
HG - The Commoditization of Security Solutions: Will You Be Replaced by a Small Script? - Nathan Sweeney

BSides Las Vegas · 28:48 · Published 2017-08
About this talk
HG - The Commoditization of Security Solutions: Will You Be Replaced by a Small Script? - Nathan Sweeney Hire Ground BSidesLV 2017 - Tuscany Hotel - July 25, 2017
Transcript (English)

[Host] All right, so when I saw this talk on our CFPs I liked it a lot, so you got one of my votes for sure. [inaudible] This is Nathan Sweeney, who's gonna talk about the commoditization of security solutions, and I'm just gonna leave it at that.

[Nathan Sweeney] All right, thanks a lot. I gotta admit I got beard envy. It's close; he's got the fullness though, right? All right. It's good to see everybody. The commoditization of security solutions. People look really tired; is this nap time? Everybody I see walking in is like, "oh, a chair, I can sit back." Please try not to fall asleep. If you do, it'll be okay.

I'm just gonna jump into this and get going. My name is Nathan Sweeney. I'm a senior security consultant for Secure Ideas. I've been doing security for a little over a decade. Secure Ideas, we do pen tests, training, architecture reviews, consulting, whatever. A friend of mine calls us consultants: we'll do whatever you pay us for. That's not quite true, but you know, whatever. This talk is a little different for me. I'm getting ahead of myself. So I have one of those unique names: if you search me on Google, if you can remember how to find me or spell my name, you'll find me. There was one other guy that had the name that died in like the 1800s, so he's got a gravestone somewhere as the only other thing you'll find. And there's my crew. I'm proud to be one of the organizers for BSides Oklahoma as well, so if anybody ever happens to be in Oklahoma, feel free to come check us out next April 11th through 13th. I'll throw in that free plug.

So this talk was an idea I had. I had several friends that had lost their jobs; they basically got downsized, as in "your job's not really that important anymore," and then they had a hard time finding jobs. In talking with them, and starting to see a similar thing at some of our clients, I started to recognize a pattern, and that's what I wanted to talk about today: this pattern of commoditization. It's a big word, and I'm gonna spend a little bit of time explaining what that means, and then how it affects you and what to do career-wise to prevent yourself from becoming one of those casualties of war. My goal is to talk about the progression of technology and security solutions from introduction to just a common, everyday thing that everybody uses.

So just an outline of what we're gonna be looking at: I'm gonna walk through and talk about the history of some security technologies, hopefully not too boring, but I want to set a groundwork for this pattern that I've noticed. Then we're gonna talk about how InfoSec is different than other industries and why it affects us more than others, and then specific things that we can do about it: what to do to make yourself more marketable. When you're talking to the recruiter, the folks before me were talking about things that will help you be more appealing to those potential employers.

So, commoditization. I've got to get into a little bit about what this is. Has anybody ever heard the word commoditization? Awesome. Does anybody feel comfortable explaining it? All right. So there's a legal definition of commoditization. When I say legal, I mean defined by the courts and the government and whatnot. That tends to be focused around the Commodity Exchange Act, which was passed by Congress back in the '30s. It's more focused on the legal definition of what is a commodity when it comes to trading and financial investing and that sort of thing. That's not at all what we're talking about. I'm talking about more of a general definition of the process of commoditization. With legal stuff it tends to be a one or a zero: it's a commodity or it's not, the law applies or it doesn't. What I'm talking about is a scale of commoditization, and so we're gonna see several examples of different products and different technologies that are in different areas on that scale, just because real life is a little bit more fuzzy, I guess.

Ultimately, commoditization is when proprietary things become generic. What I mean by that is: you have a new idea, somebody comes up with a new technology, it's the cool new hotness, they get a booth at some other conference down the street and spend hundreds of thousands of dollars and get venture capital and all this stuff, and it's a big thing. Over time it becomes built into an operating system; it becomes just an everyday technology that everybody uses. So that's the process of commoditization. There's a lot of steps in the middle we're gonna talk about as we go. Ultimately, when something is all the way at the end of the commoditization scale, the choice is based on price: "do I want this one or this one? I don't care, which one's cheaper?" That's a commoditized item. The quote from Wikipedia there is helpful. It basically talks about taking the pricing power out of the hands of the manufacturer or the vendor and putting it in the hands of the buyer, so they can't just choose to sell it for whatever they want to sell it for; they have to sell it for whatever the market and people are willing to pay for it. We'll get into that a little bit more.

