What is the best commercial security product of the last decade?

I was thinking the other day, the majority of the chatter between security professionals and security vendors on the Internet is overly negative. I myself, have been guilty of giving vendors a hard time over the years. In my defense most of the time it’s been in response to overly aggressive sales tactics, or outrageous claims about their products.

Never, for example, should you slide an unsolicited calendar invite my way and expect that to end well.

So, to reverse the negativity and take a moment to reflect on the positives, I decided to come up with a list of the security vendors and their products that I genuinely believe have made the world a more secure place over the past decade. Then, I decided to pick one that I think has had or at least will have had the single greatest impact on information security during that period and into the future.

Some disclaimers:

  • No vendor has paid me to appear on this list. Quite the opposite in fact.
  • I’ve deployed each tool on this list multiple times, successfully, in different environments.
  • This list is focused on commercial products, not open-source.
  • Doesn’t have to be a security-focused product to have had a positive impact on security.
  • This is my own opinion, therefore, you may not agree, but I’m allowed to have one.

Honorable mentions:

Ok, so I narrowed it down to five companies/products. Then I picked the ‘winner’. These four, are the four who I believe were in with a shout of winning but didn’t quite make it.

The single biggest challenge with any security tool deployment is the time it takes to actually do the deploying. Most security tools get about 75% of the way there, and something happens to ensure they never get fully deployed (see: the security tool death cycle).

Cisco Umbrella, which I will forever call OpenDNS, is not one of those tools. You can go from zero coverage to good coverage at a global organization within a few clicks with zero disruption to users. You immediately start to tho reap the benefits, measurably. I’ve done it a couple of times, and I highly recommend OpenDNS as a good catch-all defensive layer.

OpenDNS allows you to block certain types of DNS-based malware traffic, as well as doing a reasonable job of good ol’ web filtering. You can deploy OpenDNS without using agents, and instead, just reconfigure your DNS servers to forward DNS traffic to their service. This approach, while not un-bypassable, is a very quick way of getting coverage on many many devices without having to do a long-drawn-out deployment. Also, go get it for free at home, and encourage your employees to do the same.

https://www.opendns.com/

A well-deployed vulnerability scanner that runs on a regular basis, whichever one it is, does wonders — but only if A) you actually look at the results, and B) you are able to do something with those results, such as, you know, patch the vulnerability.

But there is something more fundamental with vulnerability scanners that will greatly benefit the corporate information security team. It’s probably going to be the best asset management tool in a traditional, on-premises network environment. You see, in order to defend a thing, you must first know the thing exists. Many companies simply cannot tell you about their things, so, therefore, they cannot defend them.

Compare a vulnerability scan to the official ‘asset management’ record, and you’ll probably find more on the scan. So, why not use it to directly feed that record?

Quite honestly, I couldn’t differentiate between the three products listed above. I’ve used them all, the deployment goes about the same, the UX is about the same, and the results are about the same. I don’t have a favorite, so you’ll have to pick your own.

https://www.tenable.com/ | https://www.rapid7.com/ | https://www.qualys.com/

“But…but…the cloud is just someone else's computer! S3 buckets!? Google is evil!” I hear you scream. Why on Earth would I put all these IaaS platforms on this list? Quite simply, I’d rather trust my data to a cloud environment than a forgotten colocated physical server in a dusty data center behind the Walmart.

Also, we just talked about asset management. If you run your service from a cloud environment, asset management is pretty much done for you. You start a thing, and it appears on a list of things. You stop that thing, and it goes away. It’s always up to date. Then you can add monitoring and logging to those things and you’re in a really good spot.

Yes, you can screw up a cloud deployment. Yes, people are still learning how to do things properly. But, when they are done properly, and it’s getting easier and easier to do so, you cannot beat the security and visibility afforded by one of these providers. Comes at a cost of course, but so does your cyber insurance if you screw something else up.

Cost is another good driver of security hygiene. It benefits you to kill things that don’t need to run all the time, and the less something is running, the less likely it is to run into trouble. That’s why, in my opinion, IaaS providers, such as the big three, have done quite a considerable amount for overall worldwide information security.

Yes, Oracle, I’m sure you’re good as well, settle down.

https://aws.amazon.com https://azure.microsoft.com/ https://cloud.google.com/

I hate email. I hate checking emails. I hate getting emails. I hate filtering out the crap that comes via email. I hate phishing. I hate spam. I hate scams. Most of all, I hate running email infrastructure. I have zero, literally zero, business doing it. The mailbox databases, the replication, the transport rules, the policies. Blagh.

Public folders? Good lord.

So, the good news is, I don’t need to do any of it. Office 365 will take care of it. I’m cool with that, and I trust Microsoft to do a good job. I picked Office 365 rather than say, Google Workspaces, because of the volume of organisations that have made that transition from on-premises Exchange.

Email is such, if not the most, vulnerable entry/exit point into an organization. Therefore, it has to absolutely be managed correctly. Email dumps are highly sensitive and damaging. If you’re spending all your time keeping email up and running, you have zero time left over to spend looking for the highly specific events that would damage your business. With Office 365 hosting email, and the other stuff, the focus can be exclusively on email security rather than email operation — and that is huge.

The Winner:

Ok, so as you can tell, some huge names here, and probably not very many surprises. Ultimately I decided that this company and its product have had the single biggest impact on organizational security in the last decade, and I’ll explain my reasons why.

SaaS products in use at any given company can outnumber the number of employees, and therefore knowing who is accessing what, when, and where from is fundamentally important.

Okta solves this problem, and more.

Okta has done something that very few security products have done, in history. They’re a security tool that people A) like to use, and B) don’t even realize is a security tool. Okta makes life more convenient and more secure. That’s something that shouldn’t be possible, according to the textbooks.

Using Okta, I’ve rolled out multifactor authentication to well over a thousand people, around the world, in a few weeks. Twice.

Using Okta, I have a pause button I can use to freeze access to everything if an account appears to be behaving strangely. Provisioning and de-provisioning are simple and can be automated. People can get the access they need quickly, without having to bypass a process, which is just as important, in my opinion, as taking access away.

That’s why I think Okta is the single best commercial security product over the last decade.

Identity and Access Management projects are huge undertakings. I cannot begin to tell you how much time I’ve spent on them over the past 15 years. It’s a lot. Some are probably still going on. In places where I’ve had Okta, however, I’ve at least come very close to having finished them.

Is Okta perfect? No, there are still areas where it could be improved. It’s still not a complete replacement for a traditional Active Directory setup, for one. It would be good if it could be.

So there you go. An infosec person talking nicely about infosec vendors. Proof that it can happen.

Information security professional specializing in SecOps, IR and Digital Forensics. Author of the Digital Forensic Diaries, and now, the Pen Test Diaries.