Uncomfortable Observations About Platforms

First, some background

Every company that wants to say alive in security, today, is talking about building a “platform” of one kind of another. “We’re not a tool, we’re a platform”… sure it sounds great but who is actually doing it. More importantly — what are their motivations?

There are EDR and MDR platforms (and the only difference seems to be the marketing), there are Incident Response platforms, there are SOAR platforms, and so many more. They all try and talk a good game, but delivery has been …shall we say, lacking?

I’m writing my first post on the new platform specifically on this topic because it’s topic that I’ve spent the last 11 years or so believing is the key. It’s not one of those “nice to have” things, it’s a “can’t live without” thing. The problem is the “platform” is like sex in high school (thanks Paul, now I use this all the time)… nearly every company is talking big, but no one’s actually doing it right. I’ll let you think about that for a second…

So — platforms. Security needs to be built as a platform in order to stand a chance at increasing the efficiency and effectiveness of detecting and responding to badness. This is true. I believe it because I’ve watched the alt-tab, alt-tab, alt-tab, swivel chair charade for years. I firmly believe that the effectiveness of a security operations center is inversely proportional to the number of disparate tools that team uses. Happy to debate that point, but experience teaches me I’m on the right track.

The problem with the way platforms are developed today, is that they’re done in one of two ways. The two ways are via MSSP, or via “Mega-vendor”. Yes, there is a DIY option C, but that’s so often a train wreck I don’t think it’s worth discussing here.

So, the MSSP… your typical MSSP has been the same “your mess for less” model since I can remember. Every large outsourcing company does “outsourced SOC” or “Managed SIEM” (God help us all). The problem is that they will tell you that they have a platform, but behind the scenes it’s duct tape, bubble gum, and a lot of hope. Ask me how I know…The reason for this is simple, most MSSPs will take whatever mess of tools you have, and manage it for you. This makes their teams ‘experts’ at hundreds of security tools. I use ‘experts’ in quotes because they’re not really experts, no one can be an expert at that many things.

So you’re left with the MSSP who develops a platform for you, but it’s still a bunch of disparate security products glued together behind the scenes. And that glue is often human-driven, which makes everything so much worse. Humans that write the import/export/transform scripts, and humans that are relied on for tribal knowledge of integrations. Humans are the problem… this shouldn’t be news.

The “mega vendor” is a problem too. Y’all laughed at Symantec when they bought a backup company… but a decade and a half (or so) later we’re finally admitting that security isn’t a single ‘thing’. Security is the octopus, that has tentacles into data management, backup/restore, and user management, and many other pieces. Remember that whole CIA thing we were taught back in the late 90’s? Confidentiality, Integrity, Availability — it’s been lost in the security products out there today.

The markets today are an economy of features. I’ve been using that term a while to describe the fact that there are hundreds of vendors who don’t have a ‘product’ per se, but a feature that’s in search of a product to become part of. Don’t tell their investors or founders that…but it’s 100% true. Recently we’ve started seeing the rise of platform companies (Palo Alto comes to mind). But when you look under the curtain in many of them it’s still duct tape and bubble gum and hopes. The way these companies work from a leadership role is that these are all still separate P&Ls, with different organizational goals, timelines, development resources, and sales/marketing teams. Yeah… process that.

SO in the end, we have two potential ways the industry COULD be solving the need for platforms, but isn’t. That’s disappointing… so I’ve been hunting around and doing some research, and I’ll give you my list of requirements to make this thing work. I believe that either the MSSP OR the mega-vendor can make it work — but it’ll take actual commitment and effort which will make everyone involved just a bit uncomfortable because you have to put aside egos, restructure your growth plans, and get some strategic vision.

So here’s my list of requirements to make this vision a reality; one that increases effectiveness and efficiency without raising costs and complexity.

For MSSPs:

  • Focus on outcomes — define what you’re going to deliver to the customer, and be explicit and precise with metrics and KPIs; less focus on selling tasks and hours and more on the outcome of the arrangement (yes, this will take some serious re-structuring because pricing isn’t done this way today at the vendor)
  • Sell capabilities, not tools — this means that you should stop talking about the TOOLS that you’re going to be using to deliver the CAPABILITIES; does the CISO really care if you’re using Carbon Black or SentinelOne or whatever else? No, they don’t. The CISO cares that they’re getting anti-malware, vulnerability scanning, host-based intrusion detection, log storage and analytics… that way you can interchange the tools when the technology needs it, rather than being ‘stuck’
  • Define measurements — your customers wants KPIs, measurements of quality and effectiveness. Carefully define leading and trailing indicators, and provide measurements that will suit the customers desired outcomes. How many tickets you generate is meaningless, but the average time to round-trip a response is critical. Define measurements with your customers, agree to them, and hold yourselves accountable (and hold the customer accountable too!)

For platform vendors:

  • Smash the P&L barrier — when different groups inside your company have different goals, roadmaps, and leadership needs you will fail. Develop a singular vision of the platform, and make it so that the platform succeeds as a unit, or fails as a unit. Incentivize your leadership to work together, not against each other and structure