Will 2015 Be The Year of Information Security Disruption?

Mark Robinson, president of Findlay, Ohio-based CentraComm, is one of dozens of channel veterans who attends the RSA Conference every year and has watched the security industry's largest annual gathering grow substantially in recent years. Robinson and others recall having to sprint to meet colleagues from one side of the mammoth Moscone Convention Center in San Francisco to the other. The trade show floor grew so large in 2014 that it was separated into two packed halls at the venue.

Understanding contextually how emerging security startups can fit into the portfolio has become an increasingly difficult job, Robinson told CRN in a recent interview. Large, established security vendors are becoming more collaborative in their approach with the rest of the security industry, but there are no immediately clear technology relationships with some of the latest startups, he said.

"This space is so crowded and organizations have so much on their plates, that having someone partner with them on figuring this stuff out makes people appreciate what we do for them," Robinson said. "At the end of the day, we provide a strong and reliable service and they solve their problems the most efficient and cost-effective way."


The security market is moving in multiple directions with many startups adding detection and some form of automated response to their initial offerings. Emerging vendors with products designed to prevent system compromise are still proving their worth, said Rick Holland, principal analyst at Forrester Research. Startups that integrate security analytics with monitoring and alerting are adding containment and mitigation capabilities, Holland said. The integrated offerings span both networking and endpoint systems, he said.

"The prevention solutions must prove that they can run at scale without disrupting legitimate user activity. They are so new that they haven't built that level of credibility yet," Holland said. "In 2015, the solutions that only provide visibility must add containment and response. It isn't enough to observe something bad; you have to do something about it."

Networking vendors are moving to the endpoint. Check Point already has endpoint security capabilities. Palo Alto Networks acquired Cyvera to extend its reach into endpoint systems, introducing Traps Advanced Endpoint Protection in October. FireEye is extending its threat prevention platform to the endpoint.

Meanwhile, the market includes dozens of startups. Confer, CounterTack, Cybereason and Cylance are competing to provide threat intelligence and advanced threat detection capabilities. Tanium is building out an IT management platform with capabilities that could appeal to system administrators and security incident responders. Vectra Networks sits on a network span port to identify signs of attack activity in progress. Cyphort aims at providing incident responders with alerts containing contextual intelligence for a speedier containment and removal of threats.

Solution providers in the channel need to determine if emerging security technologies would reduce operational friction within their clients' environments. An evaluation also must determine if the customer can use and maintain the technology with limited skills and IT staff, Holland said.


"I would rather take a B-solution that easily integrates into my enterprise than an A+ solution that requires so much effort to orchestrate I need a systems integrator to deploy it," Holland said. "We need to stop investing in extra layers of protection, what I call expense-in-depth, that don't integrate with anything else."

Some of the emerging vendors have automated response capabilities that could be flipped on or off depending on the organization's security posture. Nearly all of them generate alerts that need to be managed, Holland said. It's an issue that has caused some solution providers to identify emerging security startups that aim at reducing and prioritizing alerts.

"Organizations are suffering from alert fatigue," said Nick Peaster, managing director at Sussex, U.K.-based security systems integrator Preventia Ltd., an early CounterTack partner. Peaster said the company partnered with CounterTack because of its ability to provide incident responders with additional information about a detected threat.

"Response is based on the confidence you have in a particular data point so that security teams can be incentivized to stop breaches before they happen," Peaster said. "These empty alerts are a problem that needs addressing."

Enter Hexis Cyber Solutions, which has turned to the channel with its HawkEye G platform designed to detect advanced threats and also automate incident response. Overburdened organizations are looking for a product that can not only detect, but also stop, malware, said Dewayne Adams, chief technology officer at Patriot Technologies, a Frederick, Md.-based solution provider and Hexis partner.

"Customers are talking about this and looking for solutions that trigger remediation," Adams said. "There's interest in automation and the way the data is presented."

Solution providers tell CRN that other established industry names are attracting interest. Intel Security (formerly McAfee) introduced an Advanced Threat Defense appliance designed with automated threat mitigation capabilities. IBM acquired Trusteer, which has moved beyond its core of providing fraud protection for the financial industry to protecting corporate endpoints from advanced malware. Bit9, which was once solely focused on application white-listing, merged with Carbon Black to identify advanced threats and trace the full kill chain of an attack for incident responders. The combined platform provides root-cause analysis to identify the configuration weakness or software vulnerability that needs to be addressed to prevent future attacks.

Most security startups will have a direct sales force with a few strategic relationships with channel partners, said Mike Banic, a former system engineer, who is currently vice president of marketing at Vectra Networks. Banic also previously served in global marketing roles at Hewlett-Packard and Juniper Networks.


Vectra came out of stealth mode in March and is on its way to meeting its revenue target for the year, Banic said. With most intrusion prevention systems and next-generation firewalls focused primarily on detecting the initial exploit, Banic said Vectra Networks takes the approach of uncovering reconnaissance activity, lateral movement within the network and brute-force attacks into systems and processes that could signal acquiring data and uploading it to a remote server. At Vectra, Banic said the company is focusing on a small number of partners capable of deploying emerging technology.

Security startups must solve a problem where there is a clear lack of good solutions available, said Fengmin Gong, a security industry veteran who was founder and chief scientist at Palo Alto Networks and chief security content officer at FireEye. Prior to FireEye, he was chief scientist and director of intrusion detection technologies at McAfee. Gong, an entrepreneur and angel investor, is currently founder and chief strategy officer at Santa Clara, Calif.-based security startup Cyphort. He said startups must have a promising approach combined with a strong team that is agile and works well together.

All vendors are incorporating sandboxing behavior to analyze suspicious files and threat intelligence, but the value they offer and the problem they are trying to solve vary greatly, Gong said. Platforms that have threat analytics at their core should be able to provide data that can be used by other security devices to protect other parts of the network, he said.

Organizations need to be realistic about the technology they are evaluating, the problem they are solving and the results that they anticipate, Gong said. Technology needs to be mixed with process improvements and platforms that are adopted and should be completely incorporated into the existing infrastructure, he said.

"It's unrealistic to think that all these security startups will understand the real problems facing customers and help them adopt a realistic approach," Gong said.

Very few organizations would implement a completely automated threat mitigation system, he said. Platforms that provide detection, containment and removal activities need to be flexible enough to enable IT teams to monitor and take action if necessary.

"Having a human in the loop is still the reality and will be for a long time," Gong said.

This article originally appeared as an exclusive on the CRN Tech News App for iOS and Windows 8.