New Trends From Gartner Hype Cycle For Security Operations, 2021 That You Can‘t Miss!

Released Wednesday, 29th September 2021

In our sixth episode of "CISO Platform Security Show", our host and Founder of CISO Platform, Bikash Barai, spoke with Ryan Benson (Ex Gartner Analyst, Director @ Stratascale) on New Trends From Gartner Hype Cycle 2021 That You Can't Miss.

The Gartner Hype Cycle is the most important analyst document for finding out the key trends in our industry. Listen to the podcast to find out which new technologies and trends appear in the Gartner Hype Cycle, how to use its insights for your security strategy, and how to understand the future and the emerging shifts in the security landscape.

If you like this episode, don't forget to share with your community and subscribe to the channel for more such discussions.

About FireCompass:

FireCompass is the leading SaaS platform for Autonomous Penetration Testing and Red Teaming and Attack Surface Management.

About CISO Platform:

CISO Platform is the world's first online community solely dedicated to senior information security executives (CISO/CIO/CSO/CTO/Directors etc). The vision of the platform is to enable senior security executives to share, learn, and network with their peers.

Timeline:

  • [00:01:18] Understanding & Deconstructing Gartner Hype Cycle
  • [00:07:42] What got dropped from the Gartner Hype Cycle?
  • [00:11:03] Key Trends & Insights - Gartner Hype Cycle
  • [00:37:14] Concluding Thoughts - Possible Future

Transcript

[00:01:18] Understanding & Deconstructing Gartner Hype Cycle

Bikash: Today, we will focus on the recently released Gartner hype cycle report for security operations.

Among all the reports which come out from any of the analysts, this is one which I kind of look forward to for specific reasons. I am a futurist and love looking into the future and building things for the future.

This report is very exciting because it kind of gives me a good peek into the future and the trends and how things are moving in the industry. I remember when I started my first company, I got to know from one of my mentors about this book called Crossing the Chasm.

It is considered one of the classics. I find some kind of a similarity between that book and this hype cycle. These two are very interesting from two different perspectives. One is from the builder's perspective of when you are building a product, how does it kind of go through in the life cycle.

And then the hype cycle gives you a good view of where we are in terms of the landscape. 

Bikash: So, Ryan, since you have been with Gartner for a long time, it'll be great to know your perspective about the hype cycle. So let's hear about what the hype cycle is about and how to use it? What are the benefits? And let's deconstruct the hype cycle a little bit. And once we deconstruct, then we're going to go deeper into it. Find out what's new this year and do a deeper dive. So let's start with your view on the hype cycle. 

Ryan: Yeah, it's a great way forward, and I liked the hype cycle as well. It's a great snapshot in time. The products and services that customers are starting to use. Like this one specifically for security operations, that are either being adopted now or are going to be adopted soon. Like we'll kind of look into the future, but I think that's great, especially since I've deployed a lot of these and helped customers to integrate them.

So I look at each one of these pieces on the cycle when I'm trying to implement them and looking for ideas of what's the next thing I need to do. To get better visibility, to process things faster, to be able to respond. Like these are probably the things that I want to look at.

It helps me understand how hard is this going to be? Right. If I know I need threat intelligence, well, a lot of people right now, it's in the trough, right? Many people have a hard time making use of threat intelligence services. So it's going to help me understand going into. What are the things that I'm going to do when I buy a service and the things I should be focused on to make sure I can get some value out of it, or maybe it's not the right time to go through that one, because people aren't seeing the value in it yet.

So I think that it helps us look at that and get a holistic view so we can kind of attack what's the best next step for me as a customer or just to pick which projects go forward with. 

Bikash: I loved the way Gartner did this. I mean, there are five stages, right? Or phases, whatever you might call - the first is the innovation trigger where something new comes up and people kind of see this new star is born. There's a lot of limelight, a lot of enthusiasm. And then there is that height of expectations, right? So that's the peak of inflated expectations, which is the second phase.

