CyberWire Daily - Security platforms vs best of breed point products: What should you deploy? [CyberWire-X]
Episode Date: January 31, 2021
For 20 years, the cybersecurity practitioner's go-to move when confronted with a new risk or compliance requirement has been to install a technical tool somewhere in the security stack to cover it. Over time, the number of tools that the infosec team has to manage has slowly grown. With the advent of bring-your-own device to the workplace, CIOs choosing SaaS applications to do work that has been traditionally handled in the data center, and organizations rushing to deploy their services into hybrid cloud environments, the number of individual data islands where company material information is routinely stored and must be covered by the security stack has increased. The complexity of this situation is immense. Two strategies have emerged to address this problem. The first is to continue down the path of installing more technical tools in each data island to cover the risk and having the infosec team manually process the telemetry of all the security devices with bigger teams and helper automation tools like SOAR platforms and SIEM databases. The second strategy is to choose a security vendor's platform that performs most of the security tasks on all the data islands but now makes the organization reliant on a single point of failure. Joining Rick Howard from the CyberWire's Hash Table group of experts to consider the matter are Mike Higgins from Haven Health and Greg Notch from the National Hockey League, and later in the show, Rick speaks with Lior Div of Cybereason, who gives their point of view on this debate.
Transcript
You're listening to the CyberWire's Chief Security Officer and Senior Analyst. Today's episode asks the question, security platforms versus best-of-breed
point products. What should you deploy? From the beginning of the cybersecurity era, say early
1990s, security practitioners have mostly picked best-of-breed point products to deploy in their
environments. Over time, as the number of security tools
we all managed continued to grow, the complexity of those environments also grew,
to the point where the process has become so difficult to control that we might not be getting
the best performance for our best-of-breed solutions. Big security vendors like Check Point,
Cisco, Fortinet, and Palo Alto Networks offered security platforms that performed the bulk of the security tasks in one device.
This reduced the complexity, but the individual services run from the platforms were probably not best of breed, at least for some of the services.
The question we will try to answer today is, which path should security practitioners take?
Stay the course with best-of-breed point products, change over to a prevention platform, or adopt some hybrid of both? In the first part, we'll hear from Mike Higgins, the CISO for Haven Health, and Greg Notch, the CISO for the National Hockey League. And in the second part, we'll hear from our show sponsor, Lior Div, the CEO for Cybereason, for his point of view.
If you're a defender fighting to protect your organization from the dark forces of cyber attackers, it might seem like the bad guys have the advantage.
To win, they only
need to be successful once. As a cyber defender, you must be successful in ending attacks every
single time. Cybereason reverses the attacker's advantage by putting the power back in your hands.
Their future-ready attack platform gives defenders the wisdom to uncover, understand, and piece
together multiple threats.
And the precision focus to end cyber attacks instantly on computers, mobile devices, servers, and the cloud.
Wherever your organization's data is being threatened,
Cybereason is ready to win the battle against cyber attacks with you and for you.
Join them and the world's leading companies.
Together, they are the defenders.
Cybereason. End cyber attacks from endpoints to everywhere and learn more at cybereason.com/cyberwire.
For the past 10 years, I've been railing against the standard practice of
choosing best in breed tools for my security stack. When I was just starting out, call it the mid-1990s, we only had three tools to choose from, a firewall, an intrusion detection
system, and an antivirus application. We could afford to be choosy. But since around 2010,
the number of tools InfoSec professionals manage in their security stacks ranges anywhere from 3 to
300, depending on the organization's size. I started to realize
that we made our security environments way too complex. It was difficult to keep all those tools
up to date. And if you cornered most CISOs at a bar at some security conference somewhere,
they would admit that for the tools they have deployed, they're only using about 30% capacity
for each because they just don't have the resources to keep them completely
deployed. We all essentially had the security equivalent of Ferraris and Porsches deployed in
our security stack, but most of them were idling in the driveway and had never been taken out for
a spin. Mike Higgins is the Haven Health CISO and one of the CyberWire's hash table subject matter
experts. He offered this as an explanation. We're accretive. We, you know, when people got rid of, got their firewalls, they didn't get rid
of their firewalls when they got IDS. They didn't get rid of that IDS when they got next-gen network
protection. They didn't get rid of next-gen protection when they came up with machine
learning AI protection. You know, you just, you just add another tool on top of it within the
environment. That's how most companies work.
That's why they end up with 100 tools, 200 tools within their environments, because you just don't retire things.
If you don't have the staff, complexity will kill you.
