As 2020 comes to a close, I’ve had the chance to reflect on this year’s unprecedented changes and the downstream ripple effects they’ve had on security technology. This year, we’ve seen organizations that have historically dipped a toe into cloud and remote work get thrown into the deep end without a full view of the security repercussions.
These shifts will require companies to fundamentally rethink how they secure data, applications, infrastructure and people. Three areas ripe for next generation solutions are: Cloud Security, Identity Governance and Administration (IGA), and Endpoint & Asset Management. The need to rethink legacy security paradigms in a cloud world, increased architectural/organizational scale and complexity, and the growing need to converge solutions to orchestrate/automate obsolete manual processes are all driving progress in these market segments.
The evolution of technology platforms underpins security innovation. With each new shift in infrastructure, connectivity/collaboration, and data use, we see an exponential growth in vulnerabilities and a growing complexity of tools needed to help mitigate risk. Additionally, the more the market learns to automate, the more the market converges on itself. It becomes increasingly difficult to manage security effectively at human scale, causing companies to optimize workflow and uplevel priority decision-making. To stay truly ahead in the security arms race, we need context from disparate systems and either technology or people to interpret the right action to take. Unfortunately, there’s a growing skills gap when it comes to the next generation of cloud-native technologies. It’s great to have the latest and greatest tool, but if no one can wield it, it quickly becomes shelfware. For instance, a tool can help implement secure configurations when shifting to cloud, but if the security team doesn’t understand what or how to configure, then the impact is lost. Being opinionated matters now more than ever.
In speaking with security experts throughout this year, there’s a heightened sense of awareness around organizational complexity and the need to adapt to a distributed workforce and environment. Here are the top three trends from 2020 that have escalated our need to adapt:
1. Work From Anywhere
2. Digital Transformation
3. Cloud Adoption
What are the implications for security? Sensitive data and workloads are now moving to employees’ home networks or mobile devices. That means more vulnerable endpoints to track, while regulation is only getting tighter. In response to this shift, IT leaders are reallocating budgets previously dedicated to traditional VPNs, firewalls, and inspection equipment to the cloud to support a distributed workforce. Companies are continuing to reimagine legacy on-prem services and best practices to fit the cloud, with a greater need for adequate controls on SaaS and IaaS in particular. With increased scale and complexity, automation and orchestration become a priority. Given these drivers, it’s not surprising to see the valuations of companies that protect the expanded security perimeter, like Okta, CrowdStrike, and Zscaler, soar over the course of this year.
It’s always difficult to predict the future, but below are a few areas where Unusual sees opportunities to build category-defining companies for the next wave in security.
Cloud Security (CSPM + IaC + CDR):
Some of the first movers, now called Cloud Security Posture Management (CSPM) players, such as Evident.io, Dome9, and RedLock, were able to provide the basic features to enable cloud infrastructure adoption, including alerts on configuration vulnerabilities and compliance risks, and some automation or recommendations to fix issues. However, with increased scale and complexity come new challenges.
One of these new challenges comes from the rise of Infrastructure as Code (IaC). Historically, IT teams would have to manually configure servers to add to data centers (some automated scripts existed for this, but the work was still mostly manual). With IaC, infrastructure now takes the form of code templates, which creates more automation and control across your organization. Companies have the ability to create consistency and control when pushing new infrastructure. They can review in dev/test and expect consistency when pushed to production. This creates the opportunity to audit your infrastructure before it’s pushed to production and verify you’re in compliance. However, with great power comes great responsibility: if something goes wrong in the infrastructure code template and there's an undetected exploit, you risk amplifying the problem as it’s pushed out to potentially thousands of servers. It’s also easier to exfiltrate data at a massive scale, as there are limited manual steps to block an attacker from exploiting a single vulnerability on a large scale within a short timeframe.
The first step to solving for IaC advancement is shifting left to review infra code templates and catch vulnerabilities before they are pushed into production. Coupled with that should be the ability to automate much of the remediation once a problem is identified, as you can similarly push out fixes to your cloud infrastructure. IaC is both a new security challenge and an opportunity to advance how we automate security and compliance across cloud infrastructure. Many companies haven’t adopted IaC, or have adopted it only partially, so there is value for an organization that can build a more comprehensive tool: one that combines design automation, IaC recommendations, and drift detection for IaC with the ability to fix false alarms, do auto-remediation, and perform the drift detection covered by more traditional CSPM.
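The review-then-drift loop described above can be sketched in a few functions. This is an added example, not code from any vendor named in this post; the resource schema, rule names and sample data are constructed for illustration.

```python
# Hypothetical rules: (rule id, resource type, predicate that is True on a violation).
RULES = [
    ("public-bucket", "bucket", lambda r: r.get("public", False)),
    ("unencrypted-database", "database", lambda r: not r.get("encrypted", False)),
    ("admin-port-open-to-world", "firewall_rule",
     lambda r: r.get("port") in (22, 3389) and r.get("source") == "0.0.0.0/0"),
]

def review_template(template):
    """Shift-left gate: sorted (resource, rule id) findings; empty means deployable."""
    return sorted((name, rule_id)
                  for name, res in template.items()
                  for rule_id, rtype, violated in RULES
                  if res.get("type") == rtype and violated(res))

def detect_drift(template, deployed):
    """Diff live state against the template, which is the source of truth."""
    drift = []
    for name in sorted(set(template) | set(deployed)):
        want, have = template.get(name), deployed.get(name)
        if want is None or have is None:
            drift.append((name, "unmanaged" if want is None else "missing", {}))
            continue
        changed = {k: (want.get(k), have.get(k))
                   for k in sorted(set(want) | set(have))
                   if want.get(k) != have.get(k)}
        if changed:
            drift.append((name, "changed", changed))
    return drift

def remediation_plan(drift):
    """Reset changed attributes to template values; route the rest to a human."""
    return [(name, "reapply", {k: want for k, (want, _) in changed.items()})
            if kind == "changed" else (name, "review", {})
            for name, kind, changed in drift]

# Constructed sample data in a simplified, made-up schema (not a real IaC format).
PROPOSED = {
    "logs-bucket": {"type": "bucket", "public": False},
    "web-fw": {"type": "firewall_rule", "port": 22, "source": "0.0.0.0/0"},
    "app-db": {"type": "database", "encrypted": False},
}
APPROVED = {**PROPOSED, "app-db": {"type": "database", "encrypted": True},
            "web-fw": {"type": "firewall_rule", "port": 22, "source": "10.0.0.0/8"}}
DEPLOYED = {**APPROVED, "debug-vm": {"type": "vm"},
            "logs-bucket": {"type": "bucket", "public": True}}

if __name__ == "__main__":
    print(review_template(PROPOSED))
    print(remediation_plan(detect_drift(APPROVED, DEPLOYED)))
```

Only attribute changes are auto-remediated here; unmanaged or missing resources are routed to review because the template alone cannot say whether they are legitimate.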
The next step is moving from prevention to detection and response, as we’ve seen historically in many subsegments of security. CSPM + IaC allows for automation in prevention and fixing vulnerabilities, but what happens in case of a breach? More is needed to detect malicious attacks, effectively manage the investigation process, and make recommendations for (or orchestrate) response. Cloud Detection & Response (CDR) is being discussed more and more today. In my mind, CDR for IaaS fits best when tightly integrated with a CSPM tool, which already has context on existing cloud infrastructure, the right hooks to remediate potential issues, and higher-efficacy anomaly detection. Organizations can leverage CDR to identify security posture weak points (e.g. poorly configured services and stale or unused privileges). Both CSPM and CDR can leverage IaC to better scale prevention, detection, and response across cloud infrastructure.
Operationalizing a tool is as important as the technology itself today. Many CSPM solutions have been bought and deployed, but are sitting as shelfware because people don’t know how to use them. Existing CSPM tools have become noisy, and I continue to hear feedback that people receive too many alerts and don’t know how to prioritize them or what actions to take. The opportunity I see is to help leverage IaC to bring people to the forefront and go after the developer mindset that’s better adapted to AWS and other cloud platforms (which are built for developers). If you tie that with detection and response capabilities (CSPM + IaC + CDR), I believe you have the right solution to protect the next-gen of cloud infrastructure adoption.
IGA (Centralized Authorization):
The shift from on-prem to cloud has many repercussions, one being the move away from centralized management. Instead of having authentication, authorization, identity, and directory tied to AD and LDAP, we now have many disparate systems across multiple identity providers and cloud platforms. SSO vendors (e.g. Okta and others) handle the authentication piece, but authorization is something that’s lagged behind. SAML was a step in the right direction, but has compatibility issues, and OAuth is limited in scope. What’s needed now is a new centralized AD with a standardized protocol for the cloud.
IGA tooling today lacks enterprise visibility across clouds, and it’s almost impossible to do self-serve and manage at scale (and hopefully avoid consulting and customized management). For many widely used applications like Salesforce and platforms like AWS, the level of permissioning gets incredibly complex. To return to centralized management, we need a tool to do resource modeling for all these systems and a generic way to manage it. Applications need to be aware of their authentication model and which ACLs to expose (e.g. MongoDB, Datadog, SQL Server all have different ACLs). Mapping and standardization on arbitrary group names is needed. If applications could publish their ACL model to a centralized place, teams could design and manage ACLs as a group of policies assigned consistently across an organization. Then they could create a generalized policy that could be pushed down to everything else (every application can be a resource).
Another key is figuring out how to build an entitlements catalog and reconcile the drift for authorization (audit and translate to standardize in one catalog; then you can leverage IaC to shift all applications to fit a single framework). The future of AD is more management of entitlements and hooking into Okta as the IDP, but there’s a need for a solution to act as the orchestration agent into these different apps (start with least privilege at a high level and let that translate down to what people need). With this centralized source of truth, an organization could layer on privileged access, add ephemeral access policies, audit alerting, see drift in policy changes, and eventually perform anomaly detection. Generalizing a system would make it easier to create broad automation and orchestration across all resources with a core resource graph and mapping. (I know what you’re thinking, this is impossible, but a guy can dream.)
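A minimal sketch of the idea in the two paragraphs above: applications publish their ACL models, a central policy is pushed down as least-privileged native roles, and live grants are reconciled against it. This is an added example, not an existing product's API; the role names, policy shape and grants are constructed and are not the real role lists of MongoDB or Datadog.

```python
# Hypothetical ACL models each application publishes: native role -> normalized actions.
# Role names are constructed for illustration, not the products' real role lists.
ACL_MODELS = {
    "mongodb": {"viewer": {"read"}, "editor": {"read", "write"},
                "owner": {"read", "write", "admin"}},
    "datadog": {"read_only": {"read"}, "standard": {"read", "write"},
                "org_admin": {"read", "write", "admin"}},
}
# Central policy (assumed shape): group -> application -> actions the group may perform.
POLICY = {
    "sre": {"mongodb": {"read"}, "datadog": {"read", "write"}},
    "data-eng": {"mongodb": {"read", "write"}},
}
# Constructed live grants collected from each application: (group, application, role).
GRANTS = [("sre", "mongodb", "owner"), ("sre", "datadog", "standard"),
          ("contractors", "datadog", "org_admin")]

def push_down(policy, models):
    """Translate the policy into the least-privileged native role per application."""
    desired = {}
    for group, apps in policy.items():
        for app, actions in apps.items():
            fits = [(len(a), role) for role, a in models[app].items() if actions <= a]
            if not fits:
                raise ValueError(f"no {app} role covers {sorted(actions)}")
            desired[(group, app)] = min(fits)[1]
    return desired

def reconcile(policy, models, grants):
    """Return sorted drift records comparing live grants with the desired state."""
    desired, seen, drift = push_down(policy, models), set(), []
    for group, app, role in grants:
        seen.add((group, app))
        want = desired.get((group, app))
        if want is None:
            drift.append((group, app, "revoke", role))
        elif role != want:
            # Fail closed: a role missing from the published model counts as excess.
            excess = models[app].get(role, {"unknown"}) - policy[group][app]
            drift.append((group, app, "downgrade" if excess else "upgrade", want))
    drift += [(g, a, "grant", r) for (g, a), r in desired.items() if (g, a) not in seen]
    return sorted(drift)

if __name__ == "__main__":
    print(reconcile(POLICY, ACL_MODELS, GRANTS))
```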
Endpoint & Asset Management (Converged Security):
Companies are running an increasing number of critical workloads in hybrid environments, which makes it harder for security teams to do more basic inventory of servers and endpoints. Meanwhile, existing solutions don’t work for ephemeral resources and can’t scale to large clusters. On top of that, there are more unknown unknowns than ever and the regulatory landscape is getting more complex. More customized data gathering is needed, which is exacerbated by the rise of hybrid environments, growth in number of endpoints, external attack surface evolution, IoT, and more secure data traveling to remote endpoints as people continue working from home. As the perimeter continues to expand, visibility becomes paramount. Given that, endpoint and asset management technologies are bound to converge.
As we’ve seen historically with Endpoints, Network, and now Cloud, there’s a natural evolution of moving from prevention to detection and response. I see a similar trend for broader asset management and visibility tools moving to taking actions and enforcing policies. However, the sheer scale of assets and more closed systems (like many IoT devices) means traditional agents from incumbent vendors won’t be sufficient. Instead, onboard OS agents or agentless techniques combined with more comprehensive data gathering could drive innovation to solve these challenges in the future. EDR will fundamentally look different as tooling will seek to leverage what’s already embedded or analyze external connections vs. adding something new. This will also have downstream effects on the next generation of vulnerability management solutions. Solutions touting XDR capabilities from the usual suspects (Microsoft, Palo Alto, etc.) are one step in the converged evolution; however, they don’t directly solve this core problem and don’t have the scope to be effective enough or to cover ephemeral and immutable server workloads. As a friend of mine puts it, “I want Axonius as my starting point, with Microsoft ATP defending and Carbon Black EDR on every platform, zipped back to an intelligent data lake with ML pulling sh*t together for me”.
These are just a few of the areas where we’re spending more time at Unusual. The security market is noisier than ever, and success for startups depends on tying product innovation to accessible UI/UX and GTM innovation. Across the product parity we see in security tooling, the key is extracting value easily and lowering barriers to operationalize. I look forward to seeing what the next generation of entrepreneurs comes up with to solve these increasingly acute pains, and I’m excited to partner with people on the journey along the way.
If you’re building in one of these areas, I’d love to share perspectives. You can reach me at email@example.com.