Posted by Kevin on November 24, 2014.
When Symantec recently separated into two companies, one to handle the anti-virus part of the business and the other to handle the Veritas information management side, I wrote a blog for High-Tech Bridge and spoke to its founder and CEO Ilia Kolochenko.
Ilia Kolochenko, CEO and founder of security firm High-Tech Bridge, is not surprised that even one of the world’s largest security firms is struggling in today’s market – which is perhaps surprising since most business research firms say that we are spending more, not less, on security. The problem, believes Kolochenko, is that there are too many security firms providing insufficient security.
Efficiency and effectiveness: the missing combination in a fragile security industry
More recently, the AccessData Group announced that it was also separating into two distinct companies: AccessData and Resolution1 Security. The obvious question is this: does the security market comprise too many companies unable to keep up with security threats, and is it thus being forced to separate into smaller, more agile and focused companies? Are we entering a new period: is consolidation being replaced by a period of separation?
I asked Craig Carpenter, the new President and COO at Resolution1 Security, if this was the underlying cause of the break-up – a defensive action in a fragile market? His answer was a complex ‘no’, but he doesn’t think that Kolochenko is completely wrong.
“There is some truth to what Kolochenko says,” he told me, “but he paints some things with too broad a brushstroke. The security market comprises many sub-markets, and many of them are behaving differently. Some of these areas are experiencing growth while others are contracting. I would agree with his comments on the anti-virus market – there are too many products chasing a shrinking pie.”
It is, of course, different for AccessData. “It,” said Carpenter, “popularised forensic software along with Guidance Software.” But that market, while not struggling, is pretty well saturated. It’s growing at less than 10% per annum. Contrast this, he suggested, with Resolution1’s area of attention: incident response (IR). The IR market has been growing over the last few years at between 2 and 300 percent.
Here’s the irony. Kolochenko is wrong because he is right. Traditional and long-standing security products are designed firstly to prevent and then to detect security breaches. Both are failing in their jobs. Prevention simply doesn’t work. Modern-day thinking suggests that companies should consider that they probably are already compromised, or if not, they soon will be.
On prevention, it is too simple for hackers to defeat anti-virus and hoodwink firewalls. Detection is more complex: modern products can detect anomalies but don’t know what to do with them. Consider Target. Its prevention didn’t work. Its detection worked, but did not provide the specific intelligence to enable Target to understand what was happening on the network. Most existing detection products, said Carpenter, “force the analyst to manually go into all of the alerts in order to figure out what is going on.” But when large companies are receiving thousands if not hundreds of thousands of non-specific alerts every day, this is no simple task.
Enter the new market to which Resolution1 belongs: incident response. IR starts where prevention and detection stop. “What we do,” said Carpenter, “is try to consolidate all the different information sources and validate what each system is trying to tell the analyst. The analyst now gets told, this is a problem, here’s where it is, this is its severity, here’s why and here’s the different choices you have.”
In short, incident response is growing fast because other areas of security are failing badly. The separation of the AccessData Group into AccessData and Resolution1 Security is no defensive reaction but an aggressive assertion. Market forces may well be behind both the Symantec and the AccessData moves – but they are entirely different market forces.
My own view combines these forces. The basic reality is that consolidation has failed. Attempts to bring multiple point products under a single roof haven’t worked. Buyers actually prefer best-of-breed products. The long term solution is not to try and amalgamate best of breed under a single umbrella because they cease to be best of breed. The solution is to concentrate on individual products provided with effective APIs. The buying IT departments can then use the APIs of the products of their choice to make them all work together seamlessly. In one sense, this is what Resolution1 is doing – it amalgamates alert data from multiple end-points to present seamless breach intelligence to the analyst.