Too Many Boxes Becomes a Fire Hazard

I have a confession to make. The first five years of my adult work life were spent in fast food management – and I enjoyed it. I learned many life lessons in that time that are still carried with me today. What, you may wonder, does any of that have to do with the world of cyber security? Read on.

One of the most important areas I received training on during my fast food management indoctrination was customer and employee safety. Aside from sanitation and health concerns, the ability to quickly and safely evacuate during a fire emergency (flash oil fires are not fun!) was one area where I had to maintain a constant vigil. This led to one of the golden rules – boxes piled up are a fire hazard.

This flashback to my early years was brought on by discussions I’ve recently had with CISOs around things that bother them most regarding security spend and I’ve discovered several things, one of which is:

Many CISOs hate the “appliance” model.

Appliances have a cost model that does not scale at a time when, despite news segments rolling nearly non-stop stories about major breaches, security managers still have tight budgets to control. The answer to every security control cannot be “buy another appliance (box)”.

You want to inspect your network traffic? Buy vendor “appliance A”.
You want that network traffic at 10Gbps? Now you need “appliance A-10G”.
You want to inspect e-mail? Buy vendor “appliance B”.
You want to analyze file shares? Buy vendor “appliance C”.
You want to submit objects for analysis? Buy vendor “appliance D”.
You want to run agents on the endpoint? Buy vendor “appliance E”.
You want to manage it all? Buy vendor “appliance F”.

This is a purchase and deployment model that simply doesn’t map to IT Security spend. And like the blocked emergency exits in that fast food restaurant, this model creates a fire hazard. First, like smoke detectors, you need them everywhere in order to alert you to the beginnings of a fire before a person’s life is at risk. If the IT Security budget doesn’t allow you to purchase the “appliances” necessary to cover every avenue of attack, you have just put your organization at risk. Second, all of those “appliances” – rigidly controlled by definition – get in the way of what matters most: integrating best-of-breed solutions into an easy-to-follow, executable security operations and incident response workflow. What good is a smoke detector if everyone ignores it when it goes off? What good is your security solution if your team ignores the alert, or doesn’t recognize it for what it is?

Remember this Bloomberg Business article from March 2014?

Just like the boxes piled up by the emergency exit, this slows you down or prevents you from using the exit – creating more risk. IT Security teams are there to eliminate or greatly reduce risk and your solutions must help achieve that goal.

You may have noticed I keep putting the word “appliance” in quotes. That’s because I think the definition has been muddied lately by vendors. Appliance, to me, means a customized piece of hardware with a special OS and software loaded. Yet many of the “appliance” vendors out there are selling commodity hardware running a Unix-based operating system with their software loaded on top. That’s not an appliance – that’s a server. The only custom piece of hardware in a lot of these “appliances” is the pretty bezel you get for the front of it. That’s pretty costly eye candy.

Another issue with this “appliance” mentality is the concept of forced hardware refreshes when the hardware you’re running has no proprietary chipset and the processing power is doing just fine. The vendors must keep their “appliances” up to date for their support model, so you are forced into their hardware refresh cycle and its associated costs. Now you can’t afford those needed smoke detectors, and your risk has just increased.

IT security managers need a deployment model that allows them to decide what type of profile (hardware or virtual), what equipment vendor, and what refresh cycles fit best for their organization’s needs. They need a license model that allows them to InstrumentEverywhere™ without sacrificing coverage. They need solutions that allow them to focus on what they are trained to do – eliminate risk to the organization.

Lastline delivers the ability to InstrumentEverywhere, using network and email object analysis via software deployment models as well as object analysis on endpoints via our open API integration capabilities. Lastline sensor components deploy on standard hardware as well as virtual instances, and the licensing model ensures customers can deploy as much as they need so that every area has its needed smoke detector.

Lastline – It’s time to put out the fire!