And then, I guess the expectation sometimes is slightly more than it deserves. And then there is a little bit of disillusionment because when you try to implement it, you see, well here, something is not working. Things might not match or it might not be perfect for your use case, etc. So, the disillusionment phase, which is the third phase.

And finally, the enlightenment phase where people become more pragmatic and understand what works well, what doesn't, and finally you hit the plateau, right? So, so kind of five phases, and not four. So these are the five phases through which any technology goes through in its life cycle.

And sometimes what happens is, technologies just disappear in between one of those - it's not necessary that everything has to go eventually to the plateau or the enlightenment phase. So there could be a few technologies which could become part of something else. Generally, it doesn't disappear completely.

It gets morphed into something else. It gets merged into something else. So that's the reason why the hype cycle also changes every year. So, these are the five phases. And to me, the most exciting phase is the first one - the innovation trigger - I love building new things.

I mean, that's more of a personal liking. So from this perspective this year, we have seen a few new entrants and also we have seen a few of the technologies, which are no longer there, from last year. 

[00:07:42] What got dropped from the Gartner Hype Cycle?

Bikash: So Ryan, let's get started with what vanished from last year? And then we'll get into the new entrants. And I think the new and emerging ones are going to be exciting to dive deeper. So Ryan quickly, do you want to touch upon the ones which vanished from the previous. 

Ryan: Yeah, I think the most notable one that went away was the endpoint protection. And obviously, you know, the endpoint detection response is still there and it's on the slope of enlightenment, but the endpoint protection has been around forever.

And again, we all are still using it. There's still a user base, but as far as an expectation or going forward, it's really those capabilities that have been wrapped into the EDR product. So it's not a standalone service anymore. Same with network sandbox and being able to get value out of looking at an event in a sandbox and, and doing some work that is now being integrated into existing tool sets, right.

That is listed there in the hype cycles. Yeah. I think we'll see this trend and we'll talk about this going forward in innovation triggers, or even the ones that have been around, there's eventually going to be a consolidation of tool sets.

And it's really because as the dynamics change with our environments, that has to be. So even like take for example, CASB was developed. Right? Cause we're moving and shifting and there wasn't a firewall, right? For the cloud. So that's becoming, to the point where we're able to really use it, now, that kind of next step I look at is, well, where does that integrate into firewalls?

And where you have more of a single dashboard, because we're all looking for better ways to get to a point where I can manage something from a singular platform, which is very hard to do. But that's like the next step - integration. I think the things that we've seen have more, just been integrated into the tool sets that are there now, as opposed to being things that people aren't doing anymore. I find that to be interesting. 

Bikash: So, Ryan, you mentioned endpoint protection platforms, which are now part of EDR. So it did not go away, but it got morphed and also now the network sandbox. It's now part of the secure web gateway. And it got kind of inserted into that.

And IOT security also came out, which was there last year. And this year it's not there. So these are the kind of three major changes, which we noticed, compared to last year and a few other things which I didn't notice earlier was that Gartner came up with this idea of cybersecurity mesh architecture.

So, I mean, that's new out there. But the concept, it's something which I, I guess, all of you guys would be familiar with. So there are just too many things out there in the form of a mesh, which doesn't really talk to each other.

And then there's a need for integration, which kind of combines everything, makes things talk to each other and make that holy grail, right, in cybersecurity, that consolidation which we are looking for, which is not happening. So that's one of the things which I noticed.

[00:11:03] Key Trends & Insights - Gartner Hype Cycle

Bikash: So let's get into what's new. What are the new things, which are the new entrants this year, which wasn't there last year!

Ryan: I think we'll start off with the External Attack Surface Management. I think that is one I've been looking at for a while now and I'm glad to see it in the innovation trigger.

It's interesting, because in previous MSPs that I ran a lot of times, I would just look at network traffic from the firewall and go over with the customer. You know, here's places where we're seeing traffic coming in from outside your boundaries.

