On Constant Community Improvements

The theme of this year’s RSAC is “Many Voices. One Community.” While our field can rightly claim “many voices”, portraying it as a “community” is a bit of a stretch. By this, I mean countless cybersecurity vendors hawking proprietary solutions will be attending RSAC, but they are competitors, not players on a common team. Each vendor wants to capture as much of the cybersecurity market as they can and this economic reality hinders true community building.

To be clear, there is no hard and fast definition of what constitutes a community. The Cambridge Dictionary defines community as: the people living in one particular area or people who are considered as a unit because of their common interests, social group, or nationality. In its broadest sense, one could argue our community has a common interest in cybersecurity. By this same definition, we all belong to the pro-breathing, pro-hydration, and pro-sheltering communities.

Simply put, when the definition of a community includes everyone, the word loses some meaning. My point is not to engage in a pedantic argument over the term community. Rather, I plan to demonstrate that where cybersecurity efforts are community-driven, they thrive. Likewise, when cybersecurity is done individually, opaquely, and in isolation, it often flounders.

For example, public and open-source projects such as VirusTotal, Wireshark, Metasploit, and OWASP provide critical resources to our field. Individuals with an interest in cybersecurity support and manage these efforts in a non-competitive way that makes them useful for everyone. By contrast, cybersecurity companies have little motivation to make their solutions play well with competitors' products. This is a natural consequence of market competition, where each vendor wants to sell its own branded suite of solutions.

Unfortunately, this proprietary approach leads to massive difficulties when SOC analysts and service providers try to integrate multiple third-party tools into their security stack. Medium-sized enterprise SOCs commonly run more than 50 security tools, and getting them to work together is extremely difficult. Every hour spent troubleshooting, integrating, and engineering workarounds for existing security solutions is an hour SOC analysts are not spending on detection and response.

Build a Community of Competitors?

There are two primary forces keeping cybersecurity vendors from forming a truly cooperative community. First, vendors need to make money to stay in business, and that puts their individual interests in direct opposition to all competitors in their space. Second, many vendors sell solutions whose effectiveness partially relies on keeping their operational details a secret. These factors alone make building an open community among private cybersecurity organizations highly unlikely.

Instead, we should accept that the competitive nature of business is not going to change. Nor are cybersecurity vendors going to publicly divulge their lucrative secrets for the sake of doing a good deed. In fact, doing so would be like asking a bank to post the blueprint of their vault online. Yes, other businesses might gain security knowledge from studying the vault design, but bank robbers would too.

The downstream effect of this necessary secrecy is SOCs filled with dozens of opaque solutions, requiring large teams of experts to manage. Ironically, many zero trust environments consist of security analysts absolutely trusting countless black-box vendor solutions. While vendor trust is common for businesses, we regularly see stories of attackers compromising organizations that use the most esteemed security vendors in our market. Last year, we also saw an honest mistake from a large vendor cause the largest IT outage in history. These lessons should remind us that there is a stark difference between securing your organization and trusting someone else to do so.

The market forces driving secrecy and competition among cybersecurity vendors force many businesses to trust tools they cannot fully audit. However, this does not mean we cannot reap the benefits of fostering a cybersecurity community in other ways. There are resources available today that help third-party security solutions work transparently and cooperatively, even when the vendors that own them will not.

Community Built by Cloud, APIs, and Automation

The key to realizing the benefits of a cybersecurity community relies upon adopting a vendor-neutral cloud platform for centralizing security resources. Such a platform frees your organization from being locked into vendor-specific solutions while also creating a space to integrate your existing security stack. Rather than asking your SOC to wrangle countless third-party tools, you create a cloud-based control center for centralized management of all security resources.

Integrating your security stack via API on a cloud platform greatly simplifies tool use, management, and coordination. Those of you familiar with IT operations will recognize this approach as infrastructure-as-a-service. For cybersecurity, the equivalent of adopting AWS/GCP to manage infrastructure is found in the SecOps Cloud Platform (SCP). Instead of hiring several analysts to monitor dozens of solutions and manage their infrastructure, you retain a few experts to operate an SCP.

An SCP normalizes data, allowing security tools, services, and telemetry sources to communicate using a common language. Communications happen via API, which fosters rapid information sharing throughout the platform and simplifies automation. For example, if you receive an O365 alert indicating a suspicious login, you could have a script immediately disable the account pending further review. Once your security stack is integrated on a common cloud platform, you have extreme control over its behavior and operation.
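The paragraph above describes two things: normalizing events from different products into one schema, and driving a response action from the normalized event. The following is an added example written for this article; it is not LimaCharlie code and does not use any LimaCharlie API. The two event shapes (a Microsoft 365 style risky sign-in and a generic EDR alert), the in-memory `IdentityProvider` stand-in, the `PROTECTED` account list, and the mapping of a domain user to a mail-style principal are all constructed assumptions for illustration.

```python
"""Normalise alerts from two differently shaped sources into one schema and
drive an automated "disable the account" response from the result.

Added example, not LimaCharlie code. Event shapes, the IdentityProvider
stand-in, and the PROTECTED list are constructed for illustration; a real
deployment would call the directory's API instead of the in-memory client.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Alert:
    """The common schema every source is mapped onto."""
    source: str
    category: str
    severity: int        # vendor scores mapped onto one 0-100 scale
    principal: str       # the identity the alert is about
    observed: datetime


# Constructed sample events (not real log data), roughly in the shape
# of a Microsoft 365 risky sign-in and a generic EDR alert.
M365_SIGNIN = {
    "userPrincipalName": "J.Doe@example.com",
    "riskLevelDuringSignIn": "high",
    "riskState": "atRisk",
    "createdDateTime": "2025-04-28T13:04:11Z",
}
EDR_ALERT = {
    "alert_type": "credential_access",
    "score": 72,
    "hostname": "ws-0147",
    "user": "CORP\\j.doe",
    "ts": 1745845451,
}

RISK_LEVELS = {"none": 0, "low": 30, "medium": 60, "high": 90}


def normalise_m365(evt: dict) -> Alert:
    category = "suspicious_login" if evt["riskState"] == "atRisk" else "login"
    return Alert(
        source="m365",
        category=category,
        severity=RISK_LEVELS[evt["riskLevelDuringSignIn"]],
        principal=evt["userPrincipalName"].lower(),
        observed=datetime.fromisoformat(evt["createdDateTime"].replace("Z", "+00:00")),
    )


def normalise_edr(evt: dict) -> Alert:
    user = evt["user"].split("\\")[-1].lower()
    return Alert(
        source="edr",
        category=evt["alert_type"],
        severity=int(evt["score"]),
        principal=f"{user}@example.com",   # assumption: domain-to-UPN mapping is known
        observed=datetime.fromtimestamp(evt["ts"], tz=timezone.utc),
    )


class IdentityProvider:
    """Stand-in for a directory API; only records which accounts were disabled."""

    def __init__(self):
        self.disabled = set()

    def disable(self, principal: str) -> None:
        self.disabled.add(principal)


# Accounts that must never be disabled automatically (assumed names).
PROTECTED = {"breakglass@example.com", "svc-backup@example.com"}


def respond(alert: Alert, idp: IdentityProvider, threshold: int = 80) -> str:
    """Decide and apply the response; return the action so it can be audited."""
    if alert.category != "suspicious_login" or alert.severity < threshold:
        return "ticket"
    if alert.principal in PROTECTED:
        # Auto-disabling admin or service accounts is a self-inflicted denial
        # of service that an attacker can trigger on purpose; escalate instead.
        return "escalate"
    if alert.principal in idp.disabled:
        return "already_disabled"   # idempotent on repeated alerts
    idp.disable(alert.principal)
    return "disabled"


def run(events, idp: IdentityProvider):
    """Normalise each (source, raw_event) pair and respond; return the decisions."""
    actions = []
    for src, evt in events:
        alert = normalise_m365(evt) if src == "m365" else normalise_edr(evt)
        actions.append((alert.principal, alert.category, respond(alert, idp)))
    return actions


if __name__ == "__main__":
    provider = IdentityProvider()
    for row in run([("m365", M365_SIGNIN), ("edr", EDR_ALERT)], provider):
        print(row)
```

Two design choices matter more than the normalisation itself. First, the response function returns the action it took rather than just performing it, so every automated decision is auditable and testable. Second, the `PROTECTED` check and the threshold are there because "disable the account on any suspicious login" hands an attacker a way to lock out your own administrators by deliberately tripping the alert; automated containment needs an explicit list of identities that get a human instead.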

Cloud consolidation does not provide visibility into precisely how private vendors make detections with their black-box solutions. However, you will have full visibility into how your security stack handles information from all sources and control over how it responds to detections. This informative birds-eye view can help you discover redundancies, lapses in coverage, and areas of exposure.

Adopting an SCP frees your team from the drudgery of maintaining cumbersome infrastructure. It consolidates security solutions from the hands of competitive vendors and turns them into cooperative resources focused on a common task. In other words, a SecOps Cloud Platform transforms security resources into a true cybersecurity community and reliably delivers the benefits we gain from working together.

About the Author

Maxime Lamothe is the Founder and CEO of LimaCharlie. He is an accomplished computer scientist and information security specialist. As part of the Canadian Intelligence apparatus, Maxime worked in positions ranging from development of cyber defense technologies through Counter Computer Network Exploitation and Counter Intelligence. Maxime led the creation of an advanced cyber security program for the Canadian government and received several Director's awards for his service.

After leaving the government, Maxime provided direct help to private and public organizations in matters of cyber defense and spent some time working with CrowdStrike. For the past few years Maxime has also been providing analysis and guidance to major Canadian media organizations. Maxime was a founding member of Google X’s Chronicle Security. He left in 2018 to found LimaCharlie.

Maxime can be reached online at LinkedIn https://www.linkedin.com/in/maximelb/ and at our company website www.limacharlie.io.
