General security

The Cybersecurity Market 2016 and future predictions: How to Deal with 100s of Solutions

Alexander Polyakov
December 14, 2016 by
Alexander Polyakov

I hope you haven't forgotten my previous article about the cyber security market and companies it consists of. Now we are going to pursue the topic.

So, we have the whole industry "pie" estimated at $75 billion. Among them, $25-30 billion belong to products. Who shares this amount and how? What are the most interesting trends? These questions are not as difficult as it may seem. Let's divide the market by region and product type.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

In fact, market segmentation on the ground of region is a trite practice. At least half the money belongs to the USA, half of the rest is in Europe; Asia, Latin America, and Japan follow with nearly half the shares declined each time; something of minor importance is taken by Africa. Basic math. It looks like we have saved a couple of tens of thousand dollars on consultants!

So, this brings us to the most curious approach that is by product type. According to various types of research, there are about 80 categories. In my opinion, it is close to the truth, but in practice, we can meet about 40 of them. Additional 20 is just a hot topic to discuss so far. It is not yet clear which of the products will form new classes and which of them will merge with the existing ones.

Anyway, it's time to cut the second pie.

Pieces of the "pie."

Firewalls continue to account for the bulk of the market that is approximate $10 billion a year, or a good third; the Identity Management segment is the second largest and Endpoint protection is the third one. Then the long list of smaller markets follows.

In fact, we can conclude right there, as then relatively small categories proceed with the market estimated at $100-500 million a year that includes all known vulnerability scanners.

Exploring the market

Now let's see what products share the market. To make this separation more beneficial, we used the latest Gartners' Framework [1] [2] which divides security into several areas and put all existing security platforms there. It will help any security architect to choose the right solution and not to get lost in hundreds of proposals. The products are categorized according to the PPDR model that stands for Predict, Prevent, Detect, and Respond. Monitoring and Analytics can be added to it, so there are five major categories.

We'll go over each one in detail.

It is noteworthy that some products (especially big vendors' products) can fall under several categories. However, even these products consist of modules formerly existed as separate solutions and then combined together. It is a typical story when a big vendor buys a promising startup and adds its software to flagship products as a new component.

I hope the description of existing market areas will be topical by the time the article comes out, as everything is changing at a breakneck speed.

"Predict" segment

As the name implies, this area represents the class of systems that forecast attacks. In simple terms, it is hygiene. If you wash your hands, you won't have germs, won't get sick, and won't have to swallow pills. There are various tools for "washing hands" in information security:

  • Penetration Testing Solutions. Nowadays, there are almost no pure ones left as they were integrated into the vast class of Vulnerability Management;
  • Vulnerability Management refers to security scanners of different areas such as network, web, applications, ERP systems, mobile devices, ICS devices, etc.;
  • SCM (Security Configuration Management), in fact, has almost disappeared as a class and has merged with Vulnerability Management;
  • Access Governance for access control and Segregation of Duties;
  • SAST (Static Application Security Testing) refers to source code scanners;
  • DAST (Dynamic Application Security Testing). Now it is merging with Static Application Security Testing;
  • IAST (Interactive Application Security Testing) refers to interactive code analysis. It is also merging with static and dynamic security testing;
  • TI (Threat Intelligence) used to describe systems that collect data related to threats and attacks happened in the world, it helps to predict further attacks;
  • Security Awareness training including products that automate these tasks;
  • Anti-Phishing refers to automated products and platforms to analyze security against phishing attacks.

"Prevent" segment

This segment includes tools intended to avert attacks. This category represents the largest class:

  • Firewalls – first line of defense.
  • IPS (Intrusion Prevention System) – detection and prevention of network attacks mostly by signature methods.
  • Encryption/Masking – solutions that can prevent data from being stolen. There are different layers of encryption from a full disk to a particular column in the database, each of them prevents from different types of attacks.
  • VPN (Virtual Private Network) – a way to securely connect two peers, be it either client or server.
  • WAF (Web Application Firewall) – solutions that provide detection and protection from web application attacks mostly by signature methods.
  • Database Firewalls detect and prevent attacks on the Database layer.
  • Application Shielding/RASP (Real Time Application Security Protection). These solutions solve the same issues as WAF but analyze application behavior more deeply.
  • IAM (Identity and Access Management) –solutions that provide User Authentication and authorization functionality and protect from unauthorized access.
  • CASB (Cloud Access Security Brokers), systems carried out access control to cloud-based services. It is like IAM but cloud-based ones.
  • Antivirus/Endpoint Protection - protections for workstations against viruses and malware.
  • Anti-APT - advanced protection from unknown threats.
  • Isolation is all sorts of virtual sandbox limiting the work of components. Something like CITRIX.
  • DDoS Mitigation – specific appliances and services intended to protect from Denial of service attacks.
  • EMM (Enterprise Mobility Management).

"Detect" segment

The aim is to identify potential attacks or potentially dangerous statistical anomalies in data collected by the system. This category is rather new. At some point, it became clear that it was impossible to protect a company from every threat and to fix all the vulnerabilities, so the focus had shifted to the systems, which allowed at least detecting some attacks or malicious behavior. This is what the category looks like:

  • Log Management --systems intended to collect and analyze logs. Currently, very few systems only collect logs. Now they are being merged with vulnerability management (as it was with penetration testing tools). The same is with log management tools – they became SIEMs.
  • SIEM-- systems intended to collect and analyze security events, these tools can do advanced analysis and alert based on log collection.
  • Security Intelligence/Threat Analytics, or RTSI (Real Time Security Intelligence) – systems that can detect threats. In fact, it is a kind of SEIM "on steroids" with machine learning and plenty of additional features; the difference is that it analyzes fewer events but reacts faster to the most important ones.
  • Flow Visibility - systems of monitoring net or inter-component traffic.
  • DLP (Data Leakage Prevention) - in simple words, information leak detection.
  • UEBA (User and Entity Behavior Analytics) – solutions that are common now – allow detecting abnormal user behavior. They create a typical user profile based on his or her activity and then monitors it for changes.
  • EDR (Endpoint Detection and Response) – solutions that are implemented on a workstation for advanced attacks detection. It is like non-signature anti-viruses, which mostly use a machine learning technology.
  • Fraud/Transaction Monitoring refers to solutions used to monitor financial transactions, fraud, etc.
  • Deception Tools. Deception is a relatively new area; these products use the old idea of honeypots for attacks detection but do it in a new way, which is easier to manage.

