Digital transformation is more than just an in-vogue buzz phrase, and consolidating all your security technologies effectively is a vital part of the effort. For many businesses – particularly some of the globe’s biggest and longest-established corporations – it’s both a vital and urgent preoccupation, and, if it doesn’t go perfectly, could well become an existential threat to the company.
A typically lively discussion on the topic broke out when SentinelOne hosted a RANT Forum event in London, as security professionals from across a diverse range of commercial and industrial sectors agreed on many of the basics, but found holes to pick in each other’s detailed assessments of how best to move forward.
What is Consolidation?
“As a market supplier, a typical trend I see is that we define the problem, we tell you you’ve got that problem, and we suggest you buy our solution,” SentinelOne’s senior system engineer, Elliot Went, offered by way of a candid opening statement. “So this is a great opportunity for me to try to understand consolidation. Is there genuine appetite within the modern business to consolidate security tech tools – and, if so, what does that look like?”
“The easy answer is obviously ‘Yes’,” replied Went’s fellow panellist, Myriam Abiaad, business information security officer with a major media and telecoms company. “We’re all conflicted, because we’re cybersecurity – we’re not necessarily IT, so we’re not necessarily the ones making the decisions around the technology stack, what we need to secure.”
Abiaad made the point that a company in a sector such as mining may be relying on technologies bought and deployed decades ago, where digital security was a given because the systems were not connected to a network. When that firm begins “replacing levers with buttons”, its institutional instinct may be to enable internal data connection by “punching holes in the firewall”, leaving security teams struggling to defend systems that had no security when originally designed, and where the security measures that have been put in place since are seen as an impediment to functionality.
“We absolutely need to consolidate,” she said. “The question is: can we?”
Put People First
A secondary, but intrinsically linked, issue concerns capability and intention. Technology may be acquired, but is it always being brought in to meet a clearly defined and properly understood requirement? And can different systems be brought together effectively, while strengthening security, if the business isn’t absolutely clear on what every element in its towering tech stack has been bought to do?
“If you take the word ‘cybersecurity’ out, then this is just a traditional investment decision,” argued the third panellist, Rob Black, director of the UK’s Cyber 9/12 Security Challenge. “How do we utilise the kit that we’ve got to do what we need? What’s the function? What are the tasks? What are the courses of action we need to deliver on, and how are we going to do that? We have to hold ourselves to account a little bit better. I’ve seen repeated incidences where the job is to evaluate a piece of kit, and where people go: ‘Yep, the shiny button works. Right – what are we going to use it for?’”
Went suggested that, perhaps, the question is less one of technology than implementation: less about acquiring capability, and more about understanding those capabilities and ensuring they are deployed in a way that supports the skills and talents of those in the security team.
“There is a function being delivered by the security team, and it’s a function you should care about,” he said. “We talk about use cases, and of course there are going to be great technologies that meet those use cases. But lots of the function you try to achieve with the people you have, the skills they have.”
Another issue is the specialist and bespoke capabilities many security products and platforms offer. One member of the audience pointed out that the proliferation of “point solutions for individual problems” is resulting in solutions for several narrow issues, but fails to look at the whole. Went suggested this may be an inevitable consequence of the nature of the network-defence task.
“There’s really no other industry where the market is so often defined by the adversary,” he said. “And, to be honest, the vendors, the suppliers, the service providers capitalise on that as well. If we go back 20 years, it was easy to take problems, create point solutions, and sell them. You had simpler threats and simpler systems to protect.”
A big part of the problem, therefore, lies in the inevitably piecemeal and ad-hoc manner in which these older, successful, effective sub-systems have become part of larger, ongoing platforms. Point-solution vendors have been acquired and absorbed by security platform developers, and compatibility has been achieved in ways that may not always be optimal – where technologies have been forced to fit together rather than designed to do so from the start. And even when those new platforms have been designed to allow for easy integration of future developments, the vision for how that integration is achieved and what it might mean to the end user is not always a helpful one.
“I’ve worked in companies before where we’ve acquired a company and we go, ‘Yeah, this is going to be part of our technology stack’, and two years later there’s a button that clicks over to another web interface, and that’s it,” he said. “That’s not integration. That’s not interoperability. That kind of thing cannot exist anymore if we’re talking about platform function.”
The Obfuscation Advantage
Perhaps counter-intuitively, there may be benefits to leaving disparate tasks to unconsolidated systems, provided the confusion caused inside the business is manageable.
“I’m a big fan of obfuscation, and messing with the heads of the attackers – and I don’t think we do enough of that,” Black suggested. “There’s a real opportunity in that space. While we might be accepting a degree more risk while consolidating down, there’s a real opportunity to think about how we’re presenting ourselves to the attackers.”
Black recalled a piece of research carried out by the NSA, where penetration testers were invited to attack a network but told that the network used a perception layer as part of its defence.
“And guess what? The attackers moved through the network more slowly,” he said. “They questioned everything. That little gap over there looked a bit too open – it looked too obviously a gap. It was just a poorly designed network. But it messed with their heads.”
“We’re talking about technology – none of us have talked about heads of the attackers in the space,” he added. “So what are we doing to consolidate our offering in the defence of our networks so that when we engage with our attacks, we’re presenting our most robust defence we can? That’s the consolidation I’m interested in, not necessarily whether we’ve got 10, 12, 5 pieces of kit, because again, I think we’re drawing down into the technology space looking for the silver button solution.”
There are other reasons to avoid consolidation, too. Another question from the floor highlighted an obvious one. The audience member described how their company has spent five years looking at how to fuse and integrate disparate security technologies and functions, but ended up deciding not to do so. “Why? Because it’s too expensive and too risky,” they said.
“If your organisation or institution takes the same attitude when they’re dealing with their financial-service products and capabilities, then I understand – but they lose their competitive advantage,” Black replied. “That really isn’t any different to cyberspace. The board needs to recognise that there’s a competitive advantage that needs to be thought about in exactly the same way as you would look at your performance of your key service offering.”
“This is a personal issue,” Went suggested. “How much of your remit is to run the business, and how much of your remit is to change the business? Can you change anything? Is where you’re at the best you can do? There’s going to be a better state, but there’s no one way to get from A to Z quickly. It’s always going to be incremental change.”
Ultimately, there may be a risk of seeing only the challenges, and not grasping all the opportunities that complex, overlapping, often difficult-to-manage security stacks offer.
“I repeatedly remind myself that we’re working in a virtual world – a manmade environment,” Black said. “Yes, we’re having commercial discussions about solutions and options – but we own the terrain. We can create conditions where the sky is green rather than blue. Yet we don’t give ourselves license to be as innovative as we can. Let’s invest in a bit more creativity and ingenuity, and come up with some really funky solutions. And at that point you can start having a conversation about whether you need to consolidate or not, because by then you’ve thought about what you want to achieve.”
There is also opportunity in the design and development of the stack, if it can be thought about early enough.
“If you’re a company that has money, then think about how to build your technology stack from the ground up,” Abiaad said. “Think of getting your foundation right, then building your walls and putting the roof on. If you don’t have money, then just start shooting at the house and see what crumbles, then invest there.”
“The path to consolidation is always going to be outcome-based,” Went concluded. “There is no better way to understand if the technology is actually capable of consolidating than hearing from product management. I never get customers or prospective customers asking me, ‘Can we talk to product management, and can they show us the roadmap of the ability to consolidate multiple technologies?’ If it’s a hike or if it’s a short sprint, then you have some proof that the technology is capable of being agile enough to integrate and provide interoperability. They should be able to pivot and do that for you.”