Some common examples of commoditization: food, sugar, wheat, beef, milk. These are the types of things where, when you go to the store, you don't think about which brand you want, right? You don't go to get a thing of sugar and say, "do I want this brand or that brand?" Now, some people tend to buy the name-brand sugar instead of the store brand. That doesn't mean the product is any different; that's more of a personal, psychological thing. There are people who are always going to buy the store brand, and there are people who are always going to buy the name brand. In fact, in a lot of cases you have places where the manufacturer makes both: they put two different wrappers on it and send it to the same place. You see that a lot with pharmaceuticals. You have drug manufacturers that, after their, what is it, like 30-year trademark runs out, continue to make the name brand, like Advil. They continue to make Advil, but they take the exact same pills, put them in a bottle, label it with the generic "ibuprofen," and sell it for half the cost. The reason they do that comes back to the psychological: some people will buy one rather than the other. But that is still a commodity, because the item hasn't changed. When you go to buy ibuprofen you don't say, "I want this brand of ibuprofen over that one." You don't care; you get whichever one's the cheapest, generally.

Some other things like oil and natural gas, gasoline: these are examples of things that are legislated by the government, what I was talking about with legal commodities. Same deal: if you're gonna go fill up your propane tank, you don't care. And I know this is really non-technical, but hopefully you'll understand in a little bit why I'm going this route.

Gasoline. Does anybody have a gas station that you go to to buy gas, that you'll drive like two miles out of your way to go to instead of this one? Yeah? What's the name of it? What's your favorite? QuikTrip. Where is it? QuikTrip, are you from Oklahoma? Atlanta, all right. Yeah, if you're from South Carolina, Atlanta, Tulsa, QuikTrip is the one. They're always on the top list of companies to work for. My favorite. They're based in Tulsa, by the way. But yeah, that's a great example: the product itself is commoditized, but they've added value onto that commodity. There's cleanliness, there's customer service, there's other things that make it valuable. So here in a few minutes we're gonna talk about some things like that you can do to make yourself more valuable even though maybe your job has become more commoditized. And then lumber, cotton, light bulbs, gold, copper, silver: all types of things that you don't think about when you go to buy them. You don't think about what brand you want; you just buy the cheapest one.

So, some causes and effects of commoditization. I put "cause/effect" because it's really kind of a chicken-and-egg thing. In the commoditization process this stuff happens; it's just part of the process. Somebody smarter than me has probably done a study about which causes and which affects and that sort of thing. It doesn't matter. Standardization is one, where you go from a lot of different features that have different ways of working to a standardization. If you go to Lowe's and buy a 2x4, you can guarantee that it's gonna be about the same as a 2x4 from Home Depot, right? Who cares, it's standardized. We see less differentiation between products, we have more suppliers of the products, and then we also have lower prices. When we talk about... don't you hate that when you've got a thought and then you skip on and then you come back to it and it's not there anymore? It's a brain fart. Thank you, I appreciate that. I just said fart on stage, is that okay? Thanks.

All right, so moving on. We've talked about commoditization and what that is. So what does this have to do with security? I want to step back a little bit and go through some history of security technologies, things that we're all familiar with but maybe we haven't thought about from the perspective of commoditization. Security is hard. I'm assuming if anybody had figured out security, if you'd fixed it, you wouldn't be in the Hire Ground track looking for work or looking for how to improve yourself. Security is one of those things I don't think we're ever gonna fix; there's always going to be something new. There's a lot of great ideas, there's a lot of ideas and solutions that are out there. A lot of conferences have somebody pitching their next big thing that's going to fix everything. I think if you walk around and talk to some of these guys out here, they could probably tell you why their product is the best. It may be, it may not be. For every good one there's probably 10 or 20 that aren't so good. But there's a lot of supposed silver bullets out there trying to fix our problems with security. There's also a lot of money involved, just because of the value of the things that we're trying to protect, the potential risk and all that kind of stuff. There's a lot of money being thrown at security, so that comes into play with some of the products that we're gonna talk about.

There's a lifecycle, and this is when I started to notice this trend with security products. There's this lifecycle in security technologies. It starts with a new idea. Usually at that point it's really expensive. Think about application whitelisting three, four, or five years ago, or maybe longer than that, when Bit9 was the solution for application whitelisting. It was incredibly expensive. That price has come down now. But there's usually a lot of hype in the beginning with the new idea. Sometimes it's fun, sometimes it's legitimately earned, but there's usually a lot of hype and excitement about a new product. It also tends to be complicated to integrate into your existing architecture, your security posture: "hey, we've got these security controls in place, now we need to come in here and roll out this new product, and wow, it's going to take all these extra resources and it's a lot of difficulty." What ends up happening is you have people becoming specialized in those areas; they become trained, and your job is to do this thing.

