Every year at RSA I try to spend time on the floor looking at the vendors. I do this not only because they might be able to help my customers, but also because I like finding the trends in InfoSec products overall.
And every year I write a post that captures some of my thoughts around the event, the products, and
The top trend this year
I think the main theme this year (or at least the one growing fastest), is analytics. Last year it was probably threat intelligence.
Analytics makes sense because we’re finally figuring out that we have too many products doing too many things, and it’s time to try to extract something useful from it all.
The top question to ask product vendors
Here’s a tweet of mine from earlier in the week:
The prime question for InfoSec products: what behavior do I change as a result of seeing your output? #RSAC2016— # Daniel Miessler (@DanielMiessler) March 3, 2016
Try asking companies this the next time you talk to them.
What do you do next?
I’m high on a rant right now that goes something like this:
If you don’t know what you should be working on next, and/or don’t have reasons for that decision, then you’re doing alchemy instead of chemistry.
Every project you’re working on should be rated in numerous areas:
- How much risk it will reduce
- How hard it is to implement
- How expensive it will be to implement
- How much easier it would be to implement if your people were better trained or if you had more people
If you don’t have this information then you aren’t really prepared to take in new information. How would you rank it?
Let’s take threat intelligence for example. If someone tells you that some attacker is hitting companies in your space using a specific attack, how do you know if you should pull people off a given set of projects or let them continue?
You can’t if you can’t place the new project (patch or reconfigure whatever) into a prioritized list of work.
Most interesting vendor
Ticto was the most interesting vendor I saw there this year. It is a company that makes badges for physical access. But when you swipe the badge it codes the background to a constantly rotating pattern that everyone in the area will share.
So with one look you can tell who’s supposed to be in the building and who is not.
My DAP prediction continues
As I said last year, I see an overarching long-term (10 years) trend for most InfoSec products that looks like this:
- There is a single data lake for a company (not one per product)
- The data lake will have faucets that can opened for specific event types
- Those specific streams of data will point to ALGORITHMS which become the main product and differentiator for security companies
- From the algorithms, the output will move to a unified visualization and metrics dashboard, using a standardized data format. There will only be a few companies making these
So the components of data, analysis, and presentation will be broken out into separate components, unlike today where most vendors are trying to do all three. It’ll be almost like MVC for InfoSec products.
Security product vendors (and increasingly any IT vendor) will be in three main areas:
- Data: which is the creation or storage of data that can be consumed and analyzed by vendors
- Analysis: the drinking from a specific faucet of the data lake that you then run your company’s magic algorithm on
- Presentation: giving the business a narrative based on the analysis performed on your data
- Savvy readers will notice that there will be often be another step where the output from product algorithms will also go back into the lake.
- There are some vendors that don’t fit this model as well, but most will.