Should we just allow this? You know, doing like, geoblocking and stuff like that on a firewall, then that was easier to do when your network was consolidated and confined to your ranges, where your data is set, but now with the cloud, we have almost, everyone's in a hybrid approach between their internal network and what they're using for public private cloud.

The attack surface has just ballooned, right? Data is just much easier to use and consume and put in different places and you just can't keep track of it. So. It's a necessity that has come out of it. Something we used to do with just the firewall, but now we have to look at it more holistically for where are you exposed?

Getting a snapshot of what that looks like from the outside in. Cause I think we're looking at a risk-based approach for how we address protecting your network. You really should start at what people are able to see? Right. Like it's like walking into a bank and I see it. I see the doors and I see the safe.

Those things are there and they're locked, right? Like I know that there's impediments in the way. Right. But if I don't know that the front door is open or the safe is open, you can walk right in as it is probably a big risk we should address. And I think that's what we're starting to see now.

With a lot of the cloud leaks and exposures out there that we really have to go back and start taking those snapshots and taking that part seriously. Just because we have these layers, sprawling networks across multiple hybrid environments and any other way to really control that with a tool set.

Bikash: So, Ryan, interestingly, this is very close to my heart because at FireCompass, we work on external attack surface management. Of course, when we started, it had no name, I mean two, three years back. There was no name for this. I'll share a little bit on why we kind of got started. That'll also probably throw some light into the problem statement: why we believe this is something very interesting. And I'm of course very happy that Gartner also mentioned us in two of the four new markets which we have seen. We'll deep dive into all the four new markets and also the other ones in the next phase.

So one interesting thing, which I noticed a few years back was that there were several major breaches, which looked apparently very weird, like one of the largest financial services companies, they got breached because they had an open MongoDB without any password. And we have very high respect for these guys.

We know the security team is awesome. They got great tools and great processes, et cetera. So we were very curious. And once we went a little bit deeper, we found out that this particular database was made online by their marketing team. 

And what we kind of realized was that there's kind of a big shift, which is happening in the industry that is 5 or 10 years back. Anything that had to go online, had to go through the IT team, right? Because you could not get access to public IP easily. That was like a treasured resource. But today the cloud guys can do things on their own, the marketing guys can do things on their own. The projects guys can spin out new applications and APIs and what not. And now, with remote working, all of a sudden... imagine the situation of the Head of HR, of an organization who doesn't know the list of the employees they have.

How do you manage that? So that's a very new kind of problem, which was not there five years back. Even though reconnaissance as a technique was there for the last 10 years, nobody really bothered about reconnaissance at a scale before, because it wasn't such a big problem. So, I remember that, at Defcon there was ReconVillage, et cetera, quite a few years back, but that problem wasn't really that big, but these are the drivers that shifted the landscape, all of a sudden, and today we need to do continuous reconnaissance and continuous attack surface discovery because that's what the bad guys are doing. That's what the ransomware guys are doing. That's what the nation state actors are doing. So doing it at a scale, doing it continuously, knowing our external attack surface, this, I believe, because of this particular reason, is a must have. I mean, we can't survive five years down the line, or even a few years down the line without.

Gartner broke down asset discovery into two markets, one is the external attack surface management, and also something called CAASM, which is for the internal asset discovery, which is a different segment altogether. 

So, Ryan, you want to add something on the internal asset discovery or CAASM, which Gartner mentioned?

Ryan: Yeah, I think it's become extremely important, right? I mean, just because of sprawling assets, we can't just do discovery.

Like there's too many things out there, your networks aren't consolidated. So, you know, and being able to do it in a sense that you don't have to use like a scanning tool or something else to be able to find it, to be able to leverage. Other tools, use APIs to build. And with all these many assets, how do we get a consolidated view of all the stuff I actually have?

