


Contributing Writer

When APIs and DevOps Meet Cybersecurity

Dec 10, 2015 | 4 mins
Data and Information Security, SDN, Security

Center of gravity will flow to middleware and cybersecurity process expertise as software integration proliferates in the enterprise cybersecurity market.

Cybersecurity professionals often complain about the number of disparate tools they’ve deployed on their networks. Ask any enterprise CISO, and he or she will come up with a list of around 60 to 80 various security tools from a myriad of distinct vendors.

This has become a nagging problem as an enterprise cybersecurity architecture based upon point tools can’t scale and requires way too much operational overhead to maintain. Thus, CISOs are moving in another direction – a tightly coupled cybersecurity technology architecture based upon software integration.

I’ve been following this transition for years and always thought it would look something like the departmental application to ERP migration of the 1990s. Oracle, SAP, and lots of professional services built an interoperable software infrastructure connecting applications across the enterprise and soon dominated the market. This is happening in cybersecurity to some extent as ecosystems form around the biggest vendors like Blue Coat, Cisco, IBM, Intel Security, Raytheon, Splunk, Symantec, and Trend Micro. 

Yup, it’s likely that the cybersecurity space will consolidate around a few big vendors, but there is also an alternative integration path emerging more in line with DevOps than ERP.

Loose software federations are developing around cybersecurity software integration based upon things like RESTful APIs, Python scripting, and open standards. For example, incident response platform vendors like Cybersponse, FirstHour, Hexadite, Invotas, Phantom Cyber, and Resilient Systems connect to a potpourri of incident detection systems, IT operations tools, and threat intelligence feeds to automate and orchestrate incident response processes. Similarly, vendors like Aruba/HP, Cisco, and ForeScout can enforce network access and remediation rules through API integration with anti-malware gateways, EMM/MDM, and network directories.

This API-driven cybersecurity software integration movement is a positive step toward a true enterprise cybersecurity technology architecture, but it could have a profound impact on the cybersecurity market at large in several ways:

  1. Middleware rules. Cybersecurity software platforms will be built on top of technologies like message queuing, enterprise service buses, and machine-readable file formats like XML and JSON. This will introduce yet another skills deficit into the cybersecurity market, as demand escalates for infosec professionals with software architecture experience.
  2. Process knowledge and experience matter. As software integration makes it easier to gather data and take action, the center of gravity shifts from finite prevention, detection, and response features to end-to-end cybersecurity process orchestration. Security vendors will want to recruit practitioners with years of experience so they can create process templates based upon industry standards (NIST, ISO, etc.) and pragmatic best practices.
  3. Open source becomes a more viable option. Widespread security software integration means that central automation and orchestration platforms will collect data, interoperate with analytics systems, and take remediation actions. As this happens, it will marginalize a lot of today’s cybersecurity technologies. Why buy expensive commercial cybersecurity tools if you don’t intend to invest time and resources to learn and use the product’s management GUI? Open source will make a lot more sense, leading to the rise of more Red Hat-like security vendors.
  4. Professional services booms. Like the shift from departmental apps to ERP, cybersecurity integration and consolidation will require an army of design, implementation, and infosec process expertise. Good news for Booz Allen, CSC, HP, Lockheed, Optiv, and Unisys.
  5. Software-defined security gains momentum. As organizations improve their cybersecurity application infrastructure chops, they will be much more willing to experiment with more software-defined security tools. Eventually, this could lead to huge changes as CISOs see the opportunity to replace millions of dollars of hardware firewalls and gateways with low-cost software-defined alternatives.
  6. Big software players pay attention to this shift. Who knows how to build enterprise software architectures? Vendors like Microsoft, Oracle, SAP, SoftwareAG, and Tibco. Ditto for cloud service and SaaS providers like Amazon, Google, and ServiceNow. The enterprise cybersecurity market could be an attractive next act for any or all of these market leaders.

Since it’s the 2016 cybersecurity prediction season, allow me to take out my crystal ball on this one. In 2016, we will see a big shift as enterprise organizations extend DevOps to the cybersecurity domain. This will have a profound impact on enterprise security, cybersecurity professionals and the market as described above. 


Jon Oltsik is a distinguished analyst, fellow, and the founder of ESG’s cybersecurity service. With over 35 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective and strategies. Jon focuses on areas such as cyber-risk management, security operations, and all things related to CISOs.
