5 Questions to Ask Your Security Platform Vendor
22nd May 2020
CISOs are always on the hunt for innovative solutions to their most pressing problems. They have been forced to choose their own adventure from an industry that is rife with incompatibility, running their operations across dozens of tools and a plethora of consoles that don't talk to each other. Combined with a backlog of policy updates that never get applied consistently, this inevitably leaves gaps between the different point solutions in the security ecosystem. The reality is that most organisations already have an abundance of point products designed to address specific challenges, but most of these products cannot be easily integrated into a larger and more effective security strategy.
Choose your Adventure
“There are choices to be made, challenges to overcome, dangers to encounter and, as always in life, consequences to be had. Choosing wisely could lead to triumph while taking the wrong path could end in disaster – but who's to say what's ‘right’ and ‘wrong’, anyway?” says Netflix of its first interactive television film, Bandersnatch. The film offers viewers a series of choices that can drastically change the outcome of the story. The parallel between a CISO weighing their next technology adventure and a viewer making those choices on behalf of the protagonist is uncanny: these choices have the power to alter your endgame. Or, as Netflix puts it, “Fret not because once one experience comes to a close, you can – and should! – go back and make a new choice, alter the path of your story and maybe even change its outcome”. This recalls the ‘Choose your own adventure’ books many of us read as children. Much like those books, wouldn't it be great if every CISO could trace their decisions back from an outcome, not just the technology decisions but also the people and process decisions, and find a different way to make them work together?
ESG's 2020 Integrated Platform report indicated that 30% of organisations use more than 50 different security products, while 60% use more than 25. Every technology decision affects your overall security programme, and every product that is not integrated with the rest adds dependencies and blind spots. Clearly, choosing your own adventure one point product at a time is not going to work. Security platforms are evolving in response to customers' need to consolidate their vendor landscape and simplify security.
The following are important questions to ask when you’re evaluating your options.
1. How is your platform different from a SIEM or SOAR?
Many vendors are calling their native SIEMs or SOARs “platforms” because they know the need for integration is so great. A SIEM exists to aggregate and correlate telemetry so that analysts see fewer, higher-fidelity alerts; a SOAR exists to automate the investigation and response workflows that follow. Neither, on its own, lets you take holistic, coordinated actions across your environment, and even next-gen SIEMs and SOARs remain complex and difficult to integrate. Without native connectivity between the back-end control points and the front-end workflows, you must divert limited staff to labour-intensive integration work. A platform should let you integrate a portfolio of best-of-breed security products with your SIEM or SOAR to strengthen threat detection and investigation for your SOC. Consider a vendor that offers a more sustainable platform approach that:
- Provides a full life cycle dashboard – unifying visibility and control across all your security solutions from one central location.
- Streamlines workflows – enabling automated responses and coordinated actions to investigate and respond to threats more efficiently.
- Unifies teams – enabling NetOps and ITOps to act as an extension of SecOps, improving each team's productivity.
2. To which control points does your platform natively connect?
Your security solutions should work as a team, delivering consistent visibility and control across your entire environment. A platform should provide coverage for all major threat vectors and natively connect controls across the network, endpoints, cloud, and applications, giving you one unified view. This unified view enables teams to respond to threats from multiple angles and to follow the full life cycle of an alert regardless of where it originated. It should also let you choose what works for your business from a broad and open ecosystem. The fact is, two products do not make a platform; an exchange platform built on open standards lets you harness your existing investments and integrate third-party products without bespoke glue code.
3. How many of my existing security components can connect to your platform?
There are incremental advantages to using multiple solutions from a portfolio-based platform vendor; however, wall-to-wall coverage isn’t a realistic goal or expectation. You need to be able to leverage your current investments and easily integrate new solutions in the future.
Ask your vendor how they prioritise working with third-party technologies; do they use partnerships, out-of-the-box integrations, standards-based information exchange, or open APIs?
Their platform should be:
- SIEM/SOAR-agnostic – so you connect the platform to your SIEM or SOAR once and it forwards fewer, higher-fidelity alerts aggregated from multiple control points.
- Cloud-agnostic – so you can keep network security policies consistent, whether you’re using AWS, Azure, Google Cloud Platform, or on-prem control points.
- Infrastructure-agnostic – so you can connect your existing best-of-breed solutions to the platform.
4. How will your platform increase my efficiency?
When your teams get buried under repetitive, manual tasks, efficiency goes down and the probability of errors goes up. A platform should deliver built-in automation and analytics that aid in policy and device management, detecting unknown threats, and coordinating response and policy change.
Find out whether the platform can apply analytics to identify behavioural anomalies across on-prem and cloud network traffic, including encrypted flows. Note that analytics on encrypted traffic works from flow metadata (packet sizes, timing, handshake characteristics) rather than from decrypted content, so ask the vendor precisely what it can and cannot detect without decryption. The platform should do this while enforcing policy and automatically adapting network and application access for compromised endpoints. At the same time, the automation should be nuanced enough not to get in the way of productivity: a compromised endpoint should automatically have its access blocked, while the same user on a healthy device retains access.
5. How will I know your platform is improving my security?
The right platform won’t just help you improve your security across users, applications, and devices – it will help you measure and prove success. Does the vendor provide a unified, easy-to-consume dashboard with insights into how well your security program is mitigating risks?
Ask the vendor how easily the platform can produce reports or live views that show how your security maturity is changing over time. If one of your objectives is a continuous improvement cycle, the platform should also provide metrics that tie policy changes to alert quality, for example whether a change reduced false positives or raised the proportion of alerts that led to a confirmed incident.