Summary: This content discusses the challenges faced by security teams in consolidating and analyzing data from various sources to defend against cyber attacks.
Key Points:
- Security teams often work with a technology stack composed of hardware, software, and data from different sources.
- Merging and combining this data can be complex and time-consuming.
- Investing in overlapping tools and services is necessary to create a functional technology stack.
- Consolidating and analyzing data is crucial for triaging and defending against cyber attacks.
COMMENTARY
If you are a member of the security team in charge of defending a network, you are probably accustomed to working with a technology stack composed of hardware (computers, servers, appliances, and network gear), software (applications and services), and data (logs and packet captures) from dozens of different sources. All of these tools generate a wealth of information that needs to be merged and then combined with your own internal systems and data to triage and defend against attacks.
Consolidating and joining this data can be complex and difficult for customers, but it has become status quo in the technology industry. Everyone knows that if you want a functional technology stack, you need to invest a significant portion of your budget in a variety of overlapping tools and services and then be prepared to invest a substantial amount of time on an ongoing basis to make the information relevant and useful for your own business. There doesn’t appear to be any way around it.
You bought 10 “single panes of glass,” yet there are none. What happened?
With technology designed to improve areas of operational management within a business, progress happens incrementally, according to the amount of time and budget that the business can invest. New tools and solutions are constantly being introduced, and the business chooses to buy them or they don’t. Improvement is linear and the risks are fairly minimal for businesses that choose not to adopt every new technology the moment it is introduced.
In cybersecurity, however, the stakes are much higher. New critical vulnerabilities are being uncovered all the time, and the risks are much greater. Everyone suffers when critical infrastructure systems are taken down by hackers, when a local hospital is impacted by a ransomware attack, or when an enterprise-level financial services firm is hit with a data breach.
The pace and volume of network security exploitation has increased exponentially in the past few years, and with the advent of generative artificial intelligence (AI) and large language models, it is likely to become even more relentless. As an industry, it’s time to address the disconnect within the cybersecurity ecosystem to ensure that our technology is working more effectively for the network defense teams that use our products.
The Case for Tighter Collaboration
In its current incarnation, you could make the case that players in the cybersecurity vendor ecosystem have no incentive to cooperate. Like many technology vendors, cybersecurity providers are often publicly traded and therefore held to ambitious growth goals with respect to their market share and profitability. With so many players competing to dominate the entire space, it’s hard to find good reasons to collaborate because the near-term growth and profit aspirations of these vendors are at odds with the very concept.
The way the ecosystem works now, many technology vendors charge a premium for their products to interact or integrate with other products. As an example, a security information management provider usually needs an endpoint detection and response product for integration. It’s not uncommon for those technology vendors to charge one another, or charge the customer more, to access the integrated version. Worse yet, vendors will occasionally neglect their integration ecosystems because they might want to enter an adjacent market at some point in the future. The quest for market share has taken priority over the need to make sure the customer is secure.
Unfortunately, this kind of hypercompetitive dynamic results in more complexity, more friction, and more difficulty for our customers. Security teams are often pulling in data from technology vendors that don’t trust one another and therefore have to do a great deal more work to make the tools and information usable in a timely fashion.
Another complication is that buyers and sellers of technology often put too much faith in large research firms that have a vested interest in perpetuating the status quo, rather than supporting innovation or collaboration within the industry. These resources would be better devoted to R&D.
5 Steps in the Right Direction
There is no silver bullet solution to this problem. The United States has the greatest number of cybersecurity technology vendors, so business competition within this space is not likely to cease any time soon. The complexity we are currently encountering in the cybersecurity ecosystem is evidence of the industry’s success. As they say: “Every system is perfectly designed for the outcomes it receives.”
Nevertheless, there are a few things we can do as an industry to ensure that security teams do a better job of defending their networks without compromising the robust health of our businesses:
- Implement common standards. Shared ontologies, vocabularies, formats, and frameworks will go a long way toward correcting some of the issues currently faced by our customers with regard to integrating various technologies. Rather than writing your own, embrace existing formats and standards that customers are used to.
- Shift our collective mindset. Customers need to start demanding tighter integration, and technology vendors need to take steps to improve the integration among our hardware, software, and data. For example, would it make sense for us to share data samples or API specs?
- Allow greater software and hardware freedoms around data control and privacy. Regulation is necessary, but our customers need to be able to share their data with vendors without running afoul of compliance laws.
- Support trusted sources of information. The Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) list is a good model of something that works well in the private sector. The list is vendor agnostic and informed by many excellent sources, including the US Intelligence Community. That said, it is currently solely focused on protecting critical infrastructure, with no clear mandate to expand beyond that, so there are many blind spots. But on the whole, it provides a comprehensive, trusted source of information for the industry. Also, the National Institute of Standards and Technology provides good documentation and recommendations about broad topics, such as cryptographic strength, architectural and configuration best practices, and so forth.
- Invest in cross-technology integration. This may require looking for other types of empirically driven key performance indicators, beyond short-term growth and profits. Optimize for joint customer wins using the technologies your customers are already buying.
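To make the first and fourth recommendations concrete, here is an added example (not from the article or from any vendor's product) of what a defender's consolidation layer does when vendors do not share a format: two constructed alert feeds with invented field names are normalized into one common record shape, each record is enriched against a KEV-style catalog, and the result is ranked for triage. The catalog's key names (cveID, dueDate, knownRansomwareCampaignUse, requiredAction) follow CISA's public JSON feed; every value, asset name, and CVE identifier below is a placeholder constructed for this example.

```python
"""Added example: normalize two vendor alert formats into one schema and enrich
against a KEV-style catalog. All data below is constructed; CVE IDs are placeholders."""
import json
from datetime import date

# Constructed vendor A output: newline-delimited JSON, numeric severity. Field names are invented.
VENDOR_A_ALERTS = '''{"ts": "2024-01-10T08:15:00Z", "asset": "web-01", "cve": "CVE-EXAMPLE-0001", "sev": 4}
{"ts": "2024-01-10T08:16:30Z", "asset": "web-02", "cve": "CVE-EXAMPLE-0002", "sev": 2}'''

# Constructed vendor B output: pipe-delimited text, severity as a word. Also invented.
VENDOR_B_ALERTS = '''2024-01-10 08:17:05|db-01|high|CVE-EXAMPLE-0001
2024-01-10 08:18:40|vpn-01|low|CVE-EXAMPLE-0003'''

# KEV-style catalog. Key names match the public CISA feed; values are placeholders.
KEV_CATALOG = {
    "vulnerabilities": [
        {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "ExampleVendor", "product": "ExampleEdgeAppliance",
         "dateAdded": "2024-01-02", "dueDate": "2024-01-23", "knownRansomwareCampaignUse": "Known",
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-EXAMPLE-0003", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
         "dateAdded": "2024-01-08", "dueDate": "2024-02-15", "knownRansomwareCampaignUse": "Unknown",
         "requiredAction": "Apply updates per vendor instructions."},
    ]
}

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
VENDOR_A_SEVERITY = {1: "low", 2: "medium", 3: "high", 4: "critical"}  # assumed mapping for vendor A


def parse_vendor_a(text):
    """Map vendor A's JSON lines onto the common record shape."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        raw = json.loads(line)
        records.append({"source": "vendor_a", "observed": raw["ts"], "asset": raw["asset"],
                        "cve_id": raw["cve"].upper(), "severity": VENDOR_A_SEVERITY[raw["sev"]]})
    return records


def parse_vendor_b(text):
    """Map vendor B's pipe-delimited lines onto the same common record shape."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, asset, sev, cve = line.split("|")
        records.append({"source": "vendor_b", "observed": ts.replace(" ", "T") + "Z", "asset": asset,
                        "cve_id": cve.upper(), "severity": sev.lower()})
    return records


def index_kev(catalog):
    """Build a cveID -> entry lookup from the catalog's 'vulnerabilities' array."""
    return {entry["cveID"].upper(): entry for entry in catalog["vulnerabilities"]}


def enrich(records, kev_index, today):
    """Attach KEV membership, remediation due date, overdue status and ransomware flag."""
    for rec in records:
        entry = kev_index.get(rec["cve_id"])
        rec["in_kev"] = entry is not None
        rec["kev_due"] = entry["dueDate"] if entry else None
        rec["overdue"] = bool(entry) and date.fromisoformat(entry["dueDate"]) < today
        rec["ransomware_use"] = bool(entry) and entry["knownRansomwareCampaignUse"] == "Known"
        rec["required_action"] = entry["requiredAction"] if entry else None
    return records


def prioritize(records):
    """Rank KEV-listed findings first, overdue ones before others, then by severity."""
    return sorted(records, key=lambda r: (r["in_kev"], r["overdue"], SEVERITY_RANK[r["severity"]]),
                  reverse=True)


def build_worklist(today_iso="2024-01-30"):
    """Consolidate both feeds, enrich against the catalog and return the ranked worklist."""
    today = date.fromisoformat(today_iso)
    records = parse_vendor_a(VENDOR_A_ALERTS) + parse_vendor_b(VENDOR_B_ALERTS)
    return prioritize(enrich(records, index_kev(KEV_CATALOG), today))


if __name__ == "__main__":
    for r in build_worklist():
        print(f'{r["asset"]:8} {r["cve_id"]:17} {r["severity"]:8} kev={r["in_kev"]} '
              f'overdue={r["overdue"]} ransomware={r["ransomware_use"]}')
```

Every per-vendor parser here is work the customer pays for because the formats differ; with a shared schema the two parse functions collapse into one, which is the cost the "common standards" recommendation is meant to remove. The KEV lookup is the easy part precisely because its fields are published and stable.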
Ultimately, cybersecurity technology vendors need to do a better job of collaborating for the sake of the organizations that utilize our technology. Many cybersecurity attacks against organizations happen through vulnerabilities found in software running on the network perimeter. New developments in AI and machine learning are making it easier for bad actors to find and exploit these vulnerabilities. In order for organizations to properly defend themselves, they need to share information more quickly and efficiently.
If we want to live in a world that is not constantly plagued by automated, machine-generated cyberattacks, we need to prioritize cooperation and defense within the cybersecurity industry over the promise of short-term growth and profits. More than anything, we must never forget that the enemies of the security industry are attackers, not other vendors.