Greg Notch is the National Hockey League CISO, and he's also one of the CyberWire's hash table subject matter experts.
He agrees with Mike.
The first time I took the CISO role, someone said, well, every tool you buy, you need one and a half to two bodies.
via an API by some applications I run in Amazon,
which is a, I mean, I can list three scenarios in our environment that have that sort of thing.
You're like, well, all right, where's my data?
It's like, you know, this three-card Monte scenario.
And they're actually just,
they candidly aren't tools that manage that sort of stuff.
And it happens all the time.
This sounds like a problem that DevSecOps can fix.
Can we automate our way out
of this complexity? Here's Mike, the Haven Health CISO. It's a nice theory. It's a nice thought
process, but I still think it's years away from implementation. I haven't seen a really, really
good, robust DevOps setup yet. Greg has been very interested in SOAR tools to help him with this
DevSecOps process, but he doesn't think they are quite there yet. You know, I remember seeing the SOAR tools. I was
like, that's exactly what I need. And like, so does that mean that I can just leave all of the data
from all of my security tools in situ and whatever tool they came from, and then just query across
that? And they were like, well, not really. I was like, okay, well, give me some use cases of a SOAR
tool. And everybody gives you the like, oh, you can forward a spam email
to it and it'll like break out and give you all the IOCs from that and tell you, I'm like,
okay, but how about some more? If you run your own SOC, I think a SOAR is an amazing
tool, right? Like that's just straight up money, money in the bank. It's saving you
on headcount. Like it's saving you on management overhead, like I got it. But if you're not running a SOC, a SOAR tool is of somewhat more limited utility and there's so much
promise to that kind of automation that I'm like hoping the next iteration of that brings forth.
The security industry solution to this complexity problem was the orchestration platform. These
products did the bulk of the security task in one box that those 300 point
products did, and at the same time reduced the complexity involved in managing all of them.
That was the good news. The bad news was that those platform services were probably not best
in breed, at least not for all the services offered by the platform. The debate among
security practitioners is this. Can a security platform handle the bulk of your security needs,
even if the tools aren't best in breed? Are the services offered good enough? Here's Greg again,
the National Hockey League CISO. Good enough is good enough, especially when you're talking about
commoditized stuff like, you know, antivirus, right? Like, I mean, you can pick whichever
vendor you want, as long as you have something.
It's credible.
And I'd say that's particularly true for more compliant technologies that are solving compliance problems and not real acute security technology problems.
There are plenty of reasons why platforms don't work in every situation.
Here's Mike, the Haven Health CISO.
A single tool, I'm not 100% convinced is the right answer. And most single tool solution sets, companies have had extreme problems over
time. So, you know, I'm more of a point person solution, you know, going forward. And I've been
that way for a while. The platform solutions that are out
there that are really, truly robust, I mean, there's a bunch of them out there that are trying
to be, you know, one thing for everybody, is that what you have is, I believe, is what you have is
you have a core product that started and then they just started, it's like a farmhouse, right? They
just started adding rooms on this stuff and they've just started making the product more robust,
but it's all through additional acquisitions, trying to do some integration. And nobody does it to my level that I've seen extremely well that I think I could do it all with one fell swoop.
It's got to be defense in depth. It can't be just put in one line of defense and they're going to
do it all for me. It just doesn't, I don't see that as being an effective defense strategy.
A single source solution, I don't think is robust as the defense in depth concepts around having point solutions.
It's just, I haven't seen it yet.
According to Greg, the platforms haven't quite figured out how to do SaaS applications yet either.
It hasn't gotten the SaaS part right.
Like it isn't giving me, it isn't a CASB.
It isn't giving me visibility into how my users interact with Office 365, for example.
Like it doesn't let me write policies about that or say, hey, let these guys use Dropbox
or let these guys, like it's still missing a few pieces to be, right now there's the glue is missing.
But Greg also believes that where it makes sense
to deploy a platform,
the reduction in complexity is worth it.
The way that you buy tools isn't,
it isn't like I bought a Palo Alto firewall
and it's on the edge of my network
and now I need several people to manage it.
It's I'm consuming some of these security technologies
as a service from a vendor.
And so that, you know, reduces the headcount need somewhat. So things that are plugging into my AWS environment, there's a little bit less body to manage there. It's not zero, but it's less.
I have consistent policy with, you know, endpoints that are roaming around the world,
and I have consistent policy. It's the same when they're in the office.
The consensus then is that most medium to large scale organizations will deploy a hybrid approach.
It is a little bit more of a hybrid approach.
