If you went up to a pharmacist and said, “Hi, I need something to cure a case of the APTs,” what do you think she would recommend?
A big issue with the security industry has to do with the way we market and describe security technology. It used to be that products were described by functionality, with point features that were well understood: firewall, anti-virus, anti-spam, web filter, log management, and so on. Things became one layer removed when marketing trotted out the term "next-generation." Exactly what makes a next-generation firewall different from a first-generation firewall? This led to a longer conversation between the vendor and the buyer (and to be honest, the confusion never really got cleared up; our survey data at 451 Research shows that enterprises are still conflating application-aware firewalls with web application firewalls, even though the former inspect and control which applications may cross a network boundary while the latter filter HTTP traffic to protect a web application itself).
Now the technology has become so multi-faceted and complicated that it’s being described in terms of use cases rather than functionality. If you want to understand what “advanced threat detection” is, you have to look at each example of a product claiming to do it, and understand not only what it does, but what it doesn’t do, and figure out what gaps you might need to fill if you want to detect ALL the threats. Does it mean that the product doesn’t bother detecting “simple threats”? (“No, we leave that for your antivirus.”) Once you detect whatever it claims to be looking for, does it help you take action, or does it just pass an alert to your SIEM?
The difference between “what does this do?” and “what could you use this for?” can be large or small, depending on how well you understand both the problem and the ways to address it. (We won’t talk about solving it; nobody is that bold.) But the big stumbling block for CISOs is that the more abstracted the product description becomes, the more time they need to dig into it and the more technically educated they have to be just to evaluate the claims. By the time they get to dissecting “threat intelligence,” “analytics,” “machine learning” and the like, they may need a data scientist or two just to translate.
There’s no one answer to this problem; technology developments tend to breed complexity, especially in a field as challenging as security. But vendors can help cut through the confusion by diversifying their messages and clarifying them. From a technical, functional standpoint, what does the product do? What techniques does it use? What data does it ingest and output, what assumptions does it work with, and what processes does it support? Then, on the other side, what can you use the product for, and how is it not intended to be used?
And one more thing that vendors can do is to address head-on the question of where their products are truly complementary and where they compete with or replace something else. We see very few new vendors these days who are willing to say that they can replace anything, particularly an older technology. At some point, CISOs are going to balk at buying multiples of tools and building more layers of security, because they can't tell when they've gotten everything covered.
CISOs should be able to wander into their security pharmacy and know that they only need a pain reliever, a decongestant, an antihistamine and a cough suppressant to deal with their APT cold, instead of wandering the aisles and ending up with a cart full of bottles, pills, toothbrushes, and sparkly flip-flops.