Security Buyer Beware: Breach Detection Market Contains Unproven Tech

The market for breach-detection technologies is growing rapidly, but an NSS Labs market study warns organizations that fledgling security startups bearing unproven platforms are flooding it.

Companies evaluating breach-detection platforms should tread carefully, because most systems have a short track record, according to the 2014 Breach Detection Systems Market Intelligence Brief, issued recently by NSS Labs. Few vendors have marketed breach-detection products for more than three years, the study found. The influx of security startups has confused organizations eager to add broader security controls to address cloud adoption and other security issues.

"Given the ongoing stream of high-profile breaches, the increased importance of breach detection is clear, but, thus far, breach-detection systems are expensive, complex and of questionable effectiveness," NSS Labs found. "A lack of mature solutions and inconsistent marketing is causing considerable confusion regarding the necessity, effectiveness and best practices for deployment of these products."

[Related: Prelert Aiming To Make Its Mark In Advanced Security Analytics]

Sponsored post

The breach-detection market is made up of a mixture of established security vendors and startups that attempt to detect malware on systems that successfully by-passed traditional network security appliances and antivirus software. In addition to Palo Alto Networks, Fortinet, Check Point Software Technologies, Intel Security and Trend Micro, NSS Labs identified Damballa, Fidelis, FireEye and Lastline as the vendors that comprise the biggest part of the breach-detection market.

It also includes startups that are acquisition targets. Palo Alto Networks acquired Morta and Cyvera to add breach-detection capabilities at the endpoint and strengthen its Wildfire advanced threat-detection service. Cisco Systems, which acquired Sourcefire last year, also bought ThreatGrid in May for cloud-based suspicious file analysis.

The new platforms are often complex and require skilled IT staff or systems integrators and other solution providers in the channel with a strong security practice, according to the report. A big inhibitor of the new technology is cost. The industrywide price for a stand-alone breach-detection system was more than $85,000 in 2013, according to the report. Annual subscription services often start at 60 percent to 70 percent of the initial price of the system.

For some organizations, the platforms have added to the "noise" level of unmanageable alerts, said Dewayne Adams, chief technology officer at Patriot Technologies, a Frederick, Md.-based solution provider and partner of Hexis Cyber Solutions, a Hanover, Md.-based breach- detection and automated response vendor.

"Customers don't necessarily want to put in more point solutions and make their environments even more complicated," Adams said. "They want these products tied together and function as a complete solution."

NEXT: Breach Detection Market To Consolidate, Experts Say

Security vendor products also are becoming more flexible, with software and appliances being sold as SaaS-based services and an on-premises option for businesses with regulatory needs or a hybrid model, according to NSS Labs. As advanced detection capabilities mature, the products become great complements to traditional security measures already in place in most environments, said Thomas Skybakmoen, a research director at Austin,Texas-based NSS Labs.

"Every organization is going to have an acceptable risk profile, and that will determine what their budget is and ultimately what technologies they can adopt and get the most value out of," Skybakmoen told CRN. "There are a lot of factors that go into buying decisions, but we find that taking a systematic approach with a thorough evaluation process has the biggest probability of having a successful outcome."

There are too many point security vendors today for the market to be sustainable, said Kris Lovejoy, general manager of IBM's security services division. Large vendors and managed security services providers will likely acquire some of the technologies to fit tactical gaps in their portfolios and meet customer demand, said Lovejoy in an interview with CRN. In addition to IBM, NSS Labs said Hewlett-Packard, Juniper Networks, Sophos and RSA could acquire breach-detection platform vendors and integrate them into their portfolios.

There are signs that the security market is on the verge of consolidation, Lovejoy said. Valuations for startups are coming back down to earth with the VC community being much more practical about the investments they make, she said.

"A year ago, these guys had five guys and a garage with a dog and they would want a billion dollars," Lovejoy said. "They were prerevenue and had an idea, but nothing even coded yet. Today they are coming back and everybody is more logical."

NSS Labs said the market drivers for the new breach-detection technologies appear to be the perception of an increasingly complex threat landscape and the desire for a single technology to detect advanced threats. Breach-detection systems can gain visibility in both network traffic and endpoint systems. They typically operate out of band in detection mode and can analyze and alert on files suspected as threats.

Organizations need to take a step back and assess their environments first before allocating dollars on new technologies, said Arlan McMillan, a security expert and chief information security officer at United Airlines. In an interview with CRN, McMillan said security continues to lose out to business interests at organizations, but, at its core, it is increasingly becoming one of the components essential in keeping valued customers and establishing their trust over time.

One of the biggest issues is that CISOs lack a way to accurately measure the effectiveness of the security program and ... address the organization's security risk profile, McMillan said.

"As a general profession, we are losing the battle because the bad guys are out innovating us," McMillan said. "Organizations need to adopt a pragmatic approach to allocate security resources to the areas that matter most."