One of the fundamental infosec problems facing most organizations is that strong cybersecurity depends on an army of disconnected tools and technologies. That’s nothing new — we’ve been talking about this for years. But it’s still omnipresent.
Take cyber risk management for example. To be clear, I’m talking about identifying threats and vulnerabilities to a digital infrastructure and then taking the right risk-mitigation actions.
At any reasonably sized organization, cyber-risk management could easily include a boatload of technologies including attack surface management (ASM), vulnerability management (VM), cloud security posture management (CSPM), cyber-threat intelligence (CTI) feeds, configuration management databases (CMDBs), penetration tests, red teaming tools, and more.
The cybersecurity platform model has limitations
Security technology vendors recognize this pervasive problem and propose a number of solutions. First (and most attractive to the vendors) is the notion of the platform. Under this model, companies simply buy everything from one vendor and let them do the integration work on their behalf. That sounds attractive and platforms may work for smaller organizations, but I see real limitations for larger enterprises.
To a large enterprise, “platform” is a code word for vendor lock-in, something organizations tend to avoid. Okay, but let’s say an organization was platform curious. It could also take many months or years for a large organization to migrate from distributed tools to a central platform. Given this, platform vendors need to convince a lot of different people that the effort will be worth it — a tall task with skeptical cybersecurity professionals.
I believe the threat landscape and associated security requirement changes will always outpace platform functionality. How will organizations bridge these gaps? With additional point tools engineered for specific use cases of course.
Relying on APIs to integrate security is a mistake
Let’s face it, large enterprises with complex IT infrastructures and application environments probably won’t address their security needs with “inch-deep and mile-wide” security technology platforms. What will they do instead?
Fear not, for the security technology industry has another arrow in its quiver — application programming interfaces (APIs). Disparate technologies can interoperate by connecting via their APIs, thus cybersecurity harmony reigns supreme, right?
Wrong! In theory, API connectivity sounds good, but it is extremely limited in practice. For it to work well, vendors have to open their APIs to other vendors. Sometimes they do, opening some APIs and not others; sometimes they refuse to do so. Even if they open their APIs, there are still problems.
Suppose a customer wants their vulnerability management vendor to integrate with endpoint detection and response (EDR) tools, and they have a mix of CrowdStrike, SentinelOne, and Trend Micro EDR installed. The VM vendor would then need to work with all three vendors and integrate with three different API sets. Lots of work for a common goal.
Cybersecurity technology has a connector problem
How to fix the cyber industry disconnect
What could be done to fix this problem? We need to take an open architectural approach a la ESG’s security operations and analytics platform architecture (SOAPA) or Gartner’s cybersecurity mesh architecture (CSMA), and these architectures depend upon the creation and agreement on some open standards including:
- A data format standard. I’m encouraged by the Open Cybersecurity Schema Framework (OCSF), but it was a long time coming and too many vendors haven’t joined the effort. I’d like to see more acceptance and more progress.
- Standard APIs. There’s no reason why you need to speak multiple languages to connect with different tools in the same technology category. Vendors in each area, or some central governance/engineering body, should help create and manage these projects.
- Standards for remediation actions. If I want to block an indicator of compromise or generate a virtual patch as a compensating control, I need to be able to communicate with all flavors of endpoint security software, firewalls, and IDS/IPS systems. There should be a single way to tell every security control to take this action. A few years ago, I was bullish on a standard called OpenC2 fulfilling this role. Hopefully, this is happening, but if it is, few know about it.
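To make the three points above concrete, here is a small added example (not code from the article or from any vendor named in it) of the connector layer a VM or SOC team ends up writing today: three constructed EDR-style event payloads, each in its own invented shape, are normalized into one common record, and a single OpenC2-shaped "deny" command is derived from the result. The vendor payload formats are entirely made up and are not the real CrowdStrike, SentinelOne or Trend Micro APIs; the common record uses a handful of OCSF-like field names (`time`, `severity_id`) as an assumption, not the full OCSF schema; and the OpenC2 command is reduced to the `action`/`target`/`args` skeleton the language defines, with profile details omitted.

```python
"""Connector-layer sketch: three vendor shapes in, one common shape out,
one standard remediation command derived from it."""
from dataclasses import dataclass
from datetime import datetime, timezone
import json

# Constructed sample payloads describing the same detection on the same host.
# These are NOT real vendor API formats; they only stand in for
# "three tools, three incompatible shapes" (assumption for this example).
VENDOR_A_EVENT = {"ts": "2024-05-01T10:15:00Z", "host": "ws-042", "sev": "high",
                  "remote_ip": "203.0.113.7", "rule": "beacon-like traffic"}
VENDOR_B_EVENT = {"eventTime": 1714558500, "agent": {"hostname": "ws-042"},
                  "severityLevel": 3,
                  "indicators": [{"type": "ip", "value": "203.0.113.7"}],
                  "description": "beacon-like traffic"}
VENDOR_C_EVENT = {"time": "2024-05-01 10:15:00", "machine": "ws-042", "priority": 2,
                  "dst": "203.0.113.7", "title": "beacon-like traffic"}


@dataclass(frozen=True)
class CommonEvent:
    """Minimal common record. Field names loosely follow OCSF conventions
    (assumption: a real OCSF event carries many more required attributes)."""
    time: int          # epoch seconds (simplified; OCSF uses epoch milliseconds)
    hostname: str
    severity_id: int   # common scale: 1 low .. 4 critical
    dst_ip: str
    message: str


SEVERITY_WORDS = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def _utc_epoch(text, fmt):
    """Parse a naive timestamp string as UTC and return epoch seconds."""
    return int(datetime.strptime(text, fmt).replace(tzinfo=timezone.utc).timestamp())


def from_vendor_a(e):
    # Vendor A: ISO-8601 string, severity as a word, flat keys.
    return CommonEvent(_utc_epoch(e["ts"], "%Y-%m-%dT%H:%M:%SZ"), e["host"],
                       SEVERITY_WORDS[e["sev"]], e["remote_ip"], e["rule"])


def from_vendor_b(e):
    # Vendor B: epoch seconds, numeric severity, indicators as a typed list.
    ip = next(i["value"] for i in e["indicators"] if i["type"] == "ip")
    return CommonEvent(int(e["eventTime"]), e["agent"]["hostname"],
                       min(int(e["severityLevel"]), 4), ip, e["description"])


def from_vendor_c(e):
    # Vendor C: space-separated timestamp, and priority 1 is the MOST urgent,
    # so it must be inverted onto the common scale (1 -> 4, 4 -> 1).
    return CommonEvent(_utc_epoch(e["time"], "%Y-%m-%d %H:%M:%S"), e["machine"],
                       5 - int(e["priority"]), e["dst"], e["title"])


# One adapter per tool: this table is the "N connectors" the article describes.
ADAPTERS = {"vendor_a": from_vendor_a, "vendor_b": from_vendor_b, "vendor_c": from_vendor_c}


def normalize_all(batch):
    """batch: iterable of (vendor_name, raw_payload) -> list of CommonEvent."""
    return [ADAPTERS[vendor](payload) for vendor, payload in batch]


def openc2_deny_ip(ip):
    """Build one OpenC2-shaped 'deny' command for an IPv4 address. OpenC2 does
    define the 'deny' action and the 'ipv4_net' target; everything beyond this
    skeleton (actuator profiles, ids) is left out here (assumption)."""
    return {"action": "deny",
            "target": {"ipv4_net": f"{ip}/32"},
            "args": {"response_requested": "complete"}}


def deny_commands_for(events):
    """Emit one deny command per distinct destination IP seen across all tools,
    so every control receives the same instruction regardless of which EDR
    produced the detection."""
    return [openc2_deny_ip(ip) for ip in sorted({ev.dst_ip for ev in events})]


if __name__ == "__main__":
    events = normalize_all([("vendor_a", VENDOR_A_EVENT),
                            ("vendor_b", VENDOR_B_EVENT),
                            ("vendor_c", VENDOR_C_EVENT)])
    for ev in events:
        print(ev)
    print(json.dumps(deny_commands_for(events), indent=2))
```

The point the code makes is the arithmetic of the connector problem: every new tool adds another entry to `ADAPTERS`, and every one of those adapters has to get vendor-specific quirks right (here, a severity scale that runs the opposite way). With an agreed event schema on the producer side and an agreed action vocabulary on the consumer side, the adapter table disappears and only the last two functions remain.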