Managing Security Complexity: Automatic Orchestration through a Security Platform
By Rick Howard, CSO, Palo Alto Networks
The prevailing approach to cybersecurity, which is focused on detection and remediation, has proven inadequate for dealing with the rise in volume and sophistication of attacks organizations must now defend against. To keep pace with attackers, security teams routinely deploy 10-15 point products in their environments from different vendors in an attempt to institute security controls at each step in the lifecycle that an attacker must complete in order to successfully exfiltrate data. This has created a situation where there are too many tools for understaffed security teams to effectively manage, resulting in reduced security posture and increased total cost of ownership. The difficulty of managing all these point products increases as each product is essentially bought four times. For example:
1. An organization has to buy the point product.
2. The organization has to hire (buy) a person who can maintain the point product.
3. Then they need to hire (buy) a person who understands the data coming out of the point product.
4. Finally, they need to hire (buy) someone who can stitch the data from all of their point products into something coherent in order to drive some sort of preventive action.
This is hard to do, time consuming, and expensive. The result is that many of the deployed tools are poorly maintained, never fully up-to-date with the latest security intelligence, and rarely produce a coherent set of data that can be used to achieve a secure outcome.
Too Much Complexity for Security
There is a rule of thumb among cybersecurity experts that complexity is the worst enemy of security. Unfortunately, with the proliferation of deployed point products, the security architecture for the enterprise became exponentially more complicated, and attackers love complexity. The more complex environments are, the easier it is for security teams to make a mistake in the deployment.
Too Much Wasted Time
Organizations with an extensive environment of point products have found themselves within an infinite loop of security vendor assessment. Many believe that they not only need to deploy security controls across the attack lifecycle, but that they also need the “best-of-breed” for each class of control. To accomplish this, they arrange head-to-head competitions that take months to coordinate for every point product class that they own or plan to add to their environment.
When organizations only had three or four security tools deployed, with product lifecycles between two and five years, this worked out to roughly one assessment per year. But with the proliferation of security tools, organizations now have 10-15 controls deployed in their networks. Instead of maintaining and orchestrating tools to improve security posture, organizations are continuously expending resources to evaluate up to four security point products a year and manage the churn associated with replacing products.
Too Inefficient Crossing the Last Mile
Finally, the lack of integration among the multiple point products deployed across an enterprise limits their effectiveness in preventing attackers from attaining their goals. At a basic level, the effectiveness of a security product is a function of the intelligence on malicious activity that it has access to. One source of such intelligence is the set of markers that attackers leave in their wake as they crawl through a target organization’s networks, known as indicators of compromise, or IOCs, which security vendors and independent researchers constantly seek out. Once found, vendors convert them into prevention controls that they share with their customers.
The challenge then becomes what is known as “crossing the last mile” with this information. Once received, organizations must operationalize new intelligence as quickly as possible. This becomes a substantial management challenge when attempting to deploy and track new intelligence across 10-15 different security products from multiple vendors. In some cases, it may take days, weeks, or even months to get the right security controls fully disseminated, all the while leaving organizations vulnerable.
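The "last mile" described above is, in practice, a data-handling problem: every new indicator has to be validated, deduplicated, pushed to each product that can actually enforce it, and tracked so the team knows where coverage is still missing. The following Python sketch is an added example, not code from the article or from any vendor's platform; the product adapters, their names and the indicator feed are constructed stand-ins, and the `push` method is a hypothetical placeholder for whatever management API a real product exposes. It shows the orchestration logic the article argues should be automatic, including the two failure modes a manual process tends to miss: malformed indicators that would otherwise be deployed as broken rules, and valid indicators that no deployed product can enforce.

```python
"""Added example: a minimal "last mile" IOC orchestrator.

Validates a constructed indicator feed, fans each indicator out to every
product adapter that can enforce that indicator type, and reports which
indicators were rejected and which have no enforcing product at all.
Product names, adapter behaviour and the feed are assumptions for
illustration, not any vendor's API or real threat data.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample feed; values are documentation placeholders, not real IOCs.
FEED = [
    {"type": "ipv4",   "value": "192.0.2.10"},
    {"type": "ipv4",   "value": "192.0.2.10"},               # exact duplicate
    {"type": "ipv4",   "value": "999.1.1.1"},                 # malformed address
    {"type": "domain", "value": "malware.example"},
    {"type": "domain", "value": "MALWARE.EXAMPLE"},           # duplicate after normalisation
    {"type": "sha256", "value": "a" * 64},
    {"type": "sha256", "value": "xyz"},                       # malformed hash
    {"type": "url",    "value": "http://malware.example/x"},  # no deployed product enforces URLs
]

_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
_SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def normalise(ioc):
    """Return (type, canonical value), or None if the indicator is malformed."""
    kind = ioc.get("type")
    value = str(ioc.get("value", "")).strip()
    if kind == "ipv4":
        try:
            return kind, str(ipaddress.IPv4Address(value))
        except ValueError:
            return None
    if kind == "domain":
        value = value.lower().rstrip(".")
        return (kind, value) if _DOMAIN_RE.match(value) else None
    if kind == "sha256":
        value = value.lower()
        return (kind, value) if _SHA256_RE.match(value) else None
    if kind == "url":
        return (kind, value) if value.startswith(("http://", "https://")) else None
    return None


@dataclass
class ProductAdapter:
    """Hypothetical stand-in for one point product's management API."""
    name: str
    supported_types: frozenset
    blocklist: set = field(default_factory=set)

    def push(self, kind, value):
        """Deploy one indicator; True if this product can enforce that type."""
        if kind not in self.supported_types:
            return False
        self.blocklist.add((kind, value))
        return True


def orchestrate(feed, adapters):
    """Validate, deduplicate and fan out a feed; return a coverage report.

    Report keys: "rejected" (count of malformed entries), "deployed"
    (indicator -> list of products that accepted it) and "gaps"
    (valid indicators that no deployed product could enforce).
    """
    rejected = 0
    unique, seen = [], set()
    for raw in feed:
        norm = normalise(raw)
        if norm is None:
            rejected += 1          # never push a broken rule downstream
            continue
        if norm not in seen:
            seen.add(norm)
            unique.append(norm)

    deployed, gaps = {}, []
    for kind, value in unique:
        targets = [a.name for a in adapters if a.push(kind, value)]
        if targets:
            deployed[(kind, value)] = targets
        else:
            gaps.append((kind, value))   # coverage hole the team must know about
    return {"rejected": rejected, "deployed": deployed, "gaps": gaps}


def demo():
    """Run the constructed feed against three hypothetical products."""
    adapters = [
        ProductAdapter("firewall", frozenset({"ipv4", "domain"})),
        ProductAdapter("dns-filter", frozenset({"domain"})),
        ProductAdapter("endpoint", frozenset({"sha256"})),
    ]
    return orchestrate(FEED, adapters)


if __name__ == "__main__":
    report = demo()
    print("rejected:", report["rejected"])
    for ioc, products in report["deployed"].items():
        print(ioc, "->", ", ".join(products))
    print("gaps:", report["gaps"])
```

With the constructed feed, two entries are rejected as malformed, the duplicates collapse, the domain lands on both the firewall and the DNS filter, and the URL is reported as a gap because none of the three assumed products can enforce it. Replacing `ProductAdapter.push` with real API calls (and recording the timestamp of each successful push) is what turns the "days, weeks, or even months" of manual dissemination into something measurable.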
The Solution – Automatic Orchestration through a Security Platform
In the last three years, a new innovation has emerged from the security vendor community that addresses these problems: the security platform. It is an end-to-end system-of-systems where the deployment of security controls across the attack lifecycle is accomplished through natively integrated products built by one vendor. The platform contains most of the tools that network defenders have previously deployed separately from multiple vendors and manages the automatic deployment of prevention and detection controls to each step in the attack lifecycle.
While most of these new vendor platforms do not contain all of the tools that security teams might need, vendors have established unified partnership agreements to fill the holes in their proprietary systems. These agreements integrate systems by exchanging intelligence and making it easier for the network defender to orchestrate both products in tandem. All of these innovations add up to mutual benefits for the security teams.
Adopting a platform approach reduces the number of deployed products that security teams have to manage from 10-15 down to a handful: the platform itself and the partners associated with the platform. Even with the partner products, this approach is easier to manage compared to the old way of managing separately deployed best-of-breed solutions. This reduction in the number of independently deployed systems greatly simplifies organizational security architecture and reduces the attack surface that attackers can leverage.
Improved Operational and Financial Efficiency
The simplicity that the security platform offers also has another benefit: more efficient operations and deployment of financial resources. Choosing a single vendor with strong partner ties is counter to everything the network defender has been doing for the past 20 years. But once that decision is made, organizations can leverage it to simplify the buying process, as they will no longer need to sustain multiple assessments of every class of security product every year.
With a single vendor solution, security teams will be able to get closer to generating maximum potential from their security investments. Simplifying the orchestration of the last mile problem is no minor feature. Converting indicators of compromise into prevention controls is important, but deploying those new controls to existing systems is the gas that fuels the entire operation. Without an efficient way to do this, attackers will continue to run circles around their victim networks because the responsible security teams will be unable to move fast enough to counter them. Automatic orchestration is the key to crossing the last mile with any speed. The security platform from one vendor and associated tightly integrated partners is radically different from the prevailing vendor-in-depth approach. Change is required, but it is paradigm-breaking change, and CIOs must drive it from the top.