9 reasons why the death of the security appliance is inevitable

The confluence of encryption, cloud and containers is making a poor situation intolerable


This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

Organizations are used to appliances being the workhorse of their protection needs. There are appliances for everything from firewalls to intrusion detection systems, web security gateways, email security gateways, web application firewalls and advanced threat protection.

But as crucial as security appliances are today, they are eventually going to die out as they become steadily less effective, forcing detection to be pushed onto the machines that need protection. Here are the nine reasons why:

1. Companies are getting comfortable with cloud-based security. Organizations, including governments and large financial institutions, are getting comfortable moving many security functions to the cloud (email, web and vulnerability management, for instance). The result: more reliable and easier-to-maintain solutions with a lower total cost of ownership.

2. Appliances are bad for cloud-based infrastructure. Quite a lot of infrastructure is moving to the cloud. Reportedly, Capital One has already moved 60%. FINRA, the Financial Industry Regulatory Authority, has moved ¾ of its infrastructure to Amazon. Organizations aren’t willing to pay the traffic cost or the latency of hairpinning out to an appliance. Vendors will try to provide “virtual appliances” within the cloud, but these are an unnecessary bottleneck to auto-scaling.

3. Appliances won’t be able to see the data required to detect. In the United States, Edward Snowden’s disclosures were a wake-up call to those who thought encrypting data across the Internet wasn’t particularly important. Many people used to think it was unlikely that anyone would have the means and the desire to listen. It turns out they were wrong. (Note that, in many other countries, the government is quite explicit about this kind of access to Internet traffic.)

The standards community, in protecting against nation-state attacks, is making it nearly impossible for security appliances to rely on what is essentially a decryption back door: an escrowed server key that lets a passive device decrypt captured traffic. Those appliances will need a significant redesign to get the same effect, and even then only if organizations are willing to terminate TLS at the appliance (which many companies don’t want to do). As a result, companies will have to go to huge expense to provide data privacy and still give security appliances the visibility they need for detection.

This is already on the horizon with the forthcoming version of TLS, which secures every HTTPS connection end-to-end and removes the key-exchange modes that a passive appliance could decrypt.
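As an added illustration of why an escrowed server key stops working once the key exchange is ephemeral (this is example code written for this page, not code from the article or from Capsule8), the following Python script models both exchanges in a Diffie-Hellman group: a static exchange in which the server reuses its long-term key, which a passive appliance holding that key can decrypt (the escrow model that TLS 1.2 RSA key transport and static DH allow), and an ephemeral exchange in which the server uses a fresh per-session key, as TLS 1.3 requires (I assume the article’s “forthcoming version of TLS” is TLS 1.3). The group prime is the 2048-bit MODP group 14 from RFC 3526; the XOR stream cipher is a toy stand-in for the TLS record layer, and the HTTP request is a constructed sample.

```python
"""
Toy model of passive decryption with an escrowed server key.

Static exchange (server reuses its long-term DH key): an appliance holding a
copy of that key recovers the session key from the captured client share.
Ephemeral exchange (fresh server key per session, as in TLS 1.3): the same
escrowed key is useless, because the session secret depends on an exponent
that never leaves the server's memory. Example code, not Capsule8's.
"""
import hashlib
import secrets

# 2048-bit MODP group 14 prime from RFC 3526, generator 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2


def fresh_private() -> int:
    """Random DH exponent in [1, P-2]."""
    return secrets.randbelow(P - 2) + 1


def derive_key(shared_secret: int) -> bytes:
    """Stand-in for the TLS key schedule: hash the DH secret into a 32-byte key."""
    return hashlib.sha256(shared_secret.to_bytes(256, "big")).digest()


def encrypt(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with a SHA-256 counter keystream (illustration only)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


decrypt = encrypt  # XOR with the same keystream undoes the encryption


class Server:
    def __init__(self) -> None:
        # Long-term private key. In the escrow model the appliance holds a copy.
        self.long_term_priv = fresh_private()
        self.long_term_pub = pow(G, self.long_term_priv, P)


def static_session(server: Server):
    """Static exchange: the server's long-term key is its key-exchange key."""
    client_priv = fresh_private()
    client_pub = pow(G, client_priv, P)
    secret = pow(server.long_term_pub, client_priv, P)          # client's view
    assert secret == pow(client_pub, server.long_term_priv, P)  # server's view
    return client_pub, derive_key(secret)


def ephemeral_session(server: Server):
    """Ephemeral exchange (TLS 1.3 style): a fresh server key for this session.
    Real TLS 1.3 signs the handshake with the long-term key; the appliance can
    verify that signature, but verification reveals nothing about the exponent."""
    server_eph_priv = fresh_private()
    server_eph_pub = pow(G, server_eph_priv, P)
    client_priv = fresh_private()
    client_pub = pow(G, client_priv, P)
    secret = pow(server_eph_pub, client_priv, P)
    assert secret == pow(client_pub, server_eph_priv, P)
    return client_pub, server_eph_pub, derive_key(secret)


def appliance_passive_decrypt(escrowed_priv: int, client_pub: int, ciphertext: bytes) -> bytes:
    """All a passive appliance with the escrowed key can do: combine the captured
    client share with the server's long-term exponent and try that key."""
    return decrypt(derive_key(pow(client_pub, escrowed_priv, P)), ciphertext)


def demo():
    """Returns (static_recovered, ephemeral_recovered) for the escrow appliance."""
    server = Server()
    request = b"GET /account/balance HTTP/1.1"  # constructed sample traffic

    client_pub, key = static_session(server)
    static_ok = appliance_passive_decrypt(server.long_term_priv, client_pub,
                                          encrypt(key, request)) == request

    client_pub, _server_eph_pub, key = ephemeral_session(server)
    ephemeral_ok = appliance_passive_decrypt(server.long_term_priv, client_pub,
                                             encrypt(key, request)) == request
    return static_ok, ephemeral_ok


if __name__ == "__main__":
    static_ok, ephemeral_ok = demo()
    print("static exchange, escrowed key recovers plaintext:   ", static_ok)
    print("ephemeral exchange, escrowed key recovers plaintext:", ephemeral_ok)
```

Run it and the static exchange decrypts while the ephemeral one does not; the only ways left for an appliance to see inside the ephemeral session are to terminate TLS itself or to have the endpoint export its session keys, which is exactly the cost the article describes.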

4. Appliances will make managing hybrid environments difficult. Hybrid deployments (i.e., partially on premises and partially in the cloud) will undoubtedly be a fact of life in the enterprise for a long time to come. That means security teams must provide solutions for both kinds of environments.

Today, while we’re still early in the adoption curve, security organizations are okay with implementing different solutions to protect their cloud infrastructure and their internal infrastructure. Yet it will become a burden, more costly and more cumbersome to manage, so people won’t do it forever.

5. Appliances can’t see containers. The DevOps movement is pushing toward microservices and containerization. When multiple containers live on the same machine and talk to each other, that communication never leaves the host, so it can never be seen by an appliance, not even a virtual appliance. That lack of visibility makes appliances far less effective at detection in modern production environments.

6. It’s not practical for “prevention” appliances to prevent. In most enterprises, security detection appliances sit off to the side, looking at a copy of network traffic rather than the actual traffic. Organizations do this to eliminate unnecessary latency and so the appliance doesn’t become a single point of failure if it gets flooded or hits a bug. It’s also hard to get a high-quality signal from network traffic at scale, so appliances generate many false positives, which is a disaster for automatic response. As appliances become less effective, companies will move to techniques that can actually prevent attacks.

7. Appliances are easy to circumvent. While old-school devices (e.g., traditional intrusion prevention devices) sacrificed accuracy for speed, today’s more sophisticated appliances do a lot of processing on the data they see so they can give better results with far fewer false positives. But they rely on emulation, so an attacker has many options to detect and circumvent the emulation. Eventually, detection will move to the systems being protected, where there is no need to emulate and security software has a much greater ability to thwart an attack.

8. Appliances can’t auto-scale. Generally, the appliances with the best detection consume the most resources. Even with a high-speed appliance, it’s generally not difficult to overload it. Once an attacker manages that, they can sneak malicious traffic through undetected. As companies embrace cloud infrastructure that auto-scales their applications, they will want to auto-scale their protection to match, instead of failing open.

9. Appliances: too much work for too little value. Finally, perhaps the single biggest problem security organizations wrestle with is that they’re drowning in alerts. That’s the case even after the raw data from around the network goes through a best-of-breed correlation and analysis engine. This problem is due to the horrible signal-to-noise ratio of security appliances: they rely on a single data dimension (network data), which is itself a high-volume signal with plenty of noise. Instead of hiring more analysts or letting more and more slip through the cracks, companies will look for detection approaches that produce much less noise, which again pushes detection away from an appliance solution.

The confluence of encryption, cloud and containers is making a poor situation intolerable. While alternative approaches don’t exist yet, they’re coming, and in the meantime plenty of large organizations are creating their own stopgap solutions that ignore or greatly devalue the appliance.

This process will take a little longer to play out. Yet in a few years, only the misguided will pay for a security appliance.

Visit Capsule8.
