We have reached a tipping point, a point in our community’s evolution where the security vendor mambo is no longer sustainable.

I don’t know if you have noticed this or not, but the number of security tools you manage today is significantly larger than the number of tools you managed back when the internet was young. From the late 1990s until now, a scant 20-plus years, InfoSec teams have gone from managing three tools — a firewall, an intrusion detection system, and an antivirus system — to managing from 20 to 200 tools, depending on the size of the organization. The size of your InfoSec team, however, has not grown to match. It has stayed constant, as has the fact that we, the network defenders, have to integrate those 20 to 200 tools inside our organizations ourselves. The vendors don’t do that for us.

This vendor sprawl has resulted in many InfoSec teams engaging in what I like to call the continuous “security vendor mambo”: that never-ending ballet of installing a device or application on the network. Installing a new security device or application is no easy feat. It includes wrestling with the product to incorporate it into your security workflow, crossing your fingers in the hope that it’s configured properly, and then spending more time and resources keeping it current with the latest intelligence and software updates. For each shiny object that you add to your security vendor mambo, you have to pay for the actual control, pay to have somebody maintain it, pay for somebody to watch the data coming off of it, and finally pay to have somebody correlate the data from all of your shiny objects so that you have an integrated threat picture with which to make decisions.

From the very beginning, it seems, each year the network defender community has added more tools to our collective environments. After 20-plus years, we have reached a tipping point, a point in our community’s evolution where the security vendor mambo is no longer sustainable.
We can’t keep adding more and more tools.

One of the contributing factors that got us to this point is the belief in a couple of legacy best practices established by us old timers in the early days: vendor-in-depth and best-of-breed.

Vendor-in-depth is that sage advice that network defenders should never put all of their chips down on a single vendor. The idea is that, if the product from any one vendor fails, our environments would still be protected by all of the other vendors’ products. The impact on our InfoSec teams is that they have to be experts on 20 to 200 tools. Of course, we know that they cannot possibly be experts on all of those things. And even if you could find one or two people who are, the systems they manage are so complex that they will most likely make mistakes in the continuous configuration and maintenance operations, that security vendor mambo I mentioned. Mistakes are the seams that cyber adversaries use to exploit our systems.

Best-of-breed means that the network defender community is going to haul every vendor’s product that accomplishes a specific task into the lab and run them all through a battery of tests to find the very best one. We generally base our decisions on technical merit and on whatever the coolest new shiny object on the market happens to be. The contest usually lasts from six months to a year. And here is the kicker: if we replace an already installed vendor product with the new and shiny tool, the InfoSec staff is going to spend the next year forklifting the old technology out and forklifting the new technology in, all to get to the exact same place they were before the project began a year ago. This usually equates to only an ounce more protection than the old system provided. That’s not advancement; that is churn.

The innovation that is emerging is the recognition by many network defenders that it is time we admit to ourselves that these two old best practices are not all they are cracked up to be anymore.
When you are picking new security tools for your environments, you should not be looking for vendor-in-depth or best-of-breed. Instead, you should look for tools that automatically integrate with the other tools you already have. Better still, find a platform that does most of the work you need done in one box and that also integrates with the handful of other tools you still need, so the members of your InfoSec team don’t have to do the integration themselves. You are no longer buying and installing vendor tools; you are establishing relationships with a handful of vendors you trust. I realize this is hard for many old timers, as it goes against 20-plus years of best practices, and change is hard. But for those enlightened network defenders who can get their minds around the idea, this innovation reduces the complexity of your environments and reduces the total cost of ownership of your security program.