There is a historical conundrum in cybersecurity about where to concentrate security skills, controls, and oversight. Hackers penetrate networks in order to compromise hosts and steal data. Given this obvious workflow, should CISOs focus security resources on networks, hosts, or a balanced combination of both?
ESG recently posed this question to 395 security professionals working at mid-market (i.e. 100 to 999 employees) and enterprise (i.e. more than 1,000 employees) organizations. The results are extremely interesting:
• 58% said that network security processes, skills, and technical controls are “much more thorough” or “somewhat more thorough” than server security processes, skills, and technical controls.
• 37% said that network security processes, skills, and technical controls are no more or less thorough than server security processes, skills, and technical controls.
• 7% said that server security processes, skills, and technical controls are “much more thorough” or “somewhat more thorough” than network security processes, skills, and technical controls.
Somewhat surprisingly, there is a clear imbalance in most cases. Why? Many security professionals have networking backgrounds and tend to focus on areas like firewall administration, network segmentation, or security analytics. Meanwhile, server security is often thought of as a checkbox requirement for regulatory compliance: simply outfit servers with antivirus software and your job is done. You can always use network segmentation to isolate server traffic or apply security services to network flows if you need to.
The ESG data also indicates that this behavior is changing. CISOs recognize that servers are under attack, so they are increasing their use of tools like application controls, host intrusion prevention systems (HIPS), and File Integrity Monitoring (FIM) on critical servers. Nevertheless, network security investment is also on the rise, so I don’t expect any measurable behavior modification in terms of security priorities.
There are several market implications here:
1. Network security vendors remain in the catbird seat. Cisco and Juniper will continue to have an edge where they are the network incumbents, but ESG does see some changes in behavior. CISOs and security architects are becoming more active in network security technology selection. These folks tend to consider new functionality, security efficacy, consolidated services, and security infrastructure integration – opening doors for vendors like Check Point, FireEye, Fortinet, and Palo Alto Networks. Regardless of the vendor, however, the network continues to be the place to be. There may also be an SDN security angle here in the future.
2. Integrated host/network security coverage is becoming more appealing. Note that 37% balance their security focus across hosts and networks. This is the prevailing trend. As one CISO put it to me, “I pay for and then manage network defenses and host defenses. If these things worked together, my guess is that I’d have better security and lower costs. So please tell me: Why don’t they work together?” In the past, host and network security controls were a world apart, but several vendors, including McAfee, Sophos, and Sourcefire, are bridging these technologies, giving them a market advantage. Others will acquire or partner as host/network integration gains popularity.
3. Host-based security technology vendors must get the word out. You’d think that the threat landscape, de-perimeterization, web services applications, and server virtualization would motivate more enterprises to focus on host-based security. So why aren’t they doing so? Because they know how to segment networks and tweak controls but aren’t nearly as familiar with host controls. Vendors like Bit9 are starting to get the word out but they need help. Additional host-based security technology providers must offer market education, reference architectures, use cases, and professional services, or this network-centric behavior will continue.
The ESG data indicates that most enterprises still think of their networks as a security hub. If you know what you are doing, you can use network segmentation, security services, and monitoring to provide strong security for servers. That said, host-based controls make sense from a defense-in-depth perspective. What’s more, integrated network/host controls could improve security and lower IT operating costs, as my CISO friend suggests. My prediction is that network/host security technology will continue to move in this direction – it’s hard to argue with those kinds of results.