In Part 1 of our two-part series on The Evolution of Cyber Security Tools, we discussed some of the major data breaches that have occurred over the past 5 years. In Part 2 we take a look at some of the newer categories of security tools that have emerged over the past 2-3 years in response to the ever-changing threat landscape.
First, we will highlight some traditional tools that enterprises have deployed in the past. These tools have been around for at least a decade and are usually some of the first products that companies deploy when they build out their security program. While they aren't as flashy or new as some of the tools we will discuss later in the post, they are still key pieces of any enterprise's overall security capabilities.
Here are a few that you may already be familiar with:
Web Application Firewall
- Purpose: Used to reduce the risk of successful attacks such as cross-site scripting and SQL injection against a web application
- Pros: Great for blocking clearly automated, low-effort attacks
- Cons: Not as good at protecting against distributed or slow attacks; rules are usually fairly static and signature-based, so a determined attacker can often craft payloads that evade them with reasonable effort
- Notable Vendors: Cloudflare, Signal Sciences, Imperva, Akamai
Endpoint Detection and Response
- Purpose: Used to detect malicious activity on endpoints such as laptops and servers, investigate it, and contain or remove malware
- Pros: Generally able to detect and block the most common malware families and record endpoint telemetry for later investigation; many solutions available for a variety of budgets
- Cons: Can never be 100% accurate in detection, so alerts still need human triage; the agent can sometimes cause performance issues
- Notable Vendors: CrowdStrike, SentinelOne, Carbon Black
Vulnerability Scanners
- Purpose: Used to discover security vulnerabilities on devices in a network
- Pros: Can automatically identify several major high-risk security misconfigurations and missing patches for a variety of common software and operating systems
- Cons: High minimum cost makes them uncommon among small companies; scanning can cause performance issues on scanned devices; usually unable to detect vulnerabilities that require multiple steps to exploit, since each finding is assessed in isolation
- Notable Vendors: Rapid7, Tenable, Qualys
Next Generation Security Products
Tools such as the ones mentioned above are by no means antiquated, but several new types of solutions have emerged in recent years that address different security issues based on customer requirements, emerging threats, and other industry trends.
Automated Pen Testing
Historically, penetration tests, in which white hat hackers deliberately simulate attackers in an attempt to discover security vulnerabilities, have been performed manually by humans with the assistance of tools such as Metasploit and Burp Suite. In the past, it was fairly difficult to write software that could conduct advanced attacks using techniques that require multiple steps.
We are now starting to see solutions that can go much further with exploitation than tools in the past could. While not a full replacement for manually conducted pen tests, these tools allow companies to run assessments in their environments continuously and identify issues more often than an annual pen test can. These tools are usually hosted on-premises within a network and focus on network pen tests, with external and application testing slated to arrive later this fall. Unlike traditional vulnerability scanners, these platforms are able to chain multiple steps together when a potential vulnerability is discovered, and many of the tests they conduct are based on techniques that human pen testers would use. While these platforms have not been widely adopted yet, I suspect that more and more companies will begin to explore them to supplement their current internal pen-testing programs. It should be noted that the vendors themselves acknowledge that these are not meant to replace human pen tests, but rather to give security teams an additional option for improving their security posture.
- Notable Vendors: Pcysys, Horizon3
Zero Trust Platforms
Historically, many large enterprises have relied on on-premise networks designed for employees to work from a physical office. In some cases, employees could access the network remotely using their work computers and a traditional Virtual Private Network (VPN). Many older VPN clients are reviled by users for their poor user experience and tendency to have bugs.
The industry has begun shifting away from the traditional VPN model, in which users and devices already inside the network perimeter are assumed to be trustworthy. Instead, companies have begun adopting what is known as a "Zero Trust" model for access, in which every request to a network resource is authenticated and authorized regardless of where it originates, usually with an additional layer of authentication. These platforms can also be used to add protection in front of common SaaS apps that do not have advanced native security options. This is becoming increasingly common as employees move towards remote work and SaaS begins to replace on-premises resources. The concept of "Zero Trust" isn't exactly standardized across the board, but vendors in this space generally offer some combination of the following features:
- Granular permissions defined at the application level
- Multi-factor authentication for applications and servers even inside the network
- Risk analysis based on signals such as time, user location, device type, etc.
- Microsegmentation of networks without having to redesign them
- Alerts for suspicious behavior
In summary, these platforms add additional layers of defense in existing networks and fit in quite well with the principle of defense in depth.
- Notable Vendors: Cloudflare, Banyan Security, Teleport, Perimeter 81, Pomerium
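To make the feature list above concrete, here is an added example of a Zero Trust access decision, written for this post and not taken from any of the vendors listed. It evaluates a request against an application-level policy, device posture, and a risk score built from time, location and device signals, and it never consults the source IP for trust: a request from 10.0.0.5 inside the office gets exactly the same treatment as one from a coffee shop. The policy table, the risk weights and the thresholds are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed per-application policy (added example, not vendor configuration):
# permissions are defined per app, not per network segment.
APP_POLICY = {
    "payroll":  {"roles": {"finance"},                "managed_device": True},
    "wiki":     {"roles": {"finance", "engineering"}, "managed_device": False},
    "prod-ssh": {"roles": {"sre"},                    "managed_device": True},
}

STEP_UP_RISK = 30    # risk at which a fresh MFA prompt is demanded
DENY_RISK = 60       # risk at which access is refused outright
FRESH_MFA_MIN = 15   # how recent MFA must be when risk is elevated


@dataclass
class Request:
    user: str
    roles: set
    app: str
    mfa_age_min: Optional[int]   # minutes since last MFA; None = not done
    device_managed: bool         # enrolled in the company's device management
    device_os_patched: bool
    source_ip: str               # kept for the audit log only, never for trust
    country: str
    hour_utc: int                # 0-23


@dataclass
class Decision:
    action: str                  # "allow", "step_up" or "deny"
    risk: int
    reasons: list = field(default_factory=list)


def risk_score(req, usual_country):
    """Hypothetical risk model: sum of weights for anomalous signals."""
    score, reasons = 0, []
    if req.country != usual_country:
        score += 40
        reasons.append("unusual country")
    if req.hour_utc < 6 or req.hour_utc > 22:
        score += 15
        reasons.append("off-hours access")
    if not req.device_os_patched:
        score += 25
        reasons.append("device OS unpatched")
    return score, reasons


def evaluate(req, usual_country="US"):
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return Decision("deny", 0, ["unknown application"])

    # 1. Application-level authorization. Network location is not an input.
    if not (req.roles & policy["roles"]):
        return Decision("deny", 0, ["role not permitted for app"])

    # 2. Device posture.
    if policy["managed_device"] and not req.device_managed:
        return Decision("deny", 0, ["unmanaged device"])

    # 3. Risk signals (time, location, device state).
    score, reasons = risk_score(req, usual_country)
    if score >= DENY_RISK:
        return Decision("deny", score, reasons + ["risk above deny threshold"])

    # 4. MFA is required for every app, even inside the network, and must be
    #    fresh when the risk score is elevated.
    if req.mfa_age_min is None:
        return Decision("step_up", score, reasons + ["MFA not completed"])
    if score >= STEP_UP_RISK and req.mfa_age_min > FRESH_MFA_MIN:
        return Decision("step_up", score, reasons + ["fresh MFA required"])

    return Decision("allow", score, reasons)


def should_alert(decision):
    """Suspicious-behaviour alert: any denial, or elevated risk even if allowed."""
    return decision.action == "deny" or decision.risk >= STEP_UP_RISK


if __name__ == "__main__":
    inside = Request("alice", {"finance"}, "payroll", mfa_age_min=None,
                     device_managed=True, device_os_patched=True,
                     source_ip="10.0.0.5", country="US", hour_utc=10)
    d = evaluate(inside)
    print(d.action, d.risk, d.reasons)
```

The ordering matters: authorization and device posture are hard gates evaluated before the risk model, so a stolen password used from an unmanaged laptop is refused before any scoring happens, and the reasons list gives the security team the "alert for suspicious behaviour" the vendors advertise.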
Compliance Automation
One of the major responses to the increasingly significant number of data breaches over the past 5 years has been the emergence of third-party risk management solutions. Most large enterprises, and even mid-sized companies, no longer procure third-party software without conducting an in-depth security assessment first. This review process usually requires vendors to undergo a SOC 2 or ISO 27001 audit, which gives prospects assurance that an independent party has verified that baseline security controls are in place. Traditionally, startups and other smaller organizations chose not to undergo these potentially expensive and time-consuming audits. Times have changed, and now even startups with 3 or 4 team members are being asked to complete a SOC 2 audit before purchase agreements can be signed.
This new need has resulted in several startups arising to address the typically complex compliance preparation process via SaaS automation. These tools assist vendors with creating security policies, collecting evidence, and determining appropriate controls for an audit. They are becoming increasingly popular due to the lack of dedicated security and compliance personnel at many smaller companies. In addition, many CPA firms are now working directly with these companies to improve their own audit capabilities.
- Notable Vendors: Very Good Security, Vanta, Bytechek, Secureframe, Tugboat Logic
Bot Detection
With the rise of cloud computing and increasingly sophisticated malware, it has become significantly easier for threat actors to mount attacks against websites from an enormous pool of rented or compromised machines. Compared to years past, it is now fairly trivial to send massive, distributed attacks that bypass per-IP-address rate limits, simple firewall rules, and IP address blacklists, because no single source address ever sends enough traffic to trip them. This has led to the emergence of bot detection tools.
Bot detection tools use a combination of machine learning, user signals such as the speed of mouse movement, and threat intelligence to determine the likelihood that a request comes from a real human. Metadata about a request is sent to the solution's server for analysis, which responds with a bot likelihood score. The web application can then use that score to rate limit an IP address, present a CAPTCHA, or block the request outright. In addition to protecting login pages from brute-force attacks, bot detection has a variety of other use cases, such as preventing online advertising click fraud and stopping scalpers from buying up popular tickets during on-sales.
Many security teams have started using these solutions to reduce the risk of account takeover via credential stuffing against users who reuse passwords. Note that these solutions are generally priced by volume of traffic inspected, and thus can be quite expensive for popular B2C websites.
- Notable Vendors: PerimeterX, Shape Security, Human Security, Akamai
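The scoring-and-action flow described above, as an added example written for this post rather than any vendor's model: a small scorer that combines a per-IP rate counter, a per-account counter of distinct source IPs (the signal that catches distributed credential stuffing which per-IP limits never see), a user-agent check, a crude behavioural signal, and a threat-intel lookup, then maps the score to allow, rate-limit, CAPTCHA or block. The weights, thresholds, threat-intel addresses and sample traffic are all constructed; a real product replaces the hand-tuned scoring with machine learning, but the decision plumbing on the web-application side looks the same.

```python
import re
from collections import defaultdict, deque

# Added example; weights and thresholds are illustrative, not any vendor's.
WINDOW_SEC = 60
IP_BURST = 30            # requests per IP per window before it looks automated
ACCOUNT_IP_SPREAD = 5    # distinct IPs per username per window (stuffing signal)

# Constructed threat-intel feed: documentation-range addresses standing in
# for IPs recently seen in credential-stuffing campaigns.
THREAT_INTEL_IPS = {"203.0.113.7", "198.51.100.23"}
AUTOMATION_UA = re.compile(r"python-requests|curl/|go-http-client|scrapy", re.I)


def action_for(score):
    """Map a bot-likelihood score (0-100) to what the web app should do."""
    if score >= 80:
        return "block"
    if score >= 60:
        return "captcha"
    if score >= 30:
        return "rate_limit"
    return "allow"


class BotScorer:
    def __init__(self):
        self.ip_hits = defaultdict(deque)       # ip -> request timestamps
        self.account_hits = defaultdict(deque)  # username -> (ts, ip) pairs

    @staticmethod
    def _prune(dq, now, key=lambda x: x):
        # Drop entries that have aged out of the sliding window.
        while dq and now - key(dq[0]) > WINDOW_SEC:
            dq.popleft()

    def score(self, req):
        """req: dict with ts, ip, username, ua, form_fill_ms, mouse_events.
        Returns (score, reasons)."""
        now, ip, user = req["ts"], req["ip"], req["username"]
        score, reasons = 0, []

        # Per-IP velocity: the classic rate limit, still useful against
        # single-source tools.
        hits = self.ip_hits[ip]
        self._prune(hits, now)
        hits.append(now)
        if len(hits) > IP_BURST:
            score += 30
            reasons.append("ip burst")

        # Per-account spread: many IPs trying one username inside the window
        # is a distributed credential-stuffing run; each IP alone looks quiet.
        acct = self.account_hits[user]
        self._prune(acct, now, key=lambda e: e[0])
        acct.append((now, ip))
        if len({i for _, i in acct}) > ACCOUNT_IP_SPREAD:
            score += 40
            reasons.append("account ip spread")

        # Client fingerprint and behavioural signals.
        ua = req.get("ua") or ""
        if not ua or AUTOMATION_UA.search(ua):
            score += 20
            reasons.append("automation user-agent")
        if req.get("mouse_events", 0) == 0 and req.get("form_fill_ms", 0) < 300:
            score += 20
            reasons.append("no human interaction")

        # Threat intelligence.
        if ip in THREAT_INTEL_IPS:
            score += 30
            reasons.append("threat intel hit")

        return min(score, 100), reasons

    def decide(self, req):
        score, reasons = self.score(req)
        return action_for(score), score, reasons


def constructed_sample_traffic():
    """Constructed traffic: 8 login attempts against one account from 8 IPs,
    one human login, and one human-looking hit from a listed IP."""
    reqs = [{"ts": i, "ip": f"192.0.2.{i + 1}", "username": "alice@example.com",
             "ua": "python-requests/2.31", "form_fill_ms": 50, "mouse_events": 0}
            for i in range(8)]
    reqs.append({"ts": 9, "ip": "203.0.113.50", "username": "bob@example.com",
                 "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0",
                 "form_fill_ms": 4200, "mouse_events": 37})
    reqs.append({"ts": 10, "ip": "203.0.113.7", "username": "carol@example.com",
                 "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/117.0",
                 "form_fill_ms": 3100, "mouse_events": 22})
    return reqs


def run(reqs):
    scorer = BotScorer()
    return [scorer.decide(r)[0] for r in reqs]


if __name__ == "__main__":
    for r, a in zip(constructed_sample_traffic(), run(constructed_sample_traffic())):
        print(r["ip"], r["username"], a)
```

In the sample run, the first five attempts against the one account only earn a rate limit (the user-agent and the 50 ms form fill look automated, but no single IP is busy), and the sixth distinct IP pushes the account-spread signal over its threshold and the remaining attempts are blocked even though each IP has sent exactly one request. That account-level counter is the piece that a plain per-IP rate limit lacks.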
As we saw in this post, there are several new types of security solutions out there that address the increasingly complex attack patterns of threat actors online. Despite the security industry's best efforts, security incidents will continue to occur and evolve as the rest of the technology world changes. With new types of attacks will also come new types of products to deal with them.
Interested in recommendations for some next generation security products to help improve your organization's security posture? Contact us at email@example.com