Plugging the infosec holes before the bad guys can sneak in

Security posture management gets its due at RSA

RSA Conference When talking about the idea behind security posture management in today's enterprises, Yotam Segev looks a few hundred years into the past.

"You had your castle [and] you put guards at the entrance of the castle trying to catch the thieves as they steal your treasure," Segev, co-founder and CEO of cloudy security startup Cyera told The Register.

"The whole [security] posture management approach essentially says, 'That's not enough. You've got to inspect the castle walls. You've got to inspect the castle defenses, and you've got to continuously identify the vulnerabilities, the exposures in those defenses, and patch them, improve them, fix them.'

"It's very nice that you have those guards at the entrance to the castle, but that's not how the thief is going to come in. He's going to come in through a window or a door that's left unlocked. Let's go find that before they come in."

It's a forward-looking approach in a security industry that in many ways continues to be far too reactive, Segev claimed. Instead of just detecting attacks as they happen or mitigating them afterward, security posture management is about doing as much as possible to keep miscreants out before they can cause problems.

The subject was getting its share of attention at a busy RSA Conference 2023 this week in San Francisco. Besides Segev and executives from other companies spreading the message among the tens of thousands of attendees, there also were sessions featuring vendors like LimaCharlie, Armis Security, and BigID, with the latter company and others like Concentric AI and CardinalOps touting awards from Cyber Defense Magazine.

Coming to RSA with a message

Segev – who with Cyera co-founder and CTO Tamar Bar-Ilan founded the cloud security division within the Israeli military's Unit 8200 intelligence group – brought a key message to Las Vegas: the need to go on the offensive in cybersecurity.

"How can we continuously, every day improve security posture, reduce the risk of being hacked?" he said. "It doesn't mean we never get hacked. Hackers are going to continue to try to find that one vulnerability we didn't patch, that one exposure we didn't identify and remediate. But we are reducing the likelihood of that now."

The idea of posture management isn't new. Products a decade ago checked the security of user devices before giving them network access, and cloud security posture management (CSPM) became mainstream after Netflix open sourced its Security Monkey tool in 2014, according to Claude Mandy, chief evangelist at data security firm Symmetry Systems.

Nine years later, there is no shortage of CSPM tools and services from vendors ranging from Microsoft and Palo Alto Networks to Check Point, Tenable, Wiz, and Orca Security. It's already a market in the $4 billion range and growing at about 15 percent a year.

"Posture management continues to accelerate," Maor Bin, CEO of Adaptive Shield and another Unit 8200 veteran, told The Register. "Linking directly to the move from on-prem to SaaS and IaaS, this shift has been a long time coming as technological advances have occurred. And of course, the COVID-19 pandemic, which forced many hesitant organizations to the cloud. It started from the need to secure IaaS and now many security professionals understand they need to have a similar process in SaaS."

A growing menu of choices

In recent years, as data and infrastructure sprawl has grown and spread from datacenters to the cloud and out to the edge, the security posture management space has likewise splintered into other market categories beyond the cloud, such as data (DSPM, where Cyera, BigID, and Concentric AI fit), SaaS (SSPM, like Adaptive Shield and ArmorCode), and applications (ASPM, including Bionic). CardinalOps said it falls in the continuous detection posture management space.

DSPM went mainstream last year after Gartner broke it out as its own category and there are more than a dozen vendors that have attached their products to this term, said Mandy, once a Gartner analyst himself.

Whatever the name, the goal is the same: plug the holes before the bad guys can slip in through them. Today's products are taking a slightly different tack than earlier offerings that essentially blocked users and activities, which is good for protection but bad for the user experience. The newer ones focus more on changing configurations, permissions, and access – still preventative, but with less user friction.

Security posture management has to do more than give security pros more visibility into their environments, Segev said, equating the idea of greater visibility to a cat bringing home a dead mouse. The cat may be proud, but what's the owner supposed to do with it?

"'I don't want visibility'," he said security teams tell him. "'I want you to solve problems. I don't want something that finds more problems for me. I want something that solves problems for me.' … It's not just detection. We can't stop there. If we stop there, we're not doing justice. We're not helping customers with what they really need."

Simplification and consolidation

The trend in the market is also towards simplifying the tools available to enterprises. Segev said enterprises tell him they need a "uniform language for posture management." Cyera is doing this through a "data lens," given that data is a common denominator in on-premises, cloud, and edge environments.

"That is one of the things I've been seeing that customers are very excited about, is seeing these capabilities in the data lens, because when you look at that asset, that data, what do you care if it lives in AWS or Office 365?" he said. "You care about its value. If you can find it in all of those places, prioritize the highest value targets, and make sure that they're protected across all of that, then you're solving a big problem for customers."

That said, the expectation is that all these various categories, which keep increasing in number, eventually will begin to fold into each other to create fewer but more comprehensive products and services. Adaptive Shield's Bin noted the evolving SSPM space.

"Most organizations appreciate a comprehensive and robust solution that simplifies use of resources covering many areas," he said. "In SaaS security, we see a shift in providing not only posture management, but also third-party app discovery and control, identity and access governance, data protection, activity monitoring and threat detection, and device-to-SaaS security."

"The importance of this inclusion and consolidation is not to dilute the crux of an SSPM but rather expand the level of effectiveness and expertise provided by the solution."

Mandy said that Gartner in 2022 predicted a "convergence of CSPM and DSPM and the collapse of adjacent capabilities into these platforms. We are also seeing the emergence of identity security posture management capabilities. We expect the convergence of these capabilities will ultimately end up in a single platform."

Security posture management – in its many flavors – is showing business value, Segev said. However, his worry is that some enterprises might be slow to adopt it because of an "it's not the way we've done it in the past" streak in some executives, an attitude that could make it easier for threat groups to cause trouble.

"As many organizations are looking at this, they're seeing the value proposition, but they're also wary," he said. "'It's not something we did yesterday. It's not something we had yesterday. Are you sure we need to be doing this? Are you sure this is the way people protect data in the cloud?' That's a journey that if it takes too long, it could have very, very damaging and harmful results for our society." ®
