Security platforms vs best of breed point products: What should you deploy?

Rick Howard: Hey, everyone, and welcome to CyberWire-X, a series of specials where we highlight important security topics affecting the organizations around the world. I'm Rick Howard, the CyberWire's Chief Security Officer and Senior Analyst.

Rick Howard: Today's episode asks the question, 'Security Platforms versus Best-of-Breed Point Products - What Should You Deploy?' From the beginning of the cybersecurity era, say early 1990s, security practitioners have mostly picked best-of-breed point products to deploy in their environments. Over time, as the number of security tools we all manage continue to grow, the complexity of those environments also grew. To the point where the processes become so difficult to control, that we might not be getting the best performance for our best-of-breed solutions.

Rick Howard: Big security vendors like Check Point, Cisco, Fortinet and Palo Alto Networks, offered security platforms that performed the bulk of the security task in one device. This reduced the complexity, but the individual services run from the platforms, were probably not best-of-breed, at least for some of the services.

Rick Howard: The question we will try to answer today is, which path should security practitioners take? Stay the course with best-of-breed point products, change over to a prevention platform, or adopt some hybrid of both? One programming note, each CyberWire-X special features two segments. In the first part we'll hear from two CyberWire hashtable subject matter experts; Mike Higgins, the CISO for Haven Health and Greg Notch, the CISO for the National Hockey League. And in the second part we'll hear from our show's sponsor, Lior Div, the CEO for Cybereason, for his point of view.

Rick Howard: For the past ten years I've been railing against the standard practice of choosing best-in-breed tools for my security stack. When I was just starting out, call it the mid 1990s, we only had three tools to choose from; a firewall, an intrusion detection system, and an anti-virus application. We could afford to be choosy. But since around 2010 the number of tools infosec professionals manage in their security stacks range anywhere from three to 300, depending on the organization size. I started to realize that we made our security environments way too complex. It was difficult to keep all those tools up to date. And if you cornered most CISOs at a bar at some security conference somewhere, they would admit that for the tools they have deployed they're only using about 30% capacity for each, because they just don't have the resources to keep them completely deployed. We all essentially had the security equivalent of Ferraris and Porsches deployed in our security stack, but most of them were idling in the driveway and had never been taken out for a spin.

Rick Howard: Mike Higgins in the Haven Health CISO and one of the CyberWire's hashtable subject matter experts. He offered this an explanation.

Mike Higgins: We're accretive, when people got their firewalls they didn't get rid of their firewalls when they got IDS. They didn't get rid of the IDS when they get NexGen network protection. They didn't get rid NexGen protection when they came up with machine learning AI protection. You know, you just add another tool on top of it within the environment, that's how most companies work. That's why they end up with a 100 tools, 200 tools within their environments because you just don't retire things. If you don't have the staff, complexity will kill you.

Rick Howard: Greg Notch is the National Hockey League's CISO and he's also one of the CyberWire's hashtable subject matter experts. He agrees with Mike.

Greg Notch: The first time I had a CISO role, someone said, "Well, every tool you buy you need one and a half to two bodies." And it didn't make sense to me at that time but now it makes sense. My SAS platform actually reads from a database that I run on prem, and that thing is consumed via an API by some applications I run in Amazon. I mean I can list scenarios in our environment that have that sort of thing. You're like, "Well, all right, where's my data?" It's like, you know, this three-card monte scenario. And they're candidly aren't tools that manage that sort of stuff and it happens all the time.

Rick Howard: This sounds like a problem that DevSecOps can fix. Can we automate our way out of this complexity? Here's Mike, the Haven Health's CISO.

Mike Higgins: It's an nice theory, it's a nice thought process, but I still think it's years from implementation. I haven't seen a really, really good robust DevOps setup yet.

Rick Howard: Greg has been very interested in SOA tools that help him with his DevSecOps process. But he doesn't think they are quite there yet.