It's funny coming from a military background, because you know, like in the, in the air force, if you were issued a weapon, like you held onto that, you didn't know, no one touched it. That was yours. It went from you back to the armory and back out, you know, it's interesting with computers and everything else we have nowadays.

We don't take it that seriously, and there's no way to know what's here and what's there. And, even to get an application that's even harder. Because those aren't physical things you can carry around existing physics that exists in other places. No, I think that's become a necessity.

The sprawl of our environments and putting those two things together where you can actually track that on an hourly or daily basis, right. To see what's going to happen now, especially really large companies that are issuing lots of different new hardware or new or push on your applications all the time.

Keeping track of those is very difficult. So I think we're going to see a really sharp rise and fast movement in that one. And it can see being integrated in other tools as well. You already see that from EDR products and others that are adding those features in, because it's really important to understand what your devices are talking to.

And that's part of like the whole cyber kill chain, right? Like, once I click, the attacker gets in through, I mean, especially with the external attack surfaces expanding, they're getting in much easier, right? They're running lots of bots or finding their hooks in somewhere where they can just get a step in and then they can start moving.

They've let the automation take place and they can start to move in different directions. And if we don't know, what's there for them to move to, or protections are in place. We just don't have a good view on the risks that exist in our network or the hotspots in our network that we should be more concerned about and maybe build some more detections there.

I mean, focus more attention on what that risk could be to our overarching security posture. Right? So it's really going to be an important part, not just this year, but moving forward the next, you know, four or five years for customers to really start getting a grasp on that so they can build better protection.

Bikash: Yeah, Ryan, this is very interesting. I remember a few years back, one of the RSA Sandbox winners was this asset management company or asset discovery company, but internal asset discovery. I mean, not the external - Gartner kind of divided these two markets. One is the external attack surface management, which continuously scans the entire internet.

We have the surface web and everything, and try to build out the attack surface from outside in perspective, CAASM or cyber asset attack surface management, which Gartner calls. I mean the name, it sounds like there's some overlap between these two, but this set of products sits inside the organization.

There would be a piece of hardware sitting inside, which kind of collects data from your various devices. Logs and various kinds of stuff. and then it builds the internal asset map. So these are the two kinds of tools and the vendors who are out there, the ones who do external attack surface management, like what we do at FireCompass.

I mean, they don't do the CAASM and the ones who do CAASM don't do the External Attack surface management. So these are like two very different kinds of solutions which have come up. And the new thing we could dive deeper into is autonomous red teaming and autonomous penetration testing, which Gartner came up with this name.

We, at FireCompass, were calling it continuous automated red teaming or CART. Philosophically it is the same thing. So Gartner terminology is autonomous red teaming. So what's your thoughts on autonomous red teaming? 

Ryan: Yeah. I think it's really going to continue to expand and grow because it's so important. So like when you look at the overall hype cycle, right, you look at vulnerability assessment, right. Being all the way at the point of like, we've found a way to do an assessment on vulnerability and, and know how to work with. As an organization like that, that's awesome that you tie that back into the innovation side, where now I take, you know, we have thousands of vulnerabilities in the networks.

How do I take the ability to deal with, to assess and know what to do with the vulnerability? And now do it at a continuous scale that we're able to, you know, see it, patch it, or build a work arounds and then test and ensure that what we've put in place is actually protecting us from that. And that's what's really driving.

This is that we were really good at identifying vulnerabilities, putting patches in or putting workarounds in. Cause, you guys, we both know that maybe 60% of all vulnerabilities have a patch, and most of the stuff you have to segment or work something else around or hide it from being exposed.

But to do this autonomous testing, we can put things in place and continuously look at them - I built a protection that is not working. Right. Because we, as defenders, want to be able to know that the thing we put in place is actually working. We don't want to wait until the organization gets hit. And then, oh, it didn't.

