Directions Of The Cybersecurity Industry

This blog post previously appeared on The Pan-Net Blog.

Covid crisis and the forced work-from-home comes with the rapid transformation of a traditional established company to an online only business with most of the work force working remote. Even the software houses struggle to keep up with this rapid transformation. Lots of companies are finding out that they don’t have control over the digital assets they are owning or managing. Security teams, when there is any, struggle how to inventarize all the assets that are exposed to the internet and have to be protected from the outside threats. Asset discovery, inventarization and vulnerability management became a lucrative business and we see even the first acquisitions as the attack surface management company Expanse Inc. was acquired by the Palo Alto Networks. Complete inventarization of all digital assets is a critical first step before doing a risk management. When in place, up-to-date inventory with an initial evaluation can reveal the true attack surface of an organization. It can answer questions like what part of an infrastructure is unmaintained? What is vulnerable? Which system does not have a clear ownership?

The toxicity of personal data

With the widening use of the Internet, personal information became handled by more and more parties ranging from the e-commerce to a government departments and healthcare providers. So much aspect of one’s life now depends on a personal information that were not considered critical until very recently. Unique identification mechanisms introduced by the governments in an analog era are now used for unimagined purposes like parcel tracking. That, together with the “innovations” criminals introduced to their modus-operandi by using the Internet, leads to an alarming rate of personal information misuse for nefarious purposes. Personal information has became a toxic asset only companies benefiting from the surveillance capitalism consider worthy to be stored. Privacy is becoming an imperative and luxury good. The developed world is introducing strict regulations on how to handle personal information. It became a liability. Companies are searching for a way on how to manage the risk of handling sensitive data. One possibility is to outsource them to a third party with a better security in place. But there is a risk that business know-how will be leaked. Legal regulation of cross border flows of personal data applies as well. As more regulations are established for the handling of personal data, compliance is becoming a nightmare for small companies that can’t afford to dedicate teams just for dealing with all the implications. Outsourcing of data privacy roles to a third party specializing in the space is already happening, but the level of outsourcing can be blurred and we will see what is the best model once the market consolidates.

Secure multiparty computation sneaks into a space with the promise to deliver aggregated statistics over the encrypted data, creating new market where the big cloud players can leverage their computing power without accessing clients data directly. However, the ultimate disruptive use case of the secure multiparty computation is still unknown. There is not much that can be computed over the personal information directly. It only starts to be interesting with a huge amount of data that can be correlated. Google is burning money on designing homomorphic encryption schemes with a hope, that they will be prepared with all the algorithms and schemes once an ideal business case comes their way. The most recent example of the secure multiparty computation is the Prio Service by the Internet Security Research Group (ISRG). Prio Service is a privacy-preserving system for the collection of aggregate statistics. ISRG Prio deployment leverage a research from the Stanford university based on an open-source implementation. The other example is the Oblivious DNS over HTTPS service announced by Cloudflare that separates IP addresses from queries, prohibiting DNS server from learning who is the customer.

Privacy is becoming a luxury good.

Bug bounty

The idea of paying for a vulnerability report to strangers dates back to 90s with one of the first program implemented by the Netscape Communications Corporation in October 1995. However, the advent of a bug bounty program started a few years ago, when the 21. century FAANG like megacorporations started implementing their own version of the program. Cash incentive motivates people with a dream of making money on the Internet. Lots of IT students try to find low hanging bugs in web applications, which is often easy as they are already working in the given space. Shortly after the concept was validated by the pioneering corporations, various bug bounty platforms appeared on the scene, most notable being HackerOne, Bugcrowd or HackTrophy based in Slovakia. By now, there are hackers that made more than million dollars in the bug bounty programs already. Bounty reporting also came with a risk as the bug bounty platforms can be leveraged to silence researchers or steal from the them. In some cases, platform employees close bug findings and reopen them with the affected company by themselves or via sock puppets.

The bug bounty market can expect consolidation, as the established norms and processes are already in place and it cannot grow forever. There are always missed opportunities and any serious engineer has to reason how to spend his time, and whether a regular well paying job is not a more stable. For some developing countries, bug bounty platforms provide an access to a better paid jobs that are not available locally.
Finally, lots of current bug bounty platforms work like a lottery, so to make payments more predictable, regular grants from a corporation towards researchers can be a good starting point, which some companies like Google are already doing. The other problem is that bounties for the vulnerabilities between the vendors vary significantly. And then, there is an obvious elephant in the room, companies like Zerodium, that are buying vulnerabilities to exploit them, not to make an internet a more secure place. Exploit brokers are reselling to a highest bidder, which can be nation state or groups specializing in the industrial espionage. Besides the morale and the ethics of the whole thing, from the market perspective, it’s a viable alternative providing big money, but only for a very specific subset of the best bugs found in a widely used products.

Cyber insurance

Another narrative which is silently going forward is the cybersecurity insurance. That is, insurance against the cyber attacks. Insurance companies are starting to catch up with the problems of the industry, mainly damages on operations and reputation caused by the ransomware. According to a Coalition, Inc. around 41% of the cyber insurance claims filed in the first six months of 2020 were due to a ransomware incidents.
Insurance is about calculating the risk and deciding what is the good equilibrium between the price and the probability of an event happening. What is an unheard of is if, and how deeply are the cybersecurity companies cooperating with the insurers. If not already happening, we can expect cybersecurity companies to start partnering with the insurers, as it can be beneficial and attract new customers from both sides. Once there are deals in place it can quickly become a problem for the companies without a partnership. What if insurer mandates its corporate clients to install the specific security product, like antivirus, in order to earn all the insurance benefits? It can tip off the power balance in the cybersecurity industry as a whole, throw more money, customers and secure better market position for an early bird cybersecurity companies that negotiated deals with an insurer.

Reputation brokering

Once a full blown security product, nowadays antivirus software represents only a small part of a growing ecosystem. Vendor branded endpoint protection software can in the near future become only one of a plenty possible services backed by an antivirus company. It’s possible that antivirus vendors liberate their knowledge base and make it available to other software vendors for a fee.
Various inter-company integrations are already happening. Google started consuming antivirus services by acquiring VirusTotal service years ago. But it doesn’t stop there, they are now integrating antivirus vendors like ESET to their Google Chrome browser to make users more secure. Either knowingly or unknowingly, antivirus companies have to expand to a data broker model. All antivirus companies are reputation systems now. Their software collects telemetry data about the prevalence of specific applications and their usage from the client machines.

All antivirus companies are reputation systems now.

Big players like Google or Microsoft try to commoditize the complements of their products to make their ecosystem as accessible and easy to integrate as possible. They have done it with an Android once it was clear that iPhone will eat the market. Antivirus is one of such complement as well. There is no money in it directly to make them a fortune, but they need it to look good and have customers better protected. That’s why Microsoft offers Defender for free and makes it invisible to a user. Security make news only with the negative story and it can cannibalize the platform badly. For operating system vendors, antivirus is an important component, but not for a customer.
On the other side, new opportunities appear with the cloudification and so called DevOps culture. Runtime observability, whether it’s container orchestrator like Kubernetes or virtual machine based cloud, binary and operation system image scanning when at rest in the artifact storage, these are all opportunities that are grabbed by new cybersecurity companies. After a time, we can expect that they will be explored by the established players as well.

Blurring corporate perimeter

Remote access software tools went a long way from the classic virtual private networks (VPN) towards a more intelligent solution. As the customer facing services and internal company systems becomes the same system - paradigm famously adopted by the Amazon in the early days of internally used cloud solutions that powered their book store, differentiating between the customer and employee becomes a challenge.

The same goes for an access to a company’s resources. Bridging security based on a corporate perimeter protection behind a VPN with a world of services open to the internet is not a trivial task. It requires modification of all internal systems to be on a common ground when it comes to authentication and authorization.

Google pioneered a hybrid approach to a remote access with their BeyondCorp solution since 2014. A de facto blueprint for a new way of handling access to a corporate resources. They put together multi-factor authentication, endpoint monitoring with the powerful traffic analysis so they can assign a risk on-the-fly. As remote friendly companies like Gitlab became prevalent, more and more companies shifted to an internet-facing solutions for day-to-day business operations. Of course, most of the businesses does not have scale of Google nor Amazon so they can’t leverage vast resources to create an access system from the ground up. That creates a business opportunity to turn it into a yet another product.

The same goes for an access to a company’s resources. Bridging security based on a corporate perimeter protection behind a VPN with a world of services open to the internet is not a trivial task.

Universal 2nd Factor and FIDO2 strong authentication became a norm for accessing critical business infrastructure. New industry is created, supplying various components like hardware keys used as a smartcards, whether it’s open-source Solo, Yubikey or Google own Titan security key.

End

In the end, security is about making the infrastructure and resources more secure. About making colleagues do their work without being worried. About making our client or employer task of providing business value as easy and safe as possible. About protecting value, if not even producing it with the services we build as a security engineers.