Year in Review

 Introduction

I've put together some general observations and trends I've seen other the last year below. Overall I think the industry as a whole is in a transient or potentially post-shock stage where we are seeing some improvements but also a lot of firefighting against poor practice.

  • Identity is the new endpoint echoed across all major teams and vendors. Cloud identity-related attacks now overshadow endpoint incidents and vendors have followed suit with varying products and feature updates to include identity-related protection. At present detecting identity-related attacks is still poorly understood the technology put out by vendors needs a lot of work but lack of coverage has been an issue for a long time so its good to see movement in this area.

  • Buy Buy Buy. Most of the largest security vendors have brought up at least one organization this year. This trend sees more capabilities being available to customers at a faster rate but questions still exist about how much the capabilities suffer quality-wise. Some of the biggest purchases are VMWARE to Broadcom, Mandiant to Google Cloud, Attivo to SentinelOne and Datto to Kaseya,

  • The Endpoint Detection and Response industry seems to of settled with some clear favourites after strong challenges from the likes of Cortex and SentinelOne. Crowdstrike appears to of pulled ahead with rapid acquisitions and a heavy emphasis on building a platform tailored to SMBs with Defender for Endpoint and SentinelOne closely following behind. Although some recent licence decisions from Microsoft may upset this again.

  • Managed Detection and Response has exploded this year with all EDR vendors now having their own offerings. This is great for customers as the majority do not have the capability or expertise to manage their EDR tool. Vendor-agnostic MDR services have also seen more success with Expel, Binary Defence and Red Canary pulling ahead largely because of their custom proprietary platforms and the freedom associated with them.

  • Scale and Cloud are the two biggest words in the SIEM industry at the moment with Microsoft Sentinel becoming a large competitor for the traditional model SIEMs such as QRADAR and AlienVault. Splunk needs to work very hard to not lose its spot as the gold standard. Google Cloud has been pushing Chronicle very heavily and we can expect to see more success from the technology as Google is typically postured as the best at big data.

  • Threat Hunting is seeing more popularity partly driven by the success of MDR services already mentioned.

  • Low-sophistication techniques are increasingly being used in replacement of more advanced options as adversaries learn the poor state of the cyber security industry as a whole.

  • Working from home continues to shatter old perceptions of how cyber security should be done. Finally, after three years the industry is making a start on catching up.

  • Zero Trust has seen more talk with significant movements in politics and legislature particularly in the united states. Vendors are still poisoning the well and Zero Trust is still plagued with misconceptions (zero trust as a service lol) but some improvements have been noted.

  • Knowledge and Content sharing have seen big improvements this year lots of sharing and new free resources. Its been a good year for security conferences too Zombie/2022s Best Cons.txt at main · QueenSquishy/Zombie (github.com)

  • Burnout is a big topic now with mentions in both Google and Azure's yearly keynotes. Obviously very welcome

  • Lack of experienced staff has been a big conversation topic and there’s been some effort through college > direct-to-role pipelines but this will take a while to see fruition.

  • Automation continues to pick up pace and the above point is acting as an accelerant. Although the typical 5-6 playbooks then stuck format is still common.



Popular

Endpoint on Adrenaline : One

Brilliance in the Basics

Investigate

Endpoint on Adrenaline 3

Writing detections when stuck with EDR

Endpoint on Adrenaline Two

Investigate Two

Securing your estate: The First Step

Standardized Note Taking Format For Analysts

Attack Simulations for your SOC