Product Roadmap for the Information Security Industry
In RSA Conference 2014: The Bully, the Nerdy Kid, and the Rumble That Didn’t Happen (6 March 2014), I noted that among the dozen high-profile keynotes, just four of them even mentioned the escalating tension between the role of surveillance in our government’s mission to defend us, and in its mission to protect our privacy and civil liberties – and one of those was from the government itself.
Clearly top-shelf sponsorship dollars can get you a high-profile keynote at the industry’s leading conference, but it doesn’t make you a leader.
On the other hand, the keynote speakers from solution providers (HP, McAfee, Qualys, Juniper, RSA, Microsoft, Symantec, and Cisco) were actually pretty unified on a couple of key points related to another hot topic – cybercrime:
- The cybercrime problem is bad and growing worse, and it’s reached the point that something different needs to be done
- To address the problem, there’s consensus that government, solution providers, and enterprises need to work together
Recognition that we have a serious problem, and recognition that we can’t address it alone, is just a beginning – but at least it’s a start down the right path. For what it’s worth, all of the time-tested 12-step programs start exactly that way.
Beyond that, the keynote speakers from solution providers generally did what they do best: talk about their vision for the technologies and services that their companies build. It turned out that a few high-level themes were remarkably consistent – mind you, this has not been typical for the RSA Conferences of the past – to the extent that I started thinking that they were collectively outlining the product roadmap for the information security industry as a whole. Here are four overarching themes:
- Greater focus on identifying vulnerabilities and threats
  - “Spot and block zero-day threats”
  - “End-to-end intelligence – tools must move from a standalone, detect-and-report model to a model that is connected and informed”
  - “Not only threats, but also indicators of compromise, asset information … other information you want to subscribe to”
  - “Security products become rich sources of intelligence – a massive, global sensor network”
  - “Greater threat awareness – based on big data and analytics”
  - “Identify vulnerabilities on our perimeter, before they are exploited”
- Shared intelligence
  - “Intelligent and integrated systems, to enable automated response”
  - “Build in and share actionable intelligence – the data is there”
  - “A publish-and-subscribe messaging layer as the basis for a connected architecture”
  - “A secure, integrated platform to share our collective intelligence and insights, and to improve our collective defense”
  - “Programmable networks and dynamic policies, to provide the ability to take action”
  - “Redefine vulnerability management as a continuous and real-time process – continuously scanning and feeding into centralized, real-time intelligence and analytics”
- Cloud-based services
  - “Deep inspection – from a central, shared repository”
  - “Secure, elastic big data store for all the security data you choose to send to it”
  - “A security brain in the cloud”
- Standards-based
  - “Open standards are essential to automation”
  - “Indicators of compromise are the new signatures for malicious code or malicious activity … but they need to be simpler and standardized”
Let’s simplify this even further – they’re all envisioning a security infrastructure that:
- Generates massive amounts of data from a wide variety of sensors and sources
- Ingests the data centrally for efficient analysis, investigation, and retrospection
- Generates intelligence that can be shared and acted upon, across products and across organizations
- Leverages the scale, elasticity, and economics of a cloud-based delivery platform
- Leverages standards for simplicity of integration and automation
This unity of vision is encouraging – and one can easily see how it would disrupt the advantages currently enjoyed by the attackers, who are able to target and exploit individual people, products, and companies that are each acting more or less in isolation. If we can scan, inform, and respond faster than they can act (given their fear of being detected), we can change the economics for the attackers – and make their successful exploits require precision and perfect alignment, more like “the perfect jewel heist”, as one keynote speaker put it.
Even at Internet speed, however, realizing this kind of vision will take time (years) and sustained investment (millions) – especially if we’re talking about multi-vendor, standards-based solutions. Most likely, we’ll see small and focused start-ups begin to appear that incorporate these themes, which larger solution providers will monitor and acquire over time based on fit with their existing product and service portfolios. That’s the traditional pattern for the information security industry – although the key difference is that this vision hinges on the network effect of common intelligence shared over multiple subscribers, which can’t be achieved by a fragmented solution space. The smartest start-ups will play for that end-game from the very beginning.
If it comes to pass, we’ll look back at RSA Conference 2014 as the beginning of the re-invention of information security.