Are SMBs driving the adoption of security automation by enterprises?


If you tracked the lifecycle of new security technologies, you’d likely see that most start as enterprise solutions and eventually trickle down to small and medium-sized businesses (SMBs). You could probably guess why new security technology flows in this direction.

For starters, enterprises typically have more financial and human resources, and can afford to develop and roll out untested security solutions. New security solutions are also often immature, and thus more complex, but enterprises typically have dedicated security professionals who can decipher and monitor these emerging solutions. And finally, the industry still tends to suffer from the fallacy that sophisticated attackers primarily target bigger companies, so enterprise customers usually get first crack at advanced security services.

Over time these technologies mature and develop, and eventually transition into SMB solutions. Right now, however, the reverse is happening with regard to security automation. Enterprises are only now adopting the more automated detection and prevention solutions that have been common in SMBs for years. Let’s examine this issue in more detail and explain why automation seems to be moving in reverse.

You can probably recall a number of recent security technologies that fit the enterprise-to-SMB evolutionary profile. One that immediately comes to mind is advanced malware detection. For decades, the security industry has known that reactive, pattern- or signature-based security solutions were losing efficacy. This was (and still is) because threat actors continued to evolve their attacks and refreshed their malware variants so regularly that signature-based solutions simply couldn’t keep up with the deluge of new threats introduced daily. The industry had to come up with more proactive ways to catch new threats. Thus, behavioral malware detection was born, and it became popular about five to ten years ago.

However, the original advanced malware detection solutions were complex and expensive. They required both expensive hardware virtualization appliances to detonate malware and a mix of network and endpoint technology to capture suspicious files to inspect. Early on, these solutions easily cost six figures to purchase, and required trained security experts to understand and monitor the technology. When this tech emerged, there was no chance an SMB could use it. But much has changed in the last five years. Today, organizations can offload expensive processing tasks to public clouds.

Expensive virtualization servers are no longer needed to detonate malware, which has made the technology both cheaper and easier to use. As a result, today SMBs can find advanced malware protection services as a checkmark feature in most unified threat management (UTM) solutions or next-generation firewalls (NGFW).

Many, if not most, security technologies seem to follow this evolutionary pattern: they start as innovative but expensive and immature enterprise technology, and eventually develop into a more user-friendly, commoditized product that SMBs can afford. However, we’re starting to see a new trickle-up trend developing in information security technology. Some of the attributes that make security consumable for SMBs are becoming just as attractive to bigger enterprises.

Besides price, the largest barrier to SMBs using newer security technology comes down to ease of use. One key differentiator is the ability of enterprises to employ dedicated security professionals, whereas an SMB is often just lucky to have an IT guy who knows security. SMBs don’t have incident handlers who can monitor security dashboards all day and interpret security events. Not only do they need solutions that can consolidate many security controls into a single pane of glass, but they also need these services to automate prevention, detection and remediation. Simply put, if a security solution requires a human to monitor threat intelligence and to make prevention or remediation decisions, it will likely not work for SMBs.

For a long time, enterprises turned their noses up at consolidation and even automation. Why consolidate security in one solution when they could pick and choose what they thought were the best-in-class services? Furthermore, since they’re big enough to divide their security into dedicated teams for network, endpoint and application protection, it seemed to make sense to have individual controls for each of those teams. They also didn’t always trust security solutions to make decisions for their business. Rather than automate detection and prevention with things like intrusion prevention solutions, they’d elect to stick with intrusion detection paired with their SOC, and let incident handlers make the decision to block things or not.

However, the latest emerging security technologies suggest that enterprises have started rounding a corner and are adopting technologies that consolidate and automate security, something SMBs have been doing for years. On the consolidation side, security information and event management (SIEM) and orchestration technologies are now taking the logs and management of many individual security systems and putting them under a single pane of glass.

Meanwhile, on the automation side of things, enterprise incident handlers are struggling under the huge deluge of security incidents they see from endpoint detection and response (EDR) and threat intelligence solutions. Even when they have security professionals to staff these solutions, those handlers find themselves buried under an overflow of real and false incidents. As a result, they’re turning to security automation solutions that correlate events using machine learning or other intelligence technologies.

Guess what enterprises? You’re using technologies SMBs have relied on for a while now. The whole point of consolidating security services into multifunction solutions like UTM and NGFW was to ease management. Furthermore, when all the technologies log information in one place, these solutions can automatically start to correlate and remediate events. Let me give you a specific example.

Some UTMs include threat detection and response services to help identify breaches in your network. Similar to EDR, these services can identify and remediate infected computers in your organization by correlating host- and network-based security indicators. However, unlike enterprise EDR solutions, SMB products can’t rely on incident handlers to decide which incidents to remediate. Instead, they must automate the event correlation and figure out on their own whether an incident really is a threat. To do this, many solutions use machine learning to score the various indicators together, and push that score toward a clear verdict by automatically sending suspicious files to cloud sandboxes that monitor their behavior. In the end, existing UTM threat detection and response services are already doing some of the things security automation systems are trying to do for enterprises.
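To make the correlation-and-scoring idea concrete, here is an added example (not code from the original post or from any UTM vendor) that groups constructed host and network indicators by machine, combines them into a score, lets a sandbox verdict push the score toward a clear answer, and then chooses between automatic isolation, a human-review alert, or plain logging. The indicator weights, thresholds, host names, file hashes and the sandbox lookup table are all assumptions made for the illustration.

```python
"""Added example: automated correlation of host and network indicators into a
threat score with a remediation decision. Every weight, threshold, host name,
hash and sandbox verdict below is constructed for illustration only."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed weights per indicator kind; the prefix names the sensor that saw it.
WEIGHTS = {
    "host:suspicious_process": 20,
    "host:unsigned_autorun": 25,
    "net:ids_signature_hit": 25,
    "net:known_bad_domain": 30,
    "net:beaconing": 20,
}
CORRELATION_BONUS = 15   # host-side AND network-side evidence on the same machine
SANDBOX_MALICIOUS = 40   # a sandbox verdict pushes the score toward a clear answer
SANDBOX_BENIGN = -30
ISOLATE_AT = 80          # at or above this, remediate without waiting for a human
ALERT_AT = 40            # between ALERT_AT and ISOLATE_AT, raise an alert for review

# Constructed stand-in for a cloud sandbox's results, keyed by file hash.
SANDBOX_RESULTS = {
    "sha256:constructed-dropper": "malicious",
    "sha256:constructed-updater": "benign",
}


@dataclass(frozen=True)
class Indicator:
    host: str
    kind: str                          # one of the WEIGHTS keys
    file_hash: Optional[str] = None    # set when the indicator carries a file


def sandbox_verdict(file_hash: Optional[str]) -> Optional[str]:
    """Look up a sandbox verdict; None means no file or not yet analysed."""
    if file_hash is None:
        return None
    return SANDBOX_RESULTS.get(file_hash)


def score_host(indicators: List[Indicator]) -> int:
    """Combine every indicator seen for one host into a 0-100 score."""
    score = sum(WEIGHTS.get(ind.kind, 0) for ind in indicators)
    sensors = {ind.kind.split(":", 1)[0] for ind in indicators}
    if {"host", "net"} <= sensors:
        score += CORRELATION_BONUS
    for ind in indicators:
        verdict = sandbox_verdict(ind.file_hash)
        if verdict == "malicious":
            score += SANDBOX_MALICIOUS
        elif verdict == "benign":
            score += SANDBOX_BENIGN
    return max(0, min(100, score))


def decide(score: int) -> str:
    """Map a score to the action an unattended SMB appliance would take."""
    if score >= ISOLATE_AT:
        return "isolate"
    if score >= ALERT_AT:
        return "alert"
    return "log"


def correlate(events: List[Indicator]) -> Dict[str, Tuple[int, str]]:
    """Group raw sensor events by host and return (score, action) per host."""
    by_host: Dict[str, List[Indicator]] = defaultdict(list)
    for event in events:
        by_host[event.host].append(event)
    results = {}
    for host, indicators in by_host.items():
        score = score_host(indicators)
        results[host] = (score, decide(score))
    return results


# Constructed sample events, as an endpoint agent and a gateway IDS might report them.
SAMPLE_EVENTS = [
    Indicator("ws-01", "host:suspicious_process", "sha256:constructed-dropper"),
    Indicator("ws-01", "net:known_bad_domain"),
    Indicator("ws-02", "net:ids_signature_hit"),
    Indicator("ws-03", "host:unsigned_autorun"),
    Indicator("ws-03", "net:beaconing"),
    Indicator("ws-04", "host:suspicious_process", "sha256:constructed-updater"),
]

if __name__ == "__main__":
    for host, (score, action) in sorted(correlate(SAMPLE_EVENTS).items()):
        print(f"{host}: score={score:3d} action={action}")
```

In the sample data, ws-01 has both a host and a network indicator plus a malicious sandbox verdict and is isolated automatically; ws-03 has correlated evidence but no file to detonate, so it lands in the alert band where a human (if one exists) would look; ws-02 and ws-04 stay at the logging level, the latter because the benign sandbox verdict pulled a lone process indicator back down. The design point is that the sandbox verdict is what lets the appliance commit to a decision without an analyst in the loop, which is exactly the pressure enterprises are now feeling.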

SMBs have long known they could learn about information security from enterprises. While they can’t always afford or manage the latest security technology, they can watch as it proves out in the enterprise market and adopt the more mature and effective solutions that come out the other end. However, it’s time enterprises also realized they can learn from SMBs. They may have bigger budgets and more dedicated security staff, but even they can’t keep up with the accelerating threats coming from today’s ecosystem. Consolidation and automation have helped SMBs survive the modern threat landscape so far, and it looks like both are trickling up to the large enterprise.