Greg Notch: You know, I remember seeing the SOA tools, I was like, "That's exactly what I need." And, so does that mean that I can just leave all of the data from all of my security tools in-situ and whatever tool they came from, and then just query across that? And they were like, "Well, not really." I was like, "Okay. Well, give me some use cases of a SOA tool." And everybody gives you the like, "Oh, you can forward a spam email to it and it will like break out and give you all the IOCs from that and tell you--" I'm like, "Okay. But how about some more?" If you run your own SOC,I think a SOA is an amazing tool, right? Like that's just straight up money, money in the bank. It's saving you on headcount. Like it's saving you on management overhead, like I got it. But if you're not running a SOC , a SOA tool is a somewhat more limited utility, and there's so much promise to that kind of automation that I'm like hoping the next iteration of that brings forth.

Rick Howard: The security industry solution to this complexity problem was the orchestration platform. These products did the bulk of the security tasks in one box that those 300 point products did. And at the same time, reduce the complexity involved in managing all of them. That was the good news. The bad news was, that those platform services were probably not best-in-breed, at least not for all the services offered by the platform. The debate amongst security practitioners is this; can a security platform handle the bulk of your security needs even if the tools aren't best-in-breed? Are the services offered good enough? Here's Greg again, the National Hockey League CISO.

Greg Notch: Good enough is good enough especially when you're talking about commoditized stuff like anti-virus, right? I mean, you could pick whichever vendor you want as long as you have something, you know, it's credible. And that, I'd say that's particularly true for more compliant, like technologies that are solving compliance problems and not real acute, security technology problems.

Rick Howard: There are plenty of reasons why platforms don't work in every situation. Here's Mike, the Haven Health CISO.

Mike Higgins: A single tool, I'm not 100% convinced this is the right answer. In most single tools solution sets, companies have had extreme problems over time, so, I'm more of a point person solution going forward, and I've been that way for a while. The platform solutions that are out there, that are really truly robust, I mean there's a bunch of them out there that are trying to be, one thing for-- I believe, is what you have is, you have a core product that started, and then they just started-- it's like a farmhouse, right? They just started adding rooms on this stuff, and they've just started making the product more robust, but it's all through additional acquisitions, trying to do some integration. And nobody does it, to my level that I've seen, extremely well, that I think I could do it all with one fail swoop. It's got to be defense in-depth. It can't be just put in one line of defense and they're going to do it all for me. I don't see that as being an effective defense strategy. A single source solution, I don't think is robust as the defense in-depth concepts around having point solutions. I haven't seen it yet.

Rick Howard: According to Greg, the platforms haven't quite figured out how to do SAS applications yet either.

Greg Notch: It hasn't gotten the SAS part right. Like it isn't giving me-- it isn't a caspian. It isn't giving me visibility into how my users interact with Office 365 for example. It doesn't let me write policies about that or say, "Hey, let these guys use Dropbox." It's still missing a few pieces. Right now there's the glue is missing.

Rick Howard: But Greg also believes that where it makes sense to deploy a platform, the reduction in complexity is worth it.

Greg Notch: The way that you buy tools it isn't like I bought a Palo Alto firewall and it's on the edge of my network and now I need several people to manage it. It's, I'm consuming some of the security technologies as a service from a vendor, and so that reduces the headcount need somewhat. So things that plugging into my AWS environment. There's a little bit less body to manage there. It's not zero but it's less. I have consistent policy with end points that are roaming around the world, and I have consistent policy, it's the same when they're in the office.

Rick Howard: The consensus then is that most medium to large scale organizations will deploy a hybrid approach.

Mike Higgins: It a little bit more of a hybrid approach. It is getting the complexity that you get with having single point solutions, best-of-breed, but it's picking major vendors for a specific range of solutions. Looking at a hybrid solution and saying, "Okay. This is my guy for network, this is my guy for endpoint, this is my guy for testing." And look at the solutions from that standpoint versus, all I've got to do is go out and sign one contract with Symantec and I'm done and I can just go home and sleep soundly.

Mike Higgins: If your firewall can handle 80% of the attacks, keep it in place. Let the IBS just handle the 20 and then let the next generation of network protection handle the one percent.

Rick Howard: Greg suggests a hybrid approach because the platforms are always going to lag behind point products in terms of new capabilities.

Greg Notch: But I don't see a way, at least until security tools mature significantly more than they have already, for there not to be at least a smattering of point products involved. Another CISO friend of mine told me, he's like, "Listen, always do one year contracts with your security vendors, or at least the new fangled, you know, gizmo vendors," right? What you're hoping is that a) either mature and you starting having addition to subtraction of other tools. So you know, they either build out more of their capabilities or they get bought and rolled up.