It is getting the complexity that you get with having single point solutions, best of breed,
but it's picking major vendors for a specific range of solutions. Looking at a hybrid solution, saying, OK, this is my guy for network.
This is my guy for endpoint.
This is my guy for testing.
This is, you know, look at the solutions from that standpoint versus, you know, all I got to do is go out and sign one contract with Symantec and I'm done and I can just go home and sleep soundly.
If your firewall can handle 80 percent of the attacks, keep it in place.
Let the IDS just handle the 20.
And then let the next generation of network protection handle the 1%.
Greg suggests a hybrid approach because the platforms are always going to lag behind point products in terms of new capabilities.
But I don't see a way, at least until security tools mature significantly more than they have already, for there not to be at least a smattering of point products involved,
or at least the newfangled, you know,
gizmo vendors, right?
What you're hoping is that they either mature and you start having addition through subtraction
of other tools.
So, you know, they either build out a,
they build out more of their capabilities
or they get bought and rolled up.
As a best practice,
we might use platforms
for the mature meat and potatoes security products
and best of breed point products
for newer security products
that the platforms haven't made available yet.
I asked both Mike and Greg about what they would expect to find
in a meat and potatoes security platform.
I think endpoint antivirus,
why it even exists, something called antivirus anymore,
I'm not too sure.
You know, it's like the next generation antivirus or whatever,
the AI, those are trusted
tools and they need to be out there as well. But, you know, the IDS systems, the firewall systems,
for sure in there. On a network level or on a cloud level, there's probably a couple tools
out in the cloud level that are also maybe adding in identity management.
I need visibility on the endpoint.
I need some sort of, whether it actually lives on the endpoint or not,
I need some understanding of what's happening on that endpoint.
I need some understanding of what's happening on my network,
be that my on-prem server farm or my AWS network.
Same sort of EDR or visibility on server infrastructure and the underlying platforms that service
that, whether it's VMware, AWS, or GCP, or Azure.
I need control plane view of that.
I need some prevention tools like an antivirus.
I need some firewall prevention stuff.
Preferably, my firewalls would be application aware so I can set policies about how stuff, not only what ports they go to, but what applications they're speaking.
I need some way to manage those tools and collect the data from them and from all of the workloads and look across them.
I need configuration management security tooling like, hey, validate that my Windows environment is
somewhat correct. Validate that my AWS environment is somewhat correct. My Unix server farm has a
consistent state and its configuration is auditable. My containers have some sort of security processing.
Both Mike and Greg say that the size of the organization might dictate the use of platforms or not.
Here's Mike.
I used to think back in the day that one size fits all type of vendor was the way to go.
Because all you needed was to have some security.
Because the bad guys,
it was just the statistics play with them, right? They were just looking for an opening and they
were attacking wherever they found an opening. So having just a little bit of security was good
enough. And I think most small size, midsize companies still don't have any real security.
They just have that one type of solution set, either endpoint
solutions for themselves or maybe some network protection, but they've really reduced the
complexity and they're not running robust security sets. In a large company, you've got so many
ingress and egress points. You have so much risk in the company. I think the best of breed solution
is the way to go. Especially best of breed when
you're using defense in-depth solutions. The answer is bifurcated between the two.
I think it depends on the size of your organization first and foremost, right? If you're a very small
company, you're going to want a platform. Even, you know, I would consider us a mid-sized company
and, you know, the platform is the way to go, assuming it meets your needs.
As you move up the scale from a small company to a really big company, you'll want your table stake stuff, network monitoring, EDR, that kind of stuff.
You want to consolidate all of that to a platform.
So that's what we got from Mike and Greg sitting around the hash table. Let's move on to the second part of the show in my conversation with Lior Div from Cybereason, our show's sponsor.
Lior, can you set the table for us? What problems do security platforms solve that we can't already solve with a host of other security point products already on the market?
cybersecurity. In the cybersecurity world, there is an adversary behind the scenes that is basically trying to manipulate everything that we put in front of them. A new approach and a
new mindset is needed. And basically, in order to stop this type of hackers, because
if we're going to keep using the same approach, they will have the upper hand.
So tell me what that new mindset is.
Yeah, the Cybereason platform is taking the approach,
we call it the operation-centric approach.
Meaning instead of thinking about which type of logs we are collecting
or which type of viruses we can stop,
basically we think about it as we need to stop hackers.
We need to understand what they are doing and how they're doing it.
We need to be able to monitor every step that they are doing inside any network and be able
to say first, hey, there is a hacking activity inside this network.
