I recently read an article posted on Linkedin by Jon Oltsik, a principal analyst at Enterprise Strategy Group (ESG). Jon is a well-respected thought leader in the security industry and has been quoted in the Wall Street Journal and Business Week. His article, “The most important attributes of a cybersecurity platform,” struck a chord with me. We are losing the cybercrime battle but many on the “good side" keep deploying the same ineffective strategies.
Jon describes a cybersecurity technology trend, as follows:
Enterprise organizations address cybersecurity using disconnected point tools.
Security teams address these problems by consolidating and integrating the security tools they use.
Seeing this trend in process, security technology vendors push internal development teams to integrate point tools across their portfolio. They then pitch integrated security "platforms" to customers.
But he points out that not all platforms are equal. When evaluating a cybersecurity security platform, you should look for eight attributes.
The one that especially caught my attention is this one:
A combination of tightly-coupled products and services -- i.e. products and managed service options offering central command-and-control
With a deficiency of resources and the complex IT architectures that are in place today, there will be a shift to more managed security services and vendors who are providing a comprehensive security platform that provides full protection across all the major threat vectors and infrastructures (on premise, cloud and hybrid).
As you read Jon’s article, it's natural to think of some of the big players in security, such a Palo Alto Networks, Fortinet, Checkpoint, and Cisco. This is because all of these powerhouses are marketing their offerings as a “security platform.” However, all fall short in meeting all eight attributes that are essential to fully qualify as a platform. This is not an attack on these vendors and some are doing much better than others in integrating different point tools that were either developed or acquired, but it is NOT going to be the manufacturers of security technologies that deliver the security platform that most organizations need to deploy.
No one security software/hardware manufacturer is going to deliver a fully comprehensive security platform. It's going to be the responsibility of security integrators and managed security service providers to create platforms. These specialized providers will leverage the technology from manufacturers and couple it with their own services to deliver what the market needs. Some manufacturers will definitely get close to a full integrated security “technology platform," but technology alone will not solve the problem. There is still a void in people and process that will only be solved with managed services.
There are seven other attributes that Jon outlines in his article:
- Coverage that includes major threat vectors such as email and web security
I will add three additional threat vectors that must be included: humans, endpoint, and cloud. Humans are the first line of defense and endpoints are the last with email and web somewhere between. And of course the cloud is everywhere and many businesses’ data is sitting there. It is going to be hard to find a security technology manufacturer that provides all of these well. Therefore, it will be the responsibility of managed security services providers to integrate disparate technologies and deliver them in a comprehensive security platform as a service.
- Central management across all products and services
This is essential. There must be a single dashboard for visibility and control for all of the major threat vectors mentioned in attribute one.
- Capabilities across threat prevention, detection, and response
This is a big one. Too many security vendors are in the game of detection and response. Their value propositions are “not if, but when you are breached” or “preventative security is not possible, you need detection and response.” This idea just makes me angry. It’s like saying let’s just give up and wait for someone to attack us and then try to survive. If I told anyone this in the physical context of security, they would think I was crazy. The conversation would go like this, "Don’t lock the doors in your house, just sit in your child’s room through the night with a gun and motion sensor waiting for the attacker to enter (and hopefully you stay awake) and then shoot him." What??
Exactly, that’s crazy. If something can be prevented, then do it. The same holds true in the cyber world. Any company or offering touting they are a security platform and does not provide prevention coupled with detection and response is completely in “left field." A security platform should be adaptive where preventative security controls are continuously improved by what is learned through intelligence, detection and response.
- Coverage that spans endpoints, networks, servers, and cloud-based workloads
Not much to say here other than you need to secure everything regardless of location. Anything left unprotected is your weakest link.
- Cloud-based backend services -- i.e. analytics, threat intelligence, signature/rules distribution, etc.
This is extremely important. Data and intelligence are king and should also be shared across customers. All users and organizations that utilize a security platform should contribute and receive intelligence from the community. The platform should also intake intelligence from outside its own data lake to provide additional security to its community. Finally, the processes for updating the platform should be automated as much as possible utilizing machine learning and API integrations.
- Openness -- i.e. open APIs, developer support, ecosystem partners, etc.
As mentioned above, APIs allow for automation but also allows for integration into other third-party applications for reporting, management, etc.
- A platform that is offered in multiple deployment options -- i.e. on premises, cloud delivered, hybrid, etc.
This is almost obvious, but many times ignored. Our businesses no longer operate behind four walls. Employees are accessing data from everywhere. Our security needs to be in place and available regardless of location. A security platform should have the flexibility to be deployed and easily managed to support the mobility of our modern workforce.
As the chief strategy officer at Rocus Networks, I am extremely happy that Jon published this article. I sometimes feel as if I am on an island or swimming upstream in the fight to protect organizations. It is this kind of validation that keeps me going against conventional thinking. I have heard it a million times: the definition of insanity is doing the same thing over and over and expecting different results. Companies are suffering the catastrophic results of cyberattacks but most professionals in the cybersecurity industry continue to fight back with the insufficient weaponry, expecting different results. Join me in this fight and let’s start delivering the cybersecurity platform our digital world really needs.
- Mike Viruso, Rocus Networks Chief Strategy Officer