Systemic Concentrated Cyber Risks

Discussing monocultures, systemic dependencies and digital fragility.

In the wake of the Crowdstrike incident, which made headlines not just in the traditional tech media but across the broader mainstream media and society, and was dubbed “one of the largest IT outages in history”, one hot topic is concentrated cyber risks.

Or, in other words, placing all of our eggs in one or a few baskets (vendors).

The incident ended up impacting an estimated 8.5 million Windows devices around the world, affecting industries such as finance, airlines and medical, among the broader IT ecosystem.

The wild part about this “potentially largest IT outage in history” is that it impacted a mere 1 percent of Windows devices, per Microsoft.

Despite this metric it still caused devastating impacts, with an estimated $5.4 billion in direct financial losses, although many speculate that figure to be very low.

The discussion around monoculture risks, or a single vendor or handful of vendors dominating the market, isn’t a new topic in cybersecurity and is something that has been discussed for decades, such as in the notable paper “CyberInsecurity: The Cost of a Monopoly: How the Dominance of Microsoft’s Products Poses a Risk to Security”, written by security legends such as Dan Geer and Bruce Schneier, among others.

Given the recent meltdown around the Crowdstrike impact and ripples it caused across society you would think this paper was written in the past week.

Ironically, it was authored 21 years ago.

Yet, here we are 21 years later with outlets such as MSN and The Washington Post running stories titled “Microsoft’s Global Sprawl Comes Under Fire After Historic Outage”.

You would never know the below quotes came from two pieces published 21 years apart:

Two quotes, 21 years apart, both pertaining to Microsoft, which has arguably only grown more dominant since the CyberInsecurity paper over two decades ago.

In a recent Morgan Stanley 2Q 2024 CIO survey, several metrics show positive signs for Microsoft. These include:

  • Microsoft Azure being identified as hosting 42% of application workloads on the public cloud, with estimated growth to 49% in three years.

  • Growing CIO interest in Microsoft’s comprehensive E5 licensing, with the share of CIOs expected to switch in the next two years rising from 28% to 46%.

  • 94% of CIOs expecting to use Microsoft’s GenAI products over the next 12 months.

These findings, interest and growth come shortly after, and despite, several very public security missteps by Microsoft. These include several highly impactful and visible security incidents impacting not just commercial customers but also U.S. Federal agencies.

This led to several calling Microsoft a “threat to national security”, and to testimony by its President before the U.S. House Homeland Security Committee about Microsoft’s security failures as well as its ties to China. Paradoxically, despite being called a threat to national security, Microsoft accounts for 3% of the entire U.S. Federal IT budget (which is estimated at around $74 billion USD).

The testimony came on the heels of a damning report on Microsoft security incidents and lapses, published by the Cyber Safety Review Board (CSRB), which cited systemic security issues at Microsoft and a lack of security culture.

Microsoft also holds the top spot on the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerability (KEV) catalog, an inventory of known exploited vulnerabilities which must be prioritized for remediation by Federal agencies, with more and more commercial organizations following a similar remediation approach.

Additionally, it recently came to light from a Microsoft whistleblower that Microsoft failed to address known security vulnerabilities and weaknesses that were later exploited by Russian hackers to access over 100 companies and U.S. Government agencies, including the department that maintains the U.S. nuclear weapons stockpile. It was said that Microsoft ignored the security concerns raised partly because it was actively pursuing a multi-billion dollar cloud contract from the Department of Defense (DoD) at the time.

Yet, despite decades-long calls from security professionals and regulators alike, Microsoft’s market dominance continues to grow, as demonstrated by the Morgan Stanley report mentioned above. Contrary to all of the claims of security being a competitive differentiator, an organization with systemic security challenges and potentially questionable ethical behavior continues to dominate the entire IT market and landscape.

This paradox speaks to the dilemma of security concerns contrasted against capabilities, innovation, cost savings and convenience, all of which contribute to technology leaders from organizations around the world continuing to rely on one of the software industry’s longest-standing, most prolific and arguably most polarizing companies: Microsoft.

As an aside, it seems the more things change in cybersecurity, the more they stay the same. Much as I pointed out in my article “Cybersecurity First Principles & Shouting Into the Void”, the recent concept of “Secure-by-Design” being championed by CISA and others is actually more than 50 years old, tracing its origins back to the “Ware Report”.

Prudent concerns from some of the brightest minds in cybersecurity have historically gone unheard, unfortunately.

That said, thankfully these leaders continue to press on, continuing to serve the cybersecurity community - a lesson for some of us younger cybersecurity practitioners to take heed of, in terms of passion, grit and unwavering commitment.

Concentrated Risks - How bad is it?