And on top of that, to be able to really identify each and every one of the steps that the hackers
are doing and when the time is right to prevent them from achieving their goals
and basically stop them while they're trying to do it.
This method enables us to find and stop the most sophisticated attack that exists right now.
One of the examples, and it's a great example,
is the SolarWinds situation, when the hackers basically assumed
that they can bypass any security measure
that exists out there.
And in our case,
because we're leveraging behavior analytics
and the operation-centric approach,
we managed to say,
hey, right now there is a hacking activity
going on in this company
and prevent the hackers from deploying
their malware and executing it.
So the platform approach essentially puts together a bunch of security tools that traditionally
have been sold individually as single point products.
And what I hear you saying about the SolarWinds attack is that you can combine these services
to look for abnormal behavior and maybe have been successful against the SolarWinds attack.
Yes, absolutely. Think about it.
In the past, what you needed to do, you needed to install something on your computer
in order to prevent basically malware or viruses.
You need to collect logs. You need to put all of them into a SIEM product, then to put very, very smart people in front of the computer
to write rules and to hope that when the right alert will come, they will be in front of the
computer, really be ready to understand and investigate what's going on and to start and
conduct a full investigation. This is kind of the alert-centric approach. Basically, we're doing
all of those things for our customers automatically. So we know how to stop things on the
endpoint, specifically, for example, ransomware and different type of activities. We know how to collect the data in real time, unfiltered.
And more importantly, we know how to make a decision out of the massive amount of data that we collected
in order to say, hey, right now there is a malicious operation going on inside your organization.
We collected all the necessary information, correlated it, and stopped the hackers from doing whatever they tried to do.
So you're really talking about orchestration here.
You know, when I started doing this back in the 90s, we only had three tools.
You know, we all had a firewall.
We all had an intrusion detection system and we all had an antivirus.
And we could manage those three things pretty easily.
But, you know, in the last 10 years, the number
of security tools that people like me have to deploy ranges anywhere from five to 300,
depending on your size. That's just managing, you know, independent point products.
Yeah, absolutely. I think that a platform point of view and the ability to correlate
the data and to stop attack in real time, give the power,
I call it, give the power back to the defenders. Because even in orchestration, you need to be
very, very smart to know which type of data you want to orchestrate and which type of data is more
important. In the past, people were talking about the kill chain, basically the different steps that the hackers can do.
Then that thing basically evolved to what MITRE is doing today.
And they try to map more of the kill chain into more steps.
We're basically saying, look, we want to meet the hackers where they are.
We don't just want to follow a very specific one. So needless to say
that we are following the kill chain method and we are following the MITRE kill chain, but there
is many, many other things that the hackers can do and are doing that are not mapped to those
basically platform. So basically we collect and analyze every activity that the hackers can do, the benign and the malicious activity.
So we're not judging the data in advance.
We just collect everything.
And in real time, we can make those decisions.
And if something becomes malicious, then we can go back in time and say, hey, this type of activity that at the beginning looked very benign, now it has become part of the malicious operation
because the hacker is starting to leverage it.
This is exactly what's happened in the SolarWinds situation.
In the SolarWinds situation, the hackers basically injected a DLL
that looked benign because it didn't do anything,
it was signed and it looked okay.
Then after triggering this DLL,
it started to communicate,
kind of in a semi-benign way, to the outside.
But then it downloaded a payload,
and from that point it became super malicious.
So our software knows how to track that thing
from the beginning to the end,
from the time that it was fully benign
all the way to the point that it's become malicious.
But the important thing,
we can tailor the operation that this DLL did
all the way back to the point of time
that it was installed and say,
hey, it's become malicious over time,
and this is the operation-centric approach.
And that's the reason that we decide that that thing is basically malicious,
and this is the reason that we are going to stop it.
And from now on, every time that we will see it, we will stop it.
So we don't need to do kind of the assessment again.
So to your point, though, if I was trying to do this with the traditional model, which
is, you know, a handful of point products, I'd have to do all that work myself.
I'd have to have a high-end incident response team tracking all that telemetry across all
those point products just to decide what to do.
And then they'd have to work their way back through them to make the changes to those point products in order to have some effect.
What I think you're saying is that platform approach takes the complexity out of that
and makes it easier for people like me to defend my organization.
Absolutely. Basically, the traditional approach, the user of the systems needs to do a lot of work and needs to be there all the time.
What hackers understood is that people cannot be in front of the system all the time.
They cannot respond to all the alerts all the time.
