In 2007 Marc Andreessen offered an easy definition to tell the difference between a platform and everything else. “The key term in the definition of platform is ‘programmed’,” he wrote in a blog post. “If you can program it, then it’s a platform. If you can’t, then it’s not.” This definition is finding new ground in the cybersecurity field.
To anyone keeping tabs–even casually–it’s obvious the security industry is going through sweeping changes. High-yield targets are cheaper and easier than ever to compromise, and many companies don’t seem prepared to stop even basic attacks.
The changes info security companies are implementing, according to OpenDNS’s Executive VP of Engineering Brian Roddy, are a result of the rapidly growing number of threats security professionals are facing. Most companies do not have the security workforce necessary to monitor and respond to every threat under the sun. The RSA 2015 conference illustrated clearly that most vendors in the industry are operating behind evolving attackers–who move quickly–while using methods and technology that cannot keep up.
According to Roddy, all the change is driving two major trends that could help security vendors keep pace. First, cloud-delivered security will become the standard. “Nearly everything on the Internet is now delivered through the cloud, and security will be no different,” he said. “Even if you have a local security appliance on your network, it likely still gets its updates from the cloud.”
Like the Internet of the early 2000s, the cloud is becoming critically important to security. From nearly instantaneous updates to lower administrative overhead, the cloud offers security as many benefits as it offers everyday Internet services.
The second trend, according to Roddy, is apparent in every major security player’s marketing, from Bit9 to McAfee to Intel. Every company serious about security is also serious about transforming into a platform. Similar to nearly a decade ago, when Andreessen was writing about the importance and growth of application development platforms, IT security vendors are now embracing the functionality and freedom platforms provide to security professionals who are fighting a losing battle.
Roddy added that platform adoption is the key to expanding a company’s security capability past where the traditional model could ever take it. One of the biggest benefits is the speed of change cloud platforms provide. “With appliances you will occasionally get updates from the cloud,” he said. “But the approval process for changes to these appliances is typically at least six months to a year behind.” And he notes that six months is likely very generous.
Though it doesn’t speak to the entire security industry, a Boston-based security audit company recently found nearly 95 percent of all SAP systems deployed are woefully behind on their security updates, leaving them open to known and patchable vulnerabilities. Admittedly, SAP systems present unique challenges in keeping updated–mainly that they do not fit into a typical vulnerability management program. But this gives an insight into the scale of the issue. Appliances and legacy technologies do not move at the speed of modern-day attacks.
In order to fight new threats, the security industry is slowly embracing the need for vendors to share, which is a big component of both cloud delivery and platforms. For some security companies, intelligence sharing is a bit of a problem, Roddy said.
“Because [security so far] has been an appliance-based model, it hasn’t been easy to share intelligence and data,” he said. The challenge is a technical one, but also a business model issue. In order to share, security companies have to free up their intelligence feeds, which are often guarded like the “secret sauce” of the industry.
But sharing, according to some industry professionals, is key to making a company’s security stack fully functional across vendors and disciplines. Andy Pendergast, product director at ThreatConnect, explains it this way: “Aggregating intelligence and pushing it as a feed does not qualify as a platform–threat intelligence, security or otherwise,” he said. “What makes any platform is extensibility–its ability to grow to future requirements.”
What he specifically means in the case of a threat intelligence platform is having the ability to take a data feed from any security source, process it with a custom API, vet it for relevance and validity, and plug the refined intelligence into any number of other enforcement solutions.
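The feed-to-enforcement pipeline just described (ingest a feed from any source, vet it for validity and relevance, hand the refined indicators to an enforcement point) is easy to sketch in code. The example below is added here and is not code from OpenDNS, ThreatConnect or the article; the feed format, the sample indicators, the allowlist and the output formats are all assumptions. It ingests a small constructed CSV feed, drops syntactically invalid entries and addresses that could only refer to internal infrastructure (a feed listing RFC 1918 space would otherwise block the organisation's own network), merges duplicates across vendors, applies a relevance threshold, and emits DNS RPZ records and an IP block list as the enforcement artefacts.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample feed, one indicator per line: "type,value,source,confidence".
# Names use reserved example domains and documentation address ranges.
SAMPLE_FEED = """\
domain,malware-c2.example.net,vendorA,90
domain,MALWARE-C2.example.net.,vendorB,70
domain,www.example.com,vendorA,60
domain,not a domain,vendorC,95
ip,203.0.113.7,vendorA,85
ip,2001:db8::bad,vendorA,75
ip,10.0.0.5,vendorB,80
ip,999.1.1.1,vendorC,90
domain,low-confidence.example.org,vendorC,20
"""

# Hostname syntax: dotted labels of letters, digits and hyphens, alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

# Ranges that never belong in an external block list: blocking them would
# hit loopback, link-local or the organisation's own private address space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


@dataclass
class Indicator:
    kind: str                 # "domain" or "ip"
    value: str                # normalised (lower-case, no trailing dot)
    confidence: int           # 0-100 as reported by the feed
    sources: set = field(default_factory=set)


def parse_feed(text):
    """Parse the CSV-style feed; malformed lines are skipped rather than guessed at."""
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        kind, value, source, conf = parts
        records.append(Indicator(kind.lower(), value.lower().rstrip("."), int(conf), {source}))
    return records


def is_valid(ind):
    """Syntactic validity: a bad record must never turn into an enforcement rule."""
    if ind.kind == "domain":
        return DOMAIN_RE.match(ind.value) is not None
    if ind.kind == "ip":
        try:
            addr = ipaddress.ip_address(ind.value)
        except ValueError:
            return False
        return not (addr.is_multicast or any(addr in net for net in INTERNAL_NETS))
    return False


def is_relevant(ind, allowlist, min_confidence):
    """Relevance: confidence threshold plus an allowlist of the organisation's own domains."""
    if ind.confidence < min_confidence:
        return False
    if ind.kind == "domain":
        return not any(ind.value == d or ind.value.endswith("." + d) for d in allowlist)
    return True


def vet(indicators, allowlist, min_confidence=50):
    """Validate, merge duplicates across sources (highest confidence wins), then filter."""
    merged = {}
    for ind in indicators:
        if not is_valid(ind):
            continue
        key = (ind.kind, ind.value)
        if key in merged:
            merged[key].confidence = max(merged[key].confidence, ind.confidence)
            merged[key].sources |= ind.sources
        else:
            merged[key] = Indicator(ind.kind, ind.value, ind.confidence, set(ind.sources))
    kept = [i for i in merged.values() if is_relevant(i, allowlist, min_confidence)]
    return sorted(kept, key=lambda i: (i.kind, i.value))


def build_enforcement(indicators):
    """Turn vetted indicators into enforcement artefacts: RPZ records and an IP block list."""
    rpz, ip_block = [], []
    for i in indicators:
        if i.kind == "domain":
            # CNAME to "." is the RPZ idiom for answering NXDOMAIN; the wildcard
            # covers subdomains of the listed name.
            rpz.append(f"{i.value} CNAME .")
            rpz.append(f"*.{i.value} CNAME .")
        elif i.kind == "ip":
            ip_block.append(i.value)
    return {"rpz": rpz, "ip_block": ip_block}


if __name__ == "__main__":
    vetted = vet(parse_feed(SAMPLE_FEED), allowlist={"example.com"})
    for ind in vetted:
        print(ind.kind, ind.value, ind.confidence, sorted(ind.sources))
    print(build_enforcement(vetted))
```

Of the nine constructed records, only three survive vetting: the command-and-control domain (merged from two vendors, so its confidence is the higher of the two and both sources are retained) and the two public addresses. The entry under the organisation's own domain, the private address, the unparsable records and the low-confidence indicator are all dropped before anything reaches an enforcement point, which is the "vet for relevance and validity" step the paragraph describes.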
“Enabling interoperability between systems and intelligence sources is a linchpin feature of any security platform. The entire industry is moving toward interoperability, if not somewhat slowly.” He added that the demand is there, however. ThreatConnect estimates that 40 percent of Fortune 100 organizations have adopted security sharing through extensible threat intelligence platforms.
Going back to Andreessen’s description of platforms–even though he was describing what would become the Internet platforms of companies like Google, Facebook, and Amazon–what separates good security platform technology from the rest is an infosec team’s ability to use it in whatever way works best for them, converting their intelligence feeds into enforcement where they need it most. If this is not possible, it’s not a security platform.