The Six Pillars of Cybersecurity Platforms
Understanding how cybersecurity platforms can create value and might solve the problems SOCs face
This week, I am diving into the world of platforms. "Platforms" is the new keyword at the center of the large-scale offerings of the major cyber security vendors. In this post, I provide some background on why these platforms are emerging and what they are made of. Many vendors position themselves as “XDR,” but I’ll stick to this post’s “platforms” terminology.
Before we dive into the details, let me thank you for being a Cyber Builders subscriber and community member. Since I started this publication, I've been thrilled to see people subscribing daily to this new medium. Being a cybersecurity content creator is about connecting with people, which is why I write this newsletter every week. Please share the newsletter with your colleagues and reach out to me; it is the best way to show your appreciation for the time I spend writing it.
The age of the platforms
Security Products at SOC
For a decade, the central discourse of the cyber security community has been that if you care about securing your organization, you must have a Security Operations Center (SOC). A SOC is staffed with people ranging from level one analysts who triage alerts to level three analysts who investigate attacks and help remediate them. It collects alerts and security telemetry from the IT, networking, and security products deployed across the company, and it runs processes that keep it connected with the rest of the organization.
The industry was bullish on the SOC as the must-have for any enterprise serious about security, and that had several consequences over the last decade. As soon as you have people looking at alerts, you need more and more of them! You invest in detection: network appliances, endpoint detection and response (EDR) agents, and the like. As you detect more attacks, you need to respond to them, so you also invest in response tools, and so on.
Ten years later, enterprises have installed 76 security solutions on average in their networks and IT systems. Recent research suggests that organizations with 10,000 employees use over 100 security tools. Yet the same global companies continue to fall victim to cyber-attacks.
Lee Klarich, Chief Product Officer of Palo Alto Networks, highlighted this issue in his RSA Conference 2023 keynote: Palo Alto Networks even found one customer running 400 security solutions. Who can afford to deploy, manage, and use 400 different products? The cost of configuring, operating, and integrating them is likely higher than the expensive subscriptions enterprises are already paying.
Visible Costs: Configuration And Operation
The more your network or endpoints host business-specific software - think of old applications built for YOUR business - the more you need to tune the detection tools to prevent false positives. The management and training costs associated with such a large number of deployed security products are enormous. For each product, you spend from a few days to a few weeks tweaking parameters to adapt the default setup to your particular environment.
Once everything is configured, with 100 to 200 products to manage, you have little time left to handle alerts or even look at each product's UI. Most product makers expect SOC analysts to use their consoles regularly: they provide dashboards and the ability to drill down to specific insights, and they add query languages or APIs to extend their product.
The harsh reality is that most analysts on the customer side don't spend even an hour a week looking at these consoles. They do not have the time, and they have not been trained to use the tools.
Invisible Costs: Data Siloes
There are also hidden costs to running many solutions from many vendors. Every solution now has a Syslog export of its events and a RESTful API, but none of them shares a standard data model that would let products interconnect. This lack of interoperability makes security alert analysis hard.
Detection often comes down to correlating data such as IP addresses or DNS names pulled into a flat text list. As a result, even after 50 years of computing, cybersecurity products still connect the dots by matching strings and patterns. Without a standard data model, identifying network-connected assets, threats, or events across products is difficult.
Every vendor has its own definition of telemetry data, events, threats, alerts, and so on. It works for them, but does it work for SOC analysts and their customers? Nobody seems to care.
The Promise of Platforms
That's why many large organizations are calling for integrated platforms that serve as the entry point for security within the organization and the security operations center.
These platforms promise to solve these issues by collecting structured data and integrating products under a common UI. They make it easier for security analysts to onboard and work together, ensuring collaboration between the various teams.
Security leaders see a lot of value in these platforms. Because team members no longer have to scroll through many screens to get up to speed on the latest insights and detections, they can work more efficiently and save a lot of time in their workday. It could be one way to address the scarcity of cybersecurity professionals.
The situation described above leads many vendors to build platforms, hoping to position themselves as the gateway to cybersecurity efficiency for their large customers. Will they succeed? That depends on whether they can build a comprehensive suite. Let's zoom into the platform's key pillars.
Six Key Pillars of Cybersecurity Platforms
Data
Fundamentally, cybersecurity is a data problem. Malicious behavior generates events inside security detection tools. Even the most advanced attacks leave some traces; they do not remain entirely stealthy.
The main issue is determining whether the log entry an analyst is reviewing represents actual malicious behavior or just a false alarm. It may look like an anomaly that should not occur but result from an error or misconfiguration, or from a legitimate human change, such as an administrator altering a parameter.
IT and security systems generate large volumes of log files that must be processed to identify meaningful events. A platform must be able to handle that volume and minimize false positives.
A good platform should also help structure this data, since many IT systems still emit unstructured logs. While "structured logging" is part of the modern development stack, not all security vendors have adopted it.
I expect a platform to be more than a data sink. It must perform “data fusion” into a structured data repository.
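To make the "data fusion" and "no common data model" points concrete, here is an added example in Python (it is not code from the post or from any vendor). Two constructed telemetry formats, a key=value syslog line from a hypothetical firewall and a JSON line from a hypothetical EDR agent, are normalized into one minimal common event schema and then correlated by source IP within a time window. The vendor formats, field names, hosts, IPs and the schema itself are all invented; the open schemas now emerging in the industry (OCSF, Elastic Common Schema) are far richer than this one.

```python
"""Added example for this post (not the author's or any vendor's code): a minimal
"data fusion" step. Two constructed telemetry formats, a key=value syslog line
from a hypothetical firewall and a JSON line from a hypothetical EDR agent, are
normalized into one common event schema and then correlated by source IP.
Vendor formats, field names and the schema itself are all invented."""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample telemetry (invented hosts; public IP from an RFC 5737 range).
FIREWALL_LINE = (
    '<134>Jun 12 10:41:07 fw01 threat: src=10.0.0.12 dst=203.0.113.9 '
    'dport=443 action=deny sig="Known C2 beacon"'
)
EDR_LINE = json.dumps({
    "ts": "2023-06-12T10:40:58Z", "host": "WS-ACCOUNTING-07",
    "host_ip": "10.0.0.12", "process": "powershell.exe",
    "severity": "high", "rule": "Encoded PowerShell command",
})
NOISE_EDR_LINE = json.dumps({
    "ts": "2023-06-12T10:41:00Z", "host": "WS-SALES-02",
    "host_ip": "10.0.0.55", "process": "chrome.exe",
    "severity": "low", "rule": "New browser extension",
})
SAMPLE = [("firewall", FIREWALL_LINE), ("edr", EDR_LINE),
          ("edr", NOISE_EDR_LINE), ("unknown-vendor", "not parsable")]

SYSLOG_RE = re.compile(r'<\d+>(\w{3} {1,2}\d+ \d\d:\d\d:\d\d) (\S+) (\w+): (.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_firewall(line, year=2023):
    """Map a key=value syslog line onto the common schema.

    BSD syslog timestamps carry neither year nor zone, so both are assumed
    (year parameter, UTC); a real pipeline must take them from the collector."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("unrecognized firewall line")
    ts_txt, host, category, rest = m.groups()
    ts = datetime.strptime(f"{year} {ts_txt}", "%Y %b %d %H:%M:%S")
    kv = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {
        "time": ts.replace(tzinfo=timezone.utc), "source": "firewall",
        "host": host, "src_ip": kv.get("src"), "dst_ip": kv.get("dst"),
        "severity": "high" if category == "threat" else "info",
        "title": kv.get("sig", category),
    }


def parse_edr(line):
    """Map a JSON EDR alert onto the same common schema."""
    ev = json.loads(line)
    return {
        "time": datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")),
        "source": "edr", "host": ev["host"], "src_ip": ev.get("host_ip"),
        "dst_ip": None, "severity": ev.get("severity", "info"),
        "title": ev.get("rule", ev.get("process", "unknown")),
    }


PARSERS = {"firewall": parse_firewall, "edr": parse_edr}


def fuse(raw_events):
    """Normalize (vendor, line) pairs; unknown vendors and bad lines are skipped."""
    events = []
    for vendor, line in raw_events:
        parser = PARSERS.get(vendor)
        if parser is None:
            continue
        try:
            events.append(parser(line))
        except (ValueError, KeyError):  # JSONDecodeError is a ValueError
            continue
    return events


def correlate(events, window_s=120):
    """Group events by source IP; report IPs seen by >= 2 sources within window_s.
    The join key is still an IP string, which is exactly the limitation the post
    describes: without a shared asset model, that is all the vendors give us."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["src_ip"]:
            by_ip[ev["src_ip"]].append(ev)
    incidents = []
    for ip, evs in sorted(by_ip.items()):
        evs.sort(key=lambda e: e["time"])
        span = (evs[-1]["time"] - evs[0]["time"]).total_seconds()
        sources = sorted({e["source"] for e in evs})
        if len(sources) >= 2 and span <= window_s:
            incidents.append({"ip": ip, "sources": sources, "window_s": span,
                              "titles": [e["title"] for e in evs]})
    return incidents


if __name__ == "__main__":
    print(json.dumps(correlate(fuse(SAMPLE)), indent=2))
```

Running it yields one incident for 10.0.0.12 (the EDR alert followed nine seconds later by the firewall deny); the unrelated EDR event on 10.0.0.55 and the unknown-vendor line are dropped rather than crashing the pipeline. The point to notice is how much of the work is parsing vendor-specific text before any security reasoning can start, and that the correlation still relies on an IP string rather than on a shared notion of an asset.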
Threat Intelligence
You'll need more than data processing in your platform. Can you use the data points you see on your network to determine whether a known threat actor is targeting your organization? That requires correlating them with attackers' tactics and techniques (the MITRE ATT&CK knowledge base is the usual reference). The industry calls this "threat intelligence": knowing how criminals and nation-state actors operate, what motivates them, and what they do.
Threat intelligence is a crucial component of any platform. Microsoft recently introduced a new threat actor naming taxonomy, produced by a large group of technical experts (e.g., reverse engineers) alongside linguists and specialists in geopolitics and disinformation. The new taxonomy provides more context, is easier to read and search, and scales better to the diversity of actors.
Threat intelligence must be localized per country, and a local research team will likely provide more insight than a global, US-based one. I expect platforms to keep investing in threat intelligence as the value-added knowledge within their platforms, mainly through M&A, as with Google's acquisition of Mandiant or Microsoft's acquisition of RiskIQ. I also expect some European actors to emerge and grow stronger.
Software at Scale
A platform requires a lot of software, especially software that scales, and teams with the right mindset. For too long, cybersecurity has been associated with embedded systems engineering, where creating a new embedded software or hardware product can take 18 to 36 months through a waterfall process with gates and reviews.
Prominent SaaS vendors do not operate this way. It is common to see several production pushes per day of their latest software. To achieve this level of agility, leaders must adopt the right mindset, moving from a culture of control to an agile one, where change and errors are permitted as long as teams react quickly, fix problems fast, and invest in test automation over time.
If you are unfamiliar with these methodologies and software companies’ culture, I recommend reading “Accelerate: The Science of Lean Software and DevOps: Building and Scaling High Performing Technology Organisations.”
AI
AI, including its latest shiny flavor, Generative AI, is a constituent of the platform. There are at least two use cases.
First, machine learning algorithms will help cluster data within the platform. You should not expect ML or AI to perform detection and alert triage and replace analysts. But it is legitimate to expect some ML-based data filtering and clustering. For example, grouping a 10,000-event log into a set of clusters that are coherent from a data standpoint is a mature technique and should be provided by default.
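As an added example (not the post's or any product's code) of what "coherent clusters from a 10,000-event log" looks like in practice, the Python below generates a synthetic 10,000-line log from four event shapes and collapses it into a handful of clusters by template extraction: variable tokens (IPs, hashes, numbers) are masked, and lines that share a template form one cluster. The log lines, hosts and user names are constructed for the example. This masking step is deterministic rather than learned; log-parsing algorithms used in products build on the same idea and then learn the templates instead of hard-coding the masks.

```python
"""Added example (not from the post): collapsing a 10,000-line log into a few
coherent clusters by extracting templates. Variable tokens (IPs, hashes,
numbers) are masked and lines sharing a template form one cluster. The sample
log is generated here and is entirely synthetic."""
import random
import re
from collections import defaultdict

# Masks are applied in this order so that an IP is not first eaten as numbers.
MASKS = [
    (re.compile(r'\b\d{1,3}(?:\.\d{1,3}){3}\b'), "<IP>"),
    (re.compile(r'\b0x[0-9a-fA-F]+\b'), "<HEX>"),
    (re.compile(r'\b[0-9a-fA-F]{32,64}\b'), "<HASH>"),
    (re.compile(r'\b\d+\b'), "<NUM>"),
]


def template(line):
    """Return the line with variable parts replaced by placeholders."""
    for rx, token in MASKS:
        line = rx.sub(token, line)
    return line


def cluster(lines):
    """Group raw lines by their template; returns {template: [lines...]}."""
    groups = defaultdict(list)
    for ln in lines:
        groups[template(ln)].append(ln)
    return groups


def summarize(groups):
    """Cluster sizes, largest first: what an analyst scans instead of 10,000 lines."""
    return sorted(((len(v), k) for k, v in groups.items()), reverse=True)


def _ip(rnd):
    return ".".join(str(rnd.randint(1, 254)) for _ in range(4))


def generate_events(n=10000, seed=7):
    """Synthetic log of n lines from four event shapes (constructed, seeded).
    User names cycle deterministically so the cluster count is predictable."""
    rnd = random.Random(seed)
    users = ["admin", "oracle", "test"]
    lines = []
    for i in range(n):
        kind = i % 4
        if kind == 0:
            lines.append(
                f"sshd[{rnd.randint(100, 99999)}]: Failed password for invalid user "
                f"{users[i % 3]} from {_ip(rnd)} port {rnd.randint(1024, 65535)} ssh2")
        elif kind == 1:
            lines.append(f"fw01 DROP src={_ip(rnd)} dst={_ip(rnd)} "
                         f"dport={rnd.randint(1, 65535)} proto=TCP")
        elif kind == 2:
            lines.append(f"edr: process=powershell.exe pid={rnd.randint(100, 99999)} "
                         f"parent_pid={rnd.randint(100, 99999)} "
                         f"sha256={rnd.getrandbits(256):064x}")
        else:
            lines.append(f"web01 GET /api/users/{rnd.randint(1, 5000)} "
                         f"status={rnd.choice([200, 404, 500])} from {_ip(rnd)}")
    return lines


if __name__ == "__main__":
    for count, tpl in summarize(cluster(generate_events())):
        print(f"{count:6d}  {tpl}")
```

The 10,000 lines collapse into six clusters: one each for the firewall, EDR and web shapes, and three for the SSH brute-force shape because the user name is not masked and therefore stays part of the template. That last point is the practical caveat: which fields count as "variable" decides whether the analyst sees one cluster or dozens, and a platform has to get that right per source before any smarter ML on top of it is useful.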
The second use case is assisting users and onboarding more people onto the platform. Generative AI lets you ask questions in natural languages such as English or French. This can speed up access to cybersecurity knowledge, such as going from an idea to a Splunk query or a Microsoft KQL query.
I like this use case: I have long been convinced that we need more people in the security community, but not everyone needs to be an expert. Consider the auto industry: the person who fixes your car is not necessarily an engine engineer for F1 racing. The security industry must organize itself to use the wide range of skills available, moving away from requiring college graduates and professionals with ten years of experience.
AI embedded within the platform is a way to be more inclusive and move in that direction.
Beyond these two use cases, a more advanced one can be envisioned.
Generative AI can help brainstorm and plan what is needed to analyze an alert, such as gathering more data or performing specific computations. Although there are current limitations, J. Lambert from Microsoft suggests, for example, extending Generative AI beyond its training cutoff date with a "Skills Library" that uses APIs to connect to more data. Google's AIs are already designed to leverage Google's extensive knowledge of the web.
UX
A great user experience (UX) is necessary for today's software. Internet giants like Google and Facebook have demonstrated that the more straightforward and intuitive your application, the more users you gain and the more you build your business.
This also applies to B2B SaaS applications. You must understand the most common workflows and what your users do daily. What are their objectives when looking at the data on the platform? What kind of queries do they have in mind? For example, they may want to run their whole cybersecurity program on the platform and map their daily, weekly, and monthly processes onto its UX.
For security apps, answering all these questions takes work. Cyber Builders constantly balance power users, who know what they are looking for and push for advanced features, against newcomers, who need entry points into the application's data that are easy to understand and actionable.
Lastly, a common user experience is paramount for companies moving to a new platform. Companies such as Cisco, Microsoft, and IBM have built their own products and acquired others that do not share the same UX. This is confusing and leads to breakdowns when moving between products. A platform strategy can solve this problem by building one standard UX and consolidating all features under the same umbrella.
Value Creation
The final piece of the puzzle is value creation. In his talk “Create more value than you capture,” Tim O’Reilly explained that companies, especially modern software platforms, must create more value - more revenue for their partners - than they capture - what they charge. If you want others to contribute to your platform with plugins, apps, or widgets, the effort and money they invest must pay off many times over. Unfortunately, many security platform makers today don't seem to understand this.
To illustrate the concept of value creation, look at other platforms such as Amazon.com. Amazon is the go-to e-commerce website for online shopping. When you visit Amazon, you know you'll get good prices and a vast selection of products. As a consumer, you're well served and keep coming back. Amazon has created its own offerings, such as AmazonBasics products and Whole Foods supermarkets. But it doesn't stop there: it also runs a huge marketplace where it leverages its logistics power to enable third-party sellers. While these third-party sellers may compete with Amazon's in-house offerings, the overall value created for both sellers and consumers is so large that everyone benefits. This has positioned Amazon as the go-to platform for online shopping.
I have not seen any security platform vendor building an ecosystem today, creating value for partners.
Conclusion
The impact of SOCs is currently limited. Will platforms solve this?
It is still too early to say, but platforms could be a way forward to address the limitations of SOCs. They promise to integrate security products and provide a familiar UI, making it easier for security analysts to work together and ensuring collaboration between the various teams. They could also deliver on data processing, structured data, threat intelligence, software at scale, AI, UX, and value creation. Only time will tell whether platforms can keep that promise.
In the meantime, it will be an exciting time for the security industry as the vendor landscape changes. I’ll happily chat about this post, and about turning their offering into a platform, with any startup CEO or product manager!