Vendors will engage in buzzword bingo at upcoming cybersecurity conferences and elsewhere throughout the year. Security professionals need to define these terms based on existing defenses, requirements and resources.
According to the “2023 Technology Spending Intentions Survey” conducted by TechTarget’s Enterprise Strategy Group (ESG), 65% of organizations will increase cybersecurity spending in 2023. This is due to the following undisputed facts:
- Security defenses are usually a step or two behind adversaries and evolving threats, so we are always playing catch-up; and
- Research from ESG and the Information Systems Security Association indicates that more than half of all organizations are affected by the cybersecurity skills shortage. Overcoming this deficit means investing in people, process automation, advanced analytics and security services.
CISOs will be a bit cautious due to economic uncertainty, postponing large projects in favor of tactical adjustments and maximizing the efficacy of existing tools. Nevertheless, organizations will be in the market for technologies that help them fill gaps or address emerging threats and challenges.
Given plans for tepid but consistent investments in 2023, I anticipate a lot of creative marketing from cybersecurity vendors. Here are some of the cybersecurity terms we’ll hear a lot at RSA Conference, Black Hat and Infosec Europe and strewn through vendor and analyst publications. Most are not new, and they will all become buzzwords.
1. Cyber resilience
NIST defines cyber resilience as “the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that use or are enabled by cyber resources.”
This covers the whole cybersecurity enchilada — threat modeling, a cyberthreat intelligence program, defense in depth, fault tolerance, network segmentation, incident response, backup and recovery, etc.
In other words, cyber resilience is a full lifecycle process, including planning, preparation, workflows and a collective effort across multiple products. Based on this, no one product can deliver cyber resilience, but promotional wordsmiths will still embrace this term in their marketing messages. When confronted with this pitch, security professionals should push vendors on where their products fit in cyber-resilience lifecycle processes, how they complement other products and how security teams should measure their performance.
2. Collective defense
Imagine if numerous organizations within a single industry pooled their resources to establish a common fusion center — for example, threat intelligence analysis, security operations or incident response. This collaboration could be a rising tide that floats all boats, educating security teams while making them more proactive and productive. OmniSOC is a good example of collective defense. It supports multiple universities — including Clemson, Indiana University, Northwestern University and Rutgers — as well as a number of National Science Foundation facilities. Vendors such as CrowdStrike, Palo Alto Networks, Splunk and Trend Micro can act as collective defense hubs, analyzing threats at one customer to then distribute threat intelligence, detections and blocking rules to others. For other vendors, collective defense messaging may equate to little more than basic threat sharing. Security professionals should push vendors for details when this term comes up.
OK, I made this one up to encompass a whole family of terms: cloud detection and response (CDR), data detection and response (DDR), identity detection and response (IDTR), etc. These newish areas simply follow the detection and response (DR) trend.
Endpoint forensic software gained some real-time functionality to become endpoint detection and response (EDR); same with the transition from network traffic analysis to network detection and response (NDR). More recently, extended detection and response (XDR) emerged to consolidate diverse and isolated capabilities from point products.
This raises a potential security industry conundrum: Do we need more *DR technologies, or will this functionality be subsumed by XDR? I postulate that both situations are true. Large organizations with dynamic and complex applications and infrastructure will benefit from granular domain-based detection and response options, which make up about 20% of the market. The other 80% will get what they need from increased data collection, a greater effort around detection engineering, advanced analytics, process automation and existing tools and technologies. If this still seems too complex, managed services can be considered.
Allow me to sort through this alphabet soup. XDR is a product purchased from a single vendor. Managed detection and response, or MDR, is a service purchased from a service provider. With XDR, you care about what’s under the proverbial hood. With MDR, you care about outcomes, not the machinery and knobs that make it work.
This binary situation doesn’t always apply, however. Many security professionals are “gear heads” by nature — programmed by experience to want to kick the tires and evaluate the efficacy of individual security tools. Still, their organizations may not have the appropriate staff or skills to keep up with even the best XDR products available.
Managed XDR (MXDR) provides a “have your cake and eat it too” option. Organizations can choose the best XDR and then find a managed services dance partner to augment their internal team. MXDR may seem like a silly subtlety between XDR and MDR, but ESG research indicates it will be a popular option. When asked what type of MDR vendor they would choose, 34% of respondents said they would choose a vendor that is primarily focused on XDR.
5. Passwordless authentication
Passwordless authentication is “a verification process that determines whether someone is, in fact, who they say they are without requiring the person to manually enter a string of characters.” Most organizations will be instantly attracted to passwordless authentication because it promises to reduce end-user friction while improving security efficacy through zero trust.
The problem is that passwordless authentication depends upon a bevy of other things, such as directory synchronization, multifactor authentication technologies, biometrics, device types and identity standards including FIDO and OpenID. Since everyone wants to get rid of passwords, the term passwordless authentication will be passed around the industry like a joint at a Grateful Dead concert, but it’s meaningless without a more thorough perspective.
A software bill of materials (SBOM) is defined as “an inventory of all constituent components and software dependencies involved in the development and delivery of an application. It has become an increasingly common and critical component of software development lifecycle and DevSecOps processes.” The term gained popularity as a result of section 4 of the White House’s May 2021 executive order, enhancing software supply chain security. SBOMs will become part of conversations around attack surface management, application security, open source software and cloud-native application development.
Unfortunately, that’s the problem. When SBOM is part of everything related to application development, it will get coopted and watered down. Securing the software supply chain is something every organization should do, but with an agreed upon plan that aligns with their individual technical and cyber-risk management needs and capabilities.
My ESG colleagues have suggested some others to add to this list, and I’m sure we’ve missed some popular ones. Let me know.