The Emerging Cybersecurity Software Architecture

It’s been a busy week for the information security industry.  FireEye announced the acquisition of nPulse which adds network forensics to its advanced malware detection/response portfolio.  IBM chimed in with a new Threat Prevention System that includes an endpoint security client, threat intelligence feeds, and integration with its network security and analytics platforms.  Finally, Symantec unveiled its Advanced Threat Protection strategy that combines existing products, future deliverables, and services.

It’s no coincidence that these three infosec security leaders are moving in this direction as the whole industry is on the same path.  I’ve written about this trend a few times.  I wrote a blog about the integrated anti-malware technology model in March, and this one in April about the new cybersecurity technology reality.  Other vendors such as Blue Coat, Cisco, McAfee, Palo Alto Networks, and Trend Micro as also on board.

Why all the industry action?  Let me answer this question with a brief history review.  In the past, security technologies like AV software, IDS/IPS, and web threat gateways were implemented and managed as separate entities.  If you wanted integration you were on your own.  Unfortunately, this tactical security approach no longer works as a cybersecurity strategy based upon point tools is both ineffective (i.e. it doesn’t provide the right level of incident prevention or detection) and an operational nightmare (i.e. it’s based upon manual processes, one-off skills, and lots of people). 

So what can poor CISOs do?  The answer to this problem can be articulated in one word – “architecture.”  Independent infosec technologies need to be integrated for central command and control, data sharing, and reporting while cooperating on distributed enforcement.  In theory, a cybersecurity software architecture can aggregate security functions and analytics, making cybersecurity processes more timely, automated, and accurate. 

While the concept of software architecture is somewhat new in the cybersecurity world, we’ve seen this movie before within the broader IT spectrum.  In the 1990s departmental applications were supplanted by ERP systems.  This introduced an architecture for data exchange, transactional systems, and business intelligence that had a profound impact on business processes.

The infosec software architecture train has already left the station.  Large enterprises will replace individual piece parts over the next few years and phase in an enterprise security architecture in the process.  In my humble opinion, this tectonic shift has a number of implications:

1.  CISOs will push for more open standards.  While some enterprises will work hand-in-hand with a single vendor, many will want to hang onto to other leading offerings like Check Point firewalls, Kaspersky endpoint security and Proofpoint email security services.  It would be great if there were an open way to bring these tools into an enterprise security architecture without a massive custom coding project.  To alleviate this headache, CISOs will likely work with the Apache Project, Mitre, and OASIS to develop open architectural APIs, standards, and middleware glue.

2.  Security vendors will up their game.  Which infosec vendors know how to sell software architecture?  I can think of one, IBM and maybe Cisco as well.  Others will need to acquire these skills, train their sales teams, and bring channel partners up to speed.

3.  Enterprise organizations need to think about architectural planning.  Where do you begin to create an information security technology architecture?  Which pieces do you already have and what else is needed?  How do you measure progress?  These are all net new issues for information security professionals.  It’s probably worthwhile to review some ERP best practices, lessons learned, and horror stories as background.

4.  Enterprise software vendors may jump in the water at any time.  When you think of enterprise software architecture, names like Microsoft, Oracle, Red Hat, and SAP come to mind but none of these firms are currently engaged.  When Tibco bought LogLogic a few years ago, I thought that it would lead the charge but the company appears to have gone cold on cybersecurity.  It wouldn’t surprise me at all if any of these other enterprise software honchos went on an acquisition spree to get into the booming cybersecurity market soon. 

5.  Professional services will take off.  While Oracle and SAP sold lots of ERP software, professional services firms like Accenture, E&Y, and PWC made a lot of dough on assessment, planning, project management and implementation.  The same professional services boom will happen in the cybersecurity space.  This is where Beltway players like Boeing, Booz Allen, CSC, Leidos, Lockheed, Northrup, Raytheon, and Unisys should clean up.  Oh and HP and IBM will do okay as well.