Security products: Best of breed or create your own monster?
Beware the Frankenstack
IT security is not just about antivirus or firewall products anymore. There is a whole layer cake of different product types designed to protect your organisation in different ways.
It is a stack, in much the same way as TCP-IP networking or web server functionality has stacks of functionality. The question is, what's the best way to build it?
David Spence, director of security strategy and architecture at Deloitte, sees several layers to the security stack. Like most other technology stacks, such as networking, it runs from application-layer stuff at the top down to more fundamental bits at the bottom.
He puts customer and brand security technologies at the very top, embodied by products that look for phishing websites, for example, or search for counterfeit products online.
Other layers include identity and access management and application security. Network security (firewalls, intrusion detection systems and the like) come fourth, while system security (not only server security but also client-side devices and BYOD) come fifth in Spence's vision.
He includes data security near the bottom of the stack as a function that underpins everything else. This would include the use of cryptography to protect data at rest and in transit. Finally, security operations come last.
There is at least one category, however, that spans multiple areas, if not all of them: cloud security.
“You can either blend it into all the different areas or pull it out into a separate area as a point of focus,” he says.
It's alive! It's alive!
When it comes to covering all of the layers in this technology stack, companies have a critical choice to make: should they look for a single vendor that covers all these layers with a single, integrated security product set? Or should they go hunting for products from different vendors, each of which will excel at a particular aspect, to produce a “Frankenstack”?
A lot depends on the problems the enterprise is trying to solve and its online agenda, says Spence.
“A lot of what I have seen in organisations comes down to cost, and it’s hard to direct people away from that,” he says.
In short, the cheaper option is generally the one that wins, especially in an area such as security where there is not much chance of a return on investment.
Pros and cons
Integrated security stack offerings are generally cheaper to buy and manage, typically giving you most of the things that you want, if not all. For companies without complex needs they can present easy solutions, with a single vendor providing cross-spectrum support.
These things will make it attractive for some companies, but stack solutions have their own potential downsides.
"You’re putting all your eggs in one basket," warns Liam Enticknap, a network solutions architect at hosting firm Peer 1.
"If it fails you, you're no better off. You're stuck. Or you have to rebuild everything and spend all that time again."
One upside to best-of-breed solutions is independence. “Being vendor-neutral is always an advantage,” says Enticknap.
Lock-in can be a worry for companies that buy a particular vendor’s solution. The vendor may be benign but it may also have an iron grip and make its own products incompatible with others.
What pulls a company away from the ease and cost savings associated with many single-vendor solutions is a particular security need.
Dwayne Melancon, CTO at security and compliance vendor Tripwire, works a lot with energy companies that employ technology professionals in the IT and operational spaces.
"On the operational tech side you’re dealing with specific logic controllers and structures, and infrastructure that is specific to the operating environment of the electrical grid," he says.
"In those situations you won’t find an integrated solution that does what you need so you have to go to best of breed."
Similarly, different parts of an organisation may deal with different systems and risk profiles, necessitating a different vendor's product.
"So you have to assemble your own building blocks. One way to look at it is by determining the value to the enterprise. The other is to look at the impact. What is the shape of my risk?" says Melancon.
Specific features unavailable elsewhere may be a potential benefit in a best-of-breed product but you should be sure that you are going to use them, says Spence. It is all too easy to be dazzled by a particular feature, especially if you go into procurement without a particular goal in mind.
Take next-generation firewalls, for example. A dumb firewall might be able to block email at the port level, whereas a next-generation device might be more granular, allowing people to read emails but not write them perhaps, or to check email at work but not to send attachments.
Not all companies will take advantage of what they have bought after shelling out on these devices, Spence warns.
“They won’t spend time thinking 'we have this new technology, how do we get the best out of it?’ If you don’t change the operational processes and procedures supporting it, then it isn’t used,” he says.
On the other hand, best-of-breed products are not guaranteed to work with each other either. And there are other potential downsides.
“It comes with challenges. More mistakes, different bugs between the vendors, and integration can be an issue,” admits Enticknap.
Stitching parts together
Managing that interoperability can be a challenge for customers that cherry pick their solutions from different vendors. Security information and event management tools are designed to hook into multiple systems and correlate what they are doing.
They take data from different sources and homogenise it so that it works together, in a process known as normalisation.
"They tend to be expensive, and you are reliant on them keeping everything up to date," warns Melanchon.
The alternative is to get middleware that acts as the glue between different vendors' best-of-breed products.