As we move on, you start to see more competition in the market. You start to see a fight for distinguishing features, different companies trying to say "here's why mine is better than theirs," that sort of thing. At that point you start to get a battle for pricing, so they can no longer just charge "here's our exorbitant prices"; they now have to compete with somebody, and the more competitors you have in the market, the more the pricing comes down. As that happens, the products become easier to integrate. There still tends to be a lot of work in those early stages, but you start to see the process of "this is becoming simpler"; they're putting more effort into making it compatible with other products and that sort of thing. And then as we move into the full commoditization process, what we start to see is very few unique features. The market has spoken on here's the things that consumers want, here's the things that consumers don't care about, and so the different security solutions (and when I say security solutions I'm talking about tech in general, but security specifically) start to become more and more similar. During this time period prices drop considerably. I remember when you could sell an antivirus license for like 75 bucks a workstation; now Microsoft's giving it away as part of the operating system. So you see this trend of pricing dropping as the commoditization moves forward. At this point you also start to have lots of resellers, because it's really easy to set up. That's another thing I've noticed: every value-added reseller out there is adding this product line to whatever it is they sell, because there's not that much training required to get their people up and moving with it.

And then towards the very end of the line, and this is something I've seen more specifically with security solutions, the tech tends to get built into other tech. Sometimes it's a licensing model. Think IDS, right? You used to have to go through all this work to set up an IDS system. Now, has anybody ever used a SonicWALL or a Fortinet or an Astaro? I don't know if Astaro is still around. If you want to turn on IDS, how hard is it? Yeah, click the button. That's it. You may have to pay a licensing fee or whatever, but it's simple. Yeah, there's some tuning that can be done, and you can make exceptions and all that kind of stuff, but the overall process is really, really simplified. It ends up needing very minimal technical knowledge to configure. You also start to see a lot of acquisitions at this point, and really throughout the commoditization process, but especially at the end. You've got Cisco buying Sourcefire just so they can roll it into their products, that sort of thing.

To walk through some examples of what we're talking about here: firewalls are a great example. Initially a firewall was a tech that was a separate device. You've got your gateway; anybody remember when the gateway and the router were two separate devices? And you've got your firewall over here. I forgot you were Bank of America old-school. Yeah, we're just old. I see this guy sitting back there like "I know that guy," but he's at Bank of America, anyway. So yeah, you had this separate device and whatnot, and then they started rolling it in, and now it's just part of every router to some degree. In fact, I hate it when people buy a cheap little Linksys and call it a firewall. I'm like, there's no firewall; it's a router. Yes, you have NAT routing; that is not a firewall, that's the poor man's firewall. But sorry, I'm ranting.

All right, antivirus is a great example. I mentioned before how Microsoft gives away antivirus as part of Windows 10. They've been doing that for a while, even with Security Essentials back when they released 7 or Vista; it was just a giveaway thing. That was a big thing; it used to be a huge money-making thing. I mean, people still make money at it, but nowhere near as much as before. I tell people a lot of times, I use the example that firewalls or antivirus are like a seatbelt: it's not gonna prevent most accidents, and probably not even stop you from getting hurt in most accidents, but it can help limit some damage. So, good to have.

IDS I mentioned as an example. Log monitoring is one of those that I don't feel is quite as far along in the process, but we're starting to see it more and more. As people are recognizing the importance of monitoring and alerting and keeping up with what's happening in your environment, we're seeing log monitoring becoming more mature, and technologies are beginning to become more integrated so that it's easier. Application whitelisting I've talked about. Two-factor authentication and password vaults: these are two that I feel are just starting that process. These are two technologies that I think are going to become very popular and are gonna be used everywhere. Passwords are dead, we've been saying that for a while; passwords suck, they're not good, but we still have to deal with them. I think two-factor auth and password vaults are some technologies we're gonna start to see integrated more closely with other technologies.