Rick Howard: As a best practice, we might use platforms for the mature meat and potatoes security products. And best-of-breed point products for new security products that the platforms haven't made available yet. I asked both Mike and Greg about what they would expect to find in a meat and potatoes security platform.

Mike Higgins: I think, endpoint anti-virus. Why iteven exists something called anti-virus anymore, I'm not sure. It's like the next generation anti-virus or whatever the AI, those are trusted tools and they need to be out there as well. But, you know, the IDS systems, the firewalls systems for sure in there. On a network level or on a cloud level, there's probably a couple of tools up in the cloud level that are awesome. Maybe adding identity management.

Greg Notch: I need visibility on the endpoint, whether it actually lives on the endpoint or not. I need some understanding of what's happening on that endpoint. I need some understanding of what's happening on my network. Be that my on-prem server farm or my AWS network.

Greg Notch: Same sort of EDR or visibility on server infrastructure and sort of the underlining platforms that service that, whether it's VN ware, AWS or GCP or Azure. I need control plain view of that. I need some prevention tools like an anti-virus, I need some firewall prevention stuff. Preferably my firewalls would be application aware so I can set policies about not only what ports they go to but what applications they're speaking. I need some way to manage those tools and collect the data from them, and from all of the workloads and look across them. I need configuration management security tooling, like validate that my windows environment is somewhat correct. Validate that my AWS environment is somewhat correct. My unix server farm has a consistent state and its configuration is automable. My containers have some sort of security processing.

Rick Howard: Both Mike and Greg say that the size of the organization might dictate the use of platforms or not. Here's Mike.

Mike Higgins: I used to think back in the day, that one size fits all, type of vendor was the way to go, because all you needed was to have some security because the bad guys, it was just a statistics play with them, right? They were just looking for an opening and they were attacking wherever they found an opening. So having just a little bit of security was good enough. And I think most small size/mid size companies still don't have any real security, they just have that one type of solution set. Either endpoint solutions for themselves or maybe some network protection, but they've really reduced the complexity and they're not running robust security sets. In a large company, you've got so many ingress and egress points. You have so much risk in the company I think the best-of-breed solution is the way to go, especially best-of-breed when you're using defense in-depth solutions. The answers bifurcated between the two.

Greg Notch: I think it depends on the size of your organization first and foremost, right? If you're a very small company you're going to want a platform. I would consider us a mid-size company and the platform is the way to go, assuming it meets your needs. As you move up the scale from a small company to a really big company, you also want table stake stuff, network monitoring, EDR, you know that kind of stuff, you want to consolidate all of that to a platform.

Rick Howard: So that's what we got from Mike and Greg sitting around the hashtable. Let's move on to the second part of the show and my conversation with Lior Div from Cybereason, our show's sponsor.

Rick Howard: Lior, can you set the table for us? What problems do security platforms solve that we can't already solve with a host of other security point products already on the market?

Lior Div: I think the market changed dramatically in the past ten years. We are shifting from IT security to cybersecurity. In the cybersecurity world, there is a adversary behind the scene that are basically trying to manipulate everything that we put in front of them. A new approach and a new mindset is needed basically in order to stop this type of hackers, because if we are going to keep using the same approach, they will have the upper hand.

Rick Howard: So tell me what that new mindset is?

Lior Div: The cyberism platform is taking the approach, we call it the operation-centricapproach. Meaning instead of thinking about which type of logs we are collecting or which type of viruses we can stop, basically we think about it as we need to stop hackers, we need to understand what they're doing and how they're doing it. We need to be able to monitor every step that they are doing inside any network and be able to say first, "Hey, there is a hacking activityinside this network." And on top of that, to be able to really identify each and every one of the steps that the hackers are doing. And when the time is right, to prevent them from achieving their goals and basically stop them while they're trying to do it.

Lior Div: This method enables us to find and stop the most sophisticated attack that exists right now. One of the example, and it's a great example, this is SolarWind situation. When the hackers basically assume that they can by-pass any security measure that exists out there. And in our case, because we're leveraging behavior analytics and the operation-centric approach, we manage to say, "Hey, right now there is hacking activity going on in this company" and prevent the hackers from deploying their malware and to execute it.

