Answering The Million Dollar Question: Are We Secure?

There’s a prevailing school of thought that the best way to deal with security issues is with the endless and senseless acquisition of appliances and services. Rather than having a silver bullet, we in the security world have silver shotgun shells.

But like most mantras, this one is fundamentally flawed. Technology, no matter how good, is no guarantee of security. Human error, breakdown in processes, and poor implementation can all contribute to insecurity.

The challenge for many CISOs and IT directors lies in getting assurance not only that technical security investments are working correctly, but also that the human element is similarly robust. The most common way to check this is to hire a penetration tester or red team. The biggest problems with this approach are cost (depending on the scale of the organization’s IT infrastructure, a test can easily cost more than $100,000) and the lack of any assurance about the organization’s security in the long gaps between tests.

Until recently, there was no way to avoid this. But we are now seeing a growing market of software products that constantly verify the efficacy of existing security infrastructure in a systematic and automated fashion. If implemented and marketed correctly, these will undoubtedly become essential components in enterprise IT environments.

The Battles of the Boardroom

The value proposition of these products is self-evident: they check that security controls are working correctly by running standardized, repeatable tests against them, and then present the results to the relevant IT staff through dashboards, reporting, and metrics.

But there’s a less obvious advantage to these products.

CISOs reporting to the boardroom are under pressure to justify each expense while balancing it against the wider budgetary needs of the organization. In the same conversation, a CISO can be asked why they need more budget for staff, equipment and software, while having to assure the upper echelons of management that the organization isn’t at risk of falling victim to the kind of attack that felled a competitor.

Perhaps the most difficult question a CISO might have to answer, politically speaking, is “are we secure?”

If they respond in the affirmative, they may struggle to get more funding for equipment, software, and training. Furthermore, if something goes wrong and the organization is compromised, they will be in an uncomfortable situation. Their position within the organization might become untenable; at the very least, their credibility will be dented.

If they say “no”, their effectiveness at the job will be questioned. They may be asked what they had been doing so far.

A more reasonable way to frame the question is “are we secure enough?”

Are we, as an organization, following best practices? Have we done all we reasonably can do in order to limit the risk of a data breach? Can we, in good conscience, say that we’ve done our job? Have we balanced the risks we face with the business needs of the organization?

These questions can be wrapped up with the bow of “assurance”. But providing assurance as to how well technology and processes are working can prove to be tricky.

The Holy Trinity of Assurance

There are three different approaches to infrastructure-oriented security assurance. The first is the human method, which we alluded to earlier: the organization engages an auditor or a penetration tester to manually check systems, procedures, and controls.

This can be an expensive process. It is also a spot-check, typically carried out once a year, and like any human-driven process it is prone to human error. Partly as a consequence, many enterprises have taken to crowd-sourcing their security testing through “bug bounty” programs run on platforms such as BugCrowd and HackerOne.

The second approach is the use of an all-in-one security product, where the vendor has pre-integrated and configured all the features the organization needs. Responsibility (and, to a degree, liability) shifts toward the vendor. This makes it easier to evaluate the efficacy of the product by observing its alerts and the workflow surrounding it, although the organization still has to confirm that the product has been deployed and configured as intended.

The third, emerging approach is automated assurance. There are several startups in this space, and it is one where we believe there is considerable potential.

Breaking The Fourth Wall

The relatively low profile of this sphere masks its rapid growth. Already there are six major contenders: AttackIQ, vThreat, Picus, CyBric, UpGuard and SafeBreach. Each has its own approach to the problem of automating security assurance.

From a funding perspective, SafeBreach has raised more than AttackIQ, Picus and vThreat combined, with a $4m venture round led by Sequoia Capital. AttackIQ recently raised $1m from several key players in the security industry. Picus and vThreat have built their offerings on angel investments of $200k and $1.6m respectively, while CyBric and UpGuard have attracted $1.2m and $9.7m respectively.

The modest funding doesn’t mean these startups aren’t looking for more. In fact, at this stage of their growth, an investor that can bring contacts is more valuable than one that brings in cash alone.

As the profile of these products rises, CISOs and IT directors will come to recognize automated assurance as an essential piece of buckshot in the silver security shotgun shell.

While the total addressable market may be significantly larger, we estimate the current market size to be between $10 and $15 million, which should grow to around $100 million in the coming five years. This represents roughly 50% compound growth year-on-year.

It is also conceivable that automated assurance products could eventually be used as a labor-saving tool, although this would be an unintended consequence.

As these technologies gain traction (and, more importantly, visibility), it is likely that one of the main vendors in the sphere will be acquired by a larger security vendor, or perhaps by a consultancy firm.

Likely acquirers are vendors who already have a stake in the vulnerability management space. On a larger scale, vendors with a broad portfolio of scanning tools could benefit from a product that determines whether those tools have been deployed and configured properly.

It feels eminently possible that a “blue chip” firm could enter this space. Cisco and IBM are both plausible candidates; IBM could complement Resilient Systems with one of the aforementioned companies.

A large penetration testing company could also acquire such technology to complement its annual testing services with ongoing assurance.