Based upon anecdotal evidence, I estimate that the average large enterprise organization uses more than 70 different security tools from an assortment of vendors. As they say in Texas, "that dog don't hunt." In other words, it's nearly impossible to maintain strong security hygiene or establish best practices when the security organization is chasing cybersecurity optimization on a tool-by-tool basis.
Recognizing this problem, I've been preaching the need for an integrated cybersecurity technology architecture for years, often comparing the evolution away from point tools to the transition from departmental applications to ERP that occurred in the 1990s. The good news is that this is actually starting to happen.
From a market standpoint, security vendors like Blue Coat, Cisco, FireEye, IBM, Intel Security (McAfee), Palo Alto, Raytheon Cyber Products, and Symantec are busy building integrated security architectures of their own. The goal? Sell customers the whole integrated enchilada to become the SAP of cybersecurity. Hmm, good idea but it may take years for CISOs to rip and replace 70+ point tools.
Fortunately, the security community has come up with an alternative plan – custom integration. Yup, cybersecurity professionals are taking advantage of message buses, APIs, open source, scripting, and emerging threat intelligence standards to glue together their own integrated cybersecurity architecture in order to accelerate incident detection/response, and streamline security operations.
Allow me to elaborate a bit:
- Early cybersecurity integration activities have a distinct "roll your own" feel to them, but there are some collective efforts also gaining momentum. For example, Netflix announced an open source release of its Fully Integrated Defense Operation (FIDO, not to be confused with the Fast Identity Online (FIDO) Alliance) in early May. Netflix describes FIDO as "our system for automatically analyzing security events and responding to security incidents."
- There are several similar efforts within the US federal government. The Department of Defense has an architecture called the Integrated Adaptive Cyberspace Defense (IACD). IACD is described as follows: "The function of (I)ACD is to provide sensing, sense-making, decision-making, and acting in cyber-relevant time in order to provide cyberspace defense before an adversary is able to bring about their desired effect." The DOD team is also collaborating with the Department of Homeland Security, since DHS has a similar initiative called the Enterprise Automated Security Environment (EASE). There is an RFI describing EASE here.
- In some cases, the integration effort has moved beyond frameworks and middleware. For example, the US intelligence community has put together a fully-integrated cybersecurity architecture dubbed SHORTSTOP made up of products from FireEye, Hexis Cyber Solutions, Palo Alto Networks, and Splunk.
- For organizations that remain tentative about building their own integrated cybersecurity architecture, it may be worthwhile to look into a few startups that offer more turnkey solutions. Vendors like Hexadite, CSG Invotas, and Resilient Systems come to mind.
These cybersecurity integration efforts represent a positive step for the white hat community, but it's far too early for a group hug or a rendition of Kumbaya. The bad news is that some vendors believe these grassroots efforts threaten their longer-term plans for cybersecurity world domination. As a result, they continue to refuse to open their APIs or play nicely with others.
Attention cybersecurity technology vendor and VC community: this ain't COM vs. CORBA, Ethernet vs. Token Ring, or other technology pissing contests from the past – we are talking about data privacy, law enforcement, national security, and your customers' ultimate well-being here. I get the capitalist pursuit of revenue but come on – public safety trumps self-interest.
Since cybersecurity integration could benefit society as a whole, proprietary agendas must be considered as totally unacceptable. In my humble opinion, vendors that are unwilling to take one for the collective cybersecurity team should be treated as the cybersecurity technology equivalent of Hester Prynne from Hawthorne's The Scarlet Letter.