By Augusto Barros, Cybersecurity Evangelist, Securonix, and Oliver Rochford, Applied Research Director
Move over XDR, because a much more important development has quietly taken over: the advent of the consolidated security platform. Consolidated security platforms combine a variety of different but adjacent and mutually beneficial security capabilities into a single solution, for example SIEM and UEBA, or vulnerability assessment, security configuration assessment, and web application scanning. But when we already have XDR, why do we need yet another security operations solution? And haven’t we been here before?
SIEM has now been around for 20 years, and despite evolving through several generations of technology, it has again begun to show its age. When we started covering SIEM as industry analysts, most deployments were driven by compliance mandates.
By 2016, though, the threat landscape had changed quite dramatically, becoming far nastier and more threatening. SIEM vendors, who had invested heavily in fulfilling customer demand for improved compliance capabilities, were blindsided by this sudden escalation in cyberattacks. End users also learned the painful lesson that being compliant was not the same as being secure.
It took many years for SIEM to move past the reputation of not being fit for the purpose of effectively managing threats. Doing so required new innovations such as user and entity behavior analytics (UEBA), alignment to the MITRE ATT&CK framework, and support for add-on technologies like SOAR to make it a fully fledged security operations platform. But it has led to another problem: SIEM has grown inorganically, with many features and capabilities bolted on rather than built in, increasing not just the complexity of the solution but also the skills required to deploy and operate a SIEM successfully.
XDR attempts to address some of these challenges, but it does this by reducing complexity with a primary focus on endpoint data correlated with a few other select data sources. That is great if you need a quick and easy solution for a small organization to fend off more basic cyberattacks, but ultimately XDR represents a dead end. There is no clear path to grow in maturity, and little scope to adapt and customize to changing circumstances, the organization’s specific processes and context, and new trends and developments.
Neither SIEM nor XDR provides a clear path for users who want to progress from basic threat management to large-scale security operations. One throws you in at the deep end; the other leaves you stranded in the shallow half of the pool.
What users really need is the ability to quickly deploy effective threat detection and response capabilities that work out of the box, can be rapidly repurposed and reconfigured, and enable a progression, whether gradual or quick, that evolves and grows with the organization.
As Gartner predicts, what we really need is a modular and composable consolidated security platform.
Security Platforms Past
The concept of a consolidated security platform is not at all new. There have been many attempts in the past, and they can be roughly divided into two camps.
There’s the portfolio platform, which only exists in the form of a collection of different point solutions available from a single vendor. Almost all of the large companies, including IBM, HP, Symantec, and McAfee, at one point tried to acquire their way to this sort of “platform”. The problem was that this rarely resulted in a portfolio of best-of-breed solutions, nor did it deliver any real technological advantage from tighter or deeper integration. Users got simplified contract and support management, and maybe even a great bundle discount, but the solutions themselves didn’t really benefit from tighter integration or “the sum is greater than the parts” synergies. You could have plugged together solutions from any other vendor and achieved the same security efficacy. In fact, picking from different vendors would usually be the way to achieve the best results, as it maximizes the ability to select best-of-breed components.
The second type of platform was the “SOC-in-a-box” model, usually built by throwing together a selection of features and capabilities for a small price. This is great if you are on a tight budget, but the capabilities were very rarely best in class. In many cases, these solutions even sacrificed capability for simplicity and still failed to meet the challenges modern security needs to solve. Unified threat management (UTM) appliances are a good example of this approach. And, as mentioned before, this is the path that most XDR solutions are following today.
In each case, the platform was a commercial solution, not a technological one. This is not to say that rationalizing your security stack is not a good reason to consolidate, because it is. Security technologies have sprawled out of control, with a lot of overlap and duplication. For many CISOs, vendor consolidation is a high priority. But the true promise of the consolidated security platform lies in maximizing synergies.
In our defense, it was not really technically feasible to build a truly integrated and consolidated platform, not for security, or for anything else either. We were limited by the available architecture and technology. Building a truly integrated platform out of point solutions and appliances with limited compute, storage, and data processing capabilities was simply not possible.
The Security Platform of NOW
Thankfully, circumstances have changed. For the first time ever, we have the technical foundation to build a fully integrated and consolidated security platform.
- Cloud gives us elastic and technical scalability
- Data platforms allow us to retain much greater information volumes, translating directly into greater fidelity of activity across much longer time scales
- IaaS, PaaS, SaaS, and microservice architectures provide us with models for knitting together different functions and capabilities, including the ability to leverage data and services available outside the platform
- Big data and analytics at scale mean that we can process these data volumes
- Detection, hunting, and response as code allow greater portability and more rapid detection engineering
- More sophisticated mathematical models and approaches mean that we don’t just end up with messy noise, but actually gain insights
Taken together, these and similar trends mean that we have reached the critical mass necessary to build a truly consolidated security platform, and with DevSecOps we have the technological equivalent of the 100th monkey effect.
Just take our Security Operations and Analytics Platform as an example. We provide a core platform for SIEM and XDR with data collection, aggregation, and analysis. UEBA and SOAR are built in because analytics, orchestration, and automation are required for whatever you do. The boundary between detection and response, which has become blurred in modern security operations processes, does not need to be reflected in the technology. You can also customize the platform to your needs through an assortment of purpose-driven add-ons.
The word “platform” often brings to mind monolithic solutions, but that is not the case here. Even the data layer can be swapped out: you can use the one included with the SIEM, your Snowflake Data Warehouse, or AWS DataStore.
The Platform of the Future
Rather than thinking about security solutions in terms of point solutions and rigid technology market categories, we can now envision modular and composable micro stacks that enable the mixing and matching of critical functions and capabilities depending on need, and that are adaptable to changing circumstances.
In this model, XDR is just one possible star cluster in a constellation of modular and composable applications that is easily modifiable and extendable to accommodate any number of different use cases or to allow maturity growth. But there are others, even if they have not yet been christened with a pretty name or acronym.
Modular and composable, a consolidated platform supports a mix-and-match approach to security operations to build micro stacks for a variety of applications.
SIEM, SOAR, and UEBA have already proven to be a potent and effective combination.
SIEM with an integrated threat intelligence platform (TIP) is another combination that is already available commercially. But so far, these only scratch the surface of what we will be doing soon.
It is probably not possible to reach a point where all the required threat detection and response capabilities are part of a single platform. But the way the new platform is designed accommodates that fact. Integration of external components is a native part of the architecture, not only to ensure that all required pieces are in place, but also to give organizations the freedom to pick and choose specific, preferred pieces where necessary.
The path to this new scenario has seen monoliths and portfolios tried as ways to deliver security operations platforms. We learned from the mistakes and limitations of those approaches. Now, with the support of cloud technologies and more mature data and integration models, we are ready to finally deliver on the promise of consolidation: better results.