All the Kids Get to Play in Our Sandbox

As I took on a global manager role these past few years, I have had to evaluate different solutions that would help my team do their job better. Quite the reversal from being the vendor wanting to show prospects the solution I sell and proving to them it will meet their requirements. I have learned several lessons from this experience, one of which is that robust integrations with a rich API are a cornerstone requirement – this allows me to choose Best of Breed in each solution area I invest.

Some vendors have built their reputation based on a flagship product that was Best of Breed in its class. These vendors gained notoriety and acquired other companies to complete gaps in their solution portfolio. But did they purchase the Best of Breed in those areas? Most of the time the answer is “no”. The Best of Breed in that area would most likely sell for top dollar. What tends to happen when a vendor starts focusing their energy on filling capability gaps through acquisitions? They stop innovating.

Another problem this creates is the vendor wants you to only play in their playground. They have no incentive to become an open platform, allowing customers to pick and choose from the best vendor solutions and integrate everything together easily. That would mean all the money they spent acquiring those other solutions would have gone to waste. You want to take advantage of their malware analysis capabilities? Buy their intelligence. You want to take advantage of their intelligence? Buy their appliances. You want the endpoint to integrate with their appliance? Buy their agents.

How do we break this cycle and get back to what matters most: implementing the best security solutions that will reduce my organization’s risk exposure to as close to zero as possible? There are three primary tenets I would ask any business and technical decision-maker to demand when evaluating both vendors and their solution offerings.

  1. Demand open integration. If they have a Best of Breed solution in one platform area, demand that solution integrates openly with other platform solutions no matter the vendor. “I’m sorry but your endpoint solution doesn’t meet my needs, I need your network solution to integrate openly with Vendor X’s endpoint solution to satisfy the requirements.”
  2. Establish clear and concise Success Criteria for evaluating solutions. One huge disservice many vendors do (and prospects as well) is to request a Proof of Concept without having a real understanding of how to fairly test and evaluate competing solutions against each other. “Plug it in and we will show you what we find!” is what many vendors will say. This, however, will not show you what the vendor has missed. How can one vendor’s detection efficacy be compared to another when Vendor A was connected to your production network during Week 1, and Vendor B was connected during Week 2? If each vendor did not have the opportunity to observe and respond to the same traffic, the test cannot be valid. Will it take more coordination and planning to run a proper POC? Absolutely. If you are going to spend a million dollars, you really do not want buyer’s remorse six months later (that conversation will not go well with the CEO). Stay tuned for an upcoming blog entry that will provide more information on running successful Proof of Concepts of advanced security technologies.
  3. Don’t settle for the checkbox. I know that extra 10% – 20% discount is enticing – but will it be worth it when your company’s name is in the news as the latest organization to have its customers’ financial information stolen or its internal emails leaked? Look at what those compromises cost those companies – the risk is too high. Get the most capable product in each area – and integrate them together.

So when you are evaluating automated malware detection platforms (sandboxes), I hope you will consider all of these factors in your selection process. Any IT solution in your environment that touches or processes objects should be able to seamlessly submit them for analysis through an open API. Those same solutions should be able to consume the analysis results, also via API, to enforce policy changes on the network, endpoints and mobile devices. And of course, the chosen solution should be Best of Breed in its class (you have read Extinction Level Event: Evolution of the Sandbox, haven’t you?).

All the kids get to play in our sandbox.