"Monitor and Analyze" segment

This segment involves all systems related to security monitoring, risk analysis, compliance with standards, etc. In fact, these systems objectives are confined to the sole aim that is to choose from numerous issues the most serious ones.

  • GRC (or Governance, risk, and compliance) - probably the most diverse and common area in this section; the solutions have now separated into a number of areas such as enterprise GRC, which is culpable for all company's risks as well as IT GRC which are responsible for IT Risks and Vendor Risk Management.
  • ITRM – IT Risk Management, as it is said earlier, is a narrower area, which is closely interrelated with GRC but focused on IT risks. The difference is that ITRM systems have close integration with vulnerability management solutions and easily afford risks and compliance dashboards based on identified issues, while Enterprise GRC solutions mostly provide a risk analysis and risk management.
  • TVM (Threat and Vulnerability Management), solutions that accumulate data from different security scanners and Threat Intelligence systems to correlate the results and indicate the vulnerabilities necessary to be closed as a matter of priority. There is a fine line between these solutions and ITRM. However, TVM isn't capable of Risk Management but collects data from different vulnerability scanners.
  • Security Orchestration is a new area of solutions that incorporate all existing protection measures in one management console; these tools automate an integration process between security tools. If you want to detect malware in a system automatically, analyze this malware in another system and create a task in the incident response system. Security Orchestration solutions will help you with the task by using API of all required solutions.
  • Network Security policy management. The solutions are products such as Firewall management;
  • SOAR (Security Operations, Analytics, Reporting), a completely new area, in fact, it is a mismanaged assortment of ITRM operations that additionally allows working with big data.

"Respond" segment

It is the last and the least explored area, which is responsible for measures after an incident happened. Eventually, our aim is not to detect vulnerabilities or attacks, but to react. For that to come about, we need certain incident management services. These solutions are like Case-Management or ITSM systems to some extent but have their nuances.

  • Incident Management/Response. These solutions are purely focused on managing incidents, according to the regulations.
  • ITSM (IT Service Management) – tools that are commonly used by IT department to manage tasks, be it either particular tasks to improve system or incidents that need to be solved. Security teams usually use ITSM solutions to manage incidents or to create tasks for IT department.
  • Forensic tools are required to analyze an incident in detail, find out who was a victim, who was an attacker, what kind of information was stolen, etc.

That's it. We've got to know 43 different classes of systems that are the main solutions in the cyber security market nowadays. Some of these categories can be classified into smaller ones but, in general, this information is enough to realize how to protect a company and what are the latest trends in the cyber security market.

Now don't close a tab but get a bonus. Take time and look at the current state of the market and its predictable state in the future.

The future of the cybersecurity market: from spare parts to a vehicle

The cyber security market is highly diversified in contrast to, say, vehicle production. There are core leaders in automotive industry and hardly anyone else. There are also leaders in cybersecurity, but they are at the top of the game because they share the largest areas. In analogy with vehicle production, there could be companies producing engines, bodies, and insides. One might argue that such companies exist in reality, but the point is, there are no companies producing a whole "automobile"! No vendors could only implement their own products in a company to cover all the key security requirements. Whatever you might say, one has to combine the services of two or three providers.

Take any big endpoint protection vendor. It provides security of workstations and perimeter, probably, anti-spam appliances, but that's all. Thus, we need to purchase firewalls, monitoring and scanning systems, and event log analysis from a second vendor. Never hurts to have a couple of any sophisticated novelty. Therefore it turns out we make our own car from scratch.

That means the market are not developed though it enlarged at dozens of times in the last ten years. I believe several companies, which will sell whole "automobiles" as the whole turnkey security, one day will definitely appear. However, dozens of companies producing and distributing components and hundreds dealing with accessories in our automobile analogy won't go away.

Any feedback? Contact me by email or any social network (Twitter, LinkedIn, Facebook). Happy to hear your thoughts.


[1] Gartner's PPDR (Paid access only)

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

[2] 360 degree approach to Cybersecurity

Alexander Polyakov
Alexander Polyakov

Alexander Polyakov is the founder of ERPScan and President of the project. Recognized as an R&D professional and Entrepreneur of the year, his expertise covers the security of enterprise business-critical software like ERP, CRM, SRM and industry specific solutions for Oil and Gas, Manufacturing, Retail and Banking; as well as other verticals developed by enterprise software companies such as SAP and Oracle. He has received numerous accolades and published over 100 vulnerabilities.

Alexander has also published a book about Oracle Database security, numerous white papers, such the award winning annual "SAP Security in Figures”; plus surveys devoted to information security research in SAP.

Alexander has presented his research on SAP and ERP security at more than 50 conferences and trainings in 20+ countries in all continents. He has also held trainings for the CISOs of Fortune 2000 companies, and for SAP SE itself.

He is the author of numerous whitepapers and surveys devoted to information security research in SAP like "SAP Security in figures." Alexander was invited to speak and train at international conferences such as BlackHat, RSA, HITB and 30 others around globe as well as in internal workshops for SAP and Fortune 500 companies.