Now, we may still be asking: what is so bad about having dominant vendors in the IT and security market, with organizations having critical dependencies on them?

That’s when I stumbled across an excellent report from the team at SecurityScorecard titled “Redefining Resilient: Concentrated Cyber Risk in a Global Economy”, and the findings are quite damning.

In a world where vendor leaders are seeking market share, dominance, "platformization" and revenue (ironically the same things cited by CISA and leaders like Jen Easterly as routinely being prioritized ahead of competing priorities such as security), there's a correlation with dependencies and systemic risks for consumers and society.

  • 150 companies account for 90% of the technology products and services across the global attack surface 🌍

  • 41% of those companies had evidence of at least one compromised device in the past year

  • Insanely, just 15 companies account for 62% of ALL products and services 🤯

The report is rich in additional data, such as the cost to remediate third-party breaches being 40% higher than that of internal cybersecurity breaches, and 75% of third-party breaches targeting software and technology supply chain vendors. As we see tightening security budgets and a push for "tool consolidation", these dependencies, single points of failure, lack of resilience and systemic risks will only be exacerbated, especially when coupled with the explosive growth in software supply chain attacks, something I’ve spoken and written about extensively, including in my book “Software Transparency: Supply Chain Security in an Era of a Software-Driven Society”.

Monocultures and Resilience Don't Go Hand-in-Hand ❌

Density, Diversity and Dichotomies

That said, the topic of density among a handful of vendors, contrasted with diversity of vendors and striving towards resilience is nuanced.

Let’s dive into it a bit below.

Density

So, on one hand, we have the realization that monocultures, or market dominance and dependencies on a single vendor or handful of vendors, can represent outsized risks and critical centralized points of failure.

We see this in the seminal paper CyberInsecurity cited above, as well as recent impacts related to Crowdstrike and Microsoft.

In Francis Odum’s “Public Cybersecurity Market Review & Commentary for H1 2024” he discusses Crowdstrike’s path to $100B, and how it was on track to reach that milestone within a few months. Ironically, as reported by Barron’s and others, the organization’s stock dropped over 20% since the incident.

That said, many suspect the stock price will rebound, as many others have post-incident, as is discussed in great detail in pieces such as Kelly Shortridge’s “Markets DGAF About Cybersecurity”.

However, no doubt the incident represents a setback for Crowdstrike, even if temporary.

In their recent Q1 FY2025 report, Crowdstrike touted the consolidation potential of their Falcon Platform, ironically the same platform involved in the recent incident. They cite market categories to be consolidated across spaces such as Endpoint, Cloud, Identity, SIEM and more.

For organizations drowning in sprawl and fatigued from juggling security tools, it is undoubtedly a compelling narrative.

Crowdstrike is far from the only security leader making the platformization push, as Palo Alto is telling a similar story. Their website has branded pages evangelizing how “cybersecurity consolidation is the future” and claiming organizations receive a “203% three-year ROI” when they rally around a platform.

They highlight figures claiming platformization aids in not just ROI but also faster remediation and response to cyber attacks.

That said, as discussed above in the SecurityScorecard report, and highlighted by the CyberInsecurity paper and the recent Crowdstrike incident, density has its downfalls.

Conversely, on the other end of density in terms of products, vendors and platforms comes distribution. This has its own unique challenges and considerations, which we will take a look at below.

Diversity

On the other end of monocultures and market dominance is diversity.

This means having a diverse distribution of vendors, a distributed supply chain and no critical dependencies on a single product, vendor or tool.

There are plenty of pros to a diverse vendor ecosystem. It arguably fosters innovation, mitigates complacency by market leaders due to the constant threat of new entrants and disruptors, and avoids fears such as vendor lock-in, abusive pricing, over-reliance, single points of failure (SPoF) and more.

That said, there are also several risks to consider. We have a thriving ecosystem, with thousands of suppliers and vendors, often with duplicative or similar capabilities, features and products within a single market category.

Each of these vendors exists on a spectrum when it comes to security maturity. While some may be more mature or security-centric, with existing policies, processes and effective security programs, others may be earlier in their maturity lifecycle, may not have made the appropriate investments, or may be struggling due to a weakness in any or all of the people, process and technology triad.

This struggle may be exacerbated among younger, newer organizations that are often bootstrapped, raising capital, looking to appease investors (e.g. growth, ARR, ROI etc.), fighting to gain early customers, revenue and market share, and simply trying to survive.

The ability to focus on security may be limited by the above, and by the lack of resources and bandwidth to invest in cybersecurity maturity and rigor.