Rick Howard: So the platform approach essentially puts together a bunch of security tools that had traditionally been sold individually as single point products. And what I hear you saying about the SolarWinds winds attack, is that you can combine these services to look for abnormal behavior and maybe have been successful against the SolarWinds attack.

Lior Div: Yes, absolutely. Think about it, in the past what you needed to do is you needed to install something on your computer in order to prevent basically malware or viruses. You need to collect log, you need to put all of them into a SIM product, then to put very, very smart people in front of the computer to write rules. And to hope that when the right alert will come, they will be in front of the computer, really be ready to understand and investigate what's going on, and to start and conduct a full investigation. This is kind of very the alert-centric approach. Basically we're doing all of those things for our customers automatically, so we know how to stop things on the endpoint specifically for example; ransomware and different types of activities. We know how to collect the data in real time unfiltered, and more importantly, we know how to make a decision out of the massive amount of data that we collected in order to say, "Hey, right now there is a malicious operation going on inside your organization. We collected all the necessary information, correlated and stopped the hackers of doing whatever they tried to do."

Rick Howard: So you're really talking about orchestration here. When I started doing this back in the '90s we only had three tools. We all had a firewall, we all had an intrusion detection system, and we all had an anti-virus. And we could manage those three things pretty easily. But in the last ten years the number of security tools like people like me to have to deploy, ranges anywhere from five to 300 depending on your size, that's just doing independent point products.

Lior Div: Yes, absolutely. I think that the platform point of view and the ability to correlate the data and to stop attack in real time, I call it give the power back to the defenders. Because even in orchestration, you need to be very, very smart to know which type of data you want to orchestrate, and which type of data is more important. In the past, people were talking about the kill chain, basically the different steps that the hackers can do. Then that thing basically evolved to what MITRE is doing today, they try to map more of the kill chain into more steps. We're basically saying, look we want to meet the hackers where they are. We don't just want to follow very specific ones. So needless to say, that we are following the kill chain method and we are following the MITRE kill chain. But there is many, many other things that the hackers can do and are doing that they're not mapped to those basically platform.

Lior Div: So basically, we collect and analyze every activity that the hackers can do, the benign and the malicious activity. So we're not judging the data in advance, we just collect everything and in real time, we make those decisions. And if something become malicious then we can go back in time and say, "Hey, this type of activity at the beginning looked very benign, now it become part of the malicious operation because the hackers starting to leverage."

Lior Div: This is exactly what's happened in the SolarWind situation. In the SolarWind the hackers basically injected a DLL that it looked benign, because it didn't do anything, it was signed and it looked okay. Then after triggering this DLL it starting to communicate kind of in a semi-benign way to the outside. But then it download a payload and from that point it become super malicious. So our software knows how to track that thing from the beginning to the end, from the time that it was fully benign, all the way to the point that it become malicious. But the important thing, we can tailor the operation that this DLL did all the way back to the point of time that it was installed. And say "Hey, it's become malicious over time" and this is the operation-centric approach. And that's the reason that we decide that that thing is basically malicious and this is the reason that we're going to stop it. And from now on, every time that we will see it we will stop it. So we don't need to do kind of that assessment again.

Rick Howard: So to your point though, if I was trying to do this with the traditional model which is a handful of point products, I'd have to do all that work myself. I'd have to have a high-end incident response team, tracking all of that telemetry across all those point products, just to decide what to do. And then they'd have to work their way back through them to make the changes to those point products in order to have some affect. What I think you're saying is that platform approach takes the complexity out of that and makes it easier for people like me to defend my organization.

Lior Div: Absolutely. Basically, the traditional approach, the user of the systems needs to do a lot of work and needs to be there all the time. What hackers understood that people cannot be in front of system all the time. They cannot respond to all the alerts all the time. So the alert-centric approach, what you do when you're a hacker, is just making sure that you're super quiet or you're creating so much noise that the human being will not be able to deal with it. So to make it simple, we just automate the whole process that the human being needed to do and then we do it at scale on every machine on every process on every connection that's happening on a massive big organization. This is really kind of changing the position of the defenders to have the upper hand against those hackers.

