Solving the circle sticker problem in cybersecurity and moving to the Lego blocks approach
Cybersecurity's circle stickers in a square box problem, how it's shaping the industry, and where we can go from here
During a discussion with Mona Ghadiri, Director of Product Management at BlueVoyant, we were both drawn to the same conclusion: cybersecurity has too many vendors. I wrote about the reasons why that is the case before; for those interested in diving deeper into this topic, I highly recommend the previous article. In our chat, Mona described the issue as the “circle stickers in a square box problem”, an analogy that I thought was perfect for illustrating many of the concepts commonly used in the cybersecurity industry.
Mona and I brainstormed ways in which the circle sticker problem can be explained using simple visuals. The piece that follows is the outcome of these discussions.
The circle sticker problem in cybersecurity
The circle sticker problem is very easy to explain: when you place many circle stickers inside a square box, you get two outcomes: overlaps and gaps. In either case, the conclusion is the same: the circles are either too big or too small for all of your use cases.
Let’s think of security needs and the enterprise’s attack surface as one big square. A company is given a set of stickers of different sizes and asked to fully cover that square so that it can be “fully protected”. Although the stickers come in different sizes, there are never enough of them to cover the whole surface.
The amount of resources companies can dedicate to security will never be enough to keep buying more and more tools in the hope that the collection of tools will eventually cover the whole attack surface.
As if this wasn’t bad enough, the attack surface (the big square) is constantly expanding and is in truth far more amorphous than the four sides of a square. With the introduction of new technologies, the emergence of new attack vectors, and new ways for bad actors to get into the enterprise’s environment, it is no wonder that the work of defense leaves people feeling like cybersecurity is a never-ending slog.
Companies cannot evaluate, procure, or adopt new tools (add new stickers) fast enough, hence the gaps: white spaces not covered by stickers. This is where people usually point to tool, talent, or process gaps. Cybersecurity has not done a great job of separating human and machine roles in an investigation, instead letting everyone choose their own adventure.
The circle sticker problem and so-called “vendor consolidation”
I have talked at length about why we are not likely to see a massive vendor consolidation in cybersecurity anytime soon, despite what many people in the industry believe. It’s not that consolidation isn’t happening; it is just not happening as fast as many would like it to, nor is it easy to implement beyond the big cloud providers like AWS, GCP, or Azure.
What most people are hoping for when they say the words “industry consolidation” is that one vendor can solve all of their problems, providing access to all the capabilities the customer needs. In other words, they are looking for one single sticker that would cover the entire attack surface.
The circle analogy allows us to illustrate why this expectation is unreasonable. For one vendor to replace all other tools, several factors would need to be true.
First, the size of the square (the attack surface, or the cybersecurity discipline) would need to stay the same. This is not possible because technology is constantly evolving, and as it does, new attack methods and vectors continue to emerge.
Second, since the square (the attack surface, or the cybersecurity discipline) can't stay the same, the only other way for any company to become a true all-in-one security provider would be to move as fast as the industry and address every new threat as it comes up. This is not possible for another reason: as companies grow, they become slower and less responsive to their surroundings. Shipping software becomes harder because of technical debt, bureaucracy, competing priorities, and other challenges.
Third, as the image above makes clear, to remain the one-and-only security tool, the vendor would need to anticipate new areas that haven’t yet been conceived. Since it’s hard to live in the future and predict every single move of agile, goal-oriented, and highly motivated attackers, it’s unlikely that any vendor can stay ahead all the time. At best, a fully consolidated industry would look like this.
Even this picture (a dominant vendor with several smaller players solving for niche use cases) is overly optimistic. There are several distinct areas of security, as defined by the different types of telemetry (Frank Wang explains this quite well in his blog):
Network
Code
Identity
Security-related data
With that, the best we could hope for in this “consolidated” universe is something like what is displayed in the illustration below: a world where a few dominant players co-exist with many small startups solving niche and emerging problems.
This chart also illustrates well where the industry appears to be today. There are clear leaders in each of the established segments that correspond to a type of security data, and Thoma Bravo is likely on its way to building a leading identity platform.
From stickers to Lego blocks
Although it is exciting to play with different visuals and look for other problems that can be creatively explained by an image full of yellow circle stickers, the truth is that the cybersecurity of the future cannot be built by assembling disjoint point solutions.
The complexity of customer environments is increasing, and so is the number of ways attackers can find their way into an organization. It is highly unlikely that in 2030 we will still be connecting more and more disjoint tools and praying that it “just works”.
It isn’t always easy to notice the evolution when one is a part of it, but there is no doubt that cybersecurity is evolving. We are starting to see the effects of data gravity on the industry, the move from promise-based to evidence-based security and the rise of security engineering, the increasing role of open source, as well as the evolution of service providers and channel partners, to name a few.
To us, it is obvious that solving the problems of cybersecurity is not as easy as drawing nice charts. What is also clear is that true industry-defining innovation will not come from a new circle; it won’t be a bigger circle or a circle of a different color. The innovation must come from an entirely new approach.
We think that the new approach to cybersecurity will look like Lego blocks.
This approach will enable customers to:
Try different solutions, easily have them plug into their data, and start delivering value immediately.
Simply “subscribe” to a new service at will, without having to add a new vendor, sign a new contract, or go through a lengthy purchasing process.
Simply “unsubscribe” from any capability without having to pay penalties or break contractual agreements.
Scale their deployment up and down, without having to negotiate long-term contracts or meet mandatory minimums.
Easily swap out different tools and capabilities, have them talk to one another via open APIs, and co-exist in an ecosystem of security solutions that can be deployed at scale and configured using infrastructure as code.
Security practitioners in these enterprises will be able to pick the capabilities they need and assemble a stack that suits their specific organization. Characteristics such as scalability, interoperability, API-first design, and testability will be critical to building the security tools of the future.
This “Lego blocks” concept itself isn’t new: different companies are trying to implement it using different approaches and with different degrees of success. Although it remains to be seen which of these (or of the many other players, existing and upcoming) will win, what is obvious is that unless cybersecurity solves the circle sticker problem, it won’t be able to mature.
Love the analogies here. Legos are hard to put together and take apart at will, if you look at how this has panned out in other industries managing tool sprawl (e.g. marketing and sales SaaS). It implies nimble and open security and product org cultures. That is hard to come by at scale. But worth aspiring to!