Market overview and trends
Pace and sophistication of cybersecurity attacks continue to increase
Technical complexity keeps growing as the attack surface expands beyond the perimeter to end devices, cloud infra, and SaaS apps
AI/ML are increasingly implemented within security tools
Increased adoption of platforms as enterprises look to simplify operations
Managed security services for SMB
TAM: $170Bn in 2023, with 11% CAGR
Infrastructure expands and becomes hybrid → attack surfaces increase → hard to manage across platforms
Types of attacks: ransomware attacks are increasingly costly; the average cost of a breach is $4.3M
Increased focus on cloud security
Shortage of cybersecurity professionals → more enterprises seeking third-party MDR services (managed detection and response)
Long term, tool consolidation will drive vendor consolidation (offering a platform of toolsets)
Network Security
Rise of remote work has redefined network perimeter
Software-defined, cloud-delivered solutions like ZTNA, CASB, SWG
Emergence of Security Service Edge (SSE)
Move away from MPLS connections to SD-WAN
Eventual convergence into Secure Access Service Edge (SASE)
Network firewalls:
Establishes a barrier between trusted and untrusted network
First gen firewall (yes/no connection) → stateful firewalls (connection state rule) → proxy firewall (could separate legit connections from fake ones)
Open Systems Interconnection (OSI) model → 7 network layers → development of ASIC-based firewalls (application-specific integrated circuit)
NetScreen first developed it, then its founder left to start Fortinet
Developing in-house hardware/ASICs (Cisco and Fortinet) vs using third-party hardware/ASICs and focusing on software (Check Point and Palo Alto Networks)
NGFW (next-generation firewall) - same analysis as a proxy firewall but with a focus on Deep Packet Inspection (DPI) - independent security functions converging into a platform
Future: vendors push for higher traffic output to keep up with large internet traffic
Virtual firewalls - Palo Alto’s VM-series - targeted toward cloud-based environments
Can provide the same footprint as on-prem environment - so consistency
Can be scaled up and down to accommodate workload
Firewall as a service: offload to third-party provider
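To make the first-generation vs stateful distinction above concrete, here is an added example (not from the original notes or any vendor) that simulates both on a constructed packet model: the packet filter needs an inbound hole for reply traffic, while the stateful filter only admits packets that match a session opened from the trusted side.

```python
from collections import namedtuple

# Constructed packet model: a 5-tuple plus TCP flags (example code, not any vendor's)
Packet = namedtuple("Packet", "src dst sport dport proto flags")

TRUSTED_PREFIX = "10.0.0."  # constructed "trusted network" side of the barrier


def is_trusted(ip):
    return ip.startswith(TRUSTED_PREFIX)


def stateless_decision(pkt):
    """First-generation packet filter: a yes/no rule per packet, no memory.

    Outbound traffic from the trusted side is allowed; inbound traffic is
    allowed only to the public web port. The reply half of an outbound
    connection arrives on an arbitrary high port, so this filter drops it
    unless an inbound hole is opened for every such port.
    """
    if is_trusted(pkt.src):
        return "allow"
    return "allow" if pkt.dport == 443 else "deny"


class StatefulFirewall:
    """Stateful filter: remembers connections so replies to sessions opened from
    the trusted side are allowed without exposing any inbound port."""

    def __init__(self):
        self.connections = set()  # established (src, dst, sport, dport, proto)

    def decide(self, pkt):
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.src, pkt.dport, pkt.sport, pkt.proto)
        if key in self.connections or reverse in self.connections:
            return "allow"  # either direction of a tracked session
        if is_trusted(pkt.src) and "SYN" in pkt.flags:
            self.connections.add(key)  # new outbound session, start tracking
            return "allow"
        return "deny"  # unsolicited inbound packets never match a session
```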
Secure Access Service Edge (SASE): combines networking (SD-WAN) and security capabilities (FWaaS, zero trust, ZTNA, SWG, CASB) into one platform
Network Access Control (NAC)
Implement secure access policies to enterprise network
Manages devices/access within an org’s IT infra
Policy-oriented model
Modern NAC: allows agentless devices (e.g., IoT devices) onto the network, identifies endpoints before malicious code can affect the network, API-based integration with other security solutions
Market is mature and concentrated (Cisco and Forescout)
Cloud Access Security Broker (CASB)
Visibility into and control over all cloud activities
Middleman between user and cloud services
Monitor user authentication into SaaS apps (like Salesforce)
Can be used for DLP (data loss prevention), and threat protection (can block access in real-time)
Zero Trust Network Access (ZTNA)
Cloud-based network security technology that leverages identity and context-based access policies to provide secure remote access to apps and data
Authentication through a cloud controller that communicates with the Identity and Access Management (IAM) infra
Once confirmed, the cloud traffic flows through ZTNA and is encrypted
Historically, employees have had access through a VPN, but that is slow
Advantages: apps cannot be discovered on the public internet, reducing attack surface by only providing users with what they “need to know”, a secure direct channel to the app
Does not rely on a fixed location to authenticate like VPN
Most enterprises use cloud-delivered ZTNA solutions to replace VPN
Secure Web Gateway (SWG)
URL filtering, advanced threat defense, malware detection, and threat protection
Usually deployed on endpoint or as a proxy between datacenter and users
Protect users from web-based threats by filtering web traffic
CASB secures cloud environment, SWG protects against web-based threats, ZTNA ensures secure access to internal network resources
SD-WAN (software-defined wide area networking)
Added layer of software on top of WAN to ensure application-aware routing and centralized management overlay
Orgs traditionally used MPLS (multiprotocol label switching) networks to relay traffic (all to a central datacenter, then to the internet), but as they shift from datacenter to cloud and internet traffic skyrockets, that becomes very slow
MPLS vs SD-WAN: MPLS relies on physical hardware but has low latency, so it is good for mission-critical traffic; higher cost
SD-WAN forwards traffic directly to cloud from branch office
Security Service Edge (SSE)/Secure Access Service Edge (SASE)
Negate the need for on-prem hardware and offer direct routes to cloud resources
Consolidate disparate networking and network security solutions into a single cloud architecture
SSE = FWaaS + SWG + CASB + ZTNA; SASE = SSE + SD-WAN
Consistent, cloud-centric approach to network security
Consumption patterns for SD-WAN differ → some enterprises might just consume SSE
Companies: Netskope, Zscaler, Palo Alto, Versa Networks
Microsegmentation
Rise in east-west traffic (traffic between servers within and across datacenters)
Can stop the spread of an attack by segmenting data centers
Agent-based segmentation, network-based segmentation, hypervisor-based segmentation (separates by each virtual machine)
Vendors: Illumio, Akamai, Cisco, VMware, Palo Alto
memo: becoming more prevalent as SSE/SASE vendors look to limit lateral movement; not a standalone solution anymore
Market map
Legacy players: Cisco, Check Point, Fortinet, Palo Alto
Emerging disruptors (cloud-based): Zscaler, Netskope, Menlo Security, Lookout
SD-WAN: Cato Networks, Versa Networks
Microsegmentation: Illumio
Potential pitch target: Palo Alto Networks (very comprehensive offerings), Zscaler
Cloud Workload Security
Cloud Access Security Broker (CASB); Cloud Workload Protection Platforms (CWPP); Cloud Security Posture Management (CSPM); SaaS Security Posture Management (SSPM) → converged Cloud-Native Application Protection Platforms (CNAPP)
Cloud Workload Protection Platforms (CWPP)
Securing and providing visibility across multi-cloud environments (VMs, physical machines, containers, and serverless deployments; public, private, hybrid clouds, and even on-prem)
8 variants across the market, but most provide hardening and configuration, application control, and user behavior monitoring
Broad spectrum: general offering, usually by legacy players (Broadcom, McAfee, Microsoft, Sophos)
Container-focused: Aqua Security, NeuVector, Palo Alto, Sysdig
Serverless-focused: very similar to container-focused
Memory and process integrity protection: vendors concerned with memory and process integrity to protect compute resources
Identity-based: uses strict entitlement control and process isolation (Cisco, Illumio, Palo Alto, Zscaler)
EDR-focused: EDR vendors that grew to include cloud capabilities (CrowdStrike, Lacework, SentinelOne)
CWPP is often sold with complementary capabilities, especially CSPM
Cloud Security Posture Management (CSPM)
Enterprise is responsible for “security in the cloud” while cloud provider is responsible for “security of the cloud”
Proper configuration and monitoring for all cloud IaaS, PaaS, IAM, and firewall
CSPM created to identify misconfiguration issues and gaps
Provides: mapping of existing configurations to a compliance framework; monitoring of storage buckets with alerts
More advanced: auto-route alerts to the responsible security team
CSPM vendors are getting acquired by CWPP legacy players (CrowdStrike, Palo Alto) or remain standalone (Wiz, Lacework, Orca Security)
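An added example (not from the original notes or any CSPM product) of the posture checks described above: a constructed resource inventory is evaluated against checks that each reference a placeholder compliance control, and the resulting findings are auto-routed to the owning team.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed resource inventory, in the shape a CSPM would pull from provider APIs
INVENTORY = [
    {"type": "storage_bucket", "name": "public-assets", "public_read": True, "encrypted": True},
    {"type": "storage_bucket", "name": "hr-backups", "public_read": True, "encrypted": False},
    {"type": "security_group", "name": "web-sg", "rules": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    {"type": "security_group", "name": "db-sg",
     "rules": [{"port": 22, "cidr": "0.0.0.0/0"}, {"port": 5432, "cidr": "10.0.0.0/8"}]},
    {"type": "iam_user", "name": "deploy-bot", "mfa_enabled": False, "console_access": True},
]
ADMIN_PORTS = {22, 3389}  # remote-admin ports that should never be open to the world

@dataclass
class Check:
    check_id: str
    control: str              # placeholder compliance-framework control reference
    resource_type: str
    team: str                 # security team that owns remediation
    violated: Callable[[dict], bool]

CHECKS = [
    Check("STORAGE-PUBLIC", "CTRL-STORAGE-1", "storage_bucket", "data",
          lambda r: r["public_read"]),
    Check("STORAGE-UNENCRYPTED", "CTRL-STORAGE-2", "storage_bucket", "data",
          lambda r: not r["encrypted"]),
    Check("SG-ADMIN-OPEN", "CTRL-NET-1", "security_group", "network",
          lambda r: any(x["port"] in ADMIN_PORTS and x["cidr"] == "0.0.0.0/0" for x in r["rules"])),
    Check("IAM-NO-MFA", "CTRL-IAM-1", "iam_user", "identity",
          lambda r: r["console_access"] and not r["mfa_enabled"]),
]

def evaluate(inventory):
    """Run every check against every resource of its type; return the findings."""
    findings = []
    for res in inventory:
        for chk in CHECKS:
            if chk.resource_type == res["type"] and chk.violated(res):
                findings.append({"check": chk.check_id, "control": chk.control,
                                 "resource": res["name"], "route_to": chk.team})
    return findings

def route(findings):
    """Auto-route findings to the owning team, keyed by team name."""
    queues = {}
    for f in findings:
        queues.setdefault(f["route_to"], []).append(f["resource"])
    return queues
```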
CWPP vs CSPM
CWPP is focused on multi-cloud/hybrid environment
CSPM is more cloud-native and makes sure the infra around the workload is secured
CASB secures cloud access, CSPM ensures cloud configuration compliance, and CWPP protects workloads
Application Security
Trend: to apply security measures early on in software development, ahead of releases → DevSecOps
Market is split into: Application Security Testing (AST) and Application Runtime Security (ARS)
Application Security Testing (AST)
Tools and processes to detect weaknesses in source code during software development lifecycle (SDLC); reduces remediation cost during deployment
Software Composition Analysis (SCA)
Identifies all third-party libraries and open-source software used in the code and checks them against known and unknown vulnerabilities
A lot of developers are using open-source software (OSS) to save time
That is public info and might not all be correct → need for SCA to go through and examine it
Best used in conjunction with SAST (both pre-production)
Company: Snyk
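An added example (not from the original notes or any SCA vendor) of the core SCA step: pinned dependencies from a constructed manifest are matched against a constructed advisory feed with version ranges, producing findings with the version to upgrade to. Package names and advisory IDs are fictional placeholders.

```python
import re

# Constructed manifest of pinned dependencies (requirements.txt style); package names are fictional
MANIFEST = """
acme-http==2.19.0
yamlish==5.3.1
templater==3.1.4
"""

# Constructed advisory feed; IDs are placeholders, not real CVE/GHSA identifiers.
# "affected" is a comma-separated list of version clauses that must all hold.
ADVISORIES = [
    {"id": "ADV-0001", "package": "acme-http", "affected": ">=2.0.0,<2.20.0", "fixed_in": "2.20.0"},
    {"id": "ADV-0002", "package": "yamlish", "affected": "<5.4", "fixed_in": "5.4"},
    {"id": "ADV-0003", "package": "templater", "affected": "<3.1.3", "fixed_in": "3.1.3"},
]

OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b, "<=": lambda a, b: a <= b,
       "<": lambda a, b: a < b, "==": lambda a, b: a == b}

def parse_version(text):
    """Dotted numeric version -> tuple, zero-padded so 5.4 compares equal to 5.4.0."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def in_range(version, spec):
    """True when the version satisfies every clause of the affected-range spec."""
    ver = parse_version(version)
    for clause in spec.split(","):
        op, bound = re.fullmatch(r"(>=|<=|==|>|<)\s*([\d.]+)", clause.strip()).groups()
        if not OPS[op](ver, parse_version(bound)):
            return False
    return True

def parse_manifest(text):
    """name==version lines -> {name: version}."""
    return dict(line.strip().split("==") for line in text.strip().splitlines())

def scan(manifest_text, advisories):
    """Match each installed dependency against the advisory feed; return findings."""
    deps = parse_manifest(manifest_text)
    findings = []
    for adv in advisories:
        installed = deps.get(adv["package"])
        if installed and in_range(installed, adv["affected"]):
            findings.append({"package": adv["package"], "installed": installed,
                             "advisory": adv["id"], "upgrade_to": adv["fixed_in"]})
    return findings
```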
Static Application Security Testing (SAST)
Mostly used early in the development cycle; does not require functional app code
Scans and analyzes the entire codebase - “White box” tool, checking the inner workings, takes the developer’s perspective
Developers run SAST on source code as it is updated with every release
Language dependent
Early in the cycle; used alongside DAST and IAST
Company: Checkmarx, Contrast Security, ShiftLeft
Dynamic Application Security Testing (DAST)
Simulates real-world attacks and finds vulnerabilities - "black box" tool, checks how the running system reacts to unexpected external input, takes the attacker's perspective
Does not have access to underlying source code so cannot provide exact location of alert
Language independent
Executed at runtime; best used with RASP
Companies: Qualys, Tenable
Interactive Application Security Testing (IAST)
Best of DAST and SAST (has access to the underlying codebase and simulates real-world attacks)
Takes an inside AND outside perspective
Able to integrate with CI/CD - real-time results
Does not scan the entire codebase, language-dependent
Very low rate of false positives - reuses existing test cases
Developers will eventually replace DAST with IAST, but SAST can’t be replaced because of how comprehensive it is
Company: Checkmarx, Contrast Security
Application Runtime Security (ARS)
Post-deployment, focuses on runtime health
Challenges: volume of real-time alerts → applying analytics and ML to fix those faster
Has to be used with tools outside app security to get an overarching view of the security landscape (e.g., EDR, IAM, infra security)
Runtime Application Self-Protection (RASP)
Control application execution, detect vulnerabilities, and prevent attacks in real-time
Deploys a wrapper around an app that can intercept calls from the app to the server (to make sure the call is secure)
Fully automated, no human in the loop
Runs on the server hosting the app as an in-app solution, but does not have access to the source code and so cannot pinpoint the exact location of a vulnerability
Company: Avocado Systems, Contrast Security
Web Application Firewall (WAF)
Protects the app layer (layer 7 of OSI) vs traditional firewall protects network and transport (layer 3 and 4)
Responds to a wide range of attacks
Can integrate with other network security tools (sits on different layer)
More customizable and changeable than RASP
Sits between users and applications, can create more latency
Company: proliferation; everyone seems to offer one
Container Security
A container includes all executables (code, libraries, configuration files) and can be deployed in any environment (public cloud, private cloud, individual computer, etc.)
More lightweight than VMs since it does not emulate a full physical machine; crucial to app development
Kubernetes is the leading container orchestration platform
Because containers are ephemeral, it is harder to pinpoint anomalies and threats within them
Few vendors provide runtime security within containers: Aqua Security, Lacework, Sysdig, Chainguard
Sysdig: started as open source project that targets container monitoring in production, without need for agent or sidecar; expanded into threat detection and added Kubernetes security posture management
memo: will do a deep dive on Chainguard/container stuff soon
API Security
Application programming interfaces (APIs) enable controlled interaction between apps
Crucial to enterprises since they have many apps (CRM, accounting, etc.)
Challenges: unauthorized access to underlying data; multiple architectures → many gateways for threats; increasing frequency of API changes; shift from "one and done" attacks to "low and slow" attacks (many small requests slowly chipping away at data sources)
A framework rather than a technology
Salt Security: emerging API security vendor
Leverages big data and AI/ML techniques to perform contextual analysis
Roadmap into particular API features vs the common practice of manual cataloging
Can also detect “low and slow” attacks, for the entire API lifecycle
Noname Security: end-to-end API security platform, no need for agents or network modifications
Trends:
Agile CI/CD development → DevSecOps
Growing use of cloud infra
SCA as an increasingly important tool
Toolset consolidation will take time
AST vendors will broaden their solutions (through M&A) and tap into container scanning
ARS vendors to shift left (earlier in the development process) and add AST tools
Traditional network security vendors and application performance monitoring (APM) vendors (e.g., Datadog) are tapping into app security as well
Memo: move towards CNAPP
More and more workload in cloud and containers → faster runtime → impossible for security team to manually investigate
CNAPP combines entire app security, cloud workload protection, and posture management
AST (SCA, SAST, IAST) + Cloud Configuration (CSPM) + Runtime Protection (RASP, CWPP, WAF)
Takes a long time to consolidate into one platform (no vendor does it all today)
That’s it for Part 1; Part 2 will cover data security, IAM, endpoint security, and more….