A Call for Open Cybersecurity Middleware

While attending Splunk .conf15 I attended an interesting presentation given by Christof Jungo, head of security architecture and engineering at Swisscom.

Jungo described Swisscom’s cybersecurity strategy which is anchored by a “nerve center” (based upon Splunk) that centralizes all security data – network data, endpoint forensics, application logs, identity and access management, threat intelligence, etc. Christof mentioned that this process has helped Swisscom accelerate threat detection. 

In spite of all of this data, however, Christof described that it is still difficult to use this security data as efficiently as Swisscom would like to. Why? Jungo spoke of “IT industrialization” with specialized organizations and tools for the network, servers, applications, etc. So while it’s easy to collect data from all of these stovepipes for incident detection, it’s still difficult to operationalize security data for rapid incident response. 

Yes, you can do one-off integration and rule sets between tools and security analytics platforms, but since each tool has its own policy engine, command structure, and API set, Swisscom claims that this can take 6 to 12 months to accomplish, and his organization simply doesn’t have the luxury of time to integrate security technologies again and again. 

To move beyond this cybersecurity bottleneck, Swisscom is championing an intriguing idea: Open security middleware through an abstraction layer, which Christof calls the collaborative security model. This middleware has a worthwhile objective as it is designed to accelerate the ability to operationalize security data analytics. 

The Swisscom collaborative security model does three things:

1. Re-directs technology integration. This is intended to drive “out-of-box” two-way communication between security analytics and policy enforcement technology by placing the integration burden on the security vendors themselves through a series of open published middleware interfaces. It is also useful when enterprises add new types of threat detection tools as they can become part of a holistic ecosystem rather than run as another one-off security control. 
2. Standardize security syntax and communications. Aside from integration APIs, Swisscom is proposing open and freely available libraries for security commands (i.e. deny access, terminate a session, add rules, etc.) to standardize policy enforcement and remediation actions. Jungo believes that the oversight and governance of these standard libraries could be managed by a standards body like the W3C. 
3. Create a common policy management engine. Today, each tool has its own policy management adding time and operational overhead to threat prevention and incident response. To address this inefficiency, Swisscom’s collaborative security model is designed to abstract policy management so that policy enforcement rules can be applied across a multitude of security devices simultaneously.

Swisscom isn’t just talking about cybersecurity middleware, it actually has a proof-of-concept working and has already used it to integrate Fortinet and Splunk. The next steps include integration with threat detection and testing/scanning tools like vulnerability assessment.

Ever since I got into cybersecurity, I always thought it was absolutely crazy that security tools don’t work well together. Yeah, I get the competitive marketplace, but c’mon – we are talking about safety and national security here! Fortunately, the industry is starting to get it. Software-defined everything gives us the opportunity to abstract the control plane just as Swisscom is advocating. Furthermore, we’ve already seen some commercial progress along these lines in areas like network security policy management (i.e. vendors such as AlgoSec, Tufin, and RedSeal) and incident response (i.e. vendors like Invotas, Phantom Cyber, Resilient Systems, and ServiceNow).

Swisscom and Christof Jungo deserve a lot of credit for pursuing and promoting this strategy and it sure makes sense to me. Security technology vendors may not like it and could try to disrupt a standard and open middleware layer believing it may strip away their unique value and commodify their tools. To succeed in this effort, Swisscom needs help from other end-user organizations. I strongly suggest that CISOs and security engineers connect with Jungo, follow Swisscom’s progress, and join the effort if they see potential value here.