Teri Radichel

Security Product Evaluations

Which product will solve my security problem?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

🔒 Related Stories: Security Assessments.

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Clients sometimes ask on consulting calls, “Which product should I buy?” That is not my favorite question on a one-hour consulting call. Here’s why. There are too many products for one person to reasonably know everything about all of them. Additionally, the market is constantly evolving and changing. The best product today may be surpassed by a more innovative and effective product tomorrow. On top of that, the right product for one organization might not be the right product for another due to the cost, business and operational requirements, staff, and architectural considerations. I can answer these calls generally, but a better approach would be an in-depth analysis of the requirements and potential solutions.

When an organization requests a consulting call or a research report from me (mainly through IANS Research) and has questions about a particular product or service, I generally know something about the topic, or I wouldn’t take the call or project in the first place. However, I often spend time reviewing the latest and most up-to-date information prior to a call, even if I am familiar with the topic. The industry and its solutions are a moving target, and a vendor or a competitor might have added a feature yesterday that improves the effectiveness of their product.

At a high level, I understand how top security products and solutions fit into a security architecture. However, I may reach out to vendors for additional information related to a particular client objective or need. In some cases, if time allows, I try out products hands-on for clients to perform a proper evaluation. The ability to do so depends on how in-depth they want me to research a solution.

Based on my years of experience as a system architect, I can attest that product purchasing decisions are not made in one hour or on the strength of an off-the-cuff recommendation. That’s why I tend to prefer researching a solution in depth based on a specific client’s requirements instead of recommending a generic solution that everyone else is using. I also enjoy helping clients understand what to consider when choosing a security product or service.

Sometimes the product or service itself is only part of the equation. The company may also need to consider staff to support the new product or service, or additional training to obtain the skills needed to manage the solution effectively. The product or service may need to integrate with the existing architecture, may affect performance, and cost considerations may play a part in the decision. A new vendor may require a security assessment prior to purchase approval.

Investment in a security solution is often significant, and the company wants their investment to last. The appropriate solution depends on a lot more than technical implementation alone. A generic answer as to “which product to buy” may not benefit every client. I also wrote about how the security solution most companies are using may not be the most effective. Sometimes it might be worthwhile to investigate a new approach. On almost every project I worked on as a developer or system architect, I worked with new technology. Asking people what they’ve done in the past may be leaving a new and better solution on the table.

Security Research vs. Referrals vs. Free Consulting

Many security vendors have offered me the chance to become a “partner” or to “resell” their products. They offer me commissions for speaking about their security solutions. I have avoided that to date because I don’t want to be a salesperson. That might cause me to recommend the products that I’m getting paid to speak about instead of honestly telling people which product I feel is best. If I recommend a product and am not getting paid to do so, that’s a better recommendation than a suspect paid referral.

On the other hand, I can’t evaluate all the products in existence without compensation of some kind. As a consultant, time is money. Many companies ask me to evaluate their products for free. That would be fun, and I would love to spend all day trying out different security solutions, but I need to pay bills, and time is limited. How can I adequately recommend solutions to clients if I don’t have time to use and evaluate every product for free?

I do a lot of research and focus on a niche — cloud security — which encompasses network, identity, data, and application security, among other things. I turn that research into content in my cybersecurity book, cloud security classes, consulting, research reports, or sponsored cybersecurity blog posts. I also research methods to more effectively perform penetration tests and security assessments. Understanding shifts in technology helps me answer consulting calls more effectively. I watch for industry trends such as one I just wrote about — SASE.

I get asked a lot of questions, which I equate to free consulting, and I don’t have the time or money to answer them all. Most of the time, I refer people to IANS, who can schedule paid consulting calls with me. However, I sometimes write about products I use personally to solve my own security problems to help those who don’t have large security budgets and can’t afford to hire me directly or attend classes. I also write about common security problems on this blog to address the top security problems I frequently find on penetration tests and security assessments.

For example, I recommended YubiKey in a past post because I think it’s an easy way for startups and small business owners to improve the security of their accounts. I also recommend a simple DNS change offered by Cloudflare to help protect schools, homes, and small business networks. The security of individual systems affects us all, as I explain in the first chapter of my cybersecurity book. I do what I can in the time I have to provide simple solutions to those who are not as technical or have smaller budgets.