However, due to their lack of market penetration, prevalence and success, they also may not be as compelling a target for malicious actors. Software supply chain attacks often focus on targets with potential for broad reach and impact, which is why we often see large, widely consumed vendors and OSS projects targeted by attackers.

Going back to the SecurityScorecard report, a handful of vendors represent an outsized portion of the risk in the entire landscape, due to their massive pervasive presence. This means not only are they targeted more, but they also have the potential for more systemic risks when impacted due to their size and reach.

There’s a reason Microsoft, one of the most successful software companies in the world, is a longstanding leader on the CISA Known Exploited Vulnerability (KEV) catalog.

We see this play out in the open source space as well, where widely used, heavily relied-upon projects and packages are ripe targets due to the high ROI they offer attackers if compromised.

On the flip side however, much like a younger, less mature product vendor is potentially more vulnerable due to the factors discussed above, obscure, less widely used and lightly maintained open source projects also suffer from their own obvious vulnerability.

As they say, under enough eyeballs, all bugs are shallow, but I’ve often stated we simply don’t have enough eyeballs.

As I discuss in my article the “Open Source Security Landscape 2024”, 25% of ALL open source projects have a single maintainer, and 94% of ALL open source projects have fewer than 10 maintainers actively contributing code.

We all know the classic xkcd comic image below:

Ironically, the massive outsized market dominating vendors (and open source projects) represent a much bigger piece of the puzzle, and when compromised can bring much of the entire digital landscape crumbling down along with them.

Even if we try and make the case that platforms are more robust and secure (ignoring their potential for an outsized impact if compromised), there is the reality, as pointed out by Ross Haleliuk of Venture in Security that “Every Successful Security Platform Started as a Point Solution”.

This is due to product and organizational lifecycles: companies begin as point products addressing a specific market pain point, grow, and then expand their capabilities either through organic in-house development or through M&A of upcoming disruptive point companies that are then integrated into their platform portfolio - and the cycle repeats.

Another challenge for the diverse vendor approach is what we commonly refer to as cybersecurity “tool sprawl”.

This is when you have arguably too many security tools, many of which aren’t properly deployed, implemented, configured, tuned and optimized. This means the tools aren’t actually effectively reducing organizational risk, and worse, may be amplifying it, due to factors such as security tools being part of your attack surface (they have misconfigurations and vulnerabilities too), as well as the cognitive toll they take on beleaguered security teams trying to juggle the mess.

As I’ve written in articles such as “Cybersecurity Tool Sprawl Can Lead to Team Overload and Lower Impact”, studies show the average organization has 40+ security tools, with some studies citing figures as high as ~75.

The industry is increasingly waking up to the challenges of security tool sprawl, which, coupled with budget and talent constraints and more scrutiny around security spend and ROI, is contributing to the prior approach we discussed: density over diversity, leaning into security “platforms” over point products, and rationalization of security tool portfolios among security leaders.

Dichotomies

Now that we’ve individually discussed Density vs. Diversity of vendors, let’s take a look at the dichotomies between the two, why neither one will ever reign supreme, and some of the inherent trade-offs.

First off, we need to acknowledge that while there are and will be dominant market players, there will always be vendor diversity to some extent. This is because no product, platform or vendor is all-encompassing, leaving gaps in features, functionality and capabilities that are opportunities for new vendors to address as they enter the market.

For a great conversation on the fact that both Platforms and Point Products will never cease to exist, see an article from Adrian Sanabria titled “Platforms and Point Products Will Both Continue to Be a Thing”.

Additionally, there is the reality that no two organizations are identical. Every organization has a different budget, talent, resourcing, bandwidth and more, making every organization’s approach to rallying around platforms or point products unique.

Large Fortune 500 enterprise security teams look much different than startups, and the security engineering talent of a cloud-native Silicon Valley startup will look much different than that of a Federal agency or traditional enterprise organization. This means the ability to build vs. buy isn’t identical, especially when you also account for internal politics, preferences, biases and more.

No single security or technology platform will solve all of our challenges and meet all of our needs. The business needs are too diverse and dynamic and the threat landscape is ever evolving and complex - no one can, nor will do it all.

Conversely, over-optimizing for diverse vendors has its own unwanted side effects, which we discussed above, such as vendor/tool sprawl, complexity, inherent security risks and decreased ROI.

Much like everything in security, and society more broadly, the answer is somewhere in the middle, and that answer looks different for every organization and situation.

We will never see one approach without the other when it comes to vendor Density or Diversity.

It is much more likely, like a pendulum, we will watch the technology buying and consumption habits of organizations swing back and forth as they grapple with the pros and cons of each approach we discussed here.

So what is the right balance?

Like anything else in cybersecurity….

It depends.