💾 TCP Bytes #2: The Security Practitioner's Wish List: 14 Essential Characteristics of an Outstanding Security Product
Howdy! Welcome to The Cybersecurity Pulse 🖥️! It’s been a while since our last release but the gears are starting to turn and we will be back with our weekly programming very soon :) If you enjoy staying up to date on all the innovations occurring in the cybersecurity space, go ahead and click the subscribe button below and we’ll take care of the rest.
Security teams often find themselves drowning in security alerts and issues across a slew of products while struggling to identify what should be prioritized. We hear it all the time and many of us have experienced it. This often leads to serious risks going unaddressed for months until the inevitable breach happens. While factors like understaffing and burnout certainly contribute, I’d say that a significant amount of this thrash stems from security products that overpromise and underdeliver, failing to provide the robust support that teams critically need. In my opinion, the best security products not only tackle their designated challenges but also function as force multipliers, effectively serving as a crucial "Sixth man/woman" on the team.
In my journey as a security practitioner and consultant, I’ve been at the forefront of onboarding, fine-tuning, and operationalizing a variety of security tools across a broad spectrum of environments. From highly regulated environments to large-scale greenfield environments, I’ve worked with CSPMs, SIEMs, firewalls, container runtime, and K8s network security solutions. This has allowed me to develop a solid filter (hopefully) on what separates great security products from mediocre ones.
In this post, I'll highlight the top 14 features, capabilities, and characteristics that I consider crucial in security products. A few caveats before we kick off, though: this isn’t a one-size-fits-all list. Security products serve diverse purposes; comparing a SIEM to a firewall is like comparing apples and oranges. Also, this list is filtered through my lens, shaped by my 6 years in the industry. These are the qualities that, in my experience, distinguish the security products that security practitioners love from the ones that they merely tolerate. My goal with this post is to provide founders, product managers, and others in the security product realm with insight into what security practitioners need from their products. Without further ado, let’s dive into the list!
Note: "Security issue" is a catch-all term that includes alerts, vulnerabilities, findings, misconfigurations, and more.
Intelligent Security Issue Management
Not all security issues are the same. Only a small fraction of them pose significant risks to production environments and/or sensitive data. The Datadog 2023 State of Application Security Report actually found that only 3% of critical vulnerabilities were worth prioritizing. Having a solution that does the legwork of deciphering what's worth prioritizing and actioning makes all the difference in the world. Not only does it save security teams an inordinate amount of time, but it also enables them to zero in on and remediate actual risks and threats. A security product with an in-depth contextual understanding of an environment can be a force multiplier, enabling security teams to focus on keeping the organization out of the news.
Different security products aid in prioritization in various ways, depending on their nature. Examples include:
Asset relationship graphs
Ingesting key metadata from the cloud provider such as resource tags
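To make the two examples above concrete, here is a small added illustration (not code from the post or from any vendor) of how an asset relationship graph and cloud resource tags can be combined to rank findings. The graph, tags, findings and the weighting multipliers are all constructed for the example; the point is that a "critical" scanner score on an unexposed dev box ends up below a medium finding on an internet-facing path to customer data.

```python
"""Contextual prioritization of security findings (added illustration).

A toy asset relationship graph plus cloud resource tags are used to rank
findings so that the small fraction that is actually reachable from the
internet and touches sensitive data sorts to the top. All asset names,
tags, findings and multipliers below are constructed, not from the post.
"""
from collections import deque

# Constructed asset relationship graph: edge A -> B means A can reach B.
ASSET_GRAPH = {
    "internet": ["alb-public"],
    "alb-public": ["web-1"],
    "web-1": ["api-1"],
    "api-1": ["rds-customers"],
    "bastion-internal": ["rds-customers"],
    "batch-worker": ["s3-logs"],
}

# Constructed resource tags, as a CSPM might ingest them from the cloud provider.
ASSET_TAGS = {
    "web-1": {"env": "prod", "data_classification": "public"},
    "api-1": {"env": "prod", "data_classification": "internal"},
    "rds-customers": {"env": "prod", "data_classification": "pii"},
    "bastion-internal": {"env": "prod", "data_classification": "internal"},
    "batch-worker": {"env": "dev", "data_classification": "internal"},
    "s3-logs": {"env": "dev", "data_classification": "internal"},
}

# Constructed findings: (finding id, affected asset, raw scanner severity 0-10).
FINDINGS = [
    ("F-1", "batch-worker", 9.8),      # "critical" CVSS, but dev and not exposed
    ("F-2", "api-1", 7.5),
    ("F-3", "web-1", 6.5),
    ("F-4", "bastion-internal", 9.0),
]


def reachable_from(source, graph):
    """Return the set of assets reachable from `source` (BFS over the graph)."""
    seen = {source}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def priority_score(asset, severity, graph=ASSET_GRAPH, tags=ASSET_TAGS):
    """Combine raw scanner severity with environment context.

    score = severity * exposure multiplier * blast-radius multiplier * env multiplier
    The multipliers are illustrative assumptions, not from the post or any product.
    """
    exposed = asset in reachable_from("internet", graph)
    downstream = reachable_from(asset, graph)
    touches_pii = any(
        tags.get(a, {}).get("data_classification") == "pii" for a in downstream
    )
    env = tags.get(asset, {}).get("env", "unknown")

    score = severity
    score *= 2.0 if exposed else 0.5        # internet-reachable assets weigh more
    score *= 1.5 if touches_pii else 1.0    # can the attacker pivot to PII from here?
    score *= 1.0 if env == "prod" else 0.5  # non-production is discounted
    return score


def rank_findings(findings=FINDINGS):
    """Return (id, asset, raw severity, contextual score), highest score first."""
    ranked = [(fid, asset, sev, priority_score(asset, sev)) for fid, asset, sev in findings]
    return sorted(ranked, key=lambda row: row[3], reverse=True)


if __name__ == "__main__":
    for fid, asset, sev, score in rank_findings():
        print(f"{fid:4} {asset:18} raw={sev:<4} contextual={score}")
```

With the constructed data, F-2 (api-1, raw 7.5) and F-3 (web-1, raw 6.5) outrank F-4 and F-1 because they sit on the internet-reachable path to the PII database, while the raw 9.8 on the dev batch worker lands last. Real products use richer signals (exploitability, identity permissions, runtime reachability), but the shape of the calculation is the same.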
User-Friendly Interface
I've dealt with products with great user experience (UX) and ones with horrendous UX. The latter often consists of clunky design that requires lots of clicking around to find the information that I'm looking for, or even worse, the information is hidden in plain sight amongst a cluttered dashboard.
Regardless of what kind of security product we're talking about, it's easy to know what information and functionality users need from a product. Whether it's a CSPM, DSPM, KSPM, ZTSPM, or LLMSPM doesn't matter: the product should aim to surface the most crucial details for a security issue in a simple fashion while providing options to resolve the issue.
Below are some considerations that I think about when assessing the UX of a security product:
Is it easy to action/remediate security issues? For example, can I click a hotlink that will bring me over to the cloud provider and show me the resource that is at risk?
Can I share alerts, findings, and issues with my teammates?
Integrations. How easy is it to create a Jira ticket or Slack message? Does it take 1-2 clicks or 7?
Is the product presenting irrelevant or excessive information or is it summarizing and surfacing the important details that I need to address the security issue?
A great filtering experience
Case Management
This one is pretty straightforward. Can users assign the finding to a teammate within the app? Can notes and status updates be added to the living security issue? Can you mark the issue as remediated? What does the security issue lifecycle look like?
Sure, many organizations use ticketing systems like Jira or ServiceNow to achieve much of this, but that requires pivoting between and maintaining status across two platforms, which is inefficient. If you can provide some of this functionality in-app, you save users time and headaches, and you aid the remediation phase of the lifecycle. I haven’t used Cortex XSOAR in 2-3 years, but it’s one product I can think of that really nailed case management. I particularly loved the ChatOps feature.
The reason I have this functionality so high on the list is that I can't tell you the number of times I've seen security issues sit unresolved for weeks: one team has to get approval from another stakeholder because the remediation may impact production, and by the time the next meeting comes around, nothing has been resolved and there’s another fire to put out. This happens more than you think, and if a security product can do even just a smidge to mitigate this, then that's a big win.
Smooth Onboarding
I once had a very crappy onboarding experience with a Kubernetes network security solution and it drove me crazy. The documentation was unformatted and outdated, which led to me reaching out to the product manager every other day. To cut them some slack, the solution had recently come in through an acquisition, but there is no reason that the end user, me, should have felt the thrash.
While product demos are the first impression that users get, onboarding and implementation are where the rubber really meets the road. If there are significant issues in these first few steps then the product is taking away time that practitioners could be using focusing on true security efforts and this inevitably leaves a bad taste in the user’s mouth.
Wide-Ranging Integrations
Security products should support integration with an organization's existing tech stack. In a world where the average organization leverages 100+ SaaS solutions, the modern security team is forced to lock down and monitor a myriad of apps and infrastructure. The last thing a security practitioner wants is for a product to exist in a silo to the point where we have to build custom API solutions to get the data we need where we need it, then properly format it and ensure that the data is getting there as comprehensively and quickly as possible. We expect out-of-the-box integrations and functionality that remove the need to engineer custom solutions. Supported integrations should include ticketing systems, data lakes, and best-of-breed security solutions.
Comprehensive Service Coverage
Many solutions lack comprehensive coverage and support for the not-so-common or newly released cloud services. Examples include AI/ML, IoT, and data-focused services such as Amazon Security Lake or the Azure OpenAI service. These services are being used in many production environments today, but I would bet that a majority of security solutions are not providing coverage for them. This creates a blind spot that forces security teams to come up with alternatives.
While comprehensive threat and risk coverage for critical services like compute, storage, and networking is essential, I believe there are several other service types that equally warrant in-depth protection.
Scalability
Isn’t it lovely when you onboard a product on one AWS account or Azure subscription and everything is working fine and dandy, but then you implement it across your entire multi-cloud estate and begin having latency issues? Or even better, the data displayed in the product is incomplete or inaccurate?
I’ve experienced this in the past and it led to a wild goose chase with the product team, which is the last thing security practitioners need. I can imagine that this has caused a number of issues for incident response teams in the past, specifically when they’re not able to find the logs for a certain timeframe. Please don’t be this vendor! Stress test your stuff in as many ways as possible to ensure that it is battle ready.
Thriving User Community
Another key factor that I look for in a security product, and am thrilled when I find it, is a thriving user community. This often looks like active public community forums with support and engagement from the product’s support team. These forums are often found on Reddit, GitHub, or StackOverflow, or are hosted on the company site.
I can’t tell you the amount of joy I get when I run into an issue and find a forum where someone else had the same issue, and the solution is made public for all to see. I also think this aspect is key for product managers because it allows them to identify where users’ biggest and most common pain points are.
Up-to-Date Documentation
This one goes hand in hand with the section above but goes beyond it. Ensuring that product-related documentation and instructions are always kept up to date is crucial. Having product training materials and how-to videos is the cherry on top, as it often removes the need for users to reach out to their point of contact within the vendor organization or to figure it out on their own.
Customizability
Customizability is one of those characteristics that can make or break the product experience for a practitioner. Are users stuck with only out-of-the-box functionality, or can we build our own dashboards, detection rules, data connectors, etc.?
Every environment is different and will have unique use cases that the product team may not have identified or solved for yet. If security practitioners aren’t able to solve for that edge case themselves, they will inevitably be pulled toward a product that will allow them to.
Lastly, having the capability to create our own dashboards and graphs based on our own parameters is crucial. If security leadership or an auditor wants to see how many issues we’ve remediated in the EU regions over the past 3 months, then we should be able to answer this via a customizable dashboard in minutes.
Automation
This should be a table-stakes feature for any security product looking to be successful in today’s saturated and hyper-competitive security landscape. Automation should be sprinkled across the user journey, whether it’s automated threat response/containment, being able to auto-remediate a batch of security misconfigurations, or automagically detecting anomalous activity that deviates from a continuously auto-recorded baseline. Automation saves time, and if a product requires tons of manual labor to get value from it, then security practitioners will find another way to solve their challenges.
Collaboration and Reporting
Some of the best security products that I’ve worked with enable collaboration between and across teams. For example, they allow users to save and securely share threat-hunting queries and their results with teammates. They also have great exporting and reporting options, such as Excel spreadsheets with raw data, streaming data via API, or a prettified PDF that is presentable in meetings. The latter is key because it helps with reporting status and assigning security issues across teams that may not have access to the product. The API option also gives users the flexibility to work with the data programmatically.
Security and Privacy
Not so long ago it was commonplace for security products to require admin-level permissions to properly operate in an environment. After a few security incidents and tons of shaming from the security community, most vendors no longer require these excessive permissions that they didn’t need in the first place. However, there are still a few vendors out there that do, and you’ll probably see them getting roasted on Twitter, BlueSky, Threads, or whatever the kids are using these days.
At the end of the day, a security product should be helping organizations become more secure, not less. This means they should have fine-grained access controls, require limited permissions, employ data encryption, provide audit logs, and should comply with required standards and regulations such as SOC 2, HIPAA, or whatever else is applicable.
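One practical check that follows from the "require limited permissions" point above: before granting a vendor's role, review the policy it asks for. Below is an added example (not code from the post or from any vendor) of a small linter over AWS IAM-style policy JSON that flags wildcard and write-capable actions, applied to a constructed "just give us admin" policy and a constructed read-only alternative. The read-only prefix list and the sample policies are assumptions for the illustration.

```python
"""Review the permissions a security product requests before onboarding it.

Added illustration, not from the post: a checker that flags IAM-style Allow
statements granting wildcard or write-capable actions, so a team can compare
a vendor's requested role against a least-privilege alternative. All three
policies below are constructed samples in AWS IAM JSON shape.
"""
import json

# Constructed: the kind of admin-level role the post says vendors used to demand.
EXCESSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed: a read-only role scoped to what a posture scanner actually needs.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:Describe*",
            "s3:GetBucketPolicy",
            "s3:ListAllMyBuckets",
            "iam:GetAccountAuthorizationDetails",
        ],
        "Resource": "*",
    }],
})

# Constructed: a mixed request with a service-wide wildcard and a destructive action.
MIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:*", "ec2:TerminateInstances"],
        "Resource": "*",
    }],
})

# Assumption: action verbs starting with these prefixes are treated as read-only.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """IAM allows a single string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def review_policy(policy_json):
    """Return human-readable findings for every risky Allow statement.

    Checks Action only; a fuller review would also look at NotAction, Resource
    scoping and Condition blocks, which this illustration leaves out.
    """
    policy = json.loads(policy_json)
    problems = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                problems.append(f"statement {i}: full wildcard action '*'")
                continue
            _service, _, verb = action.partition(":")
            if verb == "*":
                problems.append(f"statement {i}: service-wide wildcard '{action}'")
            elif not verb.startswith(READ_ONLY_PREFIXES):
                problems.append(f"statement {i}: write-capable action '{action}'")
    return problems


def is_least_privilege(policy_json):
    """True when the policy contains nothing the checker considers excessive."""
    return review_policy(policy_json) == []


if __name__ == "__main__":
    for name, policy in [("excessive", EXCESSIVE_POLICY),
                         ("scoped", SCOPED_POLICY),
                         ("mixed", MIXED_POLICY)]:
        print(name, "->", review_policy(policy) or "OK")
```

The prefix heuristic is deliberately coarse: some `Get*` calls return secrets and some non-read verbs are harmless, so treat the output as a review aid that tells you which statements to read carefully, not as an automatic approval.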
Transparent Pricing
This is especially important given the economic times we find ourselves in. Pricing should be clear and easy to find. I shouldn’t have to contact sales or go through an extensive Q&A just to get pricing. The pricing breakdown should also have a clear delineation of what features and levels of support are provided for each pricing tier.
In summary, today's security teams need products that act as force multipliers in their ever-evolving, complex environments. The standout features of the best security products include intelligent issue management, a user-friendly interface, smooth onboarding, wide-ranging integrations, scalability, robust community support, customizability, automation, collaboration capabilities, strong security and privacy, and transparent pricing. These are necessities, not “nice to haves”. It's time to redefine our expectations of security products. We need to push for tools that are more than just features on a checklist: smart, intuitive partners in defense that help bridge the security gap we’ve been experiencing for decades.