Does anybody... hold on, I'm looking at the vendors. CyberArk, are they in here? All right. I think CyberArk is one of... they're awesome, by the way. If you run CyberArk, they're like the gold standard for password vaults. I think eventually they're gonna get bought by somebody else and integrated into another solution. I think it's just natural. I had a client just last week send me an email: "hey, what do you think about this two-factor auth solution? We're looking at it, we're thinking about going with them." I don't know, they're like every other one, right? We've gotten to the point where it's no longer "here's the solution"; it's "here's 30 solutions, pick the one that works for you and is the cheapest, and move along and just do it." So I think we're gonna see some of those. The reason I asked about CyberArk is, if your job is monitoring and managing a CyberArk installation, because there are people that that's all they do, you need to pay attention to the rest of this talk, because that job is going to go away.

And then consulting services. I think this is one of those interesting places. As pen testers, we've started to see more and more commoditization even in the pen testing field. There are more and more vendors out there offering cheaper and cheaper solutions, and so being able to demonstrate the value-add that we provide (we don't just run this tool and give you a report; we actually go through the manual process of validating findings and doing manual testing and that sort of thing), when company X over here says their price is half as much as yours, "why is this stuff that much more valuable?", that's becoming harder and harder to do, especially as the tools get better and the automated solutions get better. So we've kind of seen the writing on the wall. I don't think pen testing is ever gonna go away; I think that's a religious argument we could have over a root beer. But I think the number of pen testing companies out there is going to become fewer and fewer. I'm using pen testing as an example of consulting, but those types of consulting services tend to become fewer and fewer and harder, and you may have fewer expert-level people doing the jobs and a lot of people that are out of work saying, "hey, where'd my job go?"

So let's talk about the effects on security professionals. How long do I have? Do I have till 3:25 or 3:30? 3:30, okay, good. So, the effects on security professionals. You start out initially with lots of demand: if you have this particular technology, this particular skill set, you can get a job anywhere; there's lots of options. Eventually the demand is saturated, and it's harder and harder to find that job. Initially it's easy to specialize; later on specialization becomes kind of unnecessary. It's easy to get that training up front, it's easy to say "hey, this is my job and this is what I'm gonna do and this is what I'm good at." Over time that all becomes automated and simplified, so that... yes sir? I'm sorry, I don't know what [inaudible].

[Audience question, inaudible]

Okay. Huh, no, I haven't done that. That's an interesting idea. Yeah, okay, I'll look at that. I appreciate that. So then, obviously, you've got job security versus you start to be seen as unnecessary. I mentioned at the beginning I've had several friends that were basically downsized; they lost their job because the company said "what you're doing isn't important to us anymore; we can automate that." When I was talking about this with one of my co-workers, she just started with us, she used to work for an energy company, and she laughed, because she says "I love to replace people." Her thing was, "I love scripting," and I'm like, what do you mean you love scripting? She's like, "I love to replace people. If I can look and say, hey, we've got these interns that are doing this, we've got these student workers, or even more senior-level people that are doing certain jobs, if I can automate their job it either, one, frees them up to do something more important, or two, frees up the money that we're paying them so that we can use it somewhere else." So that kind of sucks if you're the guy being let go, but hopefully with this advice that I'm giving, you can recognize that and find a better way to go.

So why is InfoSec unique? Why are we a snowflake, and why is this talk worth giving, as opposed to every other industry? It's really not, to a complete degree. Is there a ColdFusion developer here? No. Those guys are out on the street, right? They're not even in here looking for work; they're gone. I mean, there's ColdFusion jobs out there, I suppose; there's got to be some companies that still have that stuff out there, but it's harder and harder to find the jobs because it's just not important. The commoditization process doesn't just affect InfoSec; it does happen everywhere. There's some examples here. This morning I was talking to a gentleman, and I had to throw this in as an example: he said when he started, years ago, he was a consultant, and he did DHCP consulting for companies. He would come in and help them roll out DHCP in their environment. I don't know how old this guy was; I mean, that's always been pretty "click button" for me. Maybe in a larger environment, I don't know. But he said that's how he made money for a while: he was able to do consulting helping people roll out DHCP. He might have been telling me a story, I don't know. But there was a point, I was talking about it earlier, back in the day where you had the gateway and the router and the firewall and the DHCP server and the DNS server and all these different devices; now it's much more automated.