We're going to see more and more companies adopting this kind of strategy going forward of building things, testing it, and making that kind of life cycle, where they observe, orient, decide and act right. And each one of those components, you're probably going to have to evolve something else to deal with the new, the new threat or what else came out that day.

So being able to do this at speed or at scale is going to be the challenge, but it's something we need to address. I think we're going to see them grow really fast and become much more adopted across.

Bikash: Yeah. So interestingly, Ryan, as you were talking, I was kind of remembering, a couple of decades back when application security testing was largely manual. I mean, I remember those days when people had to do it manually.

I mean, just a few classes could be automated. And today, I mean, most of application security testing apart from some of those, business logic testing and deeper testing is automated, right? So, it got largely automated. And I see a similar kind of trend happening for red teaming as well.

And the reason why I see that trend kind of happening is because, it's not because technologically, we did not, as an industry, have the capability to do that. We had the capability to do it earlier as well, but there was less of a need for it. But today the drivers are really prominent.

I mean, just like we are doing this digital transformation, all the bad guys, the fraud guys, they have also done the digital transformation. They're also not able to go out on the street and do their stuff. Right. So they are also going online. So today all the bad guys have great automation and they are doing these continuous attacks.

So if the bad guys are doing continuous attacks, we also need to do the same thing. Right? So that's very important. And the second challenge is that the usual vulnerability assessment tools just throw a lot of issues, theoretically. Yes. I mean, all those are important, but which one should I prioritize?

Right. Like the one with the problem of patching that you mentioned, how do I prioritize? So if I have to prioritize it right, I need to probably know which are the attacks which are most, I mean, most likely, and which are the ones which somebody could actually exploit and get into, right. So, better prioritization is very, very necessary, and such kind of autonomous red teaming, which does the adversary emulation exactly like what an adversary would do, is something which can help you to not just find those issues a lot faster.

That's definitely one. I mean, you get to know them a lot faster. And partly the usual ASM tools, attack surface management tools, throw a lot of findings. That's a lot of false positives. So when you go and do the attacks, you actually remove those. So it kind of solves quite a few problems and does the best kind of adversary emulation from outside in.

So that's the reason I believe that this is something which, as an industry, we must scale and do. We must discover all our assets continuously. We must test all our assets continuously because of a simple reason that today the adversary is doing exactly the same thing. All the nation state actors have got this capability.

All the ransomware groups have got this capability. So we have no way out. We must do it. So I was quite happy to see this. In a couple of markets coming up, including CAASM. I mean, we don't operate it in the CAASM field. But I absolutely believe that's a big pain point because none of the large organizations would know how many assets they have, where the data is and stuff like that.

It's a very big challenge. And if you don't know all the assets that you have, you can't protect it. Right? I mean, if you think of the NIST framework, the first step is identify, right. You have to identify the assets. If you don't start with that, then the rest of it kind of becomes half hearted, right?

So these are the three new things, Ryan and there was another good thing, I guess, it is automated. 

Ryan: I think it's an interesting thing. I've started to see that come up over the last couple of years where we're using a mix of tools and humans, because I think in the mix of all these innovation triggers, there's still a human element that's built into that, right? Like not everything can be automated.

Automation has to be built by us. Right. We have to figure out what to do and build the steps into building the automation. But we also have to understand the business risk for drivers, right? So when we're looking at what things are risky for us, it's only a risk if it's a risk to the business and what the impact of that is.

It needs to be discerned by humans. I don't think computers can really help with some of the algorithms that we build into them, and run models for us. But we're still the ones that own the risk and have to classify it. So I think it depends on how the service has helped us to, to give us something that has more scale to it, right.

To be able to run more penetration tests. Right. But get both, the blend of what we can gain from the computers and what we can gain from the human, kind of mixed together in the same box. I think it's becoming more widely adopted and I think it will continue to become more widely adopted because it's going to get more scale.

