[HN Gopher] Why there are so many cybersecurity vendors and wher...
___________________________________________________________________
Why there are so many cybersecurity vendors and where do we go from
here
Author : jc_811
Score : 29 points
Date : 2023-07-06 21:13 UTC (1 hours ago)
(HTM) web link (ventureinsecurity.net)
(TXT) w3m dump (ventureinsecurity.net)
| duckhelmet wrote:
| > Why there are so many cybersecurity vendors ..
|
| Because the innovators still cannot design a "computer" that can't
| be compromised by opening a malicious email attachment or
| clicking on a malicious URL.
| PaulWaldman wrote:
| Isn't this indicative of the cybersecurity market immaturity?
| Naturally with overlap there will be consolidation.
|
| HBR indicates it takes 25 years for markets to mature.[1]
|
| [1] https://hbr.org/2002/12/the-consolidation-curve
| sylens wrote:
| There is also another issue with cybersecurity vendors that this
| article doesn't touch on, and that's in the area of cloud
| security where many of them started targeting a specific use case
| or set of use cases, and have slowly expanded to overlap with
| other vendors who were not previously competitors. It's not good
| enough for a tool to just be used for Cloud Security Posture
| Management (CSPM) - it also has to do CI/CD security stuff and
| workload protection. And it happens from the other direction, too
| - previous image scanning and DevOps-y tools are now adding
| detection and alerting capabilities for your cloud provider's
| control plane.
|
| There is going to be a lot of tool consolidation at most
| organizations coming in the next few years.
| calvinmorrison wrote:
| Too many people do too much. I would rather pay 10 vendors a
| few K per year than get sucked into one vendor one tool suite.
| Let people focus dammit.
| mikewarot wrote:
| >Where do we go from here?
|
| Take a step back, and look at history. It should be unsurprising
| that the problem was encountered, studied[0] and solved, decades
| ago.
|
| During the Viet Nam conflict, the Air Force needed to plan
| missions with multiple levels of classified data. This couldn't
| be done with the systems of that era. This resulted in research
| and development of multi-level security, the Bell-LaPadula
| model[2], and capability based security[1].
|
| Conceptually, it's elegant, and requires almost no changes in
| user behavior while solving entire classes of problems with
| minimal code changes. It's a matter of changing the default from
| all access to no access, all the way down to the kernel.
|
| Life without it is like trying to run a modern electrical grid
| without any circuit breakers, anywhere, ever.
|
| Getting rid of virus scanners alone should be worth the platform
| switching costs, at least in terms of performance for most users.
|
| [0] https://csrc.nist.rip/publications/history/ande72.pdf
|
| [1] https://en.wikipedia.org/wiki/Capability-based_security
|
| [2] https://en.wikipedia.org/wiki/Bell%E2%80%93LaPadula_model
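As an added example (not code from the thread, the Anderson report, or the linked articles), here is the Bell-LaPadula decision the comment above refers to, written with the default set to deny so that only the model's two rules grant access. The level names, compartments and the scenario are constructed.

```python
# Added example: a minimal Bell-LaPadula access check with default-deny.
# Level names, compartments and the scenario are constructed, not from any real system.
from dataclasses import dataclass, field

# Linear ordering of sensitivity levels (constructed; any total order works).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Security label: a sensitivity level plus a set of compartments."""
    level: str
    categories: frozenset = field(default_factory=frozenset)

    def dominates(self, other):
        """True when this label is at least as high as `other` in the lattice."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)


def allowed(subject, obj, mode):
    """Bell-LaPadula decision for a subject acting on an object.

    read  -> simple security property: no read up
    write -> *-property: no write down
    any other mode -> denied, because the default is no access, not all access
    """
    if mode == "read":
        return subject.dominates(obj)
    if mode == "write":
        return obj.dominates(subject)
    return False


def classify_requests():
    """Constructed scenario: a process cleared SECRET/{NUCLEAR} touching objects."""
    proc = Label("SECRET", frozenset({"NUCLEAR"}))
    ts_plan = Label("TOP_SECRET", frozenset({"NUCLEAR"}))
    return {
        "read public notice": allowed(proc, Label("UNCLASSIFIED"), "read"),
        "read TOP_SECRET plan": allowed(proc, ts_plan, "read"),
        "read SECRET/CRYPTO file": allowed(proc, Label("SECRET", frozenset({"CRYPTO"})), "read"),
        "write to UNCLASSIFIED mail spool": allowed(proc, Label("UNCLASSIFIED"), "write"),
        "append to TOP_SECRET log": allowed(proc, ts_plan, "write"),
        "execute (no rule covers it)": allowed(proc, proc, "exec"),
    }


if __name__ == "__main__":
    for request, decision in classify_requests().items():
        print(f"{'ALLOW' if decision else 'DENY ':5} {request}")
```

The denied write to the UNCLASSIFIED spool is the point of the *-property: a compromised process cannot move what it has read downward, regardless of what the user clicked.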
| alephnerd wrote:
| AV is a very small part of the Cybersecurity space.
| pwarner wrote:
| All these tools seem to have terrible quality as well. I am not
| even qualified to speak on their security features, but they all
| seem to feature poor, opaque performance. Maybe it's just a
| symptom of all enterprise software?
| hamandcheese wrote:
| My startup idea is cybersecurity software that does literally
| nothing. My competitive advantage would be speed, ease of use,
| low attack surface area, and perfect false positive rate.
| mindslight wrote:
| It would fail. Being too fast would preclude commitment via
| sunk costs required to run it. The ease of use would let users
| quickly determine that it did nothing. The low attack surface
| would fail at necessitating widespread organizational buy in.
| And the zero false positive rate would mean that it wouldn't
| move the needle on any metrics.
| marcus0x62 wrote:
| That's not far off from a pew pew map[0]. Maybe you could start
| the first pure-play, best-in-breed security visualization
| company with AI-enabled[1] executive dashboards[2]
|
| 0 - https://www.csoonline.com/article/562681/8-top-cyber-
| attack-...
|
| 1 - disclaimer: not actually AI enabled
|
| 2 - pew pew map
| alephnerd wrote:
| It's called Cyber Ranges.
|
| SafeBreach, SimSpace, and Cymulate do similar stuff.
|
| That said, there is value to this (testing security policies
| before pushing to enforcement)
| marcus0x62 wrote:
| No, not really. Cyber ranges are a very distinct
| concept/product category from threat visualization maps
| like you might see here: https://livethreatmap.radware.com/
| or here: https://isc.sans.edu/data/threatmap.html
|
| Cyber Ranges (and pew pew maps) are also very different
| than control validation tools like Cymulate or
| SafeBreach...
| pwarner wrote:
| I wonder if there is an in here for open source? At least parts
| of the solution?
|
| The problem seems very much to be a data problem, and a code
| quality problem. Maybe OSS could help with the latter at least?
| xnx wrote:
| Boom time for snake oil
| iamacyborg wrote:
| More like bust given what I'm hearing from folks working in the
| sector.
| johngalt wrote:
| The proliferation of security vendors is similar to the
| proliferation of weight loss clinics and gyms. There are plenty
| of fads, with new businesses popping up to either chase or create
| the interest. The people buying these services desperately want
| something which can plug into their existing habits without
| significant changes.
|
| Similarly, the solutions for cybersecurity are simple but not
| easy. It involves operational and administrative discipline.
| Businesses which lack this discipline collide with security
| problems and spend a great deal of money downstream of this
| problem. Vendors sell what businesses want to buy, not
| necessarily what is most effective.
| alephnerd wrote:
| It's all checkbox driven development. I'm a PM in the space and
| it's all snake oil. At least we have amazing ACVs compared to
| other B2B sectors and a captive market.
|
| F** Gartner and Forrester for forcing us to concentrate on this
| instead of actually solving problems
| calvinmorrison wrote:
| It's not all snake oil, but box checking is snake oil.
| alephnerd wrote:
| Yep, and the sales cycles and personas we target force us
| into incorporating features or messaging due to checkboxes.
| PakG1 wrote:
| Sure, but there are SOME that aren't selling snake oil. I'm
| invested in one of them. But yeah, most are. I guess the
| interesting question for me is how long does it take for the
| real wheat to stand out from the chaff.
| alephnerd wrote:
| Honestly, I think the wheat becomes chaff.
|
| You might have an amazing product that solves a relevant
| security issue but Enterprise sales cycles and checkbox
| driven procurement force you to incorporate half baked
| features in order to capture the next fad.
|
| Look at the XDR hype train 3 years ago, ZTNA 2 years ago, and
| the whole CNAPP/CASB/CSPM buzzword BS
|
| Tbf, I am being a bit dramatic about it, but I feel the split
| persona sales cycles we're forced to deal with incentivize
| checkbox driven development.
| a2tech wrote:
| It's a gross industry designed to milk big dollars out of
| clueless customers. Listening to these 'security experts' talk
| makes my eyes roll so hard that I'm afraid they'll get
| stuck in the back of my head.
| sylens wrote:
| Most times, you would get ten times the value by taking the
| money you would spend on these tools, hiring a security
| engineering department, and letting them build you tools backed
| by open source software.
| ChuckNorris89 wrote:
| What logic did you use to come up with that statement?
|
| Tools like Nessus and Burp Suite Pro cost around 6-8k/year.
|
| Good luck hiring a security engineering department on an
| 8k/year budget that will build and maintain tools of
| similar quality for you lol.
| greenthrow wrote:
| If those security engineers are even remotely qualified for
| their jobs they will not build their own tools.
| Ecstatify wrote:
| GitHub Advanced Security is so expensive. I can't see the benefit
| considering we have a SonarCloud instance which is 1/3 of the
| cost. All our credentials are stored in vaults or IaC, so one of
| their main selling features we don't need.
|
| Whenever there's a sales team in front of a service it seems
| like the service isn't worth the cost.
| kyboren wrote:
| Because the people with purchasing authority know nothing about
| security, they are unable to distinguish real, good security
| practices and products from defective, over-hyped, and/or
| pointless "security" products constantly shilled at them.
|
| In other words, "cybersecurity" is a "Market for Lemons":
| https://en.wikipedia.org/wiki/Market_for_lemons
| A lemon market will be produced by the following:
|
| 1. Asymmetry of information, in which no buyers can accurately
| assess the value of a product through examination before sale is
| made and all sellers can more accurately assess the value of a
| product prior to sale
|
| 2. An incentive exists for the seller to pass off a low-quality
| product as a higher-quality one
|
| 3. Sellers have no credible disclosure technology (sellers with a
| great car have no way to disclose this credibly to buyers)
|
| 4. Either a continuum of seller qualities exists or the average
| seller type is sufficiently low (buyers are sufficiently
| pessimistic about the seller's quality)
|
| 5. Deficiency of effective public quality assurances (by
| reputation or regulation and/or of effective guarantees/warranties)
| candiddevmike wrote:
| I'm curious on what keeps the prices for these products so high.
| You'd think with the kind of competition this industry has (all
| providing the same type of functionality, kinda), you'd see more
| of a race to the bottom. But when you go to quote, you start
| seeing a really bizarre pattern where it's almost the same price
| per feature across the board. I'm not saying it's price fixing,
| but something's not right here.
| bombcar wrote:
| If you're selling snake oil you don't want your oil cheaper
| than others' or it's obviously snake oil.
|
| So you end up all on a line (costing more would be ridiculous,
| of course).
| Canada wrote:
| fear
| passwordoops wrote:
| My sense is "you get what you pay for" logic applies here and
| naturally the vendors will exploit this. I also imagine the
| internal negotiation between whoever wants to purchase the
| software and the bean counters inevitably includes "sure it's a
| lot, but how much would a data breach cost us?"
| alephnerd wrote:
| We prefer to target F1000/enterprise markets. The ACV is quite
| high and VCs often require this.
|
| Channel sales/VARs are used to target much more price conscious
| buyers
___________________________________________________________________
(page generated 2023-07-06 23:00 UTC)