Investing in Modern Cybersecurity: Network Security
19 September 2022
In this five-part series, we aim to explore the world of cybersecurity and its investment opportunities. In the previous issues, we looked at threat intelligence, application security, and endpoint security. Here, we continue to move down the chain and explore how to protect the heart of the digital world: the network.
Network security: navigating from its past to its future
Network Security deals with protecting users and resources within a trusted local network from untrusted external networks.
The infrastructure segment has historically relied on firewalls, which remain in use today, though only after drastic evolution.
VPNs have had their moment of glory, but are already on the verge of obsolescence due to their intrinsic limitations.
The fundamental question: who are you?
On top of the infrastructure side, users navigating the network need to be identified and granted only the access their role requires, so that private data stays out of reach of everyone else.
IAM, PAM, and CIEM deal with segregating the different classes of identities and connections, from the most basic to the most privileged ones.
After years of siloed solutions, the market is progressively pushing for converging ones.
Looking beyond the hype
Networking architectures are today at the mercy of new threats that have emerged with the advent of mobility and cloud computing.
New frameworks and architectures have emerged to tackle the problem, the most popular being Zero Trust, on top of which are built SASE and SSE.
Built for the future, these solutions are attracting virtually every cybersecurity player, although not that many can claim to have an extensive and efficient solution.
Network security: navigating from its past to its future
Our previous issues introduced how application security and threat intelligence are foundational to cybersecurity and how endpoint security has evolved over its already long history. In this issue, we cover the center of the web, i.e., network security; as shown on the map below (the full version with contextual details can be found here), we split this segment between infrastructure and identity. A network should be understood as a series of computing devices (e.g., PCs, servers, smartphones) electronically linked together. The largest networks encompass billions of devices (e.g., the internet). In addition, for the sake of simplicity, we will treat an organization's computer network as a single entity. In cybersecurity's traditional model, securing the network followed a "castle-and-moat" approach: what mattered was ensuring that no threat could penetrate the outer layer of the network, much like walls securing a medieval city; once allowed in, a connection was considered trusted. This model is obsolete today, something we come back to later in this article, but it was crucial in giving birth to one of the oldest cybersecurity solutions: the firewall.
Fundamentally, firewalls are barriers between two (or more) networks, e.g., between a company's internal network and the internet. They generally take the form of a physical appliance similar to a small computer, although some firewalls exist only as software. They monitor and filter inbound and outbound traffic against a configurable set of security rules (ideally, anything not explicitly allowed is denied), ensuring that no unapproved traffic from an untrusted network reaches a trusted network.
The first generation of firewalls relied on packet filtering: the device took a binary decision, i.e., allowed or discarded packets (the base unit of data transmission in computer networks) based on simple rules over header fields such as the source and destination address, the protocol, or the port number, the latter distinguishing the type of traffic (e.g., port 25 for email transmission). Although primitive, this method provided a first layer of defense and was not computing-intensive, which suited the limited processing power available at the time. Its main shortcoming was that each packet was judged in isolation: a stateless filter has no notion of the connection a packet belongs to, so, to let replies to legitimate outbound connections back in, it has to admit any inbound packet that merely looks like a reply.
The second generation, stateful firewalls, was born in the late 1980s. They added connection tracking and logging to address the previous generation's shortcoming. This dynamic packet filtering lets them determine whether a packet belongs to an existing, already-approved connection (and is therefore deemed safe) or opens a new one (potentially a threat), adding a further level of security and flexibility. However, the connection table has finite capacity: a flood of new connection attempts (e.g., a SYN flood) can exhaust it, and crafted packets can still abuse protocols the firewall does not understand, which quickly limits its value on its own.
The third generation of firewalls was therefore developed in the mid-1990s. Known as application firewalls, they are based on "understanding" the inner mechanisms of communication protocols (e.g., HTTP, DNS, FTP) and how applications use them. As a result, they can detect attackers using a protocol as an attack vector, for instance tunneling an unrelated protocol over a port that the rules allow. Combining the capabilities of these three generations proved broadly sufficient until the explosion of internet traffic in the 2000s and the rise of cloud and mobile applications.
The latest generation, Next-Generation Firewalls (NGFWs), largely relies on the foundations established by application firewalls but extends their reach with additional capabilities, technologies, and computing power. The main feature of NGFWs is deep packet inspection: instead of looking superficially at transiting packets (their headers), these firewalls examine the packets' content directly. NGFWs combine this technology with richer context (which user and which application generate the traffic), additional features such as intrusion prevention, URL filtering and inspection of TLS-encrypted traffic, and tight integration with endpoint security and identity management solutions.
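The three mechanisms above are easiest to compare on concrete packets. The following Python script is an added illustration, not code from the article or from any vendor: it implements a toy stateless filter, a stateful filter with a finite connection table, and an application-layer check for port 80, and runs constructed packets (documentation IP ranges, made-up ports and payloads) through each to show the forged-ACK weakness of generation one, the state-table exhaustion of generation two, and the protocol-tunneling detection of generation three.

```python
"""Added example (not from the article): three firewall generations applied to
constructed packets, showing what each one catches and where it fails.
Packets, addresses (RFC 5737 documentation ranges) and rules are all made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset({"SYN"})  # TCP flags; {"SYN"} = new connection
    payload: bytes = b""


WEB_SERVER = "10.0.0.80"  # the only internal host the internet may reach


def is_internal(ip: str) -> bool:
    return ip.startswith("10.0.0.")


# Generation 1: stateless packet filter. Each packet is judged on its own
# header fields. To let replies to outbound connections back in, it must admit
# inbound packets carrying ACK, and that bit is trivially forged (ACK scan).
def packet_filter(p: Packet) -> bool:
    if is_internal(p.src):
        return True
    if p.dst == WEB_SERVER and p.dport in (80, 443):
        return True
    return "ACK" in p.flags  # "looks like a reply", but nothing checks that


# Generation 2: stateful filter. A connection table records approved flows,
# so only packets belonging to one are admitted; everything else needs a
# fresh SYN that the policy allows. The table is finite and can be flooded.
class StatefulFirewall:
    def __init__(self, max_states: int = 4):
        self.table = set()  # (src, sport, dst, dport) of approved flows
        self.max_states = max_states

    def allow(self, p: Packet) -> bool:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table or rev in self.table:
            return True  # part of a tracked connection, either direction
        if "SYN" not in p.flags or "ACK" in p.flags:
            return False  # not a connection attempt and no state: drop
        new_ok = is_internal(p.src) or (p.dst == WEB_SERVER and p.dport in (80, 443))
        if not new_ok or len(self.table) >= self.max_states:
            return False  # policy deny, or table exhausted (e.g. SYN flood)
        self.table.add(fwd)
        return True


# Generation 3: application-layer check. Port 80 is allowed, but the payload
# must actually be HTTP; an SSH session tunneled over port 80 is rejected.
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}


def looks_like_http(payload: bytes) -> bool:
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/1.")


def application_filter(p: Packet) -> bool:
    if p.dport == 80 and p.payload:
        return looks_like_http(p.payload)
    return True


def demo() -> dict:
    """Run the constructed packets through each generation; returns the verdicts."""
    out = {}
    # Forged ACK from the internet aimed at an internal file server.
    ack_scan = Packet("198.51.100.7", 40000, "10.0.0.5", 445, flags=frozenset({"ACK"}))
    out["gen1_ack_scan"] = packet_filter(ack_scan)      # True: fooled
    fw = StatefulFirewall(max_states=4)
    out["gen2_ack_scan"] = fw.allow(ack_scan)           # False: no tracked flow
    # Legitimate outbound HTTPS and its SYN/ACK reply.
    outbound = Packet("10.0.0.5", 51000, "203.0.113.9", 443)
    reply = Packet("203.0.113.9", 443, "10.0.0.5", 51000, flags=frozenset({"SYN", "ACK"}))
    out["gen2_outbound"] = fw.allow(outbound)           # True: new flow recorded
    out["gen2_reply"] = fw.allow(reply)                 # True: matches the flow
    # SYN flood against the web server fills the remaining table slots...
    for i in range(10):
        fw.allow(Packet(f"192.0.2.{i}", 1000 + i, WEB_SERVER, 80))
    # ...so a perfectly legitimate new outbound connection is now refused.
    out["gen2_after_flood"] = fw.allow(Packet("10.0.0.6", 52000, "203.0.113.9", 443))
    # Application layer: real HTTP vs. an SSH banner on port 80.
    http = Packet("10.0.0.5", 53000, "203.0.113.9", 80, flags=frozenset({"ACK"}),
                  payload=b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
    ssh = Packet("10.0.0.5", 53001, "203.0.113.9", 80, flags=frozenset({"ACK"}),
                 payload=b"SSH-2.0-OpenSSH_9.0\r\n")
    out["gen3_http"] = application_filter(http)         # True
    out["gen3_ssh_on_80"] = application_filter(ssh)     # False
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {'ALLOW' if verdict else 'DROP'}")
```

Running it prints the verdicts; the point to take away is that each generation catches the case the previous one missed while adding a resource (the connection table) that can itself be attacked.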
Ultimately, firewall devices have become complex machinery, where software has taken the lead over hardware, which is almost commoditized. Thanks to these recent developments, firewalls remain at the core of the network infrastructure and are expected to remain so in the foreseeable future. They proved to be both inescapable and adaptable at the same time. With the growing importance of the software component, the next generation is expected to become wholly virtualized to fit perfectly within new cloud-centered infrastructures and be deployed in containers or on an "as-a-Service" basis (FWaaS). This would end the era of physical appliances and fully adapt to a new digital era demanding more flexibility, granularity, and efficiency: not bad for a technology that is well over thirty years old!
As a side note, a newer technology complements firewalls: Secure Web Gateways (SWGs) resemble firewalls but filter only outbound web traffic, protecting users from malicious or non-compliant destinations according to predefined rules. Positioned in front of the firewall, as a proxy between users and the web, they do not inspect individual packets but the web requests themselves (URLs, site categories, downloaded files) according to the organization's policy. They de facto act as a first line of defense and as a prefilter for the firewall, allowing it to focus on more specific tasks.
As became evident during the Covid-19 pandemic, but was already more than an emerging trend, workers are increasingly required to be mobile. However, for technical and security reasons, remotely accessing resources stored on the corporate network could prove complicated, if not impossible, taking a significant toll on corporate efficiency. The solution was the Virtual Private Network (VPN).
This technology establishes a point-to-point connection between the user and a trusted network, generally over the internet, that prevents eavesdropping. VPNs either provide remote access (one user connecting to a local network) or site-to-site connectivity (remotely "merging" two local networks); they can be set up through a dedicated client or accessed through a compatible web browser. Technically, VPNs rely on tunneling protocols (e.g., IPsec, WireGuard, TLS-based tunnels) that encapsulate and generally encrypt the transiting data: anyone intercepting the transmission sees only ciphertext.
However, their main drawback is that they operate at the network level: a VPN does not connect a user to specific applications but places the device on the corporate network, on an "all or nothing" basis. This leads to fundamental limitations: all traffic is hairpinned through the VPN concentrator, which needs a lot of bandwidth, and as bandwidth is not unlimited, VPNs tend to be slow. They are also expensive to scale, and if the connecting device or network is compromised, the attacker inherits reachability to the whole network. These limitations are acceptable when only a limited number of users rely on VPNs but rapidly become unacceptable in the light of the new pandemic-induced corporate reality. Therefore, they will be replaced by Zero Trust technologies (cf. the "Looking beyond the hype" section below).
As is frequently the case in the history of technology, early innovators do not necessarily become market leaders. As far as firewalls are concerned, the two leaders (in terms of the combination of market share and innovation) are Palo Alto Networks and Fortinet, both founded in the 21st century, which successfully transitioned to NGFWs after establishing their superiority in legacy firewalls. They are followed by Check Point, an exception since the company was founded in 1993, one of the few legacy players that has survived until today but which clearly lags behind the other two. This group of established players faces competition from serious challengers in the form of network equipment makers, notably Cisco, Juniper, and Huawei, which benefit from a larger footprint and strong commercial synergies but are not considered specialists. Ultimately, the biggest threat could come from cloud providers such as Amazon and Microsoft, which have launched virtualized offerings: although they remain niche players for now, their powerful ecosystems, their sheer size, and the evolution of the market could favor them in the future.
On the VPN side, the market has largely been cannibalized as larger solution providers have bundled VPNs into their packages, the technology progressively becoming a legacy one. Apart from Cisco, notable players include F5, Citrix, and Symantec, recently acquired by Broadcom.
The fundamental question: who are you?
Network security infrastructure is crucial but would be cumbersome or useless without knowing who (or what) is connecting. This is where Identity & Access Management (IAM) kicks in. The segment encompasses an extensive array of technologies and players but boils down to two critical features:
- Authenticating, i.e., establishing who/what the user is and verifying that they are who they claim to be.
- Authorizing, i.e., determining which resources, and with which permissions, a given authenticated user may access.
IAM initially consisted of nothing more than logins and passwords, checked against a database of authorized users and the resources associated with them, which was good enough given the limited number of users and the fact that these users generally belonged to a single organization. However, the exponential increase in the number of people connected to networks and the fact that these people increasingly came from outside the organization (e.g., suppliers, customers) prompted the need for new solutions.
On the authentication side, the use of biometrics represented a significant step. These technologies rely on physical features to authenticate a user, e.g., fingerprints, iris scanning, or facial recognition. An alternative materialized in the form of hardware keys (smart cards and USB security tokens, conceptually similar to SIM cards) issued to a single person, although they can be lost or stolen. On top of this, multi-factor authentication (MFA) has become widespread: it combines several independent factors (something the user knows, has, or is) so that the compromise of one of them is not enough. On the non-user side, risk-scoring (credit-scoring-like) and machine learning solutions (similar to those found in endpoint security) are used to detect suspicious login behavior and to decide when additional authentication factors must be requested.
On the access side, the most advanced solutions today rely on Single Sign-On (SSO). As its name indicates, this technology lets users authenticate once: the identity provider issues a signed authentication token, which other applications verify and accept instead of asking the user to log in again. A familiar example is a Google (Gmail) login granting access to third-party websites such as newspapers (federated login). On top of this, more granular control can be exerted through directory stores (centralized records of identities, authorizations, and preferences) and API access management, which extends the same control to calls made to APIs.
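To make the authentication/authorization split and the SSO token concrete, here is an added Python example (not from the article, and not any vendor's product): a constructed user directory with PBKDF2-hashed passwords and RFC 6238 TOTP as second factor, an identity provider that issues an HMAC-signed, time-limited token, and relying applications that verify that token and apply their own role policy instead of asking for a login again. The salt, signing key, users and policy are all made up; the TOTP secret is the RFC 6238 test-vector key, so the code at time 59 is 287082.

```python
"""Added example (not from the article): the two halves of IAM, authentication
and authorization, joined by an SSO-style signed token. The user directory,
salt, signing key and policy are constructed for the demo."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import struct

SALT = b"constructed-salt"            # real deployments use a random salt per user
IDP_KEY = b"constructed-idp-signing-key"
TOKEN_TTL = 3600                      # seconds


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 200_000)


# Directory store: credentials plus the roles used later for authorization.
USERS = {
    "alice": {"pw": hash_password("correct horse"), "totp": b"12345678901234567890",
              "roles": {"staff", "finance"}},
    "bob": {"pw": hash_password("battery staple"), "totp": b"12345678901234567890",
            "roles": {"staff"}},
}


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the 'something you have' factor."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub: str, roles: set, now: float) -> str:
    """Signed, time-limited token the IdP hands out after authentication."""
    claims = {"sub": sub, "roles": sorted(roles), "iat": int(now), "exp": int(now) + TOKEN_TTL}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def authenticate(user: str, password: str, code: str, now: float) -> str | None:
    """Password + TOTP; returns a token or None. Unknown users are checked against
    a dummy record so the response time does not reveal whether they exist."""
    rec = USERS.get(user) or {"pw": hash_password(""), "totp": b"x" * 20, "roles": set()}
    pw_ok = hmac.compare_digest(hash_password(password), rec["pw"])
    otp_ok = hmac.compare_digest(code, totp(rec["totp"], now))
    if user not in USERS or not (pw_ok and otp_ok):
        return None
    return issue_token(user, rec["roles"], now)


def verify_token(token: str, now: float) -> dict | None:
    """What every relying application does instead of asking for a login again."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or forged
    claims = json.loads(_unb64(body))
    if claims["exp"] <= int(now):
        return None  # expired
    return claims


# Authorization: each application maps itself to the roles it accepts.
POLICY = {"mail": {"staff"}, "payroll": {"finance"}, "admin-console": {"admin"}}


def authorize(token: str, app: str, now: float) -> bool:
    claims = verify_token(token, now)
    return claims is not None and bool(POLICY.get(app, set()) & set(claims["roles"]))


def demo() -> dict:
    now = 59  # RFC 6238 test-vector time: the code for this secret is 287082
    tok = authenticate("alice", "correct horse", "287082", now)
    # Attacker rewrites the claims to add "admin" but cannot re-sign them.
    forged_body = _b64(json.dumps({"sub": "alice", "roles": ["admin"], "iat": now,
                                   "exp": now + TOKEN_TTL}).encode())
    forged = forged_body + "." + tok.split(".")[1]
    bob_tok = authenticate("bob", "battery staple", "287082", now)
    return {
        "wrong_otp": authenticate("alice", "correct horse", "000000", now) is None,
        "mail": authorize(tok, "mail", now),               # True
        "payroll": authorize(tok, "payroll", now),         # True
        "admin": authorize(tok, "admin-console", now),     # False: no such role
        "expired": authorize(tok, "mail", now + TOKEN_TTL),  # False
        "forged": authorize(forged, "admin-console", now),   # False: bad signature
        "bob_payroll": authorize(bob_tok, "payroll", now),   # False: staff only
    }
```

The same token is accepted by "mail" and "payroll" without a second login, yet each application still makes its own authorization decision; the token proves who the user is, not what they may do.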
As in the real world, not every user is born equal. Some are granted minimal visibility and permissions on the network, e.g., a customer or a subcontractor. Others, in contrast, are godlike entities that can create or destroy large parts of the network: the system administrators. The latter are the priority targets of attackers, as compromising these accounts opens every door within the network and lets the intruder move from system to system, something called lateral movement. A dedicated subsegment of identity, Privileged Access Management (PAM), has therefore emerged to protect these accounts from internal and external threats.
Fundamentally, PAM tools rely on the same building blocks as IAM but with the capability to single out privileged users and subject them to beefed-up security controls. PAM tools map the actual extent of privileges granted to these super users, giving IT teams complete visibility into the policies as set up and into the potential impact of a breach. They also track these users and manage their access, brokering and recording privileged sessions: Privileged Account & Session Management (PASM). Second in name but not in importance, Privilege Elevation and Delegation Management (PEDM) restricts the use of privileged rights to the bare minimum, on a need-to-have and just-in-time basis, aka least privilege: the best way not to have a standing super-user credential compromised is for it not to exist in the first place, privileges being elevated for a specific task and removed afterwards. Finally, a separate credential vault stores privileged secrets and rotates them frequently, e.g., after each use.
The overall picture has become more complicated with the advent of cloud workloads, which have grown exponentially in number and need access to vast amounts of critical resources to unfold their potential fully. Consequently, organizations may be tempted to grant broad privileges by default, a recipe for catastrophe. Cloud Infrastructure Entitlement Management (CIEM) tools have been developed to tackle this problem. Conceptually, a CIEM platform is a transversal IAM/PAM management platform that maps cloud identities and workloads against the entitlements they hold and the resources they actually use. Administrators can then set up a granular policy with the help of automation tools that calculate risk profiles and flag excessive permissions and anomalies in real time.
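The PASM/PEDM/vault ideas above, as an added Python sketch (not from the article or from any PAM vendor): a vault that is the only holder of the admin secret, a broker that grants time-boxed elevation only with a second person's approval, injects the secret into the session itself, records every command, and rotates the secret when the grant is released. Account names, approvers and timestamps are constructed.

```python
"""Added example (not from the article): a minimal PAM broker showing the
PASM and PEDM ideas. No standing admin credential is ever handed to a person:
elevation is approved, time-boxed, the session is logged, and the vaulted
secret is rotated when the grant is released. Names and secrets are constructed."""
import hashlib
import secrets
from dataclasses import dataclass, field


class Vault:
    """Holds the real privileged secrets; only the broker reads them."""
    def __init__(self):
        self._secrets = {}

    def register(self, account: str) -> None:
        self._secrets[account] = secrets.token_urlsafe(24)

    def rotate(self, account: str) -> None:
        self._secrets[account] = secrets.token_urlsafe(24)

    def fingerprint(self, account: str) -> str:
        """Hash of the current secret, so rotation is observable without exposing it."""
        return hashlib.sha256(self._secrets[account].encode()).hexdigest()[:16]

    def checkout(self, account: str) -> str:
        return self._secrets[account]


@dataclass
class Grant:
    user: str
    account: str
    expires: float
    reason: str
    session: list = field(default_factory=list)  # (time, command) records


class PamBroker:
    def __init__(self, vault: Vault, approvers: set):
        self.vault = vault
        self.approvers = approvers
        self.grants = {}
        self.audit = []

    def request_elevation(self, user, account, reason, approver, now, ttl=900):
        """PEDM: privilege exists only as a ticket with a TTL, after approval
        by someone other than the requester."""
        if approver not in self.approvers or approver == user:
            self.audit.append(("denied", user, account, reason, approver))
            return None
        ticket = secrets.token_hex(8)
        self.grants[ticket] = Grant(user, account, now + ttl, reason)
        self.audit.append(("granted", user, account, reason, approver))
        return ticket

    def run(self, ticket, command, now) -> bool:
        """PASM: the broker checks the grant, fetches the secret itself to open the
        privileged session, and records the command; the human never sees it."""
        g = self.grants.get(ticket)
        if g is None or now >= g.expires:
            self.audit.append(("refused", ticket, command))
            return False
        _secret = self.vault.checkout(g.account)  # injected into the session, not shown
        g.session.append((now, command))
        self.audit.append(("exec", g.user, g.account, command))
        return True

    def release(self, ticket) -> bool:
        """End of task: drop the grant and rotate the secret it was used with."""
        g = self.grants.pop(ticket, None)
        if g is None:
            return False
        self.vault.rotate(g.account)
        self.audit.append(("rotated", g.account))
        return True


def demo() -> dict:
    vault = Vault()
    vault.register("root@db-prod")
    before = vault.fingerprint("root@db-prod")
    pam = PamBroker(vault, approvers={"dana"})
    t0 = 1_000_000.0
    out = {}
    out["self_approval"] = pam.request_elevation("eve", "root@db-prod", "patching", "eve", t0)
    ticket = pam.request_elevation("eve", "root@db-prod", "patching", "dana", t0, ttl=900)
    out["run_in_window"] = pam.run(ticket, "apt-get upgrade", t0 + 60)      # True
    out["run_after_expiry"] = pam.run(ticket, "rm -rf /data", t0 + 901)     # False
    out["released"] = pam.release(ticket)                                   # True
    out["secret_rotated"] = vault.fingerprint("root@db-prod") != before     # True
    out["run_after_release"] = pam.run(ticket, "id", t0 + 62)               # False
    out["exec_records"] = sum(1 for e in pam.audit if e[0] == "exec")       # 1
    return out
```

Even if the ticket leaked, it is worthless after the TTL or the release, and the secret it was used with has already been replaced.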
Initially marked by strong differences between suppliers, the identity market tends to see its various subsegments converge into common offerings. Leaders in IAM include Okta, which has built a broad platform both organically and through acquisitions, Microsoft, Ping Identity, and Sailpoint (the last two were both recently acquired by PE player Thoma Bravo). In PAM, the undisputed leader is Cyberark, followed by BeyondTrust. Generally, M&A focuses on acquiring technological bricks that allow expansion into adjacent markets.
However, all these identity security players may be threatened by the entry of more comprehensive network infrastructure security players such as Palo Alto Networks, as synergies are obvious.
Looking beyond the hype
As mentioned above, VPNs are today facing difficulties in scaling. More broadly, current cyberdefenses appear obsolete and torn between two contradictory needs: restricting connections to ensure optimal security, and multiplying them to enable mobility and cloud workloads. Therefore, a new quasi-miraculous framework was needed to save the day and recently appeared under the name Zero Trust (ZT), of which Zero Trust Network Access (ZTNA) is the product category applying the model to user and application access. The concept has generated so much interest of late that it has become a buzzword in itself, with every cybersecurity player claiming to have a ZT solution.
Fundamentally, ZT is not a technology but several working together under the supervision of a (generally) cloud-based central controller. Schematically, the system authenticates a given connection (either a user or an application), evaluates it against policy (identity, device posture, target resource), then establishes a secure encrypted tunnel toward the necessary resource and nothing more, unlike VPNs, which place the device on the network and carry all of its traffic. No user, device or network node is trusted by default, even after crossing the barrier of the firewall; access is granted per request on a least-privilege basis and re-evaluated as context changes, so as to prevent lateral movement. Underlying technological bricks include dynamic IAM/PAM enforced by a central broker, encryption, and micro-segmentation to isolate workloads from one another on an application basis, so that a compromised one cannot reach its neighbors.
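The difference between a VPN's one-time gate check and a ZT broker's per-request decision, as an added Python simulation (not from the article, and not any vendor's controller): a contractor on a managed but unpatched laptop connects through a VPN gateway, which puts the device on a flat network, and through a ZTNA broker, which checks identity, role, device posture and target on every request and keeps re-checking. Identities, devices, resources and the policy table are constructed.

```python
"""Added example (not from the article): VPN-style network access vs. a
Zero Trust broker evaluating every request. Users, devices, resources and the
policy table are constructed for the demo."""
from dataclasses import dataclass


@dataclass
class Identity:
    user: str
    roles: set
    mfa: bool


@dataclass
class Device:
    name: str
    managed: bool
    patched: bool
    compromised: bool = False  # e.g. an EDR alert; can change mid-session


# Internal resources, all on the same corporate network.
NETWORK = {"wiki": "10.0.1.10", "hr-db": "10.0.2.20", "build-server": "10.0.3.30"}


class VpnGateway:
    """Castle-and-moat: one check at the gate, then the device is on the network
    and can reach every host the network routes to."""
    def connect(self, ident: Identity, device: Device):
        if not ident.mfa:
            return None
        return {"user": ident.user, "routes": set(NETWORK)}

    @staticmethod
    def reach(session: dict, resource: str) -> bool:
        return resource in session["routes"]  # nothing re-checks the device


# Per-resource policy: which roles, and what device posture, each target requires.
ZT_POLICY = {
    "wiki":         {"roles": {"staff", "contractor"}, "managed": True, "patched": False},
    "hr-db":        {"roles": {"hr"},                  "managed": True, "patched": True},
    "build-server": {"roles": {"dev"},                 "managed": True, "patched": True},
}


class ZtnaBroker:
    """Default deny; identity, device posture and target are evaluated on every
    request, and only a tunnel to that one resource would be opened on success."""
    def __init__(self):
        self.log = []

    def decide(self, ident: Identity, device: Device, resource: str):
        rule = ZT_POLICY.get(resource)
        reasons = []
        if rule is None:
            reasons.append("unknown resource")
        else:
            if not ident.mfa:
                reasons.append("no mfa")
            if not (ident.roles & rule["roles"]):
                reasons.append("role")
            if rule["managed"] and not device.managed:
                reasons.append("unmanaged device")
            if rule["patched"] and not device.patched:
                reasons.append("unpatched device")
            if device.compromised:
                reasons.append("device flagged")
        ok = not reasons
        self.log.append((ident.user, device.name, resource, ok, list(reasons)))
        return ok, reasons


def demo() -> dict:
    carol = Identity("carol", {"contractor"}, mfa=True)
    laptop = Device("carol-laptop", managed=True, patched=False)
    vpn, zt = VpnGateway(), ZtnaBroker()
    session = vpn.connect(carol, laptop)
    out = {
        "vpn_hr_db": VpnGateway.reach(session, "hr-db"),     # True: flat network
        "zt_wiki": zt.decide(carol, laptop, "wiki")[0],       # True: role and posture fit
        "zt_hr_db": zt.decide(carol, laptop, "hr-db")[0],     # False: wrong role, unpatched
    }
    laptop.compromised = True  # EDR flags the device while the VPN session is still up
    out["vpn_after_compromise"] = VpnGateway.reach(session, "hr-db")  # True: never re-checked
    out["zt_after_compromise"] = zt.decide(carol, laptop, "wiki")[0]  # False: re-evaluated
    return out
```

The VPN session is as good after the compromise as before it, which is exactly the lateral-movement exposure described above; the broker's log also records why each request was refused, which is what an operations team needs when tuning policy.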
To make an analogy with the real world, the traditional castle-and-moat cybersecurity model would be the equivalent of a country with well-guarded borders and uncontrolled highways within these borders. In contrast, ZT would establish regular toll booths in underground tunnels to check license plates, create one road for each destination without any interchange, and build walls between each house/parking spot once arrived at the final destination.
Similarly to ZT becoming a buzzword, additional acronyms have emerged since 2019. But in the case of Secure Access Service Edge (SASE) and Security Service Edge (SSE), the abstruse abbreviation and the buzzing hype are concealing attractive emerging cybersecurity architectures. Both share much in common, with SSE being a subset of SASE. These two architectures encapsulate several technologies to establish a bridge between local networks and the cloud.
SASE fundamentally merges advanced networking and security capabilities within a single unified cloud-based service, greatly simplifying the rollout of cloud-compatible networking architectures. On the networking side, the service relies on Software-Defined Wide Area Networking (SD-WAN), which centrally and dynamically steers traffic across whichever underlying links are available, even when several technologies are combined (e.g., 5G and broadband internet). In addition to a positive performance gap vs. traditional WANs, SD-WAN paves the way for better security thanks to unified and complete visibility into the network. On the security side, SASE relies on a package combining Firewall-as-a-Service (FWaaS) and SWG for traffic filtering and monitoring, ZTNA to connect users, and a cloud-native technology called Cloud Access Security Broker (CASB), which acts as a security checkpoint between users and cloud-based applications.
SSE represents an intermediary step, as it boils down to SASE without the SD-WAN component. It is therefore easier for a corporation to transition to, as network and security teams do not have to merge, while keeping open the possibility of upgrading easily at a later stage.
ZTNA and SASE/SSE represent the place to be for cybersecurity players, as these solutions are clearly the future of networking cybersecurity, hence a strategic opportunity. It is, therefore, no surprise that anyone with one technological brick belonging to any of these architectures claims to be a supplier. However, managing to deliver this complex solution is not within everyone's reach. Major network security players have an edge, as they have a long history with many of the building blocks. Palo Alto Networks, Fortinet, Check Point, and Cisco are significant players in the segment, albeit with varying successes when it comes to growth rates. However, one younger player has managed to climb up the market ladder at a rapid pace and has become one of the leaders: Zscaler. Cloudflare is also leveraging its extensive infrastructure to successfully provide such services.
Adapt or die (painfully). Networks still represent the core IT infrastructure of virtually every single company. Those not wanting to collapse under the pressure of new cyber threats will have no choice but to upgrade their infrastructure.
Concerned regulators. Governments have understood what is at stake. The U.S. government is thus mandating the move to Zero Trust architectures for federal agencies (Executive Order 14028 of May 2021 and the subsequent OMB federal Zero Trust strategy). Many others will likely follow.
Increasing deployment simplicity. Network Security solutions used to rely on physical appliances and intricate software. Thanks to the convergence with cloud applications, newer solutions tend to be virtualized and much simpler to deploy.
Intense competition. The sector has huge growth potential, as it is still at the beginning of a super cycle. This potential is attracting important players, such as cloud service providers, which may completely shuffle the deck.
Full transition toward the cloud. Although unlikely, a complete transition toward a cloud-centric model would seriously diminish market opportunities.
Loss of credibility. Trust in suppliers' solutions is paramount. A breach of a supplier's own platform would annihilate this trust and cause serious damage to the vendor involved.
Companies mentioned in this article
Amazon (AMZN); BeyondTrust (Not listed); Broadcom (AVGO); Check Point (CHKP); Cisco (CSCO); Citrix (CTXS); Cloudflare (NET); Cyberark (CYBR); F5 (FFIV); Fortinet (FTNT); Huawei (Not listed); Juniper (JNPR); Microsoft (MSFT); Okta (OKTA); Palo Alto Networks (PANW); Ping Identity (PING); Sailpoint (Not listed); Zscaler (ZS)
This report has been produced by the organizational unit responsible for investment research (Research unit) of atonra Partners and sent to you by the company sales representatives.
As an internationally active company, atonra Partners SA may be subject to a number of provisions in drawing up and distributing its investment research documents. These regulations include the Directives on the Independence of Financial Research issued by the Swiss Bankers Association. Although atonra Partners SA believes that the information provided in this document is based on reliable sources, it cannot assume responsibility for the quality, correctness, timeliness or completeness of the information contained in this report.
The information contained in these publications is exclusively intended for a client base consisting of professionals or qualified investors. It is sent to you by way of information and cannot be divulged to a third party without the prior consent of atonra Partners. While all reasonable effort has been made to ensure that the information contained is not untrue or misleading at the time of publication, no representation is made as to its accuracy or completeness and it should not be relied upon as such.
Past performance is not indicative or a guarantee of future results. Investment losses may occur, and investors could lose some or all of their investment. Any indices cited herein are provided only as examples of general market performance and no index is directly comparable to the past or future performance of the Certificate.
It should not be assumed that the Certificate will invest in any specific securities that comprise any index, nor should it be understood to mean that there is a correlation between the Certificate’s returns and any index returns.
Any material provided to you is intended only for discussion purposes and is not intended as an offer or solicitation with respect to the purchase or sale of any security and should not be relied upon by you in evaluating the merits of investing in any securities.