August 19, 2013
Last year I wrote a blog post titled, “Incident Response Isn’t About Point Solutions; It Is About An Ecosystem.” This concept naturally extends beyond incident response to broader enterprise defense. An ecosystem approach gives us an alternative to cobbling together the Frankenstein-esque security infrastructure that is so ubiquitous today.
Many of us in the information security space have a proud legacy of only purchasing best-in-breed point solutions. In my early days as an information security practitioner, I only wanted to deploy these types of standalone solutions. One of the problems with this approach is that it results in a bloated security portfolio with little integration between security controls. This bloat adds unneeded friction to the infosec team’s operational responsibilities. We talk about adding friction to make the attacker’s job more difficult; what about this self-imposed friction? S&R pros’ jobs are hard enough. I’m not suggesting that you eliminate best-in-breed solutions from consideration; I’m suggesting that any “point solution” that functions in isolation and adds unneeded operational friction shouldn’t be considered.
This ecosystem concept isn’t particularly new, but as a practical and operational reality it is only now burgeoning. Over the past 18 months, we have seen the emergence of true integrations between endpoint, network security, network visibility and SIM solutions. FireEye, desperate not to be positioned as a point solution, has led the way in this regard. In some cases, these third-party integrations have been more innovative than some of the internal integrations of the traditional “suite vendors.” The size and complexity of these suite vendors can easily stifle integration across a portfolio built upon acquisition. This must change.
So how do we go about putting point solutions out to pasture?
- Measure the effectiveness of your existing security solutions. In my experience, most enterprises don’t measure the effectiveness of their security investments; they just keep renewing support each year. This must stop; each of your controls must be evaluated from both an operational and a risk mitigation perspective. If they aren’t effective, throw them out.
- Only invest in security controls that you actually need. Don’t buy the sexy new solution just because everyone else is doing it. Your threat model isn’t the same as everyone else’s. Does this control actually address a risk that you have? See "Avoid The Information Security Squirrel" for more on this.
- Stop, don’t purchase. Once you have identified a legitimate need, make sure that you don’t already own a solution that will address it. How often do organizations end up with overlapping controls? Perhaps a 50% solution leveraging existing controls is enough. This will allow limited budget resources to be applied to higher organizational risks. See “Expense In Depth And The Trouble With The Tribbles” for more details.
- Test now or forever hold your peace. Once you have identified a shortlist, test the candidates out. Don’t take a sales engineer’s word for it, and certainly don’t take my word for it. Virtual appliances and SaaS security services make proofs of concept much easier; they reduce some of the operational friction required for dedicated testing. If you don’t test solutions prior to purchase, you only have yourself to blame if things don’t go as promised.
- Integration capabilities should be a key vendor selection criterion. Challenge vendors to actually demonstrate product integrations. “We have a joint go-to-market strategy” DOES NOT equal integration. You need to “Show Me State” it up.
Longer term, integrations between two solutions are great, but we can do so much more. As Mr. Zero Trust, John Kindervag, says, “Management is the new back plane.” We need robust orchestration of our defenses, and vendors who enable this will be standing at the top of the hill. APIs are a key component of the ecosystem play, and you can expect continued focus on them. Fellow analyst and XML co-creator Eve Maler is going to help me define ways to measure APIs and their ability to enable ecosystems. Later this year, when I start my next Forrester Wave on web content security, there will be a significant focus on the integration/ecosystem capabilities of the solutions. I will also follow this blog up with a focus on the cloud implications of an ecosystem-based defense. In the meantime, RIP point solutions, RIP.
Image Source: Stock.XCHNG