
2017: The Year of Cybersecurity Scale

It’s no surprise that lots of pundits and cybersecurity industry insiders claim that 2017 will be a challenging year full of nation state attacks, ransomware, and a continuing wave of data breaches. I concur with this common wisdom, but I also believe that 2017 will be remembered as the year when cybersecurity analytics and operations encountered a wave of unprecedented scale.

Now I know that the need for security scalability is nothing new. Leading SIEM vendors can all talk about how they’ve had to rearchitect their products over the past few years to scale from thousands to millions of events per second (EPS) and somehow make sense of all this activity.

Yup, EPS growth will continue, but cybersecurity scale is about to hit an exponential curve, driven by things like:

  • Cloud utilization. ESG research (and other sources) indicate that more and more workloads are moving to public and private clouds. What’s more, the use of agile development, DevOps, and cloud computing render all computing as a temporary activity. Workloads are spun up, spun down, and replaced on the fly as needs and whims dictate. Containers will also become more mainstream in 2017 and only accelerate these trends. Somehow security teams must be able to keep up (i.e., monitor, audit, investigate, etc.) with all this activity.
  • IoT. Forecasts I’ve read suggest that there will be over 20 billion connected devices by 2020 and industries like energy, health care, manufacturing, and retail are actively deploying IoT applications. This means transient connections of thousands of sensors, actuators, gateways, and data collectors that need to be authenticated and monitored.
  • Network growth. There are lots of angles here. Physical networks and network backbones are expanding from 10 Gb to 40/100 Gb. The transition from IPv4 to IPv6 continues. Cellular networks are being upgraded while IoT devices are driving greater Wi-Fi bandwidth and proliferation. Simply stated, there’s more traffic, sessions, packets, flows, and protocols to keep an eye on.
  • Digital transformation applications. Beyond the technology alone, more organizations are using these technologies to revolutionize how they do business. Whether it's automated manufacturing, self-driving cars, or smart grids, we are using and trusting a cornucopia of technologies to a greater degree.

These and other parallel trends are driving massive growth in the amount of data we need to collect, process, analyze, and store for cybersecurity analysis and operations. Oh, and more data, analysis, and decision making also makes cybersecurity far more complex.

In my opinion, the need for massive cybersecurity scale has some serious repercussions on the industry:

  • Cybersecurity meets distributed data management. Forget about centralizing all cybersecurity data as it is no longer feasible to do so. Enterprise cybersecurity professionals must learn all they can about distributed data management architecture and include cloud-based elements in all their planning. Enterprise customers have already placed SIEM vendors like AlienVault, IBM, LogRhythm, and Splunk on a data management treadmill to keep up with scale, but these vendors will be forced to innovate rapidly, tier their storage back-ends, and provide cloud-based services for non-critical and archival data. Cybersecurity professionals will need to understand an array of data management technologies—relational databases, NoSQL, Hadoop/HDFS, etc.—and figure out what goes where and how to keep track of it all. Finally, companies like Amazon, Facebook, Google, and Microsoft familiar with cloud-scale data challenges may play a role in new types of cybersecurity data management architectures.
  • Cybersecurity scale drives SOAPA. I’ve written a lot about a new cybersecurity architecture called SOAPA (i.e., security operations and analytics platform architecture). Here’s a link to the original blog with more details. Since it becomes impossible to centralize all security data, enterprise organizations will rely on SOAPA software architecture to integrate distributed security data and analytics functions. In other words, some security analysis (i.e., threat intelligence research, EDR, malware analysis, etc.) will remain discrete but SOAPA will act as an overall bridge for visibility across all the data for all analytics regardless of the data’s location.
  • Enterprise-class features matter. If you are old like me, you remember the classic feature/functionality requirements associated with mainframe computing and data centers—tiered administration, role-based access controls, separation of duties, data management/storage options, centralized/distributed configuration options, etc. Global distributed enterprises demanded these features so they could manage their systems and networks where they wanted, how they wanted, and with whom they wanted. This type of enterprise-class command-and-control functionality will become an RFI/RFP staple, giving a distinct advantage to the big boys.
  • Product intelligence and services play a much bigger role. There aren’t enough skilled cybersecurity professionals around, so there are only two ways we can possibly address the oncoming avalanche of cybersecurity scale: 1) Products and services must be built with far greater automation and out-of-the-box smarts—think artificial intelligence, cognitive computing, machine learning, etc. 2) Organizations must lean on managed services. Despite massive innovation in automation, many organizations will still get buried by cybersecurity scale and scream for help, and MSSPs like SecureWorks, Symantec, and Unisys should capitalize on this growing need.
  • Cybersecurity analytics and operations become business and industry applications. Digital transformation (based upon cloud, IoT, mobile, etc.) and massive new scale takes traditionally horizontal cybersecurity analytics and operations disciplines and weaves in business process and industry-specific requirements. This will present a monumental challenge to the security industry used to selling endpoint security software, web gateways, and firewalls across industries.

In closing, I know that scalability is nothing new but I do believe we are about to enter a “perfect storm” where technology innovation drives revolutionary business processes, with cybersecurity scale dragged along for the ride. Only the strong will survive in this world. Stay tuned for more.

Jon Oltsik is a senior principal analyst at ESG, an integrated IT research, analyst, strategy and validation firm.