Cybersecurity Platforms

- Cybersecurity Platform Requirements

The current technological context demands a new security paradigm that’s focused on monitoring and analyzing all available information in order to identify and prevent any malicious cyberattacks on organizations. A cybersecurity technology platform must go beyond tightly coupled product integration and include the following: 

• Coverage from endpoints to data centers to clouds: Platforms must provide comprehensive coverage that includes endpoints (i.e. PCs, mobile devices, IoT devices, etc.) and networks, as well as physical servers, virtual servers, and cloud-based workloads (VMs, containers, etc.). The best platforms will also offer strong integration with common threat vectors such as email security and web security.
• Prevention, detection, and response capabilities: First, a security technology platform must greatly improve threat prevention when compared to today’s potpourri of point tools. Each individual tool should offer best-of-breed security efficacy, while the platform should provide incremental threat protection as more tools are glued together. Beyond threat prevention, each tool should also act as a sensor for collecting security telemetry. Platforms will be back-ended by some type of security analytics services that processes, analyzes, and acts upon this growing volume of security data. Security platforms must also offer well-defined and flexible options for responding to and mitigating threats, including automated and manual options. For example, the platform should be able to automatically find and block retrospectively installed files and IoCs when new threats (that include these files and IoCs) are detected in the wild or offer options for quarantining systems, deleting files, or restoring systems/workloads to a known good state.
• Hybrid deployment options: Today’s security technology world includes ubiquitous cloud services, costly security operations, and data privacy concerns.  Therefore, vendors shouldn’t be dogmatic about platform deployment but rather offer flexible implementation options so customers can pick and choose the best fit. In other words, individual security tools and the platform management plane should be offered in on-premises and/or cloud-based form factors. Customers can then pick and choose how they want to glue the whole thing together without sacrificing functionality or technology integration benefits.
• Cloud-based services: Security technology platforms should include myriad cloud-based services for things like threat intelligence analysis/sharing, static/dynamic file analysis, reputation list compilation/distribution, machine learning modeling, etc. In some cases, these services will be transparent to customers, while they will be offered as upgrade options in others.
• Central management and reporting: All individual tools must plug into a central management plane offering role-based access control that can be customized for different users, views, and functions. Management functionality must include policy management, configuration management, and detailed reporting from individual tools, from groups of tools, or across the entire architecture. Management data must also be easily exportable to other tools (i.e. SIEM, GRC tools, automation/orchestration systems, etc.).
• Openness: While security technology vendors want customers to buy their whole enchilada, it may take years to replace disparate tools owned by different budget holders. In many cases, large organizations have established best practices around certain point tools and will never swap them out. Given this market reality, security technology platforms must be open for easy third-party technology integration by offering developer support, technology partnerships, and well-documented and standards-based APIs as a core part of their platform.

[More to come ...]