As human beings, we’re faced with tough decisions every day: take the bus to work or walk? Spiced-eggnog, triple shot extra hot, skinny soya latte or an espresso? Ant or Dec? Radio 1 or Talksport? Many an argument on the last one when driving with Mrs Hodson. She wins.
The world of cyber and information security is not immune from the need to make tough choices. A commonly-posed question is ‘do I buy best of breed or align to a single vendor’? I have been involved in this debate in all my former roles at some point. I don’t believe there is a right-or-wrong answer. The important point is the need to consider your security posture holistically; whether a single vendor or multiple suppliers, it’s cohesion and visibility that the CISO requires – we deliver this through the deployment of platforms…not products!
Best of breed is great…in principle
Let’s assume we take an enterprise view of security in our organisation (quite an assumption), we define a core set of architectural building blocks (we’ve all read the big blue SABSA book after all) and then we decide that we’re going to select the best vendor / technology in that specialist field. Sounds like the prudent approach, we’ll get the best technology for the job. Not always.
You may well get the ‘best’ IPS or firewall based on a series of generic or abstract metrics but as security people, I feel we sometimes miss what we’re there to do. The aforementioned ’job’ of the CISO is to preserve the confidentiality, integrity and availability of organisational data assets and systems. Information security controls are comprised of people, processes and technology* and should not be parochially-viewed as a set of appliances flashing away in a data centre. Having individual, best-of-breed components does not automatically create a best-of-breed security architecture for the enterprise. ‘Best of breed’ components loosely-coupled and poorly integrated provide a ‘security-veneer’; an impression of layered security but without the attributes of a platform (covered later), these solutions are failing to protect our users and our data. Eric Morecambe famously said ‘I’m playing all the right notes, just not necessarily in the right order’ and there are similarities in how we provision our cyber protections: We have all the right ingredients but it’s how they are baked together that matters.
“I’m playing all the right notes, but not necessarily in the right order” Eric Morecambe
In my end-user days, we’d spend hours, days, weeks-on-end discussing how to integrate a veritable smorgasbord of appliances with the end goal of preventing, detecting and responding to cyber attacks. We’d have firewall ‘x’ because we like the UI, we’d have IPS ‘y’ because Dave in SecOps used it at his last role, proxy servers were selected through a round of ‘rock, paper, scissors’ in the local and our TLS inspection appliance picked through a game of Top Trumps. Okay, I am being a little facetious with the last couple there but all too often ‘best-of-breed’ is assessed unilaterally by the team involved in watering and feeding the appliance as opposed to a top-down, strategic assessment of the capability the organisation needs.
Best of breed is irrelevant. What is important is ‘best for YOUR environment’.
* I appreciate that we churn out the ‘people, process and technology’ truism all too often but time-and-time again the post-mortem of data breaches identifies systemic issues with user awareness, patch management and incident response processes!
What do we mean when we say ‘platform’?
If you ask Google, a platform is found at a train station, on a stage or on the feet of Noddy Holder. Google’s missing a trick, where is the mention of a security platform?
Not quite a Googlewhack but I couldn’t find a definition of a security platform that I felt suitably articulated my interpretation. So, I decided to write one (as you do):
A security platform is a cohesive, set of capabilities brought together to deliver an integrated, centrally-managed set of building blocks for the protection of users and their data from cyber-attack.
So I need a single platform?
No. One ring may rule them all but security platforms come in different shapes and sizes; platforms should be considered to deliver a defined set of capabilities. There are no silver bullets in security and despite what some people may tell you, no vendor can solve all of your security headaches!
It is imperatively important that all of your platforms are interoperable and that they should provide flexibility of components to avoid vendor-lock and provide extensibility in light of the ever-changing cyber threat landscape. For example, take Zscaler. We are an Internet and Cloud Application Security Platform. Do we do Identity? No. Do we provide a SIEM? No. We identify the importance of these solutions and ensure we can integrate with them.
The characteristics of a true platform
I say ‘true platform’ because I hear the term ‘security platform’ these days as often as ‘Advanced Persistent Threat’ a few years ago. Single-vendor solutions and single-platform solutions are not always the same thing and it’s the latter I’d advocate. A true security platform must be:
Modular: Can we select components based on our risk posture and threat landscape?
Centralised: Do we have a centralised management plane? Am I required to maintain multiple logins for each capability? Does the platform protect my users irrespective of their location and device?
Interoperable: It’s no good if your platforms cannot work harmoniously. A strong cyber security strategy identifies the need to prevent, detect and remediate cyber attacks – our security services need to exchange information (logs, indicators of compromise, etc) to facilitate this approach.
Cost-effective: Strong security is no good if it isn’t cost-effective. If our security controls cost more than value of the data their protecting, there’s a problem. Your security platforms should lower your total cost of ownership when compared to point-based solutions.
Efficient: Efficiency is key, without it we cannot scale. Platforms should be designed ground-up as platforms. Solutions that do not follow this approach suffer from performance degradation as additional services and capabilities are switched on. This isn’t a true platform.
I’ve lost count of the times I’ve sat with a vendor and been ‘sold’ their platform approach to security only to discover a collection of point products, incorporated into a product suite through acquisition and very little integrated capability. The appearance of a platform is achieved through the concept of a service chain that becomes exponentially more burdensome as additional features are added to the platform. We often say that ‘security is a trade off’ and in that we mean that there is a balancing act of usability / business need and an appropriate level of security. I agree but this is where the tradeoffs should end. We shouldn’t compromise on security capability simply because our appliances cannot support the performance required to provide a consistent and secure user experience.
Let’s spend more time focusing on the strategic goals of our organisations and less time on our technology beauty parades. Let’s support business objectives and deliver ‘best-of-breed’ platforms NOT a component-level view of what is ‘best’. We need platforms to deliver value to the business and confidence to our customers. The threat landscape is continually evolving and this game of cyber cat-and-mouse is hard enough without additional integration and visibility concerns brought-about through fragmented architecture.