We're moving past the point in time where, like, I did a test on this one, there's one vulnerability that someone could use, and then move on, we're going to move to the next one next year, right? It gives you very little value right now in today's environments to say that either you have a risk or you don't; you should be doing it consistently.

So having a service built around that is going to help actually address that moving forward so they can do more of these over an entire year, as opposed to just one at a time and thinking that's going to help them, you know, with any sort of integrated risk management and moving from.

Bikash: Yeah. So interestingly, most of what we see is more like a product or technology. So as you highlighted as the component of both product and service. And interestingly, Gartner also put this bug bounty platform as a part of it. So the bug bounty platforms are part of pen test as a service.

And also there are some new setups, the vendors who are also doing the product plus services approach together. So that's the new market which has come up. So these are the four, four new things which we have seen this year: autonomous pen testing and red teaming, the external attack surface management, CAASM and pen test as a service.

So these are broadly the kind of new stuff which we saw this year. So Ryan, let's look into some of the other technologies which are out there. Do you want to highlight anything else? Because we can see, like, for example, the XDR DRP is moving up, right? It's going to the peak of inflated expectations and we have multiple other technologies, including BAS, IRM etc.

Anything that I know there are too many of them, any specific thing you want to talk about? 

Ryan: I thought the one that I found really interesting was managed detection and response services, right. That is moving down. And I find it interesting because having worked in those companies before, and then also just being an analyst in the space, like this is the part where nomenclature and like describing what your product or service actually does is so important in helping consumer confidence.

So we manage and detect threats and they respond to threats. Right. Or that's what I get as a consumer. I say, I expect that to be happening. And the problem is, there's varying arrays of detection and response that are out there for the different providers. Right?

So some of their response is just going to be, I sent you an alert. I found something, right? You do something with it. Some of them can be like, I'm going to go ahead and isolate those for you. Cause I found something bad. But those two responses are very different and a customer expectation between those two could be varying as well.

So, you know, for almost all of these products or services, having well-defined outcomes is an important piece to it. So I think we've seen just from that example, that customers don't always build good, but this is what I expect from you. Can you do this right? I think a lot of technology companies and services also hype what they can do right.

And then the two don't mix. So I think you're going to start seeing that continue to drop more and more until like, and I'm starting to see this more now, but the response services become more mature and customers can start to adapt to them more into their environments.

You know, interestingly enough, you know, three or four years ago, if I asked the customer if I could respond to a threat for them, usually it was just on the firewall and blocking an IP space or something like that to keep an attack out. But if you did that, you'd probably break a lot of stuff in the process and customers wouldn't touch me.

Tell me what's wrong and I'll go fix it. But now with the sprawl and, and you know, computers, being isolated by themselves have access to things. You know, I think customers are becoming much more open to allowing, you know, a service or a company or a tool to respond to something. Right. Go ahead and isolate.

Keep that thing from running on my computer. Cause I don't want to get hit with ransomware. Right. Go ahead and do that. Tell me it happened, but keep it from occurring. That's kind of the next phase going forward. So some things like that, I think. But it continues to evolve with the new architectures and with the cloud.

So seeing that customers are now able to find it, I think we're now at the point where we understand that it would have some use cases, right? We've been talking about it for so many years now. We understand this is what I can use a tool to do something for, and people are starting to do it. So like that, that I find in, you know, hardening, going forward that we're able to start addressing those with a tool set and then wrapping teams around them.

I've been in the threat intelligence space for a long time. You know, it's really hard to get value from threat intelligence.

It's traditionally very noisy. It's a lot of extra things to look at for an analyst who really needs little. I love some enrichments, this alert to tell me, like, what are the things that this actor is known to do? What does this alert mean for me in general?

And it's really hard to get that data, you know, from a service or from just the two platforms itself. I don't know where to go. Even with a network detection response, it's a very important solution, right? It's solving for a specific problem where it's adding extra value to, into your SIEM or something else where it may be as an additional level of information you can look at as part of an analysis, but as a standalone product, how much value is actually added.

