure, Google Cloud. As data transmits to and from those SaaS services throughout the work day, the possibility exists for malicious attachments or activity. You need to protect all traffic between the internal trusted network and SaaS services to assure data isn't leaking out and that malicious activity is not coming in. A company has to be sure there are no gaps in their network protection.
When using IaaS infrastructure, the cloud providers are not particularly interested in being the single line of defense, and as such, are none too eager to take the blame. This is formalized as the "shared responsibility model": the provider secures the underlying infrastructure, but everything the customer configures on top of it (servers, firewalls, access rights, storage permissions) is the customer's problem. Capital One was just breached by a former AWS employee, and AWS's position was essentially "it wasn't us, it was a mis-configured WAF" on Capital One's side. The complexity of maintaining security doesn't go away when you adopt IaaS for infrastructure. When the perimeter expands out to the cloud servers, maintaining, securing and monitoring that perimeter just became a lot more complex.
Incoming network connections (to your apps) must be protected! Outgoing network connections (your employees conducting business) must be protected! Intercommunication to and from SaaS services must be protected! ALL TRAFFIC must be protected!
ATTACK!
Companies may try to buy their way out of harm's way, yet can never expect to remain breach-free. There is an ever-increasing level of sophistication and coordination in attacks, so staff have to be up-to-date in their security knowledge in order to know what to expect -- they have to address the known knowns, as Rumsfeld put it, by buying a lot of security hardware and hiring staff, and by patching and monitoring all those systems continuously. Yet a company cannot help but have gaps in knowledge & expertise within their staff and equipment (the known unknowns), plus new attack vectors are emerging daily from unknown angles (the unknown unknowns). Per IndustryWeek, 2018 saw a massive increase in cyberattacks, so 75% of companies are increasing cybersecurity spend.
It is not a matter of IF you get attacked, but HOW, WHEN, WHERE and WHO. There are many ways for a malicious actor to attack a network, and many possible targets of their attack. Using encrypted traffic and VPNs goes a long way towards mitigating many of these, but it is a CONSTANT battle to keep up-to-date with attack vectors and patching of your computer systems and network hardware. And even then, vulnerabilities can still crop up in the very software you rely on for security. For instance, Heartbleed was a major vulnerability discovered in OpenSSL, the SSL/TLS library behind a huge share of the internet's servers; it let an attacker read chunks of an unpatched server's memory (potentially including private keys and passwords) with a single malformed request. IoT devices in your network are another huge risk. It's helpful to have cameras, sensors, and devices hooked up to the network, but each one is another potential breach point with its own set of exploits.
One enormous setback with the conventional network security model is that "every company is its own island", meaning every company only sees its own network logs and breach attempts. There are plenty of ways for IT staff to distribute information about attacks and try to keep up to date on security concerns and best practices (newsgroups, blogs, industry groups) - but companies are NOT going to share their security logs and cannot compare notes with others in real-time. It makes for a lopsided battle, where attacks can be coordinated, but the response never is.
What you can lose?
- Personally Identifiable Information (PII) = Term for any data that could potentially identify a specific individual (name, address, SSN, DOB) or reveal private info about them.
- Protected Health Information (PHI) = PII pertaining to medical data (the term HIPAA uses), such as your charts, diagnoses, or genetic makeup.
- Payment Card Info (PCI) = PII pertaining to financial payment, typically credit card payment details (card number, expiry date, security code). Strictly speaking, PCI is the industry standard (PCI DSS) that governs handling of this "cardholder data", but the acronym gets used for the data itself.
- Company secrets = Not PII, but every company has valuable & proprietary data they want kept internal -- intellectual property, software code, competitive plans, supply chains, etc.
- Data Breach = Incident in which sensitive or confidential data was accessed without authorization, and usually copied out (exfiltrated). Typically involves theft of data with PII, PHI, PCI, or company secrets (like financial data or intellectual property).
- Incident Response (IR) = An organized approach to addressing and managing the aftermath of a security breach or cyberattack, in order to handle the situation in a way that contains the attack and limits damage.
Who is attacking?
There are a wide variety of possible agents and intents behind a hack attempt:
- Nation states or national governments (cyberwarfare)
- Terrorists (cyberterrorism)
- Industrial spies
- Organized crime groups
- Hackers or Hacktivists
- Business competitors
- Disgruntled insiders
There are different types of hackers, based around the intent of the hack:
- Black Hat hacker = An unethical hacker (malicious actor) that wants to violate systems to steal or to cause harm.
- White Hat hacker = An ethical hacker attempting to discover exploits and patch vulnerabilities. Typically has advance authorization to do penetration testing.
- Gray Hat hacker = A mix of the two that lives in the middle. Generally means someone who is breaking laws (hacking w/o authorization or notice to the company) but whose intent is not malicious. Note that the bug bounties many companies now offer for details on how to breach their systems come with explicit authorization and rules of engagement, which puts that (increasingly lucrative) work back on the white hat side of the line.
How are you attacked?
- Attack vector = The path a malicious actor takes into your system, in order to plant malware, steal data, or burrow deeper into your network systems.
- Exploits = Code or techniques that abuse known vulnerabilities in software or hardware systems, and become easy entries into your computer if the vulnerability is left unpatched. Companies are at high risk here and must remain current on their patching of computer and network systems. IoT devices in particular are problematic in that they are more rarely patched (or, worst of all, are not patchable, so vulnerabilities can remain exposed forever!). It is also common to forget to change the default administrative password.
- Zero Day Exploit = An exploit for a vulnerability that the vendor has had "zero days" to fix: it is newly discovered (or newly public) and no patch exists yet. Big trouble, plus copycats may appear when it starts getting media attention. Even more trouble, however, are the vulnerabilities that have NOT been discovered (by the good guys, at least)!
- Shadow IT = Software exposed to internet that IT doesn't know about, or the use of unauthorized cloud apps. Hard to patch things when IT is unaware of it being there.
- Social engineering = Use of deception to fool employees into divulging information or system access that they should not be (aka the human element). Beyond network security, the workforce itself is a security factor, where you need to provide education on being security conscious and aware of the threats (employee could click on malware, or could accidentally provide PII or credentials on the phone to a deceitful caller). And attacks aren't solely from the outside of your network - employees can have malicious intent. Companies have to remain diligent in their security efforts, and can never let their guard down.
- Advanced Persistent Threat (APT) = A prolonged and targeted attack that gains access to your trusted network, and potentially remains undetected for a long period of time. A ghost in the machine (as mentioned in my haiku), that is covering its own tracks. The focus of an APT attack is more about monitoring your network and stealing data than it is causing damage (which is likely to draw notice).
- Distributed attack = A coordinated attack from multiple nodes across one or more compromised networks. This allows malicious actors to flood servers with requests.
- Distributed Denial of Service (DDoS) attack = A coordinated, distributed attack against your web services or servers, in order to disrupt normal traffic -- most likely to overwhelm a service by flooding it with bogus requests.
- Botnet = A collection of connected devices that have been compromised, in order to be under a hacker's control for DDoS or other distributed attacks. IoT devices with poor security have been making this style of attack easier, and more potent. This allows hackers to greatly multiply their attacks as a sort of malicious super-computer. The Mirai botnet, set up by a few college kids, is a well-known one; it spread by simply logging into internet-exposed IoT devices with their factory-default usernames and passwords.
- Brute Force Attack = An attack that attempts to force its way into an account by guessing as many possible combinations of credentials as possible. Think this is hard? A white hat just earned a $30k bounty from Facebook for his incredibly easy method of brute force attacking a 6-digit passcode (a common way to do 2FA to a mobile phone) in the 10 minute time limit that Instagram allows to reset your password. He proved he could hack into ANY Instagram account for ~$150 in cloud resources. (See article at bottom - it's a good read, and frightening when you realize how easy it can be for a determined hacker to get into your accounts.)
- SQL Injection = Attack against a web application that builds its database queries by pasting user input straight into the SQL text, so that crafted input (a quote character followed by SQL of the attacker's choosing) changes what the query does. Could allow for viewing or modifying the database, like injecting new account credentials or dumping existing ones. Typically caused by bad software development practices; the fix is parameterized queries, where input is handed to the database separately from the SQL and never interpreted as part of it.
- Cross Site Scripting (XSS) = Attack against a web application that lets a hacker submit or embed a custom script that is then served to other users of the web site and runs in their browsers, with their logged-in session. Any website with a forum or comments section has to worry about this; the defense is encoding user-supplied content on output instead of trusting it.
- Phishing = A form of social engineering involving widely broadcast emails disguised as legitimate messages (ie a Paypal email that asks you to log in to your account) that attempt to lure you onto a fake website in order to capture your user credentials. [Setting up MFA/2FA on your accounts helps alleviate this threat! One caveat: a one-time code can itself be phished and relayed in real time, so hardware security keys (FIDO2/U2F) are the truly phishing-resistant option. I recommend using Authy from Twilio to track 2FA tokens.]
- Spear Phishing = A highly targeted phishing attack against a specific group or individual, instead of being widely broadcast out. "Whaling" is a spear phishing attack against a high-value target, like a CEO or politician.
- Business Email Compromise (BEC) or Man-in-the-Email attack = Attack gaining access to (or convincingly impersonating) a corporate email account, to pose as a higher-up in order to entice or threaten employees into performing an action - typically to commit fraud by getting staff to pay bogus invoices or wire money.
- Malware (malicious software) = Hidden software planted on your system to capture keystrokes, gather sensitive data or gain access. Common types include viruses (attach themselves to other files or programs and spread when those run), worms (self-replicating across the network on their own), trojan horses (masquerade as legitimate software), spyware, ransomware and fileless malware.
- Spyware = Malware that allows an attacker to spy on the user, such as a keyboard logger (captures what you type) or camera or mic capture.
- Ransomware = Malware that encrypts your files, in order to extort you into paying a ransom to regain access. You can ask several US cities how they feel about that (see NPR article). By May, there were 22 known attacks on US public-sector entities so far in 2019 (see CNN article).
- Fileless malware = Malware that resides entirely in memory (RAM), never writing itself to disk as a file, in order to evade detection; it typically rides on legitimate tools already on the machine (scripting engines, admin utilities), so there is no suspicious executable for antivirus to scan.
- Drive-By-Download = Malware downloaded from a compromised website, where a user inadvertently installs it onto their own system.
- Malvertising = Online ads that lead to malware installation.
- Cryptojacking = Malware to take over your system for its compute power, in order to build a network of systems to mine cryptocurrency on your dime (your hardware and power bill). In mid-2018, 4 of the top 10 malwares were cryptojacking scripts, including #1 and #2.
- Polymorphic malware = A type of malware that constantly changes its identifiable features in order to evade detection. Frequently changes its signature (like having random file names) to evade detection via pattern-matching.
- Wifi spoofing or "evil twin" = Creating a fake wifi network (e.g. "Starbucks-Guest-Wifi") to fool users into connecting to it, in order to eavesdrop on their network traffic. A company demoed it on 60 Minutes back in 2016 (see article).
- Man-in-the-middle attack = Inserting yourself into the network path between two parties so that each believes it is talking directly to the other, while you read or alter everything passing through (including the steps of a login). Websites typically use HTTPS now in order to help thwart this: TLS encrypts the traffic and authenticates the server's identity, so an interloper cannot read it or impersonate the site unless they can present a certificate the browser trusts.
- Replay attack = Eavesdropping on network traffic to capture the steps of entry into a system, in order to replay them later to gain entry. [Enabling MFA/2FA on your accounts is a good deterrent to this, as the second factor is a one-time code that expires within seconds to minutes, so a captured one is useless shortly after. Also helped when websites finally all went HTTPS, so credentials are not being sent in plaintext.]
- Account hijacking = When an attacker uses stolen account credentials (say, by phishing or keyboard logging malware or replay attack) to conduct malicious or unauthorized activity.
- Session hijacking = Compromising your account by using an existing login session token (typically a cookie) taken via a man-in-the-middle attack, XSS, or malware on the device. Nasty because the session was already authenticated, so MFA has already been satisfied and does not help here; the defenses are short session lifetimes, tying sessions to the client that created them, and invalidating them on logout.
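As an added illustration of the SQL Injection entry above (example code written for this page, not taken from any product; the users table, accounts and passwords are constructed), here is the same login lookup written the vulnerable way and the parameterized way, with the classic always-true payload run against both. Real systems store password hashes rather than plaintext; that is left out here because the point is the query construction, not password storage.

```python
"""SQL injection, vulnerable vs. hardened form (added illustration; the table,
users and credentials below are constructed for the example).

Both functions implement the same login lookup. The first builds the query by
string formatting, so the database sees the attacker's input as SQL; the
second uses placeholders, so the values are sent separately and never parsed
as part of the statement."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory sample database with two users (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "correct horse battery", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str):
    """BAD: user input is spliced into the SQL text. Do not copy this."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username: str, password: str):
    """GOOD: '?' placeholders; the driver passes the values out of band."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Run a legitimate login and an injection attempt through both versions."""
    conn = build_db()
    # Closes the username string, adds an always-true clause, and comments out
    # the rest of the statement (in SQLite, '--' starts a comment to end of line).
    payload = "' OR '1'='1' -- "
    return {
        "vulnerable_legit": login_vulnerable(conn, "bob", "hunter2"),
        "vulnerable_attack": login_vulnerable(conn, payload, "anything"),
        "safe_legit": login_safe(conn, "bob", "hunter2"),
        "safe_attack": login_safe(conn, payload, "anything"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:18s} {rows}")
```

Against the vulnerable version the payload turns the WHERE clause into `username = '' OR '1'='1'` and the password check is commented away, so every user (admin included) comes back; against the parameterized version the same string is just a username nobody has, and nothing comes back.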
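And an added illustration of the Brute Force entry above, using the numbers from the Instagram story (a 6-digit code, a 10-minute reset window). The verifier class, its attempt limit and the fixed code used in the tests are constructed for this example and are not Instagram's actual logic; what it shows is that without a cap on guesses per code the attacker is guaranteed to win, and that the cap has to be per code, not per source address, since guesses can be spread over many addresses.

```python
"""Brute-forcing a 6-digit code versus an attempt limit (added illustration,
not from the original post; the verifier is a constructed stand-in for a
password-reset code check)."""
import secrets

CODE_SPACE = 10 ** 6  # "000000" .. "999999"


class OtpVerifier:
    """Checks a 6-digit reset code. max_attempts=None is the weak behaviour
    (unlimited guesses); a small integer is the hardened behaviour, where the
    code is invalidated after that many wrong guesses."""

    def __init__(self, max_attempts=None, code=None):
        self.max_attempts = max_attempts
        self.issue(code)

    def issue(self, code=None):
        # A fixed code can be supplied for tests; otherwise draw one randomly.
        self.code = code if code is not None else f"{secrets.randbelow(CODE_SPACE):06d}"
        self.attempts = 0
        self.locked = False

    def verify(self, guess: str) -> bool:
        if self.locked:
            return False
        self.attempts += 1
        if self.max_attempts is not None and self.attempts > self.max_attempts:
            self.locked = True  # burn the code; the user must request a new one
            return False
        # constant-time compare so timing does not leak how many digits matched
        return secrets.compare_digest(guess, self.code)


def brute_force(verifier: OtpVerifier, budget: int = CODE_SPACE):
    """Walk the code space in order until success, lockout, or budget exhausted.
    Returns (success, guesses_used)."""
    for n in range(budget):
        if verifier.verify(f"{n:06d}"):
            return True, n + 1
        if verifier.locked:
            return False, n + 1
    return False, budget


def required_rate(window_seconds: int, space: int = CODE_SPACE) -> float:
    """Guesses per second needed to cover the whole code space in the window."""
    return space / window_seconds


def success_probability(max_attempts: int, space: int = CODE_SPACE) -> float:
    """Attacker's chance of hitting a random code within max_attempts guesses."""
    return max_attempts / space


if __name__ == "__main__":
    print(f"need {required_rate(600):.0f} guesses/sec to exhaust the space in 10 minutes")
    print("no limit   :", brute_force(OtpVerifier()))
    print("5 attempts :", brute_force(OtpVerifier(max_attempts=5)))
    print(f"P(success | 5 guesses) = {success_probability(5):.6f}")
```

About 1,700 guesses per second is all it takes to exhaust a million codes in ten minutes, which is well within reach of a small fleet of cloud instances; with five attempts per code the attacker's odds drop to five in a million per reset request, which is why the fix is the counter, not a bigger code.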
Why SECaaS?
Whew. There are plenty of ways to get attacked right now - and new attack vectors appear daily. And add to all of this the potential for weakness in any network device's or application's or API's security code, or the lack of password complexity. So you have to trust your IT staff, your network device manufacturers, your developers and the rest of your workforce to maintain a high level of security at all times.
Which means the bottom line is... it is extremely difficult to fully secure your network! With all these difficulties in creating and maintaining your own "do it yourself" security solution with hardware appliances, combined with an unending stream of attack vectors cropping up, it is pretty easy to see why SECaaS services are so appealing.
The Cloud Security Alliance (CSA) is an industry coalition that is trying to define cybersecurity norms. They have a primer from 2017 on the pros and cons of SECaaS. I don't agree with it completely - in particular they list regulatory concerns as a con, but now the providers are paying attention and helping companies with their adherence by building compliance into their systems. It is way easier to assure compliance when the service is doing it for you.
With that list as a starting point, I think the Pros and Cons, from a CUSTOMER perspective [and INVESTOR perspective in brackets] boil down to:
Pros
- Added insulation - SECaaS can stop attacks before they hit your systems, if they are acting as a gateway or proxy.
- Cloud-based solutions can scale faster and cost less - IT staff & security infrastructure are expensive. THESE SERVICES PAY FOR THEMSELVES in reduced IT staff and having to buy & maintain hardware! [Huge plus for investors. It's hard to quantify how much security should cost since it is preventative, but when you don't need as much IT staff and hardware, that makes a huge difference in reducing overall expenses. Companies are flocking to SECaaS because it reduces cost AND reduces risk.]
- Outsource to experts - It is hard to find ideal staff and, even more difficult, to have them maintain current skills and relevant expertise. And those experts are using ML/AI, which leads to...
- Shared security strategies & research - SECaaS aren't hindered by the fact that "every company network is an island", as they can pool the logs from all of their clients. This allows for them to better detect and isolate threats that are appearing, and identify attacks that are happening across multiple clients simultaneously. And better yet, they can then apply ML/AI over that shared pool of data to learn from all their clients at once. This is a massive advantage over conventional network security. [Take note! This is what is driving disruption over traditional providers, and they have definitely started catching on. McAfee and Symantec are not sitting still... yet continue to get outpaced.]
- Flexible - Monthly or annual charge, and can typically add on add'l features as needed. [It is a good idea to invest in companies that are making platforms and ecosystems around doing ONE THING WELL and branching off from there, providing their customers additional modules they can expand into. This means customer growth AND $NER growth.]
- Regulatory adherence - Makes it easier to maintain regulations around GDPR, HIPAA and others. SECaaS can build those features directly into their system so you are assured to be in adherence.
Cons
- Lack of visibility - No idea how truly strong the security is, as you have to trust the service. Perhaps they aren't the experts you thought you were hiring. Any goodwill can go away with a well-publicized breach! [Higher investment risk. But a 30% haircut doesn't hurt as much when you rode the stock up 200-300% already. IMHO, lots of customer and $NER growth is a good sign that it is solving security issues for companies and proving that it is adept at doing so.]
- Potential for data leakage - If one customer can see another's data, that is a huge no-no in SaaS. [If a company has a publicized issue here, it will be a stampede to sell. This is a company killer. A company already at the hypergrowth stage, however, has already proven it has its house in order (codebase is solid), so I don't mull over this one.]
- Difficult to change - Can have vendor lock-in. [A huge plus to us investors! Especially when you circle back to the platform that SECaaS companies are providing -- each module you engage means another tendril of stickiness has locked in.]
- Difficult to migrate into - Companies can have difficulties in changing their network security over to a new service. Luckily, most SaaS companies have a support side that helps with onboarding new customers. [From an investor standpoint, you see this in a separate segment called Support or Professional Services. That segment's growth can be variable, and it typically has very low margins compared to the SaaS side -- but it is likely a REQUIRED part of the company to get new customers more easily integrated into SaaS services. You can adjust for this by tracking growth rates and margins of the Subscription/SaaS side separately from the total, to remove the drag of the Services side. Even better are SECaaS solutions that are so simple to install and run, no service side is needed!]
- Never ending - You can never stop protecting your equipment. The potential for breach will always remain! But let's be fair, the costs never stop regardless of whether it's SaaS or traditional hardware. [This is also a huge plus for us investors. Combine that with the fact that customers are likely saving money on IT staff they would otherwise need to hire, and these services are EXTREMELY STICKY.]
Flavors of Security
There are many types of security concerns and attack vectors, so of course there are many types of on-premise and cloud solutions, and any hybrid between the two. The CSA defined multiple categories of security way back in 2011 (the olden days, technologically). I used that as a starting point, but expanded it greatly with today's realities, gathering a lot of new categories from CSA, OWASP and Gartner. These categories can overlap, or may have evolved from one another. Devices and SaaS services may integrate features covering several of these categories. Many integrate with other SaaS tools (via orchestration, or SaaS-to-SaaS integrations) to cover other areas.
There is a general maxim in cybersecurity of "defense in depth" -- which means overlaying multiple security efforts and having redundancy. So companies will engage many of these services simultaneously. [Warning: there are a lot of acronyms ahead; the tech industry loves its acronyms. I hope this list can be a "cheat sheet" to help you decipher the tech-jargon-heavy marketing as you research and follow companies in this industry.]
Identity Tracking
Services for tracking users and their access rights. SECaaS varieties are typically called IDaaS (Identity-as-a-service).
- Identity and Access Mgmt (IAM) = Tracking & verifying who your users are (workforce and/or customers) and managing their access and policies around it. These days it typically includes Federated Identity Mgmt (FIM), which enables Single Sign On (SSO). [Revisit "Security Basics" in my Okta Deep Dive post if you need a refresher on tech terms around identity.]
- Identity Governance and Admin (IGA) = New category split off from IAM by Gartner. The "admin" of managing identity helps control identity lifecycle, manage passwords, and automate provisioning capabilities. For governance, it involves policy enforcement, role mgmt and segregation of duties, for risk reduction in workflows.
- Privileged Access Mgmt (PAM) = Centralized tracking for sysadmin credentials and system access. Monitors and logs all privileged admin access to systems.
Monitoring & Detection
Services for monitoring systems, or detecting abnormal or threatening behaviors on your network.
- Intrusion Detection System (IDS) = Monitors and analyzes network behavior patterns to detect unusual events or intrusion attempts, and help prevent vulnerability exploits. Passive system to scan network traffic, compared to Intrusion Prevention (IPS).
- Data Loss (or Leak) Prevention (DLP) = Monitor, protect and verify security of data at rest, in motion and in use. Makes sure end users don't send private info outside the trusted network. Helps maintain compliance and mitigate insider threats.
- Security Assessment (or Vulnerability Scanning) = Services that perform scans and audits of infrastructure or applications for vulnerabilities.
- Continuous Monitoring = Automates security monitoring across various sources of security info (mostly device logs). Provides real-time visibility into a company's security posture, providing threat monitoring and performing vulnerability assessments.
- Deep Packet Inspection (DPI) = An advanced packet filtering process for inspecting and monitoring network traffic for malware or other unwanted instructions or behavior. Looks deeper at traffic packets than traditional firewalls. Ineffective against encrypted traffic.
- SSL Inspection = More advanced DPI for intercepting encrypted network traffic (such as HTTPS) via a proxy acting as a man-in-the-middle between the requester and destination, maintaining encryption separately to both ends (which requires the endpoints to trust the proxy's certificate authority). It can decrypt and monitor encrypted traffic for malware or other unwanted intrusions.
- Network Traffic Analysis (NTA) = Utilizes ML algorithms and rule-based detection over raw network traffic and flow data, in order to isolate suspicious activities on an enterprise network. Alerts on abnormal traffic patterns.
- User and Entity Behavior Analytics (UEBA) = Utilizes ML algorithms to track normal behavior of users, in order to detect anomalous behaviors or deviations. Focuses on user behavior (as opposed to network traffic), to help mitigate insider threats, compromised accounts, brute-force attacks, intrusions and APT threats.
- Endpoint Detection & Response (EDR) = Continuous monitoring of endpoint usage to analyze, investigate and respond to advanced threats and broader attacks across many endpoints. Likely integrated with Endpoint Protection (EPP) features. Likely utilizes NTA and UEBA ML/AI algorithms.
- Security Information & Event Management (SIEM) = A forensics-type system for tracking and correlating disparate events from network, system and device logs to generate real-time monitoring & alerts. May include IDS/IPS, NTA, UEBA and SOAR features, or integrate with those services. [Can be called SIEM or SEIM, I am guilty of flipping the I and E many times, even in the same post. Regardless, it is pronounced "sim".]
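As an added example (not code from the original post, and not any vendor's product), here is the kind of correlation rule a SIEM or UEBA engine runs over authentication logs: it groups failed logins by source IP and raises an alert when a burst of failures within a time window is followed by a successful login from the same source, the classic brute-force-then-success pattern. The log lines, hostnames, IP addresses, threshold and window are all constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): 10.0.0.7 fails repeatedly against
# two accounts and then logs in; 192.168.5.9 is an ordinary user with one typo.
SAMPLE_LOG = """\
2019-10-14T09:00:01Z host1 sshd: Failed password for alice from 10.0.0.7 port 51122
2019-10-14T09:00:04Z host1 sshd: Failed password for alice from 10.0.0.7 port 51123
2019-10-14T09:00:09Z host1 sshd: Failed password for bob from 10.0.0.7 port 51124
2019-10-14T09:00:15Z host1 sshd: Failed password for bob from 10.0.0.7 port 51125
2019-10-14T09:00:21Z host1 sshd: Failed password for bob from 10.0.0.7 port 51126
2019-10-14T09:00:30Z host1 sshd: Accepted password for bob from 10.0.0.7 port 51127
2019-10-14T09:01:02Z host2 sshd: Failed password for carol from 192.168.5.9 port 40001
2019-10-14T09:03:40Z host2 sshd: Accepted password for carol from 192.168.5.9 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+$"
)


def parse(lines):
    """Turn raw log lines into event dicts with a real datetime timestamp."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a production SIEM would count unparsed lines rather than drop them silently
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def correlate(lines, threshold=3, window=timedelta(minutes=5)):
    """Alert when one source IP accumulates `threshold` failed logins inside
    `window` and then gets an Accepted login. Returns a list of alert dicts."""
    failures = defaultdict(list)  # ip -> [(timestamp, username), ...] of recent failures
    alerts = []
    for ev in sorted(parse(lines), key=lambda e: e["ts"]):
        # Keep only failures still inside the sliding window for this source.
        recent = [(t, u) for t, u in failures[ev["ip"]] if ev["ts"] - t <= window]
        if ev["result"] == "Failed":
            recent.append((ev["ts"], ev["user"]))
        elif len(recent) >= threshold:
            alerts.append({
                "ip": ev["ip"],
                "host": ev["host"],
                "user": ev["user"],
                "failures_before_success": len(recent),
                "targeted_accounts": sorted({u for _, u in recent}),
                "at": ev["ts"].isoformat(),
            })
            recent = []  # reset so the same burst is not reported twice
        failures[ev["ip"]] = recent
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

Note that the rule is written per source IP, not per username: an attacker spraying one password across many accounts (alice, then bob) would evade a per-account lockout but still trips this correlation, which is exactly why pooling events from different fields and hosts in one place matters.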
Protection
Systems for protecting your network by taking an action.
- Intrusion Prevention System (IPS) = Monitors and analyzes network behavior patterns to detect unusual events, in order to prevent intrusion attempts. Similar to Intrusion Detection (IDS) but with add'l alerting & response features.
- Web Application Firewalls (WAF) = Redirects incoming web requests to a service that analyzes and filters traffic before passing it through to the web server. Helps prevent web-based attacks like DDoS, SQL injection, and XSS.
- Next-gen Firewall (NGFW) = Combining of a traditional firewall with other features for smarter packet inspection, typically with features like DPI, IPS, SSL inspection, and WAF.
- Firewall-as-a-Service (FWaaS) = Cloud-based NGFW service.
- API Gateway = System utilized to manage service API endpoints and set policy for access. Serves as a proxy and firewall over APIs or microservices -- being more focused specifically on those than a WAF.
- Secure Web Gateways (SWG) or Web Security Gateways (WSG) = Real-time protection of outgoing web requests. Can include employee compliance checking, policy enforcement, and malware detection.
- Email Security = Inbound & outbound email protection, access control and spam filtering. Helps mitigate email attacks like phishing, or attached viruses & malware.
- Sandbox = Quarantined process to test files in a managed space (such as an isolated ephemeral VM). Isolates and tests new files for malware and zero-day exploits (the unknowns) away from production servers.
- Network Access Controller (NAC) = Service that allows implementing policies to control access to infrastructure from endpoints. This has gotten more popular as the number of endpoints has exploded from BYOD (bring your own device) policies and IoT.
- Next-Gen Anti-Virus (NGAV) = Behavior-based tools to help discover and isolate malware and viruses. Unlike traditional AV, which is signature-based, it tries to determine intent in order to identify malicious behavior.
- Endpoint Protection Platform (EPP) = Service deployed on all endpoints for the monitoring and detection of malicious activity. EPP is about protecting the device itself, not the traffic to and from it. That includes NGAV, to help prevent malware and virus attacks, and may include device mgmt and endpoint detection (EDR) capabilities. Remember, endpoint includes any system on a company's network -- each and every server, storage device, workstation, desktop, printer, laptop, mobile device, IoT device, camera, POS systems, etc.
- Advanced Endpoint Protection (AEP) or Advanced Threat Protection (ATP) = Combination of EPP, EDR, and DLP capabilities under a fancier name.
- Cloud Access and Security Brokers (CASB) = Platform to monitor and provide security policy enforcement points between a company and cloud-hosted services, extending security to outside of your firewall. Most commonly used to manage the SaaS services a company utilizes, and block usage of unsanctioned ones. Services could include DLP, SSO, WAF, SWG, threat detection, predictive analytics, and incident response.
- Unified Threat Mgmt (UTM) = The complete package in one hardware appliance, as a souped up next-gen firewall which provides many security features in one. Much simpler for companies to manage instead of piecing together a solution from the desired flavors above, but, as a large downside, provides a potential single point of failure. Made obsolete by cloud-forward solutions like FWaaS.
- Managed Security Services Provider (MSSP) = Outsourced service that uses log aggregation to discover threats and provide response. Customers ship logs to an automated IDS service that provides user alerts via portal.
- Managed Detection and Response Services (MDR) = Outsourced service that uses continuous monitoring to discover threats and provide response. Provides deeper inspection than MSSP, that typically involves human monitoring as well as ML/AI over IDS and EDR (network and endpoint behavior tracking), plus DF/IR services.
Response
Systems to automate response handling or help react to an incident.
- Security Orchestration and Automated Response (SOAR) = Service to collect data and automatically respond to low-level security events w/o intervention. Typically interfaces with other security services like IDS/IPS and EPP, to help automate workflows and incident response handling.
- Distributed Denial of Service (DDoS) Mitigation = Tools to help protect against DDoS attacks. Identifies normal conditions & patterns of network traffic for threat detection, alerting, and traffic filtering.
- Breach Containment = Tools to help analyze and contain breaches, and help isolate attackers. Includes systems for hacker deception (decoys) and capture via baited traps (honeypots).
- Digital Forensics and Incident Response (DF/IR) = Advisory services that help clients deal with a security breach, investigating a security incident to determine scope and time-line of breach, and provide response.
- Internet Security Awareness Training (ISAT) = Training services for your workforce to be educated on cybersecurity, and for admins to learn how to identify threats and utilize security layers.
- Business Continuity and Disaster Recovery (BCDR) = Services that back up data instead of relying on local systems. Helps provide operational resiliency in the event of service disruptions. Somewhat ancillary to cybersecurity but vital nonetheless.
A New Dawn
Network appliances ultimately became very commoditized over the past few decades of dominance from large players like Cisco and Juniper. An appliance is simply a piece of networking hardware with proprietary software controlling it. However, a new trend has started of doing away with purpose-specific appliances, and instead running these various pieces of your networking as software on a VM stack. This move from appliances to software has really opened up what is possible with networking, as it allows companies to modularize and scale their networking needs easily instead of being locked into proprietary hardware-based solutions. Combine that with a move towards SECaaS for expertise and offloading it from being your IT dept's responsibility, and the entire networking industry is beginning to see a sea change.
Software/Virtualization
- Software Defined Networking (SDN) = Software-based networking controllers to replace device appliances. They allow network flows to be controlled programmatically, which allows for more flexibility and customization than hardware would typically allow. Splits the controller (control plane, aka the brains) from the data (data plane, aka traffic flows) for maximum flexibility, as you can adjust or scale up one or the other as needed.
- Software Defined WAN (SD-WAN) = Software-based WAN controllers, which provide more flexibility and customization than hardware WAN devices. Can typically mix and match various connection types and topology layouts as needed.
- Network Virtualization = Just as infrastructure servers are getting virtualized [see VMWare and Nutanix], so too is network equipment. Instead of using dedicated, specific-to-purpose networking appliances, companies can utilize VM servers and run network devices as software virtually. Any networking component can be easily scaled as needed, and combining this trend with SDN (splitting control and data planes) gives a huge amount of flexibility in controlling the network's security and data flows, allowing for more adaptive responses.
- Virtual Network Functions (VNFs) or Network Virtual Functions (NVFs) = Specific VMs in your network virtualization stack that take the place of a particular network device: a firewall, proxy, gateway, load balancer, storage node, or telecommunication hookup. [Industry can't decide which way to call it, apparently.]
- Network Orchestration = Automation of SDN networking devices, by using intercommunication via APIs to cross-coordinate between themselves. This allows networks to scale and adjust themselves based on policy settings, without manual intervention.
- Management and Network Orchestration (MANO) = Architectural framework to run and manage VNFs and to control cross-coordination policies between them.
- Software Defined Access (SD-Access) = SDN at the edge of the perimeter, using identity mgmt and policy-driven rules to control access into the trusted network. Replaces edge firewall/gateway hardware appliances with orchestrated VNFs.
- Intent-Based Networking (IBN) = Network strategy using ML/AI and MANO to automate VNFs and appliances, in order to make "smart" rule policies that are intent-based rather than device-based (yay/nay) rules. Cisco has been a big proponent, as it is attempting to keep network appliances relevant.
Zero Trust
The rise of software-based networking has brought us new possibilities. Maintaining a trusted zone within a network perimeter always had a large downside -- once a threat gets inside the perimeter, it can typically move laterally from the breach point into any other systems within the trusted network, and companies typically have few resources to track intruders down and contain them. [Back to the house analogy - once inside, an intruder can go room to room easily.] This is magnified even more for WAN setups, where a breach in one office has the potential of exposing the trusted zone of the entire WAN network. In recent years, a new paradigm has arisen that throws out the trusted perimeter, given its complexity to set up, the need to continuously maintain it, and the massive downside of having everything in the trusted zone exposed in a breach.
- Micro-segmentation = Creating smaller secure zones in infrastructure, instead of relying on a trusted network or other network segmentation like DMZs. Security becomes more granular and local to each service (per-application), instead of being centralized within perimeter firewalls. However, it adds complexity: as security becomes more fragmented, you need better tools to manage it. Instead of using traditional networking devices, SDN and VNFs are helping power this new method of security. They help enforce security policies to control what should and should not be allowed to transfer among various points on the network.
- Software-Defined Perimeter (SDP) or Black Cloud = Security framework designed to dynamically create direct micro-segmented network connections between the user and the services they can access, once identity is established (trust). Users are never put on the trusted network - it instead creates an ephemeral point-to-point access tunnel from the requester to the services they are allowed to access as determined by policy rules. This prevents lateral movement within the enterprise network, and leaves non-trusted users unable to see any of the internal services available. Also known as "Black Cloud" due to this obscuring of the services within it. CSA states that SDP can stop a variety of network attacks, including DDoS, Exploits, Man-in-the-Middle, and Advanced Persistent Threats.
- Zero Trust Network Access (ZTNA) = Access system based on using software-defined perimeters to create secure network connectivity between entities, but with no implicit trust (regardless of whether they are inside or outside of any perimeter) until an identity is established. Within trusted perimeters, the default access level was "allow", but under Zero Trust, it is now "deny". Zero Trust = Always Verify, as all users must be verified on every system accessed, at all times. And when establishing identity, it can adaptively factor in other attributes and context (time of access, geo-location, and device used) while determining trust. Gartner calls this "Client-Initiated ZTNA" as it requires a client agent to be installed on the endpoint device. Zscaler is adopting this variety.
- Identity Aware Proxy (IAP) = A flavor of Zero Trust that utilizes a cloud service that verifies identity, and, once trust is established, acts as a proxy to the services that user can access. This adds centralized identity checking (IAM) to a Zero Trust stack instead of it being handled per-service, and as such can be used to more easily "SaaS-ify" legacy on-premise services without having to modify them for Zero Trust. It does not use SDP micro-segments, however; instead it serves as a centralized cloud proxy. Gartner calls this "Service-Initiated ZTNA", as no client agent is needed, but as a downside, it only works with HTTP-based web applications. Google ("BeyondCorp") and Akamai are adopting this variety, as is Okta.
- Zero Trust Privilege = A flavor of Zero Trust for managing and securing Privileged Access (PAM). Instead of securing applications, it controls access to server infrastructure via a Zero Trust method.
Added Complexity
The key to enabling Zero Trust is micro-segmentation handled via SDNs/VNFs, in order to maintain a software-defined perimeter instead of a traditional, network appliance driven one. Each service must maintain its own security, which, unlike castle-and-moat, prevents the entire trusted zone from being compromised. This makes it inherently more secure, as any breach will typically be constrained to only that system, not the others, as no lateral movement within the network is possible. However, going Zero Trust requires a huge mentality shift by IT staff maintaining these enterprise networks.
- Zero Trust is designing the security from the "inside out" instead of the "outside in". You must map out and understand all valid paths a user can take to every server resource. You need to track what systems or users have to talk to what servers or services. For example, what exact systems need to be able to talk directly to your database server, and over what network paths?
- You must adopt the "principle of least privilege" across your systems. Default access is "deny" under Zero Trust, as opposed to "allow" in traditional trusted networks. Every request to a service must prove identity. You must utilize a role-based access (RBAC) system to limit who can access each system, always keeping users at the lowest level needed.
- Since security is per-system, every system must verify users & monitor its traffic at all times. Tying Zero Trust services into a common identity tracking system is a must. Every resource should be keeping its own logs, which need to be continuously analyzed. Monitoring and analysis becomes more complex, as expected, since security must be tracked so granularly.
- This massively changes the traditional layout. Zero Trust means NO PERIMETER, and hence, no EDGE gateways needed. Your server resources no longer need to be centralized, and can be scattered across any environment. What was edge compute becomes just another server or service. Every server becomes just another endpoint - so your network essentially becomes endpoint-to-endpoint. This layout dovetails nicely with using external SaaS services and cloud infrastructure, as those are just more endpoints. User devices will now talk directly to biz op services and database systems, regardless of where those live. Endpoint security becomes critical, and it must be layered directly with network security.
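To make the "default deny", least-privilege and map-every-path points above (and the micro-segmentation entry in the Zero Trust list) concrete, here is a toy Zero Trust policy engine. It is an added example, not code from this post or from any vendor named in it. The roles, service names, port numbers and the segment allow-list are constructed assumptions; what it demonstrates is that a request is refused unless it carries a verified identity and a managed device, that a role grants only the exact (service, action) pairs it lists, that service-to-service flows not explicitly mapped are refused (so a user device can never reach the database directly), and that every decision is logged.

```python
from dataclasses import dataclass

# Role -> (service, action) pairs the role may perform. Least privilege means a role
# lists only what it needs; anything not listed is denied. Constructed example policy.
ROLE_PERMISSIONS = {
    "hr-analyst": {("payroll-app", "read")},
    "payroll-admin": {("payroll-app", "read"), ("payroll-app", "write")},
    "dba": {("payroll-db", "admin")},
}

# Micro-segmentation allow-list: which workload may open which port on which other
# workload. This is the "map every valid path" exercise from the text. Note that the
# database accepts connections only from the payroll app, never from user devices.
ALLOWED_FLOWS = {
    ("payroll-app", "payroll-db", 5432),
    ("payroll-app", "identity-service", 443),
}


@dataclass
class Principal:
    user: str
    roles: set
    token_valid: bool      # identity verified on THIS request, not inherited from the network
    device_managed: bool   # device posture is part of trust, not just who the user is


@dataclass
class Decision:
    allowed: bool
    reason: str


AUDIT_LOG = []  # every decision, allow or deny, is recorded for later analysis


def authorize_user_request(p: Principal, service: str, action: str) -> Decision:
    """Default deny: each check must pass before an allow is returned."""
    if not p.token_valid:
        d = Decision(False, "identity not verified")
    elif not p.device_managed:
        d = Decision(False, "unmanaged device")
    elif not any((service, action) in ROLE_PERMISSIONS.get(r, set()) for r in p.roles):
        d = Decision(False, f"no role grants {action} on {service}")
    else:
        d = Decision(True, "allowed by role policy")
    AUDIT_LOG.append(("user", p.user, service, action, d.allowed, d.reason))
    return d


def authorize_service_flow(src: str, dst: str, port: int) -> Decision:
    """Per-segment allow-list: an unlisted flow is denied, which is what blocks
    lateral movement from a compromised host toward other services."""
    ok = (src, dst, port) in ALLOWED_FLOWS
    d = Decision(ok, "flow in segment policy" if ok else "flow not in segment policy")
    AUDIT_LOG.append(("flow", src, dst, port, d.allowed, d.reason))
    return d


if __name__ == "__main__":
    analyst = Principal("alice", {"hr-analyst"}, token_valid=True, device_managed=True)
    print(authorize_user_request(analyst, "payroll-app", "read"))    # allowed
    print(authorize_user_request(analyst, "payroll-app", "write"))   # denied: role lacks write
    print(authorize_service_flow("alice-laptop", "payroll-db", 5432))  # denied: not a mapped path
    print(authorize_service_flow("payroll-app", "payroll-db", 5432))   # allowed
    print(len(AUDIT_LOG), "decisions logged")
```

The two functions are deliberately separate: the first is the identity-centric check a ZTNA broker or IAP performs in front of an application, the second is the segment policy an SDN/VNF layer enforces between workloads. Both default to deny, so adding a new service means writing its paths down explicitly, which is the mentality shift the text describes.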
Combine the benefits of SECaaS services with the endpoint-focused strategy of Zero Trust, and it seems to be a new dawn for cybersecurity. You can now hire the experts in security (SECaaS), instead of having to build and maintain it yourself, while doing away with trusted perimeters by securing everything individually (Zero Trust). The SECaaS services can be the ones figuring out the complex security concerns PLUS helping mitigate the complexity of managing, monitoring and analyzing all those scattered systems.
Zero Trust is making huge gains in popularity in today's world where fractured networking is the norm (cloud and hybrid infrastructure, and an increasingly mobile workforce). However, companies may be hesitant to adopt it due to the fact they have already sunk so much money into building out their perimeter protection. The inherent complexity of managing the more-granular security and micro-segmentation means "do it yourself" Zero Trust is out of the question for most companies. They have to find a SECaaS service that does it for them that can be easily integrated into their architecture.
For cloud-first or cloud-native companies, adopting Zero Trust is a much easier choice. Those companies with a lot of existing traditional networking infrastructure around securing a perimeter likely want to move slowly. The SECaaS must help them adopt these new strategies while safely migrating their existing infrastructure towards a Zero Trust driven one. It would have to be done carefully, in tandem with and ancillary to their existing security layout... then would likely roll out further in baby-steps from there (land-and-expand). Ultimately, Zero Trust is a SIMPLER arrangement, but when used in hybrid scenarios as companies start to adopt it, coupled with the mentality changes I mentioned above, it seems more complex out of the box and requires some effort to start adopting. So while Zero Trust is a disruptor to the castle-and-moat and hub-and-spoke paradigms, given the prevalence of those traditional security setups, it has barriers to adoption. Companies aren't prepared to throw it all out and start anew. Cloud use & mobile employees, which by definition live outside a company's perimeter (and so are fracturing that perimeter), are the likely primary drivers of the move toward Zero Trust, rather than IT execs being forward-thinking enough to realize its potential in better securing their systems.
The easy sell is that ZTNA replaces VPNs & DMZs, if not the entire network perimeter. It is also a more customizable and secure way to expose your apps & services than what WAFs (for public-facing web sites) and API Gateways (for exposed APIs) are built for. There are some specific use cases that Gartner highlighted where companies might start adopting ZTNA alongside their existing trusted network:
- Opening apps/services up to a collaborative partner ecosystem.
- Normalizing the app experience, regardless of whether the user is on or off the trusted network.
- Assuring end-to-end encryption, if you don't trust an intermediary or cloud provider.
- Providing app-specific access to remote and mobile employees and partners (replacing a VPN).
- Extending access to an acquired company (M&A).
- Isolating high-value apps, to reduce insider threats.
- Allowing users to access enterprise apps from personal devices (BYOD).
- Creating secure enclaves of IoT devices.
- Cloaking systems on hostile or unknown networks.
- Enabling SaaS apps to safely connect back into your on-premise or cloud apps.
One way or another, it's coming. Gartner estimates that by 2022, 80% of new business services opened up to ecosystem partners will be accessed through Zero Trust, and by 2023, 60% of enterprises will phase out their VPN in favor of Zero Trust, and 40% will use it on other use cases.
A Proactive Mindset
One maxim in security is that you can never have enough. Companies will always layer security efforts, by having services sit over each other (like layers of an onion) in hopes of covering all the bases. So every company needs all these services:
- A component to manage user identities and be utilized to establish trust (IAM, IGA, PAM).
- A component to manage and protect the endpoint devices (EPP/NGAV, EDR).
- A component to secure incoming traffic (ZTNA, IAP, WAF, API Gateway) to a company's services.
- A component to secure outgoing traffic from endpoints and communications with SaaS providers (SWG, CASB, DLP).
- A component to watch and monitor everything (SIEM) and orchestrate the user/policy changes (SOAR).
- And finally, a component to apply ML/AI over it all to analyze the entire stack - network, devices, & users - and to adapt the security rules & responses as necessary (SIEM, NTA, UEBA, EDR, MDR, SOAR).
Beyond Zero Trust, Gartner ultimately recommends a Continuous Adaptive Risk and Trust Assessment (CARTA) mindset, which uses the layers just mentioned, but recognizes that security decisions and responses must continuously adapt to new threats. ML and AI must be used to help find threats by looking at traffic patterns as well as user & network behaviors, in order to adapt security rules as conditions change. To achieve this, they state several security layers must be present:
- Identity mgmt system
- Zero Trust networking (incoming traffic)
- Endpoint protection (device and traffic)
- Continual monitoring with ML/AI
In a nutshell, CARTA is about transforming those traditional yay/nay rules-based policies (firewalls) into adaptive ones through the use of Zero Trust and ML/AI, and, in doing so, turning reactive security methods into proactive ones. A big part of becoming proactive is to factor in context and behavior of users and their network traffic.
- Indicators of Compromise (IOCs) = Reactive approach that tries to detect the unique characteristics of a breach. Examples: detecting malware, exploits, or attack signatures.
- Indicators of Attack (IOAs) = Proactive approach focusing on detecting the intent of what an attacker is trying to accomplish, by looking at user behavior and network traffic. Determines the series of actions an adversary would take. Examples: detecting code execution, persistence, stealth, or lateral movement within the network.
For example, picture a system that can factor in contextual awareness of the user's request, like geo-location and the device the request is coming from. In evaluating whether to trust a new incoming request, is that employee really going to be accessing this service on a new device from Hong Kong when she accessed it an hour ago from her usual device in NYC, even if her credentials match? It could adapt its rules in that case, and instead ask for further authentication factors (MFA) before trust is established. Given the vast number of unknown vectors, using ML/AI over an adaptive CARTA strategy appears to be a much better approach than the traditional reactive "fingers crossed" methods. Security components will still have a reactive side (analyzing logs), but they can now react better and adapt in real time.
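The Hong Kong vs. NYC scenario above, written out as an added example (not the post's own code nor any product's): a context-aware decision that scores a new login against the user's previous one using the device, the travel speed implied by the two locations, and the time of day, and answers allow, step_up_mfa or deny. The coordinates, the 900 km/h plausibility limit, the business-hours window and the score weights are constructed assumptions for the illustration; a real CARTA-style engine would learn the per-user baseline instead of hard-coding it.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timezone

MAX_PLAUSIBLE_KMH = 900.0           # roughly airliner speed; faster implies credentials used from two places
BUSINESS_HOURS_UTC = range(8, 18)   # constructed assumption: the user's normal working window
# Constructed sample coordinates (approximate city centres).
NYC = (40.7128, -74.0060)
HONG_KONG = (22.3193, 114.1694)


@dataclass
class LoginContext:
    user: str
    when: datetime      # timezone-aware UTC timestamp
    lat: float
    lon: float
    device_id: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def risk_score(previous: LoginContext, current: LoginContext):
    """Score the current login against the previous one; each contextual signal
    adds weight. Returns (score, reasons) so the decision is explainable."""
    score, reasons = 0, []
    if current.device_id != previous.device_id:
        score += 30
        reasons.append("new device")
    hours = (current.when - previous.when).total_seconds() / 3600.0
    dist = haversine_km(previous.lat, previous.lon, current.lat, current.lon)
    # Guard the zero/negative elapsed-time case so we never divide by zero:
    # two far-apart logins at the same instant are treated as impossible travel.
    if (hours <= 0 and dist > 50) or (hours > 0 and dist / hours > MAX_PLAUSIBLE_KMH):
        score += 40
        reasons.append("impossible travel")
    if current.when.hour not in BUSINESS_HOURS_UTC:
        score += 30
        reasons.append("outside business hours")
    return score, reasons


def decide(previous: LoginContext, current: LoginContext, credentials_valid: bool):
    """Adaptive decision: valid credentials alone are not enough; context decides
    whether to allow, demand another factor, or refuse outright."""
    if not credentials_valid:
        return "deny", ["bad credentials"]
    score, reasons = risk_score(previous, current)
    if score == 0:
        return "allow", reasons
    if score >= 100:
        return "deny", reasons
    return "step_up_mfa", reasons


if __name__ == "__main__":
    t0 = datetime(2019, 10, 14, 14, 0, tzinfo=timezone.utc)
    t1 = datetime(2019, 10, 14, 15, 0, tzinfo=timezone.utc)
    prev = LoginContext("jane", t0, *NYC, "laptop-1")
    print(decide(prev, LoginContext("jane", t1, *NYC, "laptop-1"), True))       # allow
    print(decide(prev, LoginContext("jane", t1, *HONG_KONG, "phone-9"), True))  # step_up_mfa
```

The deny path is reserved for the case where every signal fires at once, because a context engine that refuses too eagerly trains users to expect friction and trains helpdesks to override it; stepping up to MFA keeps the legitimate traveller working while still stopping a replayed credential.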
Companies are finding a better overall shell of security when combining and layering the factors above, and continually analyzing them all. Continual analysis allows for continual adaptation of your security posture, in response to new information and threats. Gartner predicts that by 2020, 25% of new digital business initiatives will adopt a CARTA approach, up from fewer than 5% in 2017. That seems a touch slow to me. Outside of those stats, I believe many companies are already unknowingly moving this direction by using SECaaS services that are adopting ML/AI over their entire customer base's logs and are using more contextual awareness in adaptive rule decisions. Since the SECaaS services are already moving this direction, that means companies are naturally heading towards CARTA, whether they know the acronym or not. ML/AI is a major focus, and is only going to continue to expand from here -- which is why every company in this space has ML/AI in big bold letters in their marketing. [And expect ML/AI use to increase on both sides; attacks to start getting smarter too!]
This new wave of security is leaving the former networking behemoths behind, since the next generation of SECaaS services are cropping up to solve these needs for enterprises that are more powerful and secure than any appliance-based system protecting an island (an individual company's network) could be. Zero Trust and CARTA are disrupting the traditional methods, so I personally find them to be the pillars required to invest in this space, and... what do you know... I happen to have investments covering all 4 factors above.
Putting it all together
After I wrote all the above, Gartner released another research paper to define a new recommended path forward for overall enterprise networking & its security, that basically agrees with and combines all the above. [I learned about it from the last Zscaler earnings call that I finally listened to last week, where the CEO was touting this paper heavily.]
In today's reality, with so many external users needing to get into a company's systems (remote workers, contractors, partners, customers, internally connected SaaS... and 5G and IoT are only going to complicate it further), identity checking and access control should not be centralized and funneled into a company's data center. A network must remain agile, and not be locked into an inflexible security posture.
- Secure Access Service Edge (SASE) = Combination of software-defined network capabilities (eg SD-WAN, SD-Access), with comprehensive network security at its edge for incoming and outgoing traffic (eg SWG, CASB, FWaaS and ZTNA), utilizing CARTA methods (eg NTA, UEBA) to learn and adapt.
SASE [pronounced "sassy"] combines:
- Software-defined networking, to network your enterprise and IaaS and end users together.
- At its edge must be a complete cloud-based, identity-centric Zero Trust and CARTA solution to secure all endpoint traffic.
These two sides must go hand-in-hand now, and converge as an orchestrated whole - either from a complete all-in-one vendor, or one vendor for networking and another for cloud-based cybersecurity over it. While Gartner posits that uber-services will arise that provide it all, I think our specialized SECaaS providers will continue to be successful, since they carve out a clear boundary for the core service they provide, offer a cohesive platform for that core service while allowing expansion into other ancillary services, and tie that platform into a partner ecosystem, in order to integrate with other services as a cohesive, orchestrated whole.
I don't know if their "sassy" SASE term will take off (Zero Trust did, CARTA didn't) -- but the underlying concept is solid. This is the future of networking.
[A year later: SASE and Zero Trust concepts have fast-forwarded in the public eye, as the global pandemic of 2020 forced enterprise workforces to work-from-home, further scattering enterprise networks. Attacks have multiplied in the confusion, and enterprise cybersecurity has become a critical part of doing business.]
Add’l Reading
[In particular, I recommend reading the Gartner reports, if you want to see what enterprise decision-makers are reading. And now you know all the terms they bandy about!]
- IndustryWeek - Cyberattacks Skyrocket in 2018
- Krebs on Security - Capital One AWS hack
- CSO Online - History behind Mirai Botnet
- ThreatPost - Researcher could hack any Instagram account via brute force attack with $150 in cloud resources
- CNN - Summary of US cities hit by ransomware, May 2019
- NPR - Cities taken hostage with ransomware attacks
- Check Point - Top 10 malware, July 2018
- Lookout demoed man-in-the-middle attack on 60 Minutes, 2016
- MITRE ATT&CK - Global db of cyberattack methods, and knowledge base of techniques to counter them
- CSA - Pros and Cons of SECaaS (pretty stale)
- Gartner - Guide to Zero Trust (ZTNA)
- Gartner - Zero Trust is first step toward CARTA
- Gartner - The Future of Network Security is in the Cloud (SASE)
... Part 2 is here, where I delve into the gory details of our cybersecurity-related hypergrowth companies, and reference all these terms you just learned. I need to add a few things to my writeup: Elastic and Okta have both been busy over the past month with new exciting products/features, Zscaler just added a new angle, and CrowdStrike and Zscaler teamed up.