Friends or enemies? Security vendors tiptoe towards collaboration
- 06 February, 2017 22:50
There are hundreds of security vendors across the security stack. You have providers for cloud, email, network and endpoint security, as well as threat, malware and DDoS protection, among phishing and whaling protection, insider threat detection and a whole lot more.
The trouble is, a huge number of these solutions don’t ‘play’ well with one another, with this often making life difficult for security teams adopting these technologies. At the same time, these same teams are expected to keep up with an ever-changing landscape and criminals who innovate faster than most Fortune 500 companies.
Magnum Consulting analyst Frank J. Ohlhorst captured this collaboration issue perfectly in an opinion piece last year.
“IT security has become one of the most complex elements of a modern IT environment, requiring layers of protection, along with advanced analytics to block attacks, halt intruders and secure data. Nonetheless, the current layers of security fail at times, often due to a single vendor approach to creating those layers of security.
“Naturally, vendors are not all to blame, except for the fact that a lack of collaboration and technology transfer among those security vendors effectively creates silos of protection, regardless of the number of layers installed.
“Simply put, the threats of today are larger than any one vendor, meaning that the isolation of security technology must become a thing of the past.”
Collaboration is idealistic, but required
Security professionals, however, believe that vendors are largely moving in the right direction with collaboration, primarily because it is the ‘right thing to do’.
“Idealistically, my response is [collaboration] is what you should do to make systems as secure as they can be,” says Pete Wood, CEO of penetration testing outfit First Base Technologies.
“[Collaboration] greases the bumpy road of building systems out of multiple vendor products," he said.
“Compared to a few years ago, there is a lot more collaboration between vendors,” Alienvault security advocate Javvad Malik tells CSO Online.
“At a technical level, this is seen where many vendors have opened up their platforms with APIs to allow transfer of data. On the research side, many vendors have collaborated to investigate, identify, and even disrupt threat actors.
Operation BlockBuster last year is a good example of this, which saw Novetta group leading a coalition involving AlienVault and Kaspersky’s global research and analysis team. Operation Blockbuster was an alliance between multiple security suppliers to disrupt numerous cyber-espionage campaigns that had been active for a number of years, targeting financial firms, media houses and manufacturing companies
Magnum Consulting analyst Frank J. Ohlhorst
James Chappell, CTO and co-founder of threat intelligence firm Digital Shadows, believes collaboration has been evolving in areas such as skills, standards and threat intelligence.
“Vendors in the information security sector recognize that very few technologies can be viewed as the 'one paracetamol for all headaches' – no vendor is an island,” he tells CSO.
“Security is such a broad topic and requires investment in a range of capabilities, rather than a single one. This means that naturally there is an eco-system of product areas that relate to each other. For example, we work closely with internal security monitoring and incident triage systems so that the alerts that we create and the services we provide can augment and enhance the incident-response process.”
Raj Samani, CTO of Intel Security and Europol adviser, is perhaps less convinced on the levels of collaboration between vendors, although he is heartened by the closeness which now exists between vendors and security agencies in bringing down criminal infrastructure.
“There have been unprecedented levels of collaboration,” said Samani, pointing to US law enforcement working groups and Europe’s European Cybercrime Center (EC3), which have worked with private sector firms to launch operations again criminal groups.
“It’s certainly moving in that direction whereby we’re seeing vertical alignment, product interoperability, and better collaboration [between] the public and private sector.”
Plenty of areas to collaborate, but interoperability a distant dream
In many ways, vendor silos are to be expected in a security market which analysts expect to grow to $170 billion by 2020.
Technology providers naturally look to differentiate their products around their unique features, while the ever-changing security landscape means that solutions, standards and even protocols can come and go almost overnight.
And yet despite this need for specialization, there is a clear recognition from industry that traditional security products need better interoperability to improve end-user protection. There is awareness now that traditional security products, such as firewalls and IDS systems, can’t stop increasingly complex attacks alone.
The leading vendors are looking at collaboration, through API integration and SaaS and cloud-based business models to improve interoperability. API integrations, in particular, allow for the exchange of threat, vulnerability or security event data information across different products.
Nik Whitfield, CEO at big data analytics software provider Panaseer, says his firm integrates data from Qualys and Symantec. “Historically, security vendors have done little to support clients in joining the dots between security systems.
“Indeed, some considered this a threat to their business. However, the vendor ecosystem is becoming more integrated as enterprises realize that viewing a security tool in isolation is meaningless, and only a joined up picture across all defenses will give them the context-rich picture they need.
Intel Security’s Samani agrees, but admits this isn’t the view of everyone in the vendor community.
“By and large, they don’t,” he said, asked if solutions always talk to each other. “That's always been bugbear for most organizations, interoperability.”
“I’ve had tons of calls with different vendors that don't want collaborate...but that's up to them,” he said. “But the market, the industry, is not moving in that direction.”
Wood meanwhile bemoans the lack of interoperability as a key issue in his line of work, blaming “siloed” vendors for not understanding technologies across the rest of the security stack. He says that this lack of understanding on how solutions mesh often results in “cracks in the joint”.
“The majority of security vendors don’t have a well-rounded view of security. So many of them don’t understand the parallel technologies involved.”
He went onto say that many vendors are simply “furthering their own agendas”, pushing barely-required products to CISOs, and not doing enough to help end-users establish a safe testing environment with ethical hackers.
“My recommendation is look at the bigger picture, look at the use case of your customer implementing [the solution],” says Wood. “Don’t think about your solution in isolation. Seek out, with vendors help, the cracks that exist in the way systems are built together.”
He added: “Be brave and invest in a proper lab-scale test environment for security people to break systems, properly, outside the live environment.”
Yet Malik argues that collaboration can be difficult, technically: “There are some challenges which come from the pure technology collaboration point of view. Most of that boils down to the amount of time and effort it takes enterprises to stitch together or customize the backend to provide meaningful reporting or metrics.
“This is where vendors that can unify security capabilities across different infrastructure (cloud, on premise) have an advantage in that all the integration is done in the back-end.”
There are, however, other barriers to collaboration, such as culture.
“Focus and paranoia,” said Whitfield. “Vendors are so focused on their own products that sometimes they forget about the customer and their needs.”
Threat intelligence and data sharing leads the way
In parallel with security research, threat intelligence is perhaps the most advanced area of industry collaboration. Previous examples have included the Cyber Threat Alliance, Global Cyber Alliance and the Threat Prevention Alliance, among many others.
Chappell believes that great strides have been taken to improve threat intel sharing between government and industry, such as Intelligence Sharing and Analysis Centers (ISACs) in the US and the Cyber Security Information Sharing Partnership (CISP) in the UK. He and Samani also point to The No More Ransom Project as a fine example of industry, law enforcement and government organizations working together to counter the ransomware threat.
“That was unprecedented,” said Samani. “Whereas in the past collaborations were around roundtable discussion groups, or certain operations for certain pieces of malware, now you have a permanent online presence.”
Malik says threat intelligence sharing has almost become the norm.
“Threat sharing is an avenue that historically vendors have engaged in. We’ve seen many enterprises join in actively sharing threat data too, and as a result, open threat sharing platforms like OTX have really gained in popularity in helping to increase collaboration.”
Chappell believes that standards have helped with threat intelligence collaboration, thanks largely to the work done by Mitre.com and Oasis, and the standardization of indicator information through initiatives such as STIX and TAXXI. He also believes the gaping security skills gap is being countered through industry acceptance of bodies like ISC2, SANS, CREST, ISACA, and ISSP.