I think you'll see their customers aren't seeing the full value that could be there. So some of those, I think you'll start seeing moving off, either integrating into other products. I mean, almost any security product nowadays has some sort of threat intelligence feed or integration that they consume.

So a service may not make as much sense for that. But even like the network side, you could probably integrate that platform into another tool and get what you're looking for out of it, as opposed to buying a separate tool to do it. So, um, so yeah, some interesting things that I think we see in there as they're evolving over the last couple of years.

Bikash: Yeah, you made some very interesting points and I fully agree with you, like, the bottom of the disillusionment, right?

So, as you have rightly mentioned, one of the big challenges, and you, you, you are there as an operator, you are more on the ground and looking at these things, but what I have observed as well is that people find it very hard because there's just too much stuff, right. Which is the thing which relates to me precisely.

So many of these things might eventually become part of something bigger. Right? That's one, another thing, which I just wanted to highlight along with what you mentioned. So I believe that deception is also probably going to go farther down the disillusionment and then get integrated with certain other things.

And I personally, by the way, just loved deception because it's very, very creative. I was part of the advisory board for one of the deception companies they got acquired recently. 

And interestingly, I'm a big lover of deception as an idea, but then the challenge, which I guess people are facing is that it's not a standalone thing, which kind of does not solve the complete problem. For our customer. So if you look at any of the major problems of a customer, definitely detecting the attacks and stuff like that is very important, right?

Detection is very important, but deception doesn't really do it completely. So the eventual winner is going to be somebody who kind of builds into a mini platform and adds all this capability together. And we saw that exactly happening in the case of CASB. Now, very interestingly, CASB is in the slope of enlightenment, but I have a belief that CASB, as a standalone thing, is not going to be there in the industry.

It's a great thing. I, again, love CASB as a technology. Very cool set of technologies. I have some friends who are founders of some of those companies etc. But the challenge is that it again doesn't solve the entire problem. And as a result, what is happening is CASB is becoming part of either these ATS solutions, zero trust, gateways, or something like that.

So it's becoming part of that or the CPR, web gateway and stuff like that. So again, CASB is becoming part of something. Now, interestingly, there are some companies that, instead of becoming part of something bigger, they themselves become bigger. So one of the companies in CASB, they broadened themselves into their company.

So we may see some of these companies themselves emerging as a mini platform, but CASB as a standalone technology I believe is going to be there in the long run, just like deception as a standalone technology is not going to be there in the long run. So, in the future, we will see some of these things changing.

I mean, I don't believe any of these things are going to vanish. They are going to morph and become part of something else and stuff like that. So, I find this kind of gazing into the future - very, very exciting. So, Ryan, any other kind of concluding thoughts, which you have in terms of, what do you think the future is going to be like?

[00:37:14] Concluding Thoughts - Possible Future

Bikash: So let's end it with, what do you think the future is going to be? 

Ryan: Yeah, I think the future trend is again, consolidating capabilities for an analyst again. So XDR as an example, I would pull together if something that's starting to rise and the innovation trough, you know, I think things like CASB, deception, all those things will be integrated into a platform of the future.

Right. But getting there is going to take five years or so. You know, companies like Palo Alto, like Microsoft and Cisco, they're all making those investments. Now we're going to see more of that driving forward. It's not ready in my opinion, not ready for showtime. I think we’re still going to get a lot more use from using point products to get real value from the data and the words that are coming in.

But ultimately, the thing we should care about is the sanity of our analysts. Like, we need to give them tools that work and give them fewer dashboards. Right? Fewer things. Have you ever sat down with security analysts before? They probably have 12, 13, 14 tabs open in their browser looking at different things at any given time.

So the idea is that the more we can pull into, into a single platform and combine capabilities and build better interoperability, I think one of the things that I have mentioned was the release of more APIs, more integration. We have to work together to move forward.

