1. Companies are getting comfortable with cloud-based security.
Organizations, including governments and large financial institutions, are getting comfortable moving many security functions to the cloud (email, web, and vulnerability management, for instance). The result is solutions that are more reliable, easier to maintain, and carry a lower total cost of ownership.
2. Appliances are bad for cloud-based infrastructure.
Quite a lot of infrastructure is moving to the cloud. Even Capital One has moved 60% of theirs already. FINRA, the Financial Industry Regulatory Authority, has moved ¾ of their infrastructure to Amazon Web Services. Organizations aren’t willing to pay the traffic cost or latency to hairpin out to an appliance, and vendors will try to provide “virtual appliances” within the cloud, which is an unnecessary bottleneck.
3. Appliances won’t be able to view the data required to provide zero day attack detection.
In the United States, Edward Snowden’s disclosures were a wake-up call to those who thought encrypting data across the Internet’s backbone wasn’t particularly important. Many people used to think it was unlikely that anyone would have the means and desire to listen. It turns out they were wrong. (Note that, in many other countries, the government is quite explicit about this kind of access to Internet traffic.) The standards community, in protecting against nation state attacks, is making it impossible for security appliances to rely on what is essentially a decryption back door, meaning companies will have to incur huge expense to provide both data privacy and give security appliances the visibility they need for detection. This is already on the horizon with the forthcoming version of TLS, which secures every HTTPS connection.
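As an added illustration that is not part of the original post: the forthcoming TLS version the text refers to (TLS 1.3) mandates ephemeral, forward-secret key exchange, so a passive appliance provisioned with the server's long-term private key can no longer derive session keys from a copy of the traffic. The toy Diffie-Hellman group and the key values below are constructed for the demonstration and are far too small for real use.

```python
import secrets

# Constructed toy Diffie-Hellman group (a Mersenne prime); only for illustration.
P = 2**127 - 1
G = 5


def keypair(priv=None):
    """Return (private, public). A fixed priv is only supplied for reproducible runs."""
    if priv is None:
        priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P)


def handshake(server_static_priv, forward_secret, client_priv=None, server_eph_priv=None):
    """Simulate one handshake and return (what the wire shows, the agreed session key).

    forward_secret=False: the server reuses its long-term key for every session,
    so that one private key unlocks all sessions (the pre-1.3 "decryption back door").
    forward_secret=True: the server generates a fresh ephemeral key per session and
    uses the long-term key only to authenticate it, as TLS 1.3 requires.
    """
    client_priv, client_pub = keypair(client_priv)
    if forward_secret:
        eph_priv, server_key_share = keypair(server_eph_priv)
        session_key = shared_secret(eph_priv, client_pub)
    else:
        server_key_share = pow(G, server_static_priv, P)
        session_key = shared_secret(server_static_priv, client_pub)
    # Both endpoints arrive at the same key either way; only the eavesdropper differs.
    assert session_key == shared_secret(client_priv, server_key_share)
    transcript = {"client_key_share": client_pub, "server_key_share": server_key_share}
    return transcript, session_key


def appliance_recover(transcript, server_static_priv):
    """All a passive appliance holding only the long-term private key can compute."""
    return shared_secret(server_static_priv, transcript["client_key_share"])


if __name__ == "__main__":
    static_priv = keypair()[0]
    for fs in (False, True):
        transcript, key = handshake(static_priv, forward_secret=fs)
        recovered = appliance_recover(transcript, static_priv) == key
        print(f"forward_secret={fs}: appliance recovers session key? {recovered}")
```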
4. Appliances will make managing hybrid environments difficult.
Hybrid deployments (i.e., partially on premise and partially in the cloud) will undoubtedly be a fact of life in the enterprise for a long time to come. That means security teams must provide solutions for both kinds of environments. Today, while we’re still early in the adoption curve, security organizations are willing to implement different solutions to protect their cloud infrastructure and their internal infrastructure. Yet this will become a burden, more costly and more cumbersome to manage, so people won’t do it forever.
5. Appliances can’t see containers.
The DevOps movement is pushing toward microservices and containerization quickly. When multiple containers live on the same machine and talk to each other (which is common today), that communication doesn’t go over the network and can never be seen by an appliance, not even a virtual appliance. In addition, it’s important to recognize that appliances rely on IP addresses or host names for monitoring, but in a containerized world, containers tend to be short-lived and many containers can share an IP address. That lack of visibility means appliances are far less effective at detection for modern production environments.
6. “Detection” appliances don’t actually detect.
In most enterprises, security detection appliances are usually sitting off to the side, looking at a copy of network traffic, not the actual network traffic. Organizations do this for many reasons: so that appliances don’t add latency to network traffic, and so that they don’t become a single point of failure, for instance if they get flooded or hit a bug. Worst of all, since it’s so hard to get high quality signal from network traffic at scale, appliances generate many false positives, which are a huge disaster for automatic response. And while traffic in the cloud can still be split off, it isn’t easy and it can come at a price.
7. Appliances are easy to circumvent.
While old-school devices (e.g., traditional intrusion prevention devices) obviously sacrificed accuracy for speed, today’s more sophisticated appliances do a lot of processing on the data they see, so that they can give vastly better results with far fewer false positives. Because they rely on emulation, an attacker has many options to detect and circumvent the emulation. Eventually, detection will move to the systems being protected, where there is no need to emulate and security software has a much greater ability to thwart an attack.
8. Appliances can’t auto-scale.
Generally, the appliances with the best detection consume the most resources. Even with a high-speed appliance, it’s generally not difficult to overload it. Once an attacker manages that, they can sneak malicious traffic through undetected. As companies embrace infrastructure that can auto-scale their applications, they will want to auto-scale their protection to improve their zero day attack detection, instead of failing open.
9. Appliances are too much work for too little value.
Finally, perhaps the single biggest problem that IT security organizations wrestle with is that they’re drowning in alerts. Generally, that’s the case even AFTER all the raw data coming from around the network goes through a best-of-breed correlation and analysis engine. This problem is due to the horrible signal-to-noise ratio of security appliances, which is going to get even worse. Instead of hiring more analysts or letting more and more alerts fall through the cracks, companies will look for detection approaches that produce much less noise, which again pushes detection away from an appliance solution.