The Importance of Security Software Integrations and How They Influence Purchase Decisions
When it comes to cybersecurity, it’s well understood that there’s no silver bullet. Organizations need a combination of products to effectively implement a layered defense. Having these solutions working together, exchanging information, is essential to improved security as well as managing the workload of a security team.
Your security stack is truly an ecosystem that, like all ecosystems, must work together and will change over time. Effective security hinges on the whole layered defense working as one system. Integrations can shore up gaps, improve individual layers, and help with the response process. I have had CISOs express to me that there is a lot of overlap going on in the industry and that cyber companies are extending capability all the time. So, what they focus on is strategy and architecture to ensure their overall defense in depth is strong but also agnostic to any one vendor.
The challenge with this is that if the security tools being used are all siloed, running independently of each other, then managing them is not only time consuming, it is ineffective. These solutions work better when they’re working together. Of course, SIEMs and SOARs, by definition, need to integrate with other products, but it goes beyond that. Endpoint solutions are more effective when informed by what other tools may be detecting. Email security products are more effective when informed by file analysis that detects malicious behaviors.
So, the question becomes, how does the need for integration influence your decision about what new security products to purchase? Let’s start by looking more closely at the situation that security managers face.
To start with, there are ever more vendors offering more and more products. Even with concerns about COVID-19 lurking and some vendors cancelling, the 2020 RSA Conference offered compelling evidence about how crowded the field has become. Momentum’s CyberScape shows about 1,000 products, with increasingly granular solutions as the threats get more sophisticated and the attack surface continues to expand.
Many organizations have vendor management goals leading them to prioritize using multiple products from fewer vendors. Others prefer a best-in-class strategy, especially since, from an integrations point of view, many vendor portfolios were built through acquisition and the integrations came later, if at all. Often “platform solutions” are a loose federation of acquired technologies brought in to fill gaps. Either way, after covering the major security categories – firewall, web gateway, email gateway, endpoint, IAM, IDPS, etc. – the remainder of the security stack is designed to meet particular needs, industry or regulatory requirements, or to align to models or frameworks recommended by governing bodies, such as NIST, or trusted organizations, such as MITRE and the MITRE ATT&CK matrix.
As a result, a typical enterprise can easily end up with 60-80 products in its security stack, mostly from different vendors. Historically, organizations have relied on system integrators, consultants, and to a large extent on themselves to build the needed data integrations between individual products. But this is proving more and more challenging as the number of installed products expands. The result is that organizations are increasingly, and appropriately, relying on vendors to, ideally, provide fully developed and tested integrations or, at a minimum, provide APIs that speed the development of custom integrations. From an article in CIO magazine, “Pete Bodine, Managing Director at AllegisCyber Capital, stresses just how important productivity is and shares that the market is looking for solutions that can get even 0.5 to 0.6 more percentage of productivity out of existing security teams and stacks: ‘CISOs can’t acquire those resources fast enough,’ he says, ‘so the things they’re going to pay the most for are the ones that leverage the resources and personnel that are already there.’”
Covering all of the bases with best-in-class solutions requires integrations. Some vendors – one could argue, the responsible ones – make this easy. They develop and test the integrations themselves, working cooperatively with other vendors. But given the volume of products on the market today, it’s unrealistic for each vendor to develop integrations with every other product on the market. The next best thing is to offer APIs that make it possible, and often relatively easy, for another vendor or an organization, SI, or consultant to build custom integrations.
Simply put, in order to survive today, vendors need to facilitate the exchange of data with other solutions. They need to offer APIs to push in and pull out data from the various systems. For example, does it matter where Lastline gets netflow data for use in our network traffic analysis? Not really as long as it’s in the right format. So Lastline offers an integration that anyone can use to submit netflow information regardless of where it comes from.
When evaluating new technologies, it’s essential to understand the vendor’s integration strategy. At Lastline, for example, our philosophy has always been to offer an open system with APIs that facilitate integration, and we’ve built and implemented scores of them ourselves. Learning what a vendor offers in terms of proven integrations and APIs is really no more complicated than asking both the vendor and their references. If a vendor can’t articulate its integration strategy, tools, and examples, or if a system is walled off with no built-in integrations or any way to get data out of the system, my recommendation is to stay away. Just as our global economy is forever interconnected, so too are our security solutions.