So with the alert-centric approach, what you do when you're a hacker, you're just making sure that either you're super quiet or you're creating so much noise that the human being will not be able
to deal with it. So to make it simple, we just automate the whole process that the human being
needed to do. And then we do it at scale on every machine, on every process, on every connection that's happening on a massive, big organization.
This is really kind of changing the position of the defenders to have the upper hand against those hackers.
So let's talk about that, right?
Because in today's really complex environments, organizations have data scattered across multiple data islands.
We're still on-prem. We still have data in data centers. But now, in many cases,
we have company data on employee-owned devices like phones and tablets and laptops,
and not to mention cloud deployments in one or more commercial clouds. And that doesn't even
begin to talk about all the SaaS applications that we all have now. How does a security platform help? Can you tie into all that? Do you have a complete view
of my organization? Yeah. So the way that we tackle it, and we're a big believer that you
have to see the full attack surface. You cannot just focus on your Windows machine or Linux machine. You need to have one
point, one place that has the bird's eye view that see all of them and can correlate all the data
that's happening in all of them in real time. So today we know how to basically protect and
collect data all the way from Windows, you know, all the way from XP, like all the way
back, all the way to the Windows servers, Linux, different types of Linux, all the way, you know,
to your iPhone or to your Android, very important to your cloud container, cloud server or cloud
workload. So basically any processing power that the company has
that can process data for them or store data for them,
we know how to monitor in real time.
So it's going to be some combination of your platform
plus other kinds of point products.
And then we have to deploy them, maintain them,
and monitor the telemetry coming
off of them. I think the only way we can manage all that complexity is through some sort of
automation in the form of SOAR or some other general purpose DevSecOps tools. How does
the platform plug into all that so that you don't miss anything?
We're trying to basically detect
and to do the heavy lifting
as much as possible.
Because at the end of the day,
it's not just about which data
that you are tapping into.
It's what you're doing with this data.
And can you make decision in real time,
basically transform data
into actionable intelligence
that you can act upon?
So I think that it's not just about correlating the data.
It is about the ability to make smart decisions in real time in order to protect our organization.
Because today, hackers moved, if in the past it was between, you know, 100 days of attack
and then it's become 60 days and then it become 30 days.
I think that in 2020, we saw that hackers shrank the time to attack, and specifically when it comes to ransomware attacks, to between two to five days.
So they acting very rapidly.
And if you don't have this ability to really analyze in real time and make decisions and respond in real time, the
time to respond will be just endless.
Lior, does the size of an organization impact the kinds of customers that can use a security
platform?
In other words, is a security platform better suited for, say, a small to medium-sized organization
who don't have a lot of staff or money? Or as opposed to like Fortune 500 companies that have relatively infinite resources?
Does it matter what size you are?
Yeah, I think that it used to matter in the past.
But today, the cybersecurity phenomena, it's become just so massive.
And everybody becomes a target.
So in the past, it was like big banks that needed to protect themselves.
But today, think about it, schools that are getting hit by ransomware or hospitals that are getting hit by ransomware.
And then, you know, it's a life and death situation in many cases.
So it's become, after 10 years, the cybersecurity phenomena has become a problem of everybody, not just a small organization. It's really
the full spectrum of organizations. So it's not just about the small organization, it's about the
big organization as well. Needless to say that the big organization usually have a better funding,
better kind of, they can hire more people, but usually the footprint that they need to protect
is just bigger, and the problem that they need to deal with is just bigger.
So this is kind of where we come to play and help them as well.
All good stuff, Lior.
Before I let you go, any final thoughts about this discussion?
Absolutely.
I think that 2021 is going to be a very, very interesting year. I think that in 2020, we saw the rise or revival of ransomware in a very, very active kind of year.
I believe that 2021 will be active as well.
We saw kind of an uplift of three times more attack in 2020.
And I believe that hackers have a bigger appetite right now.
And this is needless to say,
without talking about, you know,
the different government attack group that exists out there,
that we almost have kind of a cold war
between the US and, you know, Russia and China.
So I believe that 2021 is going to be super interesting.
And, you know, our job as defenders is to make sure that we reverse the adversary advantage every day.
Our thanks to Mike Higgins from Haven Health and Greg Notch from the National Hockey League for sharing their expertise.
And to Cybereason's Lior Div, for providing his insights
and for sponsoring this program.
CyberWire-X is a production of the CyberWire
and is proudly produced in Maryland
at the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity startups and technologies.
Our coordinating producer is Jennifer Eiben,
and our executive editor is Peter Kilpe.
I'm Rick Howard.
Thanks for listening.