Rick Howard: Let's talk about that, right? Because in today's really complex environments, organizations have data scattered across multiple data islands. We're still on the prim, we still have data in data centers but now in many cases we have company data on employee-owned devices like phones and tablets and laptops. And not to mention cloud deployments in the one or more commercial clouds, and that doesn't even begin to talk about all the SAS applications that we all have now. How does a security platform help? Can you tie into all that until you have a complete view of my organization?

Lior Div: Yes. So the way that we tackle it and we're a big believer that you have to see the full attack surface. You cannot just focus on your Windows machine or Linux machine. You need to have one point, one place that has the bird's eye view that see all of them and can correlate all the data that's happening in all of them in real time. So today, we know how to basically protect and collect data all the way from Windows, all the way from XP, like all the way back, all the way to the Windows server, Linux, different type of Linux. All the way to your iPhone or to your android, very important to your cloud container, cloud server or cloud workforce. So basically, any processing power that the company has that can process data for them or store data for them, we know how to monitor in real time.

Rick Howard: So it's going to be some combination of your platform plus other kinds of point products. And then we have to deploy them, maintain them and monitor the telemetry coming off of them. I think the only way we can manage all that complexity is through some sort of automation in the form of SOA or some other general purpose DevSecOps tools. How does a platform plug into all that so that you don't miss anything?

Lior Div: We are trying to basically detect and to do the heavy lifting as much as possible, because at the end of the day, it's not just about which data that you are tapping into, it's what you're doing with this data. And can you make the decision in real time? Basically, transform data into actionable intelligence that you can act upon. So I think that it's not just about correlating the data, it is about the ability to make smart decision in real time in order to protect the organization. Because today hackers move, if in the past it was between 100 days of attack then it become 60 days then it become 30 days. I think that in 2020, we saw that hacker shrink the time to attack, and specifically when it's come to ransomware attack, to between two to five days. So they're acting very rapidly, and if you don't have this ability to really analyze in real time and make decision and respond in real time, the time to response will be just endless.

Rick Howard: Lior, does the size of an organization impact the kinds of customers that can use a security platform? In other words, is the security platform better suited for a small to medium size organization who don't have a lot of staff or money, or as opposed to Fortune 500 companies that have relatively infinite resources? Does it matter what size you are?

Lior Div: I think it used to matter in the past but today the cyber security phenomenal it just become so massive and everybody become a target. So in the past it was like the big banks that needed to protect themselves but today, think about it, schools that are getting hit by ransomware, or hospitals that are getting hit by a ransomware and then, you know, it's a life and death situation in many cases. So it's become, after ten years, the cybersecurity phenomenal become a problem of everybody. Not just the small organization, it's really the full spectrum of organizations. So it's not just about the small organization, it's about the big organization as well. Needless to say, that the big organization usually have better funding, they can hire more people, but usually the footprint that they need to protect is just bigger, and the problem that they need to deal with is just bigger. So this kind of where we come into play and help them as well.

Rick Howard: All good stuff, Lior but before I let you go, any final thoughts about this discussion?

Lior Div: Absolutely. I think that 2021 is going to be a very, very interesting year. I think that in 2022 we will see the revival for ransomware in a very, very active kind of year. I believe that 2021 will be active as well. We saw kind of an uplift of three times more attack in 2020, and I believe that hackers have a big appetite right now. And this is needless to say without talking about, you know, the different government attack group that exist out there that we almost have kind of a Cold War between the U.S. and Russia and China. So I believe that 2021 is going to be super interesting and you know, our job as defenders is to make sure that we reverse the adversary advantage every day.

Rick Howard: Our thanks to Mike Higgins from Haven Health and Greg Notch from the National Hockey League for sharing their expertize. And for the Cybereason's Lior Div for providing his insights and for sponsoring this program. CyberWire-X is a production of the CyberWire and is proudly produced in Maryland at the Startup Studios of DataTribe, where they're co-building the next generation of cybersecurity startups and technologies. Our coordinating producer is Jennifer Eiben, and our executive editor is Peter Kilpe. I'm Rick Howard. Thanks for listening.