We’re thrilled to share our latest cybersecurity guest blog post written by Rick Howard, chief security officer at Palo Alto Networks. Howard will be sharing his expertise at the Capital Cybersecurity Summit on November 2-3, 2016 on the CISO Sidebar panel.
In today’s cybersecurity landscape, where attacks are increasing in number and sophistication, the network defense model developed over the past 20 years has become overwhelmed. Commonly referred to in cybersecurity circles as the “Cyber Kill Chain,” the model uses what was originally a military concept to help network defenders find a cyber attack and fix any damage it caused and then track, target and engage with the cyber attacker.
Over time, cyber adversaries’ capabilities grew. Soon, they were routinely finding ways to circumvent the Cyber Kill Chain model. This happened for several reasons:
- Too many tools for defenders to manage. As network defenders struggled to keep up with evolving cyber attackers, more security tools were implemented on the network, and the man-hours spent ensuring those tools were operating correctly and analyzing the data they provided quickly became a burden with which most network defense teams couldn’t keep up.
- Too much complexity for security. As new security tools were added, the complexity of the network grew. The more complex the network, the easier it is for network defenders to make a mistake that can expose the network to cyber attacks.
- Too much wasted time. As vendors launched new security tools, customers entered into a kind of arms race in which they were constantly evaluating new “best of breed” security products against each other to determine which was the most effective. These evaluations could take months, with more time and money wasted after a decision was made in order to remove legacy security tools and replace them with new ones, and then train teams on how to use them effectively. It was a process that became more complex – and expensive – every year as cyber threats evolved and new tools were developed to address them.
- Too inefficient at crossing the last mile. Cyber attackers often leave clues when they penetrate a network’s defenses, which are called “indicators of compromise.” Once an indicator is found, network security vendors develop prevention and detection controls that address the indicator and deploy them to customers—a process the industry has referred as “crossing the last mile.” But when an indicator affects multiple products from different vendors, or a new indicator of compromise is discovered, keeping track of the status of each tool and whether or not that tool has the most updated controls installed becomes a logistical nightmare.
Much of the complexity that currently overwhelms the Cyber Kill Chain model can be solved with an integrated security platform. “Platform” is a buzzword many vendors use, but I define it as a way to combine tools that network defenders have previously implemented as point solutions from different vendors into a platform built and maintained by one vendor. The “secret sauce” is that integration – when the platform components work together – makes each component more effective as a result of its integration with the others and it makes the network easier to defend by reducing the number of tools to be managed.
More advanced security platforms have the additional ability to automate the deployment of prevention and detection controls, making the process to cross the last mile much less labor-intensive. By replacing an ad hoc collection of independent, patched-together tools with a well-integrated, automated security platform, the problems described above become much simpler to resolve or disappear altogether. Partnering with one vendor gives network defenders leverage in terms of contract negotiations. They can use longer term contracts to get significant discounts from the vendor and, because of that, they can insist on creative fulfillment models that are advantageous to themselves in defending their networks.
The challenge for automated security platform adoption is primarily cultural. Network defenders are familiar with the best-of-breed security tool model, and many see the constant evaluation of new tools as a sort of “survival of the fittest” contest that ensures they’ll find the best tool for their network. It will take a lot of education and mind-changing, a process that may require support from an organization’s board of directors or C-suite, to ensure it happens. But it’s a change that needs to happen in order to protect our way of life in this digital way more effectively and efficiently in the future.