Channeling Security: Customers Want Outcomes, Not Noise


Lorna Garey

At last week’s Splunk.conf, I sat down with Atif Ghauri, CTO of Splunk partner and cybersecurity provider Herjavec Group, to talk challenges and opportunities for channel partners.

Ghauri, who spent four years as CISO for Comcast’s advanced engineering group and did stints at IBM and Unisys, warned at last year’s conference that we’re losing the cybersecurity arms race. That assessment hasn’t changed.

“The temperature is still going up,” Ghauri says. “It’s hotter than ever.”

Still, the news isn’t all bad. Machine learning is reducing false positives and alleviating the skills shortage, and cyberwarfare being raised in the presidential debate illustrates growing awareness.

Ghauri says perhaps the biggest problem now is noise — from more and more devices, IoT initiatives and data sources. When a provider is rated on the number of escalations to a customer’s IT team, false alarms are costly.

“You’ve got to get rid of the false positives and find the true positives,” he says. “We’re judged on that every day, every week, every month.”

For solutions providers, spotting true threats is about people and technology.

“We’re addressing the cybersecurity shortage through our analytics bot, with Splunk powering our analytics platform,” he says. “We’re able to do more with the technology before a human being looks at [an alert]. That means that we can hire not-as-skilled security professionals because, face it, there are not that many out there.”

The second part of minimizing false positives is integrating security solutions. Ghauri says that Herjavec’s Fortune 500 customers deal with, on average, 110 separate IT vendors, about 42 of them selling security.

“So with 42 different places to go get an update or get a patch or something, it’s complicated,” he said. “Customers are asking for integration. You want one throat to choke.”

He says a range of apps and add-ons from Splunk, its partners and the user community provide that capability to Herjavec.

“Among the 1,200 apps out there for Splunk, about 450 of them are security apps — so as a customer, that’s fantastic, because you’re buying a platform that gets apps already built by past customers, versus the competition, where you get the platform,” Ghauri says. “We’re an agnostic security services provider, and so we happen to be partnering with Splunk because it’s the best-of-breed product, but we can recommend whatever app is going to fit our customer use case.”

For smaller MSSPs, he says to remember that customers not only don’t want noise, they don’t care about rules and fancy correlations — they’re paying for an outcome.

“They want an escalation that is notable, that they can actually do something with,” he says. “They want to know the output: ‘How is this going to affect my risk?'”

Finally, there is innovation happening that partners should watch. Ghauri cites the threat-intelligence space, both in terms of raw data and individualized insights, and says to watch for technologies that correlate commercial and open-source threat feeds. That’s important because intelligence from commercial sources shows only shards of the big picture.

“It’s like saying, ‘I have the FBI’s Top 100 list, so I know all the criminals in the U.S.'” he says. “I see innovation happening to bridge that gap.”

His advice for partners looking to launch security services: Find a niche where your company can excel, and then develop a platform or a piece of software or a competency, a procedure. It’s about intellectual property, going after a specialized play. 

Change the Name, Change the Game 

On a more somber note, Ghauri predicts that in the next couple of years, there will be fatalities from malware, and that will change the game completely.

“‘Security’ will become ‘safety,’” he says. “And once ‘safety’ happens, it’s just like the FDA. Safety is like, there’s no question, you better have the budget, you better have the will. The challenge I have, to all of us — do we really need to go there? Can we just start to buy into security without there being the fatality, without seeing the news of the plane that got taken over?”

It’s the dark side of IoT.  

“Everything’s connected,” he said. “And the bad guys are ahead.”

Not-So-Magical Malware

Speaking of IoT, the code behind the Mirai IoT botnet that launched a massive DDoS attack against security journalist Brian Krebs is now in the wild. Sophos has a good explainer here. The botnet took advantage of weak firmware security in IoT devices (a phenomenon we discuss in this report).

Sophos says the attack on Krebs’ site generated over 600 gigabits per second of traffic, equivalent to about 60,000 fast home networks turning their entire bandwidth onto Krebs at the same time. And now, the source code of the malware used in the attack is widely available. If you have not talked to customers – especially those who might draw the attention of cybercriminals – about a DDoS protection service, now is the time. Once a site is already under attack, it is too late to go looking for help.

In addition, Flashpoint researchers say more than 500,000 devices on public IP networks appear susceptible to the same weakness Mirai exploits. Any DVR, NVR or camera running the web software “uc-httpd,” especially version 1.0.0, is potentially vulnerable. Flashpoint says the primary manufacturer of the devices, XiongMai Technologies, uses the default username and password combination root and xc3511.

In other malware news, researchers at RiskIQ and ClearSky released a report yesterday on Magecart, JavaScript malware that affects ecommerce sites running on a range of platforms and using various payment processors. It has already been linked to credit-card thefts from more than 100 online shops and is notable because the theft happens in real time, as the customer enters payment information. There’s no need for the attacker to get malware into the retailer’s network or steal a database. Check out more details here.
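The in-browser theft described above has a simple defensive counterpart: allowlisting where checkout-page scripts may send data and flagging anything else. The following is an added example, not code from the article, RiskIQ or ClearSky; the allowed origins, the `report` callback and the stub globals used for testing are assumptions.

```javascript
// Added example, not code from the article or RiskIQ/ClearSky: an egress
// allowlist monitor for a checkout page. A Magecart-style skimmer sends card
// data from the shopper's browser to an attacker host as it is typed, so the
// defensive signal is "payment-page script contacted an unexpected origin".

// Origins the checkout page is expected to talk to (hypothetical values).
const ALLOWED_ORIGINS = new Set([
  "https://shop.example",          // the store itself
  "https://api.payments.example",  // the payment processor
]);

// Classify one outbound URL; relative URLs resolve against the page origin.
function classifyEgress(url, pageOrigin, allowed = ALLOWED_ORIGINS) {
  let origin = null;
  try { origin = new URL(String(url), pageOrigin).origin; } catch (e) {}
  const ok = origin !== null && allowed.has(origin);
  const reason = ok ? "allowlisted" : origin ? "unexpected origin" : "unparseable url";
  return { allowed: ok, origin, reason };
}

// Wrap fetch and XMLHttpRequest.open on `g` (window in a browser, a stub in
// tests) so each request is classified before it leaves; `report` gets each
// finding (in production: POST to the store's own reporting endpoint).
function installEgressMonitor(g, pageOrigin, report) {
  const findings = [];
  const check = (kind, url) => {
    const v = classifyEgress(url, pageOrigin);
    if (v.allowed) return;
    const f = { kind, url: String(url), ...v };
    findings.push(f);
    report(f);
  };
  if (typeof g.fetch === "function") {
    const origFetch = g.fetch;
    g.fetch = function (input, init) {
      check("fetch", input && input.url ? input.url : input);
      return origFetch.call(this, input, init);
    };
  }
  if (g.XMLHttpRequest) {
    const proto = g.XMLHttpRequest.prototype, origOpen = proto.open;
    proto.open = function (method, url, ...rest) {
      check("xhr", url);
      return origOpen.call(this, method, url, ...rest);
    };
  }
  return findings;
}
```

The wrapper only observes; blocking the request instead is a one-line change in `check`, but observation first avoids breaking legitimate third-party payment flows you forgot to allowlist.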

IBM, Carbon Black Team Up 

IBM and next-gen endpoint security startup Carbon Black announced this week a joint offering that the companies say will help quickly identify and patch the most threatening endpoint vulnerabilities.

Tom Barsi, SVP of business development at Carbon Black, told Channel Partners that the new global agreement will benefit both companies’ channels.

“Any joint partners of IBM Security and Carbon Black will benefit from the partnership, including joint resellers who can offer the solution to their customers,” said Barsi.

The integrated offering correlates Carbon Black’s endpoint activity data with IBM BigFix endpoint security tools and public Common Vulnerabilities and Exposures databases to deliver a prioritized list of active vulnerabilities tailored to each organization — essentially what Ghauri says to look for.

The bundle also includes IBM’s QRadar SIEM.  

Trace3 Delivers Endpoint Plan 

There’s no doubt customers need better endpoint security. A new and well-worth-the-download report on the topic by Trace3 says 97 percent of malware is unique to a specific endpoint. That report breaks down the endpoint security product landscape, with comprehensive features checklists, and lays out a comprehensive set of best practices.

Partners deciding between endpoint protection systems from vendors including Carbon Black, Cisco, CrowdStrike, Cylance, Kaspersky, McAfee, Microsoft, SentinelOne, Sophos, Symantec, Trend Micro and Webroot should take a look.

Security Market Watch

IHS Markit just released its latest quarterly assessment of the network security appliances and software market, which it pegs at $10.8 billion globally by 2020, up from $2.2 billion this year. The consultancy cites Fortinet and Palo Alto Networks as posting solid year-over-year growth and says hardware sales are still healthy, with revenue for data-center and carrier appliances – those $30,000 and up – and virtual security appliances of $2.4 billion in 2015.

Still, security software-as-a-service (SaaS) and hosted security services are outgrowing product markets, and in a statement, IHS’ Jeff Wilson, senior research director, cybersecurity technology, said a significant portion of future revenue growth will be driven by carrier rollouts of virtual customer premises equipment (vCPE) and the use of mainstream virtual integrated appliances in large data-center and cloud environments.

That’s driving network security vendors to hedge their bets and offer a bit of everything, said Wilson, from standalone appliances and software to integrated products, virtualized offerings and even full cloud services. 

Arcserve Adds to Appliance Line 

Channel-focused security provider Arcserve unveiled this week a new release in its line of unified data protection appliances, which are integrated with the company’s UDP software for disaster recovery.

The Arcserve 8000 offers storage capacity up to 240 TB; support for various public cloud services and the Arcserve Cloud for offsite backup and disaster recovery; and built-in data deduplication, on-appliance virtual standby, instant failover, bare-metal recovery, and multi-site WAN-optimized replication.

The new Arcserve 8000 will be widely available in early November, with field expansion capabilities coming in 2017. Pricing for the appliance series starts at $11,995. 

Follow editor in chief @LornaGarey on Twitter.
