Critical Change in Endpoint Security is Inevitable: Breaking the shackles (Part 2 of the series)
I became an entrepreneur after 28 years in the tech industry. For a short time, I was pursuing a new idea in social media, before quickly turning back to cyber security. This is an industry that is full of pain points, gaps and opportunity. I wanted to solve a big problem. I found that the biggest pain points that I could conceive as a business opportunity are in the endpoint security market where there are too many players and too little interoperability.
I want to use an analogy to which we can all relate, to help make my points. Imagine a scenario in which a well-known armed terrorist enters the airport and a guard uses facial recognition technology to recognize him but is unable to capture him. The guard does not raise a general alarm, but only informs his manager. His manager logs it as required for someone else to act on the alert, and then moves on with his/her daily work. If the terrorist then gets past the gate security because they don’t have the right detection technology and causes mayhem on a flight, who would you consider guilty of dereliction of duty? This scenario plays out at every organization almost every day in cyber security. Not only do many vendor products fail to exchange security event information in real time, but very often products from a single vendor are not even aware of threats that the others have seen. While threat intelligence is shared to a reasonable extent, that is largely not the case with real-time threats or alerts that need to be handled immediately. The results are all too familiar – breaches that cause catastrophic damage to nations or organizations.
To be fair, a couple of large vendors have created frameworks to share this information in real time. McAfee’s DXL and Palo Alto Networks’ Application Framework are reasonably mature frameworks, but they are certainly not neutral. While their intention seems to be in the right direction, each framework only applies to its own vendor ecosystem. This is completely consistent with the business instinct of vendors and their “sticky strategy” to solidify the customers’ dependence on their own products. I don’t blame the vendors for this strategy, but it does not leave the customers in a secure position. The SIEM is typically the integration point for all systems, but it is not real-time, it is complex and expensive, and it requires additional components to respond. To be a truly open, interoperable platform it must not be biased toward any vendor, which only a neutral platform provider can deliver. A true platform should also be applicable to as much of the endpoint security market as practical and enable real-time, data-driven interoperability between components. Enterprises will be best served by an architecture in which all vendor products collaborate in real time and can use each other’s strengths to protect them. In the absence of that, enterprises are choosing the best single-vendor ecosystem. Given this rigidity in the “sticky and siloed” architecture, it is no wonder we have had the same problems on endpoints for the last two decades, with worsening consequences and loss of trust.
And then, things started to change. It was change driven by customers, who did not wait for the industry to solve their endpoint problems of lack of open systems and interoperability. Open source systems started showing up earlier in this decade but picked up momentum more recently, proliferating in the market with increasingly larger deployments. If you track the history of many of these open source endpoint security frameworks, they all started with large enterprises that built systems for their own internal use, or because they did not find anything in the market that met their needs adequately. The latest and fastest-growing open source system, #OSQuery, created and backed by Facebook, started off as an internal project to monitor their servers and employees’ endpoints and was eventually released to the public in 2014. It is a well-designed framework that gives users flexibility, real-time and historic data, and cross-platform support at a low cost. Google Rapid Response (GRR) came into existence much the same way for incident response. The underlying value proposition of these frameworks, and of a few others that have gained popularity, is flexibility and openness. It is very clear that off-the-shelf products are not adequately protecting customers. This has led many capable enterprises and service providers to customize their security operations workflow using these frameworks, stitching together a “tighter security net” with as much automation as possible.
Vendor neutrality is a key design criterion in any of these solutions. Customers and service providers are finding ways to break the shackles of the “sticky strategy”, which frees them to replace products when they are no longer effective or when more effective solutions appear in the market. In the same vein of vendor neutrality, another emerging area of innovation is an open standard for command and control called OpenC2 (developed under the standards organization OASIS). The driving vision of this committee (of which I am a member) is to allow far wider integration of security systems via a standardized language for the execution of command and control. This is being done through the definition of a language that can be interpreted and executed unambiguously across vendor systems: every command names an action to perform and a target to perform it on, so the receiving product does not need to know which vendor’s product sent it. Suddenly, a perimeter firewall or a network sandbox can communicate with an endpoint to take remedial action, whether or not the vendor has built an integration, and without worrying about versions. At that point, adding a new component (or, equally important, replacing one) is feasible without a major overhaul of the security workflow – and that’s a huge win for customers. The #OpenC2 standard was an initiative chaired by the NSA and driven by some large enterprises, including global financial institutions. The active participation in these committees from both the user and vendor sides indicates that this standard has a bright future.
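To make the firewall-to-endpoint scenario above concrete, here is an added illustration (not code from this post, from OASIS, or from any vendor) of an OpenC2-style exchange: a producer builds one vendor-neutral “deny” command and two interchangeable actuators consume it. The message shape (action, target, args, command_id; status, status_text, results) and the action/target pairs of the SLPF packet-filtering profile follow the OASIS OpenC2 Language Specification v1.0 as I know it; the two actuator classes, the profile table and the 203.0.113.0/24 addresses are constructed assumptions.

```python
import uuid

# Action/target pairs the SLPF (stateless packet filtering) actuator profile
# defines (assumed from the v1.0 spec); anything else gets 501 Not Implemented.
SLPF_PAIRS = {
    "allow": {"ipv4_net", "ipv6_net", "ipv4_connection", "ipv6_connection"},
    "deny": {"ipv4_net", "ipv6_net", "ipv4_connection", "ipv6_connection"},
    "query": {"features"},
}


def make_command(action, target):
    """Producer side: a firewall or sandbox builds one vendor-neutral command."""
    return {"action": action, "target": target,
            "args": {"response_requested": "complete"},
            "command_id": str(uuid.uuid4())}


class VendorAFilter:
    """Hypothetical actuator A: keeps a plain set of denied prefixes."""
    def __init__(self):
        self.denied = set()

    def apply(self, action, value):
        (self.denied.add if action == "deny" else self.denied.discard)(value)
        return {"rule_number": len(self.denied)}


class VendorBFilter:
    """Hypothetical actuator B: ordered rule list, last rule wins; same contract."""
    def __init__(self):
        self.rules = []

    def apply(self, action, value):
        self.rules = [r for r in self.rules if r[1] != value] + [(action, value)]
        return {"rule_number": len(self.rules)}


def handle(actuator, cmd):
    """Consumer side: validate against the profile, execute, answer in OpenC2 form."""
    action, target = cmd.get("action"), cmd.get("target") or {}
    if len(target) != 1:
        return {"status": 400, "status_text": "exactly one target is required"}
    ttype, value = next(iter(target.items()))
    if ttype not in SLPF_PAIRS.get(action, set()):
        return {"status": 501, "status_text": f"{action} on {ttype} not implemented"}
    if action == "query":  # report supported pairs so a producer can discover them
        return {"status": 200, "results": {"pairs": {a: sorted(t) for a, t in SLPF_PAIRS.items()}}}
    return {"status": 200, "results": {"slpf": actuator.apply(action, value)}}
```

Swapping `VendorAFilter` for `VendorBFilter` changes nothing on the producer side, which is the replaceability the paragraph argues for.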
The proliferation of open source frameworks and standards in recent times is an indication that customers are no longer ready to leave their data security in the hands of a few large companies. They are actively pursuing and promoting open concepts that will lead to freedom of choice and ease of adoption of innovation. Only on the day we enable the proverbial “two kids from a college dorm” or “a small company in a garage” to provide rapid solutions to a new or evolving threat within hours will we eliminate the vulnerability gap – defined here as the time customers have to wait to truly protect themselves against a new threat, notwithstanding the marketing from every company claiming support almost immediately.
Endpoint security is undergoing critical change, one that will reorder the hierarchy over the next decade. Smart companies will adapt and transform to the new environment even if it means losing some control, and those who resist will slowly wither away.