It may sound like a debate only engineering geeks should care about – the terms platform and architecture. Are we getting in the weeds here? Aren't they basically synonymous? Well, I'm a proud geek and assert that these terms do not mean the same thing. The fact is, one approach future-proofs your investment and makes security easier yet more effective, while the other increases complexity and creates an ever-widening security effectiveness gap.
It's kind of like the difference between simply locking your doors and windows, putting lights on timers, and setting the alarm, rather than using a smart home system to protect your house. Individual measures don't work together, have to be managed independently, and leave gaps in protection. For instance, they can't prevent someone who has slipped through an open window from taking something from a safe or medicine cabinet. A smart home system is architected to automate and integrate individual security solutions, and allows you to see and manage it all centrally. Adding more layers of defense increases the overall effectiveness of the system without adding complexity.
When it comes to securing your enterprise against cyberattacks, we need a similar shift in approach.
You want the very best solutions to protect your organization, but at this point you probably have a patchwork of so-called product platforms that don't work together – firewall, IDS/IPS, AV, NAC, email security, web gateway, DLP, and sandboxing. Large organizations can have upwards of 40 disparate security vendors, while even smaller enterprises can have between five and 10 – whether or not the right staff is in place to oversee them.
The “see a new threat and buy a new box” approach just isn't sustainable. Not when the attack surface is growing exponentially and increasingly diverse thanks to the IoT and applications and infrastructure moving to the cloud. Not when threats are increasingly sophisticated and evolving rapidly. And not when users are no longer constrained to locations, apps, and devices you control. You're mired in complexity with classical detection methods that can't keep up. In other words, you're experiencing a security effectiveness gap – when the security capability each new product adds is outdone by the additional complexity it piles on.
To close the security effectiveness gap, enterprises are now re-thinking the way they purchase and deploy security technologies. New research from ESG found that 62 percent of security professionals surveyed are actively consolidating their cybersecurity vendors and 82 percent are actively building a security architecture that integrates multiple individual products. But to get the operational efficiencies and better protection they seek, they need to do it the right way.
Organizations need an architecture that can integrate multiple best-in-class platforms so that they work in concert to deliver security that is less complex and more effective. APIs alone are not the answer – that approach just places development burdens on the buyer.
What really makes an architecture an architecture? An architecture shares four key types of data across multiple products that work together to achieve architectural integration at the functional, solution, and management levels:
1. Event information from the logs and alerts of your different security platforms improves visibility across your infrastructure.
2. Contextual awareness reveals the “who, what, when, and where” of an attack in order to build granular controls across your network.
3. Policy information allows for consistent, automated, and faster response actions.
4. Threat intelligence shared seamlessly and in a synchronized fashion allows you to see a threat once and protect everywhere, speeding time to detection.
Let's take a look at this integration in action.
You often learn about an attack when a user reports that “something looks weird.” You didn't receive any alerts, because the attack evaded your security controls. How can you quickly assess the situation, identify the threat, and respond? With separate platforms, even great teams struggle to juggle dozens of product consoles, absorb thousands of rapid-fire event logs, and chase the malware from host to host by hand.
But with a proper security architecture, multiple best-in-class product platforms work together seamlessly. Take a zero-day threat that is delivered via a phishing email.
· An event can occur when a user unknowingly downloads and executes zero-day malware on their computer. The associated indicators of compromise are automatically shared with the next-generation firewall (NGFW), which immediately begins scoping how far the malware has spread inside the network.
· The NGFW has the contextual awareness with network and device trajectory maps to be able to quickly identify those endpoints that also have the same malicious file, even those hosts that do not have endpoint protection software.
· The NGFW then communicates policy information with the network access control system (NAC) to dynamically quarantine the infected endpoint on the network.
· While the infected endpoint is quarantined, the threat intelligence on the zero-day is shared with the full architecture at once, blocking it everywhere to prevent further compromise and future attacks.
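The four-step exchange above, and the four data types it relies on (event, context, policy, threat intelligence), can be made concrete with a small simulation. The following is an added example written for this page, not code from the original post or from any vendor's product; the hosts, file hashes, trajectory records and enforcement-point names are constructed, and the in-process publish/subscribe bus stands in for whatever shared data plane a real architecture would use. Note how the NGFW's trajectory data lets it name a host (`ws-102`) that has no endpoint agent, and how a single sighting ends up blocked at every enforcement point.

```python
from dataclasses import dataclass, field
from typing import Callable

# ---- Constructed sample data (hypothetical hosts and hashes, not real IoCs) ----
MALWARE_HASH = "sha256:deadbeef0001"   # the zero-day sample from the phishing email
BENIGN_HASH = "sha256:cafef00d0002"

# File trajectory records as an NGFW might retain: (sender, receiver, file hash)
TRAJECTORY_LOG = [
    ("mail-gw", "ws-101", MALWARE_HASH),     # original phishing download
    ("ws-101", "ws-102", MALWARE_HASH),      # copied to a host that has no endpoint agent
    ("ws-101", "fileserver", BENIGN_HASH),
    ("mail-gw", "ws-103", BENIGN_HASH),
]
HOSTS_WITH_ENDPOINT_AGENT = {"ws-101", "ws-103", "fileserver"}
ENFORCEMENT_POINTS = ["endpoint", "ngfw", "email-gw", "web-gw", "dns"]


class Bus:
    """Minimal publish/subscribe bus standing in for the architecture's shared data plane."""

    def __init__(self) -> None:
        self._handlers: dict[str, list[Callable[[dict], None]]] = {}

    def subscribe(self, topic: str, handler: Callable[[dict], None]) -> None:
        self._handlers.setdefault(topic, []).append(handler)

    def publish(self, topic: str, payload: dict) -> None:
        for handler in self._handlers.get(topic, []):
            handler(payload)


@dataclass
class Architecture:
    bus: Bus = field(default_factory=Bus)
    quarantined: set[str] = field(default_factory=set)
    blocklist: dict[str, set[str]] = field(default_factory=dict)  # enforcement point -> hashes
    audit: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Each product subscribes to the kind of shared data it acts on.
        self.bus.subscribe("event", self.ngfw_scope)         # 1. event information
        self.bus.subscribe("context", self.nac_quarantine)   # 2. contextual awareness
        self.bus.subscribe("policy", self.share_intel)       # 3. policy information
        self.bus.subscribe("intel", self.apply_blocklist)    # 4. threat intelligence
        for point in ENFORCEMENT_POINTS:
            self.blocklist[point] = set()

    # Endpoint agent: the only product that saw the execution directly.
    def endpoint_detects(self, host: str, file_hash: str) -> None:
        self.audit.append(f"endpoint: {host} executed unknown file {file_hash}")
        self.bus.publish("event", {"host": host, "file_hash": file_hash})

    # NGFW: uses trajectory data to find every host that received the same file,
    # including hosts that run no endpoint agent.
    def ngfw_scope(self, event: dict) -> None:
        ioc = event["file_hash"]
        affected = {event["host"]} | {dst for _, dst, fh in TRAJECTORY_LOG if fh == ioc}
        unmanaged = affected - HOSTS_WITH_ENDPOINT_AGENT
        self.audit.append(
            f"ngfw: hosts with {ioc}: {sorted(affected)} (no agent: {sorted(unmanaged)})"
        )
        self.bus.publish("context", {"file_hash": ioc, "hosts": affected})

    # NAC: applies the quarantine policy to every host the NGFW identified.
    def nac_quarantine(self, context: dict) -> None:
        self.quarantined |= context["hosts"]
        self.audit.append(f"nac: quarantined {sorted(context['hosts'])}")
        self.bus.publish("policy", {"file_hash": context["file_hash"], "action": "block"})

    # Threat-intel hub: one sighting becomes a block at every enforcement point.
    def share_intel(self, policy: dict) -> None:
        for point in ENFORCEMENT_POINTS:
            self.bus.publish("intel", {"point": point, "file_hash": policy["file_hash"]})

    def apply_blocklist(self, intel: dict) -> None:
        self.blocklist[intel["point"]].add(intel["file_hash"])

    # Check whether a later delivery attempt would be stopped at a given point.
    def is_blocked(self, point: str, file_hash: str) -> bool:
        return file_hash in self.blocklist.get(point, set())


def run_scenario() -> Architecture:
    """Play the phishing scenario through once and return the resulting state."""
    arch = Architecture()
    arch.endpoint_detects("ws-101", MALWARE_HASH)
    return arch


if __name__ == "__main__":
    result = run_scenario()
    print("\n".join(result.audit))
    print("quarantined:", sorted(result.quarantined))
    print("blocked at email-gw:", result.is_blocked("email-gw", MALWARE_HASH))
```

The ordering of the subscriptions is the whole point: no component calls another directly, each only publishes the data type the post describes and reacts to the one before it, so adding a new product (say a DNS-layer filter) means subscribing it to the `intel` topic rather than writing point-to-point integrations against every existing console.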
It's not just about keeping up with the pace of attacks, but keeping up with the pace of business as well. What happens if your organization decides to open more branches or adopt more SaaS apps? No problem. With an open architecture you can turn on an additional layer of protection at the DNS layer using existing investments in VPNs or routers to secure users and branches in minutes. You can also add a cloud security platform to monitor third-party cloud applications, instantly highlight any risky apps, and automatically update policies across your infrastructure.
There's no need to debate the virtues of a security architecture vs a platform. Security response is faster, easier, and more comprehensive when you have both: a security architecture that integrates multiple best-in-class platforms.