Four Days of Gartner Security and Risk Management Summit in Four Minutes

After four days in Washington D.C. — which is typically muggy in June, but this year it was smoky, too, due to the wildfires burning in Canada — I would like to share with you some of the highlights from the 2023 Gartner Security and Risk Management Summit.

This year’s conference boasted:

• 4,300 participants — double last year’s attendance
• 71 Gartner analysts
• 281 sessions
• 247 exhibitors

As in previous years, a few themes emerged. Here’s what people had on their minds:

• AI for security
• Platforms versus separate vendor tools
• Tool integration
• Vendor consolidation
• Shrinking budgets and “good enough” syndrome
• Identity Threat Detection and Response (ITDR)

AI for security

For novices and experts alike, it seemed that all discussions inevitably landed on the future of AI for cybersecurity. Everybody was able to dream of a day where AI would do (some of) the dirty security work for us. It is amazing how quickly generative AI became the topic du jour and went straight to the peak of inflated expectations in just a few months. Let’s see how quickly we get to the trough of disillusionment. (See Figure 1 below.) The goal is to get to the plateau of productivity with minimum breakage, and we have lots of work before we can get there.

Right on cue, some of the largest vendors’ marketing machines were in full swing on AI. You probably know who I’m talking about: the companies that have been investing lots of money in ChatGPT. Some of their demos had compelling elements, but not surprisingly, these vendors were vague on what was in production, versus what was on the roadmap, versus what was simply wishes and dreams. There was much hand waving and hype at work, for sure.

While the broader industry is figuring out what issues exist with generative AI and how to deal with them, there is a tried-and-true ML/AI technology that has been around for a decade and has been proven effective to solve complex security operations challenges — user and entity behavior analytics (UEBA), which was pioneered by Exabeam in 2013. It is still as effective and useful as ever, with almost none of the issues of generative AI.

Platforms versus separate vendor tools

Day two’s keynote, confirmed by many conversations with CISOs and Gartner analysts, stressed that CISOs are looking to consolidate their set of vendors and adopt platforms. The problem is that almost all of these “platforms” (I’m looking at you, portfolio vendors that spent so much on marketing during this event) were developed many years ago and are today bursting at the seams. They were not designed to power all the complex use cases that are requisite given the expanding attack surface. I know what problems legacy platforms bring, and what it took to develop the Exabeam Security Operations Platform. It was a significant investment for Exabeam, and certainly not for the faint of heart. For emerging vendors, the question is how to secure the resources and investments to build such a platform. For legacy vendors, an additional question is how to migrate their massive customer base with minimal disruption. 

Tool integration

In theory, it should be easier to integrate tools from a single vendor than from disparate vendors, but this is a dangerous assumption. Many large vendors have built their portfolios through acquisitions, and a large vendor’s portfolio is often a hodge-podge of disparate solutions with overlapping feature sets and gaps in coverage. Management consoles also suffer from disjointed workflows and user experience, and there is no guarantee of improved integration at this point from these vendors. The main reasons are:

1. The acquired tools were not designed to be integrated together as part of this vendor’s portfolio
2. The platform that all of these tools integrate into has the issues and shortcomings that we discussed above

Vendor consolidation

It seems appealing to minimize the number of security solution providers. Again, this assumes that fewer vendors means easier management and more purchasing power, with each of them negotiating larger discounts. Even better is the promise of portfolio-wide licenses. A bunch of tools included or even “free” in an all-you-can-eat license might be tempting for organizations. Once again, there is often a difference between perception and reality. On my own, in my spare time, I did a fun exercise where I asked ChatGPT how much Microsoft Sentinel really cost for an E5 license customer requiring a pretty average volume of logs. It’s eye opening; Sentinel is far from free.

Shrinking budgets and “good enough” syndrome

Organizations are getting reluctant to buy yet another point product. We reached stack saturation and diminishing returns. Now the focus is on stack rationalization. Organizations start realizing that a good-enough stack that is well integrated could perform more efficiently than a set of disparate, best-of-breed tools. The value is in connecting the dots, and this aligns with having to do more with less budget. In fact, we are moving from tool integration to tool collaboration. At Exabeam, we fully agree and are excited to be at the right place at the right time with our offerings. Cloud-native New-Scale SIEM^TM is based on a modern security operations platform that can scale to new levels of performance. The Exabeam Security Operations Platform features machine learning-powered UEBA, allowing your security stack to collaborate efficiently.

Identity threat detection and response (ITDR)

Lastly, there were many debates on whether ITDR should be a separate discipline. This is a valid question. Security information and event management (SIEM) and threat detection, investigation, and response (TDIR) have been handling threat detection and response use cases for more than a decade, and many of these use cases are identity-centric. They use identity to detect threats, and they offer threat detection coverage for identity use cases. Almost all discussions landed on the conclusion that it is a subset. Which gives us this gem in the acronym soup heard at the Summit: “ITDR is a subset of TDIR.” This kind of sounds like a SIEM use case, doesn’t it?

Conclusion

Once again thank you Gartner for putting together this event — a special shout to Patrick Hevesi, who chairs this event. There were lots of great sessions, great people, and great conversations. It was well worth the time. See you next year!

Learn more about cloud-native SIEM

Discover the benefits of cloud-native SIEM and learn how to transition SIEM to the cloud in our comprehensive eBook, The Ultimate Guide to cloud-native SIEM.

Today’s security teams face increasing challenges in managing and responding to threats effectively. Cloud-native SIEM presents a powerful solution to simplify and streamline your security operations.

You’ll gain insights into:

• The evolution of SIEM and the emergence of cloud-native SIEM
• The advantages and potential drawbacks of cloud-native SIEM versus traditional SIEM
• Various hosting models for cloud-native SIEM solutions
• Real-world use cases for cloud-native SIEM deployments
• A step-by-step guide for migrating from an on-premises to cloud-native SIEM