Tuesday, May 13, 2014

Enterprise Security Tools Vendors' Big Problem

I’ve spent a substantial amount of time helping organizations justify enterprise security software purchases, specifically software security testing tools, in my career. Over that time it was common to run up against the question of “Why buy an enterprise tool when we can use open source?” The answer at the time, which was almost 5 years ago at this point, was that the maturity of the open-source tools wasn’t there. That argument, in recent years, has all but vanished, and enterprise security vendors which have open-source or inexpensive alternatives are in trouble.

The most immediate effect I’m seeing is in the testing tools space. Penetration testing tools are the natural target for erosion of market-share by open source simply because these type of tools are generated in large volumes by testers as they work through engagements and it’s natural for people to want to share. Take for example the most popular penetration testing platform hands-down right now – Metasploit. HD Moore’s community-sourced platform has grown into a monster, with code commits in volumes that would make even the most diligent enterprise security software shop blush. Now – not all this code is clean and brilliantly functional, but it does the job and most of all it’s on the leading edge of innovation as ideas can quickly be pushed to the code base, and taken up and built upon by members of the community. A brilliant approach that a closed-source enterprise software shop will struggle to match. Tools in this space that have price tags north of $10k, $20k are struggling for the very simple reason that even though the open-source equivalent isn't necessarily as polished and pretty – in many cases technically it’s more advanced, more up-to-date, and as a result of being community driven ... more innovative.

I don’t think this means certain death for the big closed-source enterprise security vendors though. It would appear that there is still a customer demand for the tools that these shops release – but it’s a matter of understanding your target market. As I see it there are at least three classes of users: specialist, expert, and master ranked by the person’s abilities.

At the specialist level you’re typically not getting someone who can write their own complex scripts, or exploit code. In fact they’re generally just looking for a blunt implement to do the job…with no requirement to do it exceptionally well. In software security these people manifested as an analyst who was tasked with a series of tasks and one of them just happened to be testing the organization’s web applications. These people weren't testers by skill or trade, nor were they particularly knowledgeable about penetration testing, or even coding web applications. They needed to do a job and that job was to test the app with the least amount of pain. They would look at low-cost or open-source alternatives which weren't particularly polished, required lots of manual work/scripting, and buckets of knowledge and (generally) understood that this wasn't going to be a relationship for them. They sought out the enterprise software which gave them push-button results, and did some of the thinking for them. No assembly required, batteries included.

The next rung up the ladder was always tricky – because the expert class was just smart enough to be dangerous to themselves. What I mean by that is these people knew a little bit about software development, they knew the basics of security and were willing to tinker. They still had a job to get done, and the enterprise software path would have been more productive in many of these cases, but either because they had a passion and desire to learn, or because they simply wanted to see if they could do it – they would compare open-source to closed-source tools (apples and pumpkins) and not fully understand that these were different. This user was tricky because they often times felt that the open-source alternatives were “good enough” even though their skills wouldn't be good enough to produce value from the tools they were using. This as you can guess produced scary results.

The third category was the master class. I met only a handful of these types in my time in that supporting role. These people had no desire or need for enterprise-built security testing tools… they were too constraining, too slow-moving, and just not good enough. They could do run into a problem the enterprise software couldn't tackle and effectively code their own way around it… which allowed them to move faster, be more agile and adapt to the changing nature of the target better. I stress that there were very few of these people out there…and most fell into the expert class. Master class is typically achieved after years of experience immersed in technology and focused work. Generalists rarely get to this level of skill – and it’s really the enterprise’s fault for pushing people to perform 3-4 different roles on average … only 1-2 of them really fall into the person’s wheelhouse.

“Horses for courses” one of my colleagues would say. Make sure you’re advising intelligently so that the right person has the right tool in their hand for their skill set, and the job at hand.

The interesting thing, I think, is that as more security professionals flood the market there dynamics are being skewed. I believe that the distribution between specialist, expert and master is dramatically dramatically changing. A few years ago I would have said that we had 50% specialist, 40% expert, and 10% master class out there. Today’s security industry is becoming more community-enabled and driving that distribution to the right more. So now I think we’re closer to 30% specialist, 50% expert, 20% master and continuing to shift towards master at a good pace. This is both good for the overall state of security, and bad for enterprise security software companies which relied on the specialist and expert classes as a target buyer.

The good news is that enterprise security software isn't dead, it’s just being forced to re-evaluate its value propositions. Enterprise software shops need to re-focus their efforts to engage the community more, make their tools more open (one of the biggest gripes ever is proprietary closed formats of data) and extensible and start to think about lowering their costs… or maybe shift their licensing models to the as-a-Service model. I’m not saying I have the answers, but these shifts are happening and they’re not asking for permission. Enterprise security software shops, if they wish to stay relevant, need to address the shifting sands of skills, needs, and community. Or they can become irrelevant …

No comments: