Just a few days until the start of the RSA Conference and I expect an even bigger event than last year – more presentations, vendors, cocktail parties, etc. The conference will likely focus on security technologies like endpoint security, cloud security, threat intelligence, IAM, and others which I described in a recent blog.
While these individual technologies will own the spotlight, there is another pervasive security technology trend (and enterprise security requirement) that will be far less visible – technology integration.
To be clear, large organizations are certainly in the market for more effective security technology solutions in a number of areas. For example, ESG research reveals that 51% of organizations plan to add new endpoint security controls as a countermeasure for advanced threats (note: I am an ESG employee). Nevertheless, these individual tools will have to exchange data, plug into messaging buses, and accept commands from a variety of other security analytics, policy management, and command-and-control systems.
Allow me to elaborate further. CISOs need to collect, process, and analyze security data for continuous risk management so they can accelerate and prioritize remediation activities. With the proliferation of technologies like mobile applications, cloud computing, and SDN, security professionals want to establish and enforce dynamic security policies for network access and network segmentation so they can lock down sensitive IT assets. In this instance, policy enforcement requires cooperation across IT and security technologies. Finally, many organizations want to use internal/external threat intelligence to automate remediation activities like generating a firewall rule or IDS/IPS signature, quarantining a rogue system, or routing suspicious traffic to a security analysis honeypot.
Yup, security vendors will trumpet their latest security tools at RSA, but they are missing the big picture. Security directors care about individual tools; CISOs are more focused on building an end-to-end cybersecurity software architecture. This too is reflected in ESG research: 41% of enterprises say they plan to design and build a more integrated security architecture over the next 24 months.
In my humble opinion, there should be a lot more talk about open standards, APIs, and cybersecurity middleware at RSA. An industry-wide cooperative effort in these areas would benefit everyone – especially cybersecurity vendors’ customers. In the absence of such a collective initiative, there are a few vendors proceeding down the security architecture path:
- Cisco is proceeding with a few initiatives that could become security integration hubs: its SDN push with ACI, pxGrid for network security publish/subscribe collaboration, and NetFlow as a standard for monitoring network traffic and behavior. Cisco has already used these efforts to establish a broad partner ecosystem with vendors like Blue Coat, Citrix, and Lancope for security architecture integration.
- Intel Security (aka McAfee) has been focused on integrating its products over the past few years under an umbrella program called Security Connected. Like Cisco, McAfee has created integration hubs like its Threat Intelligence Exchange (TIE) and Data Exchange Layer (DXL), which ease its homegrown integration effort and open its architecture up to third parties. Symantec and Trend Micro are following a similar strategy.
- Splunk is well known for accepting any type of data feed, making it a natural security integration hub. Beyond this, however, Splunk has become a security application platform, as security vendors like Bit9, F5, and FireEye have already built applications that sit on top of it.
- IBM has used QRadar as its integration hub, bringing forensics, risk management, and vulnerability management into a common platform. And just this week, IBM introduced X-Force Exchange, a cloud-based portal for collecting, sharing, and operationalizing disparate internal/external threat intelligence.
Beyond vendors, it’s also worth mentioning that threat intelligence standards like STIX and TAXII from MITRE are gaining momentum and should advance the security architecture cause. Ditto for FIDO, which promotes more pervasive use of multi-factor authentication and biometrics.
As that old security saying goes, “the cybersecurity chain is only as strong as its weakest link.” Unfortunately, enterprise security hasn’t resembled a chain in the past but rather an assortment of incongruent metal rings. Given today’s threat landscape, connecting the links has become even more important than the best-of-breed capabilities of individual security tools alone.