Why there are so many cybersecurity vendors and where do we go from here

Author : jc_811
Score : 29 points
Date : 2023-07-06 21:13 UTC
Link : ventureinsecurity.net

duckhelmet wrote:
> Why there are so many cybersecurity vendors ..

Because the innovators still cannot design a "computer" that can't be compromised by opening a malicious email attachment or clicking on a malicious URL.

PaulWaldman wrote:
Isn't this indicative of the cybersecurity market's immaturity? Naturally with overlap there will be consolidation.

HBR indicates it takes 25 years for markets to mature.[1]

[1] https://hbr.org/2002/12/the-consolidation-curve

sylens wrote:
There is also another issue with cybersecurity vendors that this article doesn't touch on, and that's in the area of cloud security, where many of them started targeting a specific use case or set of use cases and have slowly expanded to overlap with other vendors who were not previously competitors. It's not good enough for a tool to just be used for Cloud Security Posture Management (CSPM) - it also has to do CI/CD security stuff and workload protection. And it happens from the other direction, too - previous image scanning and DevOps-y tools are now adding detection and alerting capabilities for your cloud provider's control plane.

There is going to be a lot of tool consolidation at most organizations coming in the next few years.

calvinmorrison wrote:
Too many people do too much. I would rather pay 10 vendors a few K per year than get sucked into one vendor, one tool suite. Let people focus, dammit.

mikewarot wrote:
> Where do we go from here?

Take a step back, and look at history. It should be unsurprising that the problem was encountered, studied[0] and solved, decades ago.

During the Viet Nam conflict, the Air Force needed to plan missions with multiple levels of classified data. This couldn't be done with the systems of that era. This resulted in research and development of multi-level security, the Bell-LaPadula model[2], and capability-based security[1].

Conceptually, it's elegant, and requires almost no changes in user behavior while solving entire classes of problems with minimal code changes. It's a matter of changing the default from all access to no access, all the way down to the kernel.

Life without it is like trying to run a modern electrical grid without any circuit breakers, anywhere, ever.

Getting rid of virus scanners alone should be worth the platform switching costs, at least in terms of performance for most users.

[0] https://csrc.nist.rip/publications/history/ande72.pdf
[1] https://en.wikipedia.org/wiki/Capability-based_security
[2] https://en.wikipedia.org/wiki/Bell%E2%80%93LaPadula_model

alephnerd wrote:
AV is a very small part of the cybersecurity space.

pwarner wrote:
All these tools seem to have terrible quality as well. I am not even qualified to speak on their security features, but they all seem to feature poor, opaque performance. Maybe it's just a symptom of all enterprise software?

hamandcheese wrote:
My startup idea is cybersecurity software that does literally nothing. My competitive advantage would be speed, ease of use, low attack surface area, and perfect false positive rate.

mindslight wrote:
It would fail. Being too fast would preclude commitment via the sunk costs required to run it. The ease of use would let users quickly determine that it did nothing. The low attack surface would fail at necessitating widespread organizational buy-in. And the zero false positive rate would mean that it wouldn't move the needle on any metrics.

marcus0x62 wrote:
That's not far off from a pew pew map[0]. Maybe you could start the first pure-play, best-in-breed security visualization company with AI-enabled[1] executive dashboards[2].

0 - https://www.csoonline.com/article/562681/8-top-cyber-attack-...
1 - disclaimer: not actually AI enabled
2 - pew pew map

alephnerd wrote:
It's called Cyber Ranges.

SafeBreach, SimSpace, and Cymulate do similar stuff.

That said, there is value to this (testing security policies before pushing to enforcement).

marcus0x62 wrote:
No, not really. Cyber ranges are a very distinct concept/product category from threat visualization maps like you might see here: https://livethreatmap.radware.com/ or here: https://isc.sans.edu/data/threatmap.html

Cyber Ranges (and pew pew maps) are also very different from control validation tools like Cymulate or SafeBreach...

pwarner wrote:
I wonder if there is an in here for open source? At least parts of the solution?

The problem seems very much to be a data problem, and a code quality problem. Maybe OSS could help with the latter at least?

xnx wrote:
Boom time for snake oil.

iamacyborg wrote:
More like bust, given what I'm hearing from folks working in the sector.

johngalt wrote:
The proliferation of security vendors is similar to the proliferation of weight loss clinics and gyms. There are plenty of fads, with new businesses popping up to either chase or create the interest. The people buying these services desperately want something which can plug into their existing habits without significant changes.

Similarly, the solutions for cybersecurity are simple but not easy. It involves operational and administrative discipline. Businesses which lack this discipline collide with security problems and spend a great deal of money downstream of this problem. Vendors sell what businesses want to buy, not necessarily what is most effective.

alephnerd wrote:
It's all checkbox-driven development. I'm a PM in the space and it's all snake oil. At least we have amazing ACVs compared to other B2B sectors and a captive market.

F** Gartner and Forrester for forcing us to concentrate on this instead of actually solving problems.

calvinmorrison wrote:
It's not all snake oil, but box checking is snake oil.

alephnerd wrote:
Yep, and the sales cycles and personas we target force us into incorporating features or messaging due to checkboxes.

PakG1 wrote:
Sure, but there are SOME that aren't selling snake oil. I'm invested in one of them. But yeah, most are. I guess the interesting question for me is how long it takes for the real wheat to stand out from the chaff.

alephnerd wrote:
Honestly, I think the wheat becomes chaff.

You might have an amazing product that solves a relevant security issue, but enterprise sales cycles and checkbox-driven procurement force you to incorporate half-baked features in order to capture the next fad.

Look at the XDR hype train 3 years ago, ZTNA 2 years ago, and the whole CNAPP/CASB/CSPM buzzword BS.

Tbf, I am being a bit dramatic about it, but I feel the split-persona sales cycles we're forced to deal with incentivize checkbox-driven development.

a2tech wrote:
It's a gross industry designed to milk big dollars out of clueless customers. Listening to these 'security experts' talk makes me roll my eyes so hard that I'm afraid they'll get stuck in the back of my head.

sylens wrote:
Most times, you would get ten times the value by taking the money you would spend on these tools, hiring a security engineering department, and letting them build you tools backed by open source software.

ChuckNorris89 wrote:
What logic did you use to come up with that statement?

Tools like Nessus and Burp Suite Pro cost around 6-8k/year.

Good luck hiring a security engineering department on an 8k/year budget that will build and maintain you tools of similar quality lol.

greenthrow wrote:
If those security engineers are even remotely qualified for their jobs they will not build their own tools.

Ecstatify wrote:
GitHub Advanced Security is so expensive. I can't see the benefit considering we have a SonarCloud instance which is 1/3 of the cost. All our credentials are stored in vaults or IaC, so one of their main selling features we don't need.

Whenever there's a sales team in front of a service, it seems like the service isn't worth the cost.

kyboren wrote:
Because the people with purchasing authority know nothing about security, they are unable to distinguish real, good security practices and products from defective, over-hyped, and/or pointless "security" products constantly shilled at them.

In other words, "cybersecurity" is a "Market for Lemons": https://en.wikipedia.org/wiki/Market_for_lemons

A lemon market will be produced by the following:
1. Asymmetry of information, in which no buyers can accurately assess the value of a product through examination before sale is made and all sellers can more accurately assess the value of a product prior to sale
2. An incentive exists for the seller to pass off a low-quality product as a higher-quality one
3. Sellers have no credible disclosure technology (sellers with a great car have no way to disclose this credibly to buyers)
4. Either a continuum of seller qualities exists or the average seller type is sufficiently low (buyers are sufficiently pessimistic about the seller's quality)
5. Deficiency of effective public quality assurances (by reputation or regulation and/or of effective guarantees/warranties)

candiddevmike wrote:
I'm curious what keeps the prices for these products so high. You'd think with the kind of competition this industry has (all providing the same type of functionality, kinda), you'd see more of a race to the bottom. But when you go to quote, you start seeing a really bizarre pattern where it's almost the same price per feature across the board. I'm not saying it's price fixing, but something's not right here.

bombcar wrote:
If you're selling snake oil you don't want your oil cheaper than others' or it's obviously snake oil.

So you end up all on a line (costing more would be ridiculous, of course).

Canada wrote:
fear

passwordoops wrote:
My sense is "you get what you pay for" logic applies here and naturally the vendors will exploit this. I also imagine the internal negotiation between whoever wants to purchase the software and the bean counters inevitably includes "sure it's a lot, but how much would a data breach cost us?"

alephnerd wrote:
We prefer to target F1000/enterprise markets. The ACV is quite high and VCs often require this.

Channel sales/VARs are used to target much more price-conscious buyers.
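mikewarot's comment earlier in the thread points at the Bell-LaPadula model and at "changing the default from all access to no access". As an added illustration (not code from the thread, the linked article, or any product named here), the following Python reference monitor enforces the two Bell-LaPadula rules over a level/compartment lattice and denies any access it has no label for. The level names, compartment names, subjects and objects are constructed for the example.

```python
"""Bell-LaPadula (BLP) access checks behind a default-deny reference monitor.

Added illustration for the multi-level security discussion in the thread; it is
not code from the post or from any product named there. The levels, compartment
names, subjects and objects are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Total order of sensitivity levels (constructed); any total order would do.
LEVELS: Dict[str, int] = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A BLP label: a sensitivity level plus a set of need-to-know compartments.

    Labels form a lattice: A dominates B when A's level is at least B's level
    and A's compartments include all of B's.
    """
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


class ReferenceMonitor:
    """Mediates every access; anything it has no label for is denied."""

    def __init__(self) -> None:
        self.clearances: Dict[str, Label] = {}       # subject -> clearance
        self.classifications: Dict[str, Label] = {}  # object  -> classification

    def add_subject(self, name: str, clearance: Label) -> None:
        self.clearances[name] = clearance

    def add_object(self, name: str, classification: Label) -> None:
        self.classifications[name] = classification

    def _labels(self, subject: str, obj: str) -> Optional[Tuple[Label, Label]]:
        s = self.clearances.get(subject)
        o = self.classifications.get(obj)
        if s is None or o is None:
            return None  # unlabelled subject or object: no decision, hence deny
        return s, o

    def check(self, subject: str, obj: str, mode: str) -> bool:
        """Return True only if the BLP rules explicitly permit the access.

        read  - simple security property, "no read up": clearance dominates label.
        write - *-property, "no write down": label dominates clearance, so a
                highly cleared subject cannot copy data into a lower-level object.
        Unknown modes and unregistered names fall through to the deny default.
        """
        labels = self._labels(subject, obj)
        if labels is None:
            return False
        s, o = labels
        if mode == "read":
            return s.dominates(o)
        if mode == "write":
            return o.dominates(s)
        return False


def build_demo() -> ReferenceMonitor:
    """Constructed subjects and objects used by the usage below."""
    rm = ReferenceMonitor()
    rm.add_subject("clerk", Label("CONFIDENTIAL"))
    rm.add_subject("analyst", Label("SECRET", frozenset({"NUCLEAR"})))
    rm.add_subject("planner", Label("TOP_SECRET", frozenset({"NUCLEAR", "CRYPTO"})))
    rm.add_object("public_notice", Label("UNCLASSIFIED"))
    rm.add_object("mission_plan", Label("SECRET", frozenset({"NUCLEAR"})))
    rm.add_object("crypto_keys", Label("TOP_SECRET", frozenset({"CRYPTO"})))
    return rm


def access_matrix(rm: ReferenceMonitor) -> Dict[str, bool]:
    """Every (subject, object, mode) decision, keyed 'subject:mode:object'."""
    subjects = list(rm.clearances) + ["intern"]  # 'intern' is never registered
    return {f"{s}:{m}:{o}": rm.check(s, o, m)
            for s in subjects for o in rm.classifications for m in ("read", "write")}


if __name__ == "__main__":
    for key, allowed in access_matrix(build_demo()).items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {key}")
```

Two decisions in the output are worth noticing. The planner, who holds the most compartments, is refused a write to crypto_keys because that object carries fewer compartments than the planner's clearance, which is exactly the leak the *-property exists to stop. Conversely the clerk is allowed a "blind write up" into mission_plan, which pure Bell-LaPadula permits because it models confidentiality only; real multi-level systems pair it with integrity rules and audit logging for that reason.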