Suppose that President Obama scheduled a visit to New York for an event in Times Square. Now what if the Secret Service deployed two teams responsible for security: one to secure the avenues running north and south (e.g., Broadway, 7th Ave., etc.), and another to do the same for the streets running east and west (e.g., 49th St., 48th St., etc.)? Further, what if these teams operated independently, with little coordination or communication and separate chains of command?
Anyone familiar with physical security would quickly spot numerous problems with this scenario. Each team would likely perform redundant tasks, wasting time and resources. Security responsibility at intersections (Broadway and 44th St., for example) would be confusing, with either too much or too little coverage. Finally, a savvy adversary could exploit the communication gaps between security groups to his or her advantage.
Given these and other issues, the Secret Service would never execute this type of security strategy. Rather, it would assign a single group to oversee all planning, law enforcement, and monitoring, and organize communications so that all parties could perform their security functions and respond to anything that goes awry.
You would think that a similar strategy based upon central oversight, coordinated enforcement, and well-organized communication would be a basic tenet of information security. Unfortunately, this isn’t always true. Case in point: most organizations have separate teams, management systems, and security controls for network security and for host-based (e.g., server, PC endpoint, mobile endpoint) security.
It’s easy to see the roots of this situation. Network security devices like firewalls, IDS/IPS, and assorted gateways examine IP packets, so it makes sense that they are purchased and managed by the networking team. Host-based security protects individual devices, so it was only natural that system security was delegated to server and PC administrators.
Yup, separate network and host-based security made sense in 1999, but it doesn’t make sense anymore. One CISO I know summed this issue up well when describing his situation with application controls. He stated, “I’ve got application controls on my endpoint software and application controls on my firewall. What I don’t have is any way to control policies or monitor activities from one central point. At my organization, application control is just one activity, so why are my security vendors intent on selling me two discrete solutions that don’t talk to each other?”
He’s absolutely right. Enterprise organizations need common, tightly integrated solutions that enforce application controls, anti-malware inspection, and automated remediation across both hosts and the network. Fortunately, enterprises are starting to realize this and are slowly replacing disconnected point tools with integrated security architecture solutions that cover policy, enforcement, and monitoring across hosts, networks, and even the cloud.
I predict that enterprise demand for integrated host/network security solutions will grow precipitously over the next few years. Which vendors are best positioned to capitalize on this market trend?
- McAfee. In my mind, McAfee has the best coverage here – especially after its Stonesoft acquisition. McAfee is also working on product integration and architecture with its Security Connected initiative. McAfee’s biggest challenge is learning to sell enterprise solutions rather than a potpourri of products.
- Cisco. Yes, I know that Cisco abandoned its Cisco Security Agent (CSA) for host-based security years ago, but with its Sourcefire acquisition, Cisco has a number of assets including FireAMP, FirePower, ISE, and TrustSec to weave together into an integrated architecture.
- Check Point. Check Point has a full portfolio of endpoint and network security it can glue together. I realize that Check Point hasn’t done well with its endpoint security products, but the need for integration and new types of endpoint protection may create an opening for Check Point to have another go.
- IBM. After its initial fumble, IBM has really pumped up the old ISS product line so it can compete effectively on the network security side. On the host side, IBM will play up its BigFix management and has existing partners for endpoint security products.
Blue Coat, HP, Juniper, Symantec, and Trend have good coverage and market share, but they need to provide an integrated offering. Big security players like these would be best served by working together to define an open security software architecture. Other vendors are building one-off network/host-based security partnerships – FireEye and Guidance Software come to mind. Given the march toward enterprise architecture, all others should move forward by adhering to a simple mantra: “Integrate or die.” An integrated enterprise approach works for the military and law enforcement – it’s only a matter of time until the cyber security community follows this lead.