In February, McAfee, which has fleshed out large parts of its own security stack, launched its middleware platform. The Data Exchange Layer (DXL) is a platform for integrating third-party security products together, explains Raj Samani, vice president and EMEA CTO at McAfee.
"We would like to use DXL as the piping, or plumbing, for multiple security controls across multiple vendors," he says.
Other efforts are being made to create standard information exchange formats so that products can talk to each other more easily
He adds that the platform acts as the basis for a product launched at the same time, called the McAfee Threat Intelligence Exchange. The idea is to collect information from multiple sources and identify systems at risk.
"It really allows you to enforce security by being able to review multiple intelligence sources," he says.
Other efforts are being made to create standard information exchange formats so that best-of-breed products can talk to each other more easily.
The not-for-profit research company Mitre has two initiatives in play, both sponsored by the Department of Homeland Security: the Trusted Automated eXchange of Indicator Information (TAXII), and the Structured Threat Information eXpression (STIX). Other standards efforts in its arsenal include the MAEC language for exchanging malware information.
TAXII defines protocols for exchanging cyber-threat information, while STIX is a common format for that information, including cyber-security incidents.
Could companies use open source to bolt together best-of-breed products more effectively? Melancon thinks so, arguing that you will often see it in companies assembling best-of-breed security components to tackle a specific job.
"In best of breed you have to take on the burden of audits and security testing," he says.
"Organisations that are willing to invest that extra effort will be attracted to open source because of the cost of acquisition, but they take on an additional cost of operation."
McAfee already uses open source as part of its intrusion detection and prevention systems. Niche companies have created signatures for specific verticals such as industrial control firms.
"We have specific signatures that we made available under Snort [an open-source intrusion prevention system]," Samani says.
The line between integrated stacks and best-of-breed products can often blur. Large firms have been known to buy smaller best-of-breed firms with technologies that can add value to their own stack.
Small firms can also buy each other to gradually expand a best-of-breed product into a broader product offering.
There is a third option, according to Corey Nachreiner, director of security strategy at WatchGuard. Companies can partner with each other, folding different solutions from others in the industry into specific products.
Like many startups, Watchguard started out with a single product category – next-generation firewalls -– but knew it would have to add more functionality as it went along if it was to stay competitive.
“When we added all of these additional layers to our stack, we went with best-in-class companies,” Nachreiner says.
The firm partnered with other companies for antivirus software, and also forged relationships to use other products in the areas of intrusion prevention and web security.
“That way, I know that I’m getting big names behind each of these services, too,” he says.
The company still purchases security firms to add their technologies to its stack, but the decision about when to purchase rests largely on how the technology relates to the rest of the stack.
“Are we adding something that’s commoditised? Unless there’s some new evolution in intrusion prevention, there’s no reason for us to buy that so we’ll partner instead” he says.
“When we get to advanced threat detection, then maybe that’s where we consider whether we might want to buy somebody.”
As companies blur the lines, you will find a mixture of integrated and best-of-breed products, depending on what part of the security stack you are talking about.
Companies sometimes collapse some layers of the stack into a single product set (and perhaps even a single product, such as an appliance) while leaving others separate.
Blending different layers of the security stack together in this way is fine, says Melancon, as long as the merged layers make sense to the people using the product.
"I have seen some security suites that don’t make sense together because they’re handled by different people in the organisation," he says, citing database monitoring and firewalls as an example.
"You have database guys and network guys who known nothing about the database, and you’re trying to blend that."
Conversely, application monitoring and firewalls make more sense, because network techs often have a better chance of understanding how applications are used, he adds.
Spence warns that another set of vendors may also muddy the waters: infrastructure players.
"A lot of the basic security requirements won’t be delivered by traditional security companies," he says, imagining a not-too-distance future. "They will be delivered by classic IT infrastructure providers."
Cisco, for example, folds security features into products in the traditional networking stack, such as switches and routers. Microsoft includes notable security functionality in its latest products.
"In the latest releases Microsoft pushed some of the more basic requirements such as data loss prevention and e-discovery into its own product sets," says Spence.
"These basic features allow you to do a number of things that you used to need a security vendor to do for you."
In truth, IT departments may find it difficult to source a complete security stack from a single vendor. Even if they want to take an integrated approach, they may have to deal with a small number of companies to cover all of the layers that they want.
So the choice between best of breed or integrated stack products is not so much a binary one as a position on a spectrum.
However far to either side you care to sit, take a proper look at third-party evaluations to ensure that your security stack does exactly what you want – or at least that you will be able to live with what it won't do. ®