Point-of-sale solutions. POS, point-of-sale, not the other POS. I worked in point-of-sale for quite a while, and you used to be able to make a lot of money by being a value-added reseller, putting all these things together and helping young businesses figure out what they need and helping older businesses figure out how to automate stuff. Nowadays it's all just "roll out the solution, click the buttons, and move on," and so those companies were really having to retrain their employees and figure out how to maintain their business model. ID management is another one. I was talking to a gentleman this morning: how many places do you go through where they verify your ID? You walk in the door, I took my badge off, but you hold up your thing, and there's a person right there verifying it. You go through TSA and you show them your ID; you get onto the airplane and you've got to scan your boarding pass. There are so many places that we verify ID. When the cops pull you over they want to check your driver's license. That's all being automated; a lot of it we don't see yet, but it's starting to happen more and more. This gentleman was telling me about the company he works for and some of the stuff that they're doing; in the next ten years that world is gonna change a lot. There's gonna be a lot of people out of work, a lot of bouncers at bars that used to check IDs that aren't gonna be necessary anymore. I don't know, they may still be necessary, because you've got the jerks that you've got to check their ID. But anyway, commoditization happens everywhere.

I'm gonna move on here. But with information security it's a lot more... not efficient, but what's the word I'm looking for... it happens more quickly. Part of that is efficacy; I said "shortened efficacy" here. That's something's ability to be effective, right? The lifecycle of when something is effective changes more quickly with information security products. We have this constant arms race: you've got a new attack, a new defense, new attack, new defense, and this is happening combined with the money that we talked about earlier, all this money being thrown into the industry. That speeds up the cycle, so these technologies are coming and going more quickly. It's hard to keep up, but there's some things we can do. Continuing education: every industry has some level of continuing education; that's a requirement for everybody. My wife is formally educated as a teacher, an elementary school teacher, and she has to do continuing education every year to maintain her teaching license. But the types of things, when you're teaching second and third graders, don't change that much. Yes, there's new techniques, there's new stuff, but compared to our job, if you keep up with stuff on Twitter or whatever your media choice is, there's things that are happening all the time, and keeping up is difficult, which makes this process happen even more quickly. It's also increasingly difficult to keep up with age: as we get older it's harder and harder just to keep up with all that, to understand everything, keep up with the new terminology. As we become more specialized it's harder to keep up with where we need to go. And there's fewer advancement opportunities. This is just the natural funnel of practicing professionals into management; in InfoSec I think that's magnified, because InfoSec as a whole is a smaller portion of the organization, so there's fewer management-level positions to move into when you're at that point in your career. And then we also have incredibly high rates of burnout. Several other BSides folks have talked about that over the years; in the last five or six years there's been a lot of discussions and surveys on the levels of burnout for InfoSec professionals.

So, great, we understand that. What do we do about it now? There's a couple specific things we need to do. First is to recognize the pattern. Don't get caught unaware. Don't sit back and find out "wow, my job is really not important" when the company lays you off. You should be recognizing: what can I do to make myself more effective for my employer? What can I do to not just be a script that can be written for any technology? Imagine potential development paths and plan accordingly. What can I do? Here's what I'm working with; where are the areas that I need to improve and move on? What possibly could be replaced here? Think about parts of your job that are likely to be minimized in five years. Think about where you want to go. It's also important to distinguish technologies from security concepts. The concept of least privilege, or identity and access management: those concepts aren't going to go away. The specific technologies will. So if your job is to manage a certain thing, dive more into the concepts and how you do that, more than the specific technologies.

And then self-assessment. Honestly assess yourself. It's hard to do. Think about what you're good at, where your skills are, what you're not good at, where you need to improve; be prepared for that. Think about your strengths and your weaknesses, that sort of thing. Think about what is valuable to my employer: why are they keeping me here? What am I providing that somebody else can't provide? What am I providing that can't be written into a script? And also, and this is hard for me to do, think about what might be enticing to your next employer, because companies go away, people get laid off, sometimes you're just ready to move on. Always be thinking about what skills am I developing right now that are going to make me more enticing to my employer in five years, more than just "keep learning," education-wise. Sorry, I know I'm done; I've got one minute here, put it on my timer. Get involved in a community. One of the great things about InfoSec is there are so many ways that you can get involved in the community, whether it's volunteering at conferences, doing podcasts or blogs or YouTube videos. There's so many ways that you can get involved, even if it's just being interactive on Twitter and discussing things with people and pushing ideas forward, that kind of stuff. Get involved in the industry; don't just be a job. There's lots of ways to improve yourself; we've kind of talked about that already. And then lastly, just be proactive. Don't just sit back and wait for something to happen.

So, all right, any questions? I think I'm out of time anyway, so catch me out there or whatever. Oh, anybody got any questions? Hands? Okay, he says no. All right, thanks a lot, everybody. [Applause]