Although I don’t resell products, companies have paid me to evaluate and write about their products. When security vendors compensate me for the time to use and research their products, that’s fair. I like this option because it gives me a chance to use and do a deeper dive on a particular solution. I can provide feedback to the company as a written report and publish a blog about it if they like the results. I’ve also had companies sponsor blog posts, but I choose the topic and content, so it’s not a paid sales post or a topic that sounds like pure marketing.

If a product effectively solves a problem, why wouldn’t a company pay someone to try it out and write about it instead of asking someone with industry expertise to evaluate it for free? I’ve written previously about companies that won’t even give you a free trial for a product evaluation. If a vendor won’t let you compare the product apples to apples against competing products, is it really that good? I don’t know, because in some cases I couldn’t get hands-on, so I can’t tell you. That happened when I was evaluating SAST, DAST, and IAST products for a SANS research paper. I could only write effectively about the products I could actually test; the rest was hearsay.

How do I research security products and services?

To determine trends in the industry, I read — a lot. I follow security researchers and professionals on Twitter. I research trends and topics in Google and notice new product categories or security gaps based on recent breaches. I listen to podcasts, watch videos, and in the past, I would see new products at conferences. I follow the new feature announcements for major cloud providers, especially related to cybersecurity.

I also get the opportunity to evaluate different security solutions and cloud architectures via cloud penetration tests. Industry reports and surveys like the OWASP Top 10 web application security threats and the top threats identified by the Cloud Security Alliance provide some indication of what to test. But I also monitor data breach and vulnerability trends to determine how attackers are infiltrating systems and stealing data, because sometimes new threats are on the rise that are not on those lists. Sometimes these new threats and vulnerabilities bypass the way systems are typically secured. I’ve got a research report coming soon for IANS on one such cloud-related attack.

If a client pays me to research a particular product or service, I’ll dive deeper. I’ll get hands-on and try out the service if possible. I may perform a comparison with other products in the industry, talk to customers of the products and services, and evaluate the effectiveness of the solution using industry reports. I’ll read the vendor website, documentation, and blog posts, as well as questions related to issues people have with the product. I will look at the cost, architecture, and potential pitfalls. How deeply I research a topic is related to how much time and compensation are involved.

My understanding and evaluation of products and trends is not only based on what I read on a particular day but also incorporates 25+ years of experience. My background includes software architecture and engineering, cybersecurity, performing technical due diligence for venture capitalists, mergers and acquisitions for a security vendor, and running three companies. The combination of technology and business experience and a propensity for understanding trends helps me determine where gaps exist and where the industry goes next. Those factors are important when considering a security solution so you don’t end up purchasing a “one-hit wonder” that addresses the security vulnerability du jour but won’t be able to pivot to protect you against future threats.

What products do I evaluate?

Realistically, I could research any security solution given time and money to do so. In the past, I evaluated identity products for a security vendor for an acquisition. Often my consulting engagements are related to products to secure cloud platforms, applications, data, and networking. I research tools that will help me perform a penetration test or security assessment more effectively. Lately, I’ve also been researching Wi-Fi devices, routers, and firewalls for my home network configuration. I hope to be writing more about that in the near future related to a thread I started for small businesses and startups called Connecting to Clouds.

My cloud security class includes research and comparison of top infrastructure as a service (IaaS) security offerings. I monitor feature and service changes and update the contents before each class. I’m working on a new 2-day class for executives that I am hoping to hold quarterly in 2021. In my 5-day class that I teach to individual organizations, students dive deeper into different service offerings with more technical hands-on labs. Though the class includes a comparison of various cloud offerings, the focus is more on how to evaluate cloud security and make effective cloud security decisions.

In addition to the major IaaS cloud providers, I’ve evaluated software as a service (SaaS) security as Director of SaaS Engineering for a security vendor and on audits and assessments. I’ve used and evaluated cloud access security brokers (CASBs) and architected IoT security solutions for security appliances connecting to the cloud. I’ve also learned about new startup security solutions, had them sponsor our Seattle AWS Architects and Engineers Meetup, recommended them to others, and later witnessed their acquisition by a larger security vendor.

Although I love researching security product and service solutions, doing it adequately requires investment. Simply regurgitating the solution everyone else is using to every other client is not necessarily the best answer. A complete evaluation would include an understanding of organization-specific requirements and a hands-on test of the product in a test environment similar to the target production environment. Speaking about products at a high level is useful, but a deep dive will provide a more valuable determination of the effectiveness of a product for a specific organization.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2020

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
❤️ Sign up for my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab