



Network defender innovation: time to throw out the old best practices

Aug 14, 2017 | 5 mins
Network Security, Security

We have reached a tipping point, a point in our community’s evolution where the security vendor mambo is no longer sustainable.


I don’t know if you have noticed this or not, but the number of security tools you manage today is significantly larger than the number you managed back when the internet was young. From the late 1990s until now, a scant 20-plus years, InfoSec teams have gone from managing three tools (a firewall, an intrusion detection system and an antivirus system) to managing anywhere from 20 to 200 tools, depending on the size of the organization. The size of your InfoSec team, however, has not grown to match. That has stayed constant, as has the fact that we, the network defenders, have to integrate those 20 to 200 tools inside our own organizations ourselves. The vendors don’t do that for us. This vendor sprawl has resulted in many InfoSec teams engaging in what I like to call the continuous “security vendor mambo”: the never-ending dance of installing yet another device or application on the network.

Installing a new security device or application is no easy feat. It means wrestling with the product to incorporate it into your security workflow, crossing your fingers in the hope that it is configured properly, and then spending more time and resources keeping it fed with the latest intelligence and software updates. For each shiny object you add to your security vendor mambo, you pay for the actual control, pay to have somebody maintain it, pay for somebody to watch the data coming off of it and, finally, pay to have somebody correlate the data from all of your shiny objects so that you have an integrated threat picture with which to make decisions. It seems that, from the very beginning, the network defender community has added more tools to our collective environments every year. After 20-plus years, we have reached a tipping point, a point in our community’s evolution where the security vendor mambo is no longer sustainable. We can’t keep adding more and more tools.

One of the contributing factors that got us to this point is our belief in a couple of legacy best practices that we old timers established in the early days: vendor-in-depth and best-of-breed. Vendor-in-depth is the sage advice that network defenders should never put all of their chips down on a single vendor. The idea is that if the product from any one vendor fails, our environments will still be protected by all of the other vendors’ products. The impact on our InfoSec teams is that they have to be experts on 20 to 200 tools. Of course, we know that they cannot possibly be experts on all of those things. And even if you could find one or two people who are, the systems they manage are so complex that they will most likely make mistakes in the continuous configuration and maintenance operations, that security vendor mambo I mentioned. Those mistakes are the seams that cyber adversaries use to exploit our systems.

Best-of-breed means that the network defender community hauls every vendor’s product that accomplishes a specific task into the lab and runs them through a battery of tests to find the very best one. We generally base our decisions on technical merit and on whatever the coolest new shiny object on the market happens to be. The contest usually lasts from six months to a year. And here is the kicker: if we replace an already installed vendor product with the new shiny tool, your InfoSec staff is going to spend the next year forklifting the old technology out and the new technology in, all to get to the exact same place you were before you began the project a year ago. The new system usually delivers only an ounce more protection than the old one did. That’s not advancement; that is churn.

The innovation that is emerging is the recognition by many network defenders that it is time we admitted to ourselves that these two old best practices are not all they are cracked up to be anymore. When you are picking new security tools for your environment, you should not be looking for vendor-in-depth or best-of-breed. Instead, you should look for tools that automatically integrate with the tools you already have. Ideally, find a platform that does most of the work you need done in one box and also integrates with the handful of other tools you need, so the members of your InfoSec team don’t have to do the integration themselves. You are no longer buying and installing individual vendor tools; you are establishing relationships with a handful of vendors you trust. I realize this is hard for many old timers, as it goes against 20-plus years of best practice, and change is hard. But for those enlightened network defenders who can get their minds around the idea, this innovation reduces the complexity of your environment and reduces the total cost of ownership of your security program.


A 23-year military veteran, Rick Howard has a broad background in several areas of InfoSec, drawn from experience in both the public and private sectors. During his military career he learned the technical skills necessary to succeed in the IT/security world, and in his current role as chief security officer (CSO) of Palo Alto Networks he continues to learn and to contribute to the business side of this evolving industry.

Prior to joining Palo Alto Networks, Rick was the Chief Information Security Officer (CISO) for TASC and led the development of TASC’s strategic vision, security architecture and technical roadmaps for information security. As the GM of a commercial cybersecurity intelligence service at Verisign (iDefense), he led a multinational network of security experts who delivered cyber security intelligence products to Fortune 500 companies. He also led the intelligence-gathering activities at Counterpane Internet Security and ran Counterpane's global network of Security Operations Centers.

A veteran, Rick served in the US Army for 23 years in various command and staff positions involving information technology and computer security and spent the last two years of his career as the US Army's Computer Emergency Response Team Chief (ACERT). He coordinated network defense, network intelligence and network attack operations for the Army's global network and retired as a lieutenant colonel in 2004.

Rick holds a Master of Computer Science degree from the Naval Postgraduate School and an engineering degree from the U.S. Military Academy. He also taught computer science at the Academy from 1990 to 1995.

He has published many academic papers on technology and security and has contributed as an executive editor to two books: “Cyber Fraud: Tactics, Techniques and Procedures” and “Cyber Security Essentials.” In the spring of 2013, Rick Howard spearheaded the creation of a "Rock and Roll Hall of Fame" for cybersecurity books called The Cybersecurity Canon. The Cybersecurity Canon's goal is to identify a list of must-read books for all cybersecurity practitioners -- be they from industry, government or academia -- where the content is timeless, genuinely represents an aspect of the community that is true and precise, reflects the highest quality and, if not read, will leave a hole in the cybersecurity professional's education.

The opinions expressed in this blog are those of Rick Howard and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.