So I think in the future, we're going to see a lot more of that. We'll see a lot more consolidation, but I wouldn't look at this and say, you're going to see a whole lot of change from these. I think you'll see some shifts, a few things will disappear and integrate with other things, but in five years, we're still going to be dealing with a lot of the same issues.

It's not going to get any easier. It will just continue to be. And the thing that keeps it from moving faster is this training, the knowledge base, as people are delivering services. There's just so much to learn to keep up with. How you take even a more experienced person and keep building more of those, that training pipeline has to really accelerate if we want to really address more of these issues.

Bikash: So, Ryan, I mean, you mentioned this consolidation and things integrating with each other, talking to each other better and kind of solving that big problem. Right? So that's something which is really great and I'm a big believer of that. And I, I believe that's the future because without that, imagine the medium-sized businesses - they can't exist, right.

Large organizations can still kind of hire talent and do those engineering and build it, but medium-sized guys, they just can't. Right. So there is such a strong need that there will be people who will come out and solve this problem. It's not going to be easy for sure, because we have an adversity in cybersecurity, unlike in e-commerce and other places.

I mean, you have your usual competition as adversity. It's not a game where you have to defeat somebody. Here. It's a very different kind of game. So that's why the landscape is continuously changing. It is super complex, super hard. These products don't talk to each other. So there has to be a solution around consolidation.

That's one, another thing which I wanted to highlight is another movement, which I'm kind of noticing and observing. And I'm a big believer of that movement as a broad-based movement in cyber security, just like we saw the XDR movement a few years back. And it's still continuing. Right. And that's a very important thing.

Combining detection and response. So the second kind of movement, which I want to highlight Ryan, is continuous things getting continuous as a part of a movement. And if you look at zero trust, I mean, I consider zero trust as a kind of misnomer because zero trust is not really about Zero trust - what it essentially says is continuous trust evaluation, right?

It doesn't say I'm in zero trust. It says, okay, I might trust you right now, but in the next moment, I'm going to evaluate the trust once again. Right. And it builds an architecture and framework to have that underlying philosophy. So zero trust is continuous trust evaluation. If you look at external attack surface management, it is continuous external attack surface discovery.

Look at autonomous red teaming. It is continuous red teaming, right? Look at penetration testing, which Gartner brought up as a service. It's again, continuous. So there's a lot of continuous kind of drive, even though the word continuous is not there. That's an underlying movement, which is happening in the cybersecurity industry for a very simple reason - the bad guys are doing the same. So these are broadly two big movements, which I'm noticing right now. One is the consolidation movement and the other is the continuous movement. Is there any other big scale movement, which you are observing?

Ryan: I think of a broad movement we're going to see moving forward.

I hope I start seeing more and more of it, and it's really hard to do, so it's going to be hard to adopt, but I think micro-segmentation has got to be on the roadmap for everyone. Because if you're thinking about it, like if I want to continue to see tasks or I want to build better - like you really got to lock down who has access to the doors, right?

Like, and that's the thing, we don't have lots of doors that limit access in there. We just, once you get in, you can get into stuff. But what micro-segmentation is saying is, like, only these IPs, only these user identities can access this segment. And it makes it a lot easier for me to build a detection and response.

So all of a sudden something got in that's on the list, right? It's like having a bouncer at every door. I want to have that moving forward, but it's really hard to get there and do that. Not many companies are moving in that direction. So, if we start seeing more of that, it's going to make it easier to adopt a lot of these things to do more continuous testing.

And even if it's a phased approach, that really is our step forward to uplift what we can do from defending networks, as opposed to just trying to look at everything all at once. Cause you just really can't.

Bikash: Wonderful. So, Ryan, that was a great conversation - we discussed these new things, which we observed in the Gartner Hype Cycle and also what we believe the future is like.

So I would like to thank you for joining us today. Thanks a lot, Ryan. 

Ryan: I really appreciate the time today and look forward to doing this again.
