Move over XDR, it’s time for security observability, prioritization, and validation (SOPV)

All the ‘formulas’ used to calculate risk management tend to have 5 components to them: 1) The likelihood of an incident, 2) The impact of an incident, 3) The value of an entity/asset, 4) The vulnerability of an entity/asset, and 4) Threats to that entity/asset.  Information about these 5 inputs is used to decide where (and how) organizations approach risk mitigation.

These considerations are factored into cybersecurity planning and strategy.  Business managers help decide the value of entities/assets and the impact if these entities/assets were degraded, stolen, or unavailable.  Security, IT, and risk teams collaborate on the likelihood of an event that takes entities/assets offline.  Finally, security teams work with IT operations on threat and vulnerability management.

Over the past few years, security technology has seen massive changes on the threat management side with eXtended detection and response (XDR), driven by the need to improve security efficacy and operational efficiency.  As a technology architecture, XDR is intended to unify data sources, visibility, and analytics for threat prevention, detection, and response. 

With the move toward XDR, the industry recognized the need for data and tools integration for threat management.  Unfortunately, this same type of integration and consolidation hasn’t been nearly as active on the vulnerability management (or security hygiene and posture management) side.  To be clear, I’m not just talking about traditional vulnerability management tools.  Rather, I’m referring to a much bigger picture—the ability to discover all entities/assets (i.e., users, accounts, applications, systems, sensitive data), view the relationships between all entities/assets, and understand the security posture of all entities/assets (i.e., software profile, configuration status, integrity, compliance with corporate policies, etc.).  Think CIS Critical Security Controls at scale. 

This information is the basis for cybersecurity decision making—risk mitigation, what needs protecting, how we spend budget dollars, etc.  Without comprehensive visibility, we are making critical security decisions based on guesswork.

Toward security observability, prioritization, and validation

What’s needed?  The same thing that’s happening on the threat management side with XDR—massive efforts toward technology integration and consolidation.  Over the next few years, I believe several independent security technology categories will come together as an architecture I’m calling security observability and validation (SOPV).  The technologies involved include:

• Vulnerability management. Qualys, Rapid7, and Tanium dominate this category and it’s where most of the money is spent today.  Vulnerability management technology is somewhat limited today but it is well established and will remain a staple service of SOPV.
• Security asset management. This emerging category gathers information from multiple systems like configuration management databases (CMDBs), vulnerability management, endpoint management tools, etc. via APIs.  The goal is to present a more comprehensive inventory of entities/assets and their posture.  Vendors like Axonius, Balbix, JupiterOne, and Sevco play here. 
• Attack surface management (ASM). Vulnerability management and asset management systems can’t scan or gather information about assets they’re unaware of, and this problem has become more acute regarding the growing internet-facing attack surface (i.e., web domains, IP addresses, SSL certificates, user credentials, etc.).  ASM vendors include CyCognito, Expanse (Palo Alto), Randori, and RiskIQ, and third-party risk management players like BitSight and SecurityScorecard. 
• Cloud security posture management (CSPM). CSPM vendors provide deep visibility into cloud workloads and thus needs to be an input into more enterprise SOPV architectures.  This emerging market is made up of vendors like Aqua Security, Rapid7 (DivvyCloud), PANW (Evident.IO and Redlock), Trend Cloud One (CloudConformity), and newbies Accurics, Orca, and Wiz.io.
• Risk scoring systems. While it’s important to have full visibility about all entities/assets, no one wants to bury security teams under more data.  Rather, the goal here is data analysis to help organizations make the right risk mitigation decisions.  To facilitate this, SOPV must be instrumented with advanced analytics that considers the 4 risk management factors defined above.  In other words, risk scoring systems must have deep knowledge about the assets themselves and the tactics, techniques, and procedures (TTPs) an adversary would use to compromise them.  Kenna Security is the poster child here but others like RiskSense and Tenable Lumen also do risk scoring. 
• Continuous automated penetration and attack testing (CAPAT). My friends at Gartner call this category breach and attack simulation (BAS).  Regardless of what you call it, these tools take an adversary perspective and can help answer the multi-million-dollar question: Are the organization’s entities/assets protected or not?  For example, a risk scoring system may issue a high-risk score about a vulnerable entity/asset that is really protected by compensating controls that the risk scoring system can’t see.  Alternatively, an entity/asset categorized with a low-risk vulnerability may be an attractive gateway an adversary will use to compromise business-critical systems.  CAPAT tools can also point out things like misconfigured security controls or missing data sources.  Vendors like AttackIQ, Cymulate, Randori, SafeBreach, and XM Cyber play here.

Like XDR, SOPV evolution is inevitable as existing security hygiene and posture management tools and processes are complex, incomplete, expensive, and ineffective. 

A few final thoughts about SOPV for now:

1. Like XDR, SOPV is an architecture and not a monolithic product. Thus, SOPV success will depend upon things like standard data formats, open APIs, and industry cooperation.
2. Aside from the technologies highlighted above, SOPV will also need access to identity and access management systems to understand users, accounts, access privileges, etc. SOPV will also need some capabilities for data discovery and classification. 
3. Tools must understand the relationships between entities/assets to be truly effective at understanding what’s vulnerable or how an adversary might exploit one entity/asset to attack another.
4. SOPV also needs visibility and a deep understanding about security controls. This is a major reason why CAPAT technology is a requirement. 
5. A few security technology vendors are already moving in a SOPV direction. Cisco bought risk scoring leader Kenna Security, Microsoft grabbed RiskIQ, Palo Alto acquired ASM vendor Expanse, and FireEye picked up CAPAT player Verodin.  The 3 vulnerability management amigos (Qualys, Rapid7, and Tenable) are also moving in this direction.
6. For enterprise security, SOPV and XDR must interoperate as a closed-loop system. Furthermore, SOPV and XDR success depends upon more and more process automation.