What'd We Learn at RSA? Security Automation Rules


By: R. Scott Raynovich

The cybersecurity boom continues, as enterprises and service providers search for automation tools to cope with an explosion of threats and security alerts.

A total of 45,000 professionals attended the RSA2020 Conference, one of the few technology conferences to go ahead during the great coronavirus panic of 2020. That's up from 2019's attendance of 42,000, despite concern over COVID-19 that has already led to the cancellation of other large conferences, such as Mobile World Congress (MWC).

Acronym Onslaught: XDR, SASE, and SOAR

Against the backdrop of a plummeting stock market, RSA2020 featured thousands of security tools and a cornucopia of venture capital (VC) funding for startups, which continues to set records. There is also a growing bubble in cybersecurity acronyms. In a world that already has EDR, CASB, SSL, and SIEMs, you now have to deal with XDR and SASE. More on that later.

One thing that appears to be happening is a migration from point security solutions to integrated platforms that can drive security automation. The security industry has an infamous shortage of talent, and professionals are overwhelmed both by the alerts they have to respond to and by the many tools they already own. Automation is the strongest trend going forward in cloud security. What's needed is software that automates the response to known threats. The new direction is to apply artificial intelligence (AI) and machine learning (ML) to large amounts of collected data with the goal of automating remediation.

Enter XDR

XDR (extended detection and response; the X is deliberately open-ended, so read it as "whatever telemetry you have") applies machine-learning analytics across a broad range of collected data so that events from different sources can be correlated and the response to known threats automated.

The best way to think of the XDR movement is that it's an attempt to integrate the broad silos of cybersecurity tools such as endpoint detection and response (EDR), network security and analysis, and security information and event management (SIEM). The goal is to increase automation and alleviate the alert bloat at Security Operations Centers (SOCs).

An interesting company to emerge in the XDR/SOAR market is little 35-person startup Stellar Cyber, which Futuriom wrote about here. Stellar won the Editor's Choice award for Cybersecurity Artificial Intelligence from Cyber Defense Magazine (CDM) at RSA. Stellar is aiming to integrate security applications behind a single interface so that security analysts can triage and respond faster.

The only question: How is XDR different from SOAR (Security Orchestration, Automation and Response)? The conventional distinction is that SOAR orchestrates playbooks across tools you already own, while an XDR vendor bundles detection and response into one platform, but the line is blurry in practice. For now, let's put them in the same bucket and let the marketeers battle it out with keyword lobbying.

Netskope Scopes SASE

Want another acronym? Networking specialists are latching on to Secure Access Service Edge (SASE), a bucket invented by Gartner to describe the convergence of cloud and network security with the enterprise edge.

Netskope, which built a leadership position in the Cloud Access Security Broker (CASB) market, is now putting its stamp on SASE by extending its security functions to the enterprise edge. Netskope recently raised a whopping $340 million funding round, giving it a $3 billion valuation.

Netskope is positioned nicely as the secure edge gains steam and draws the attention of companies that have been riding the software-defined wide-area-networking (SD-WAN) market, which started as a way to simplify management of enterprise branch networks but is increasingly about managing security. It makes sense to take CASB functionality, which inspects and protects traffic going to cloud apps by proxying it (or by reading the apps' own APIs), and tie that into protection of the edge. In short, you can expect CASB to merge with SASE. Or SD-WAN. However you want to think of it.

Tony Kros, Netskope's analyst relations manager, told me that Netskope's differentiation in the SD-WAN and SASE markets will come down to the build-out of robust network points of presence (POPs) that will sit in co-location centers at important peering points for cloud networks. Kros says that Netskope has 50 POPs today and expects to expand that substantially over the next few years.

Think of it as a security-focused Akamai. That means Netskope will increasingly be competing with SD-WAN vendors such as VMware's VeloCloud, which is pushing security functionality into cloud gateways, as well as SD-WAN managed service providers such as Aryaka Networks and Cato Networks, which also run their own networks of POPs.

Automation of Cloud Security

So if SASE represents the hot network trend at the network edge, what about inside the cloud? Cloud-native security is another complicated area drawing a lot of interest from an automation angle.

Many of the new wave of security companies are taking the same approach: aggregate telemetry from a variety of sources (the network, endpoints, cloud APIs), apply machine learning and/or AI to detect anomalies or suspicious behavior, and then shut it down automatically. The practical caveat is that the "shut it down" step only earns trust when the correlated evidence is strong enough that a false positive is rare; an automated response that isolates a production host or revokes a service account on a single weak signal causes its own outage.
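The pattern described above, and the XDR idea of correlating across endpoint, network and cloud silos, as an added example that is not code from any vendor mentioned on this page. It runs three simple per-silo detectors over constructed telemetry (the hosts, users, IP addresses, timestamps and baseline values are invented for the example), keys every signal by user, scores the signals that land in one time window, adds a cross-silo link that no single silo can see, and emits a response plan only when the combined score crosses a threshold. The detector rules, weights and the ten-minute window are assumptions, not anyone's product logic.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample telemetry from three silos; none of it is real data.
ENDPOINT_EVENTS = [  # EDR-style process-creation records
    {"ts": "2020-03-01T10:00:05", "host": "ws-17", "user": "alice", "proc": "winword.exe", "child": "powershell.exe"},
    {"ts": "2020-03-01T10:00:09", "host": "ws-17", "user": "alice", "proc": "powershell.exe", "child": "curl.exe"},
    {"ts": "2020-03-01T10:15:00", "host": "ws-22", "user": "bob", "proc": "explorer.exe", "child": "outlook.exe"},
]
NETWORK_EVENTS = [  # flow records from a network sensor
    {"ts": "2020-03-01T10:00:12", "host": "ws-17", "dst": "203.0.113.7", "bytes_out": 52_000_000},
    {"ts": "2020-03-01T10:16:00", "host": "ws-22", "dst": "198.51.100.20", "bytes_out": 12_000},
]
CLOUD_API_EVENTS = [  # cloud audit-log records (CloudTrail-like shape)
    {"ts": "2020-03-01T10:01:30", "user": "alice", "action": "s3:ListBuckets", "src_ip": "203.0.113.7"},
    {"ts": "2020-03-01T10:01:45", "user": "alice", "action": "s3:GetObject", "src_ip": "203.0.113.7"},
    {"ts": "2020-03-01T10:20:00", "user": "bob", "action": "ec2:DescribeInstances", "src_ip": "192.0.2.10"},
]

# Assumed baselines; a real platform learns these from history rather than hard-coding them.
KNOWN_EGRESS_IPS = {"192.0.2.10"}             # corporate NAT addresses
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}
EGRESS_BASELINE_BYTES = 1_000_000             # typical bytes_out per flow
CORRELATION_WINDOW = timedelta(minutes=10)
INCIDENT_THRESHOLD = 5                         # chosen so no single silo reaches it alone


@dataclass
class Signal:
    ts: datetime
    kind: str
    weight: int
    host: Optional[str] = None
    user: Optional[str] = None
    ip: Optional[str] = None


def detect_endpoint(events) -> List[Signal]:
    """Office application spawning a script host (macro-style execution)."""
    return [Signal(datetime.fromisoformat(e["ts"]), "office_app_spawned_script_host", 3, e["host"], e["user"])
            for e in events if e["proc"] in OFFICE_APPS and e["child"] in SCRIPT_HOSTS]


def detect_network(events) -> List[Signal]:
    """Outbound flow far above the per-flow baseline."""
    return [Signal(datetime.fromisoformat(e["ts"]), "large_egress", 2, host=e["host"], ip=e["dst"])
            for e in events if e["bytes_out"] > 10 * EGRESS_BASELINE_BYTES]


def detect_cloud(events) -> List[Signal]:
    """Cloud API call from an address that is not a known corporate egress."""
    return [Signal(datetime.fromisoformat(e["ts"]), "cloud_api_from_unknown_ip", 2, user=e["user"], ip=e["src_ip"])
            for e in events if e["src_ip"] not in KNOWN_EGRESS_IPS]


def plan_response(user: str, window: List[Signal]) -> List[str]:
    """Response actions as strings; a real system would call the EDR and IAM APIs here."""
    actions = [f"isolate_host:{h}" for h in sorted({s.host for s in window if s.host})]
    if any(s.kind.startswith("cloud") for s in window):
        actions.append(f"revoke_cloud_sessions:{user}")
    actions.append(f"open_ticket:{user}")
    return actions


def correlate(signals: List[Signal], host_user: Dict[str, str]) -> Dict[str, dict]:
    """Key every signal by user, then score the signals that fall in one time window."""
    by_user = defaultdict(list)
    for s in signals:
        user = s.user or host_user.get(s.host)   # network signals only know the host
        if user:
            by_user[user].append(s)
    incidents = {}
    for user, sigs in by_user.items():
        sigs.sort(key=lambda s: s.ts)
        start = sigs[0].ts                       # one window anchored on the first signal
        window = [s for s in sigs if s.ts - start <= CORRELATION_WINDOW]
        # Cross-silo link: the host's bulk egress destination then issues cloud API
        # calls with this user's credentials. Neither silo can see this on its own.
        egress_ips = {s.ip for s in window if s.kind == "large_egress"}
        for s in list(window):
            if s.kind == "cloud_api_from_unknown_ip" and s.ip in egress_ips:
                window.append(Signal(s.ts, "cloud_creds_used_from_egress_dst", 4, user=user, ip=s.ip))
                break
        score = sum(s.weight for s in window)
        if score >= INCIDENT_THRESHOLD:
            incidents[user] = {"score": score, "signals": [s.kind for s in window],
                               "actions": plan_response(user, window)}
    return incidents


def run(endpoint=ENDPOINT_EVENTS, network=NETWORK_EVENTS, cloud=CLOUD_API_EVENTS) -> Dict[str, dict]:
    host_user = {e["host"]: e["user"] for e in endpoint}   # last user seen on each host
    signals = detect_endpoint(endpoint) + detect_network(network) + detect_cloud(cloud)
    return correlate(signals, host_user)


if __name__ == "__main__":
    for user, inc in run().items():
        print(user, inc["score"], inc["signals"], inc["actions"])
```

Run on its own, the block reports one incident for alice (macro spawned a shell, 52 MB left the workstation, and the destination of that egress then used her cloud credentials) and nothing for bob, whose activity looks normal in every silo. The point worth noticing is that each silo's signals stay below the threshold on their own; only the correlation across silos produces a score high enough to justify the automated isolate-and-revoke actions.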

Lacework is an interesting play on cloud security AI and automation with a deep bench of cloud expertise, including Vikram Kapoor, former CTO of Bromium, and VP of Engineering Johnny Chen, former head of engineering at cloud data platform startup Cohesity. Lacework ingests large amounts of data through cloud provider APIs and analyzes it to build a picture of normal behavior in the cloud. Most importantly, it can monitor container-based workloads such as those running in Kubernetes. It then uses that baseline to detect anomalous activity and protect workloads, hosts, and files in the cloud. The company is three years old and has already garnered a total of $70 million in funding.

The bottom line is: There are a lot of hot security companies drawing large amounts of funding. And I wouldn't expect it to slow down.

Momentum Cyber's Annual Cybersecurity Almanac, a report on cybersecurity trends, recently showed that security and identity and access management (IAM) vendors received the most investment funding in 2019. The cybersecurity space raised more than $10 billion in 2019, according to Crunchbase News.

There are even cybersecurity-focused funds. ForgePoint Capital in February announced it has raised $450 million in its second fund to invest in early-stage and select growth companies in the cybersecurity sector, putting its total money under management at $750 million.

Bottom line: Security tech continues to trend as the largest area of VC investment as the cloud infrastructure expands and business professionals struggle to find a way to automate the protection of their resources.