In 2015 IT-Harvest took another stab at compiling a list of all the IT security vendors in the world. Some of the preliminary data I presented at RSA on their TV channel. The most difficult task in putting together such a list is deciding how to classify each vendor into a category. But once that arduous task is completed I can start digging into each category. I started to look at Threat Intelligence vendors last August, although I had been engaging with several of them for years.
Richard Stiennon Presents at RSAC 2016
The threat intelligence market has three primary segments: threat intelligence providers, threat intelligence platforms (TIPs), and the modern defenses that consume threat intelligence to identify and block targeted attacks. Threat intelligence feeds consist of Indicators of Compromise (IoCs): IP reputation, file fingerprints (hashes), and components of malware. Several vendors, notably iSIGHT Partners, sell subscriptions to reports that outline threat actors' Tactics, Techniques, and Procedures (TTPs). Platforms aggregate and analyze feeds and make the resulting indicators available to security enforcement tools such as firewalls, proxies, and endpoint agents.
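To make the platform role concrete, here is an added example (written for this page, not code from any vendor mentioned) of the minimum a TIP does: ingest two constructed feeds in different formats, normalise the indicators so the same observable from two sources collapses to one record, merge confidence and tags, match the result against constructed log lines from a proxy, an EDR agent, and a firewall, and export a blocklist an enforcement tool could consume. The feed layouts, the 75-point block threshold, the sample addresses (RFC 5737 documentation ranges) and the hash (SHA-256 of the empty string) are all assumptions for illustration.

```python
"""Toy threat-intelligence platform (added example): normalise feeds, merge, match logs."""
import csv
import io
import json
import re

BLOCK_THRESHOLD = 75  # assumption: indicators at or above this confidence are blocked, lower ones only alert

# Constructed sample feeds. Addresses are RFC 5737 documentation ranges; the hash is
# SHA-256 of the empty string. None of this is real threat intelligence.
IP_REPUTATION_CSV = """\
indicator,confidence,tags
198.51.100.23,90,c2
203.0.113.7,40,scanner
198.51.100.23,60,c2
"""
MALWARE_JSON = json.dumps({"indicators": [
    {"type": "sha256", "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
     "confidence": 95, "tags": ["dropper"]},
    {"type": "domain", "value": "Update-Check.example.", "confidence": 70, "tags": ["c2"]},
    {"type": "ipv4", "value": "203.0.113.7", "confidence": 80, "tags": ["c2"]},
]})
# Constructed log lines from three sensors (proxy, EDR, firewall).
SAMPLE_LOGS = [
    "2016-02-29T10:01:02Z proxy src=10.0.0.5 dst=198.51.100.23 host=update-check.example",
    "2016-02-29T10:02:10Z proxy src=10.0.0.9 dst=192.0.2.44 host=www.example.org",
    "2016-02-29T10:03:00Z edr endpoint=ws17 file=C:\\Temp\\a.exe "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2016-02-29T10:04:30Z fw src=203.0.113.7 dst=10.0.0.1 action=allow",
]


def normalise(itype, value):
    """Canonical form so the same observable from two feeds dedupes to one key."""
    value = value.strip()
    if itype in ("sha256", "sha1", "md5"):
        return value.lower()
    if itype == "domain":
        return value.lower().rstrip(".")  # drop the trailing dot of an FQDN
    return value


def parse_ip_csv(text, source):
    """CSV feed: one IP per row with a confidence score and a single tag."""
    return [{"type": "ipv4", "value": normalise("ipv4", row["indicator"]),
             "confidence": int(row["confidence"]), "tags": {row["tags"]}, "sources": {source}}
            for row in csv.DictReader(io.StringIO(text))]


def parse_malware_json(text, source):
    """JSON feed: typed indicators (hashes, domains, IPs) with tag lists."""
    return [{"type": i["type"], "value": normalise(i["type"], i["value"]),
             "confidence": int(i["confidence"]), "tags": set(i["tags"]), "sources": {source}}
            for i in json.loads(text)["indicators"]]


def build_index(*feeds):
    """Merge feeds into {(type, value): record}: keep the highest confidence, union tags and sources."""
    index = {}
    for feed in feeds:
        for ind in feed:
            key = (ind["type"], ind["value"])
            rec = index.get(key)
            if rec is None:
                index[key] = {"confidence": ind["confidence"],
                              "tags": set(ind["tags"]), "sources": set(ind["sources"])}
            else:
                rec["confidence"] = max(rec["confidence"], ind["confidence"])
                rec["tags"] |= ind["tags"]
                rec["sources"] |= ind["sources"]
    return index


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
HOST_RE = re.compile(r"\bhost=([A-Za-z0-9.-]+)")


def extract_observables(line):
    """Pull candidate (type, value) pairs out of a raw log line, in a fixed order."""
    found = [("ipv4", v) for v in IPV4_RE.findall(line)]
    found += [("sha256", normalise("sha256", v)) for v in SHA256_RE.findall(line)]
    found += [("domain", normalise("domain", v)) for v in HOST_RE.findall(line)]
    return found


def match_logs(lines, index, block_threshold=BLOCK_THRESHOLD):
    """One hit per (line, indicator) with the action an enforcement tool should take."""
    hits = []
    for n, line in enumerate(lines):
        for key in extract_observables(line):
            rec = index.get(key)
            if rec is None:
                continue
            hits.append({"line": n, "type": key[0], "value": key[1],
                         "confidence": rec["confidence"], "tags": sorted(rec["tags"]),
                         "action": "block" if rec["confidence"] >= block_threshold else "alert"})
    return hits


def blocklist(index, itype, min_confidence=BLOCK_THRESHOLD):
    """Export the indicators of one type that an enforcement tool should block outright."""
    return sorted(v for (t, v), rec in index.items()
                  if t == itype and rec["confidence"] >= min_confidence)


if __name__ == "__main__":
    idx = build_index(parse_ip_csv(IP_REPUTATION_CSV, "ipfeed"),
                      parse_malware_json(MALWARE_JSON, "malfeed"))
    for hit in match_logs(SAMPLE_LOGS, idx):
        print(hit)
    print("firewall blocklist:", blocklist(idx, "ipv4"))
```

Two details matter more than they look. Normalisation is what lets the 203.0.113.7 entry scored 40 by the IP feed and 80 by the malware feed merge into one record carrying both sources and both tags; without it a platform double-counts and a consumer sees conflicting verdicts. And the confidence threshold is the knob that separates what goes to an in-line blocker from what only raises an alert for an analyst, which is why a low-confidence "scanner" tag alone should never reach a firewall blocklist.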
According to my research the threat feed segment accounted for $190 million in revenue in 2015 and is growing at 85 percent annually. The TIP segment accounted for $61 million and is growing at 84 percent annually, roughly three and a half times the 24 percent annual growth of the overall security market.
The threat intelligence industry is still in its early stages. It has grown rapidly so far and is already experiencing strong M&A activity. It also appears that the current decline in venture capital activity may be sparking some early exits, although investments are still being made and will continue throughout 2016.
Countering targeted attacks has become the most pressing requirement for cyber defense. Long dominated by firewalls, anti-virus, and access controls, the cybersecurity industry is in the midst of a re-invention. As always, the industry is driven by threat actors: hackers, cyber criminals, hacktivists, and now nation states.
However, for years the industry's driving philosophy was to ignore the threat actors and focus on the actual attacks. Firewalls were deployed to limit access to corporate networks. Intrusion Prevention Systems (IPS) were deployed to block known worms and network exploits. Frequently updated anti-virus on the endpoint helped control the spread of malicious software such as Trojans, spyware, and worms. Defenders did not worry about who was attacking them, only the signature of the attack.
The rise of targeted attacks, specifically from nation state actors, can be traced to the 2003-2004 Titan Rain incidents, in which a lone analyst at Sandia National Laboratories, Shawn Carpenter, discovered widespread infiltration of government research labs and military bases. While well known inside the defense industrial base (DIB), it was not until Mandiant published its APT1 report in 2013 that the industry started to respond to the devastating impact of targeted attacks with new tools and services. That report, published the week before the RSA Conference in San Francisco, caused an entire industry to pivot.