Sometimes the cybersecurity tech industry is its own worst enemy



One of the fundamental infosec problems facing most organizations is that strong cybersecurity depends on an army of disconnected tools and technologies. That’s nothing new — we’ve been talking about this for years. But it’s still omnipresent.

Take cyber risk management for example. To be clear, I’m talking about identifying threats and vulnerabilities to a digital infrastructure and then taking the right risk-mitigation actions.

At any reasonably sized organization, cyber-risk management could easily include a boatload of technologies including attack surface management (ASM), vulnerability management (VM), cloud security posture management (CSPM), cyber-threat intelligence (CTI) feeds, configuration management databases (CMDBs), penetration tests, red teaming tools, and more.

The cybersecurity platform model has limitations

Security technology vendors recognize this pervasive problem and propose a number of solutions. First (and most attractive to the vendors) is the notion of the platform. Under this model, companies simply buy everything from one vendor and let them do the integration work on their behalf. That sounds attractive and platforms may work for smaller organizations, but I see real limitations for larger enterprises.

To a large enterprise, “platform” is a code word for vendor lock-in, something organizations tend to avoid. Okay, but let’s say an organization was platform-curious. It could also take many months or years for a large organization to migrate from distributed tools to a central platform. Given this, platform vendors need to convince a lot of different people that the effort will be worth it — a tall task with skeptical cybersecurity professionals.

I believe the threat landscape and associated security requirement changes will always outpace platform functionality. How will organizations bridge these gaps? With additional point tools engineered for specific use cases of course.

Relying on APIs to integrate security is a mistake

Let’s face it, large enterprises with complex IT infrastructures and application environments probably won’t address their security needs with “inch-deep and mile-wide” security technology platforms. What will they do instead?

Fear not, for the security technology industry has another arrow in its quiver — application programming interfaces (APIs). Disparate technologies can interoperate by connecting via their APIs, thus cybersecurity harmony reigns supreme, right?

Wrong! In theory, API connectivity sounds good, but it is extremely limited in practice. For it to work well, vendors have to open their APIs to other vendors. Sometimes they do, opening some APIs but not others; sometimes they refuse outright. Even if they open their APIs, there are still problems.

Suppose a customer wants their vulnerability management vendor to integrate with endpoint detection and response (EDR) tools, and they have a mix of CrowdStrike, SentinelOne, and Trend Micro EDR installed. The VM vendor would then need to work with all three vendors and integrate with three different API sets. Lots of work for a common goal.

Cybersecurity technology has a connector problem

As I see it, cybersecurity technology at large has a fundamental connector problem that boils down to an industry conflict between altruism and capitalism. Unfortunately for all of us, capitalism is winning by a large margin as vendors protect their technologies for competitive advantage.

Some vendors may win the battle, but we are losing the war by making cybersecurity a lot harder than it could be. Want an example? As I understand it, none of the major vulnerability scanners will ingest data directly from competing scanners. So, if you happen to have a variety of scanners in your environment, you are on your own to integrate the data as part of your risk-mitigation mission, even though each scanner performs the same basic functions. More unnecessary work.

How to fix the cyber industry disconnect

What could be done to fix this problem? We need to take an open architectural approach à la ESG’s security operations and analytics platform architecture (SOAPA) or Gartner’s cybersecurity mesh architecture (CSMA). These architectures depend upon the creation of, and agreement on, some open standards, including:

  1. A data format standard. I’m encouraged by the Open Cybersecurity Schema Framework (OCSF), but it was a long time coming and too many vendors haven’t joined the effort. I’d like to see more acceptance and more progress.
  2. Standard APIs. There’s no reason why you need to speak multiple languages to connect with different tools in the same technology category. Vendors in each area, or some central governance/engineering body, should help create and manage these projects.
  3. Standards for remediation actions. If I want to block an indicator of compromise or generate a virtual patch as a compensating control, I need to be able to communicate with all flavors of endpoint security software, firewalls, and IDS/IPS. There should be a single way to tell every security control to take this action. A few years ago, I was bullish on a standard called OpenC2 fulfilling this role. Hopefully, this is happening, but if it is, few know about it.

I know that standardization efforts can get messy and become engineering science projects. Okay, but I’d counter this argument by pointing to the STIX/TAXII standards, which provide a consistent way to describe and communicate threat intelligence details. In this way, STIX/TAXII improved the efficacy and efficiency of threat intelligence analysis and subsequent risk-mitigation actions.
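To make items 1 and 3 above and the STIX/TAXII point concrete, here is an added example (not code from the article or from any of the projects it names): a small adapter that reads constructed STIX 2.1 indicators, normalizes each into one vendor-neutral deny command shaped after OpenC2's action/target layout, and renders that single command for two hypothetical controls. The sample indicators, the `ipv4_net`/`domain_name` target keys and both control formats are assumptions made for this example.

```python
import json
import re

# Constructed STIX 2.1 indicators (sample data made up for this example).
STIX_OBJECTS = [
    {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
     "id": "indicator--11111111-1111-4111-8111-111111111111",
     "pattern": "[ipv4-addr:value = '203.0.113.7']"},
    {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
     "id": "indicator--22222222-2222-4222-8222-222222222222",
     "pattern": "[domain-name:value = 'malware.example']"},
    {"type": "malware", "spec_version": "2.1",
     "id": "malware--33333333-3333-4333-8333-333333333333",
     "name": "not an indicator, so the adapter must skip it"},
]

# Only a single ipv4-addr or domain-name comparison is accepted; compound
# patterns (AND/OR, other observables) are rejected rather than half-parsed.
_PATTERN = re.compile(r"^\[(ipv4-addr|domain-name):value\s*=\s*'([^']+)'\]$")

# STIX observable type -> target key in the neutral command (assumed mapping).
_TARGET_KEY = {"ipv4-addr": "ipv4_net", "domain-name": "domain_name"}


def to_deny_command(obj):
    """One STIX indicator -> one vendor-neutral deny command, or None."""
    if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
        return None
    match = _PATTERN.match(obj.get("pattern", ""))
    if not match:
        return None
    obs_type, value = match.groups()
    return {"action": "deny", "target": {_TARGET_KEY[obs_type]: value},
            "source_ref": obj["id"]}

def render_firewall(cmd):
    """Adapter for a hypothetical firewall that takes one-line deny rules."""
    (key, value), = cmd["target"].items()
    return f"deny {key} {value}"

def render_edr(cmd):
    """Adapter for a hypothetical EDR that takes JSON block-list entries."""
    (key, value), = cmd["target"].items()
    return json.dumps({"blocklist": {"kind": key, "value": value}}, sort_keys=True)

def fan_out(objects):
    """Normalize every indicator once, then render it for every control."""
    commands = [c for c in map(to_deny_command, objects) if c is not None]
    return [{"command": c, "firewall": render_firewall(c), "edr": render_edr(c)}
            for c in commands]
```

The point of the shape is that adding a fourth control means writing one more `render_*` adapter, not re-parsing the intelligence feed for every vendor.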

Who could drive a cybersecurity standards effort? A government agency or perhaps MITRE, ENISA, or some type of collaborative project. Large organizations in the financial services industry could get their security engineers together, develop some standards, and then issue a mandate to the industry.

I remember something called the Jericho Forum along these lines, focused on network security in the early 2000s. Finally, tech giants like Amazon, CrowdStrike, Microsoft, or Palo Alto Networks could lead the way and then lean on others to jump on the bandwagon.

In my humble opinion, this would be a win-win for the industry. With agreement on standard plumbing, vendors would be free to focus their resources and compete on features and functionality.

In 1972, the comic strip Pogo modified a famous quote from American naval commander Oliver Hazard Perry: “We have met the enemy, and he is us.”

Unfortunately, I believe this statement is true when it comes to the cybersecurity technology industry. Prioritizing capitalism over altruism makes cybersecurity a lot harder and puts us all at risk. It’s time we as a cybersecurity community put our heads together and demand cooperation. In an increasingly complex and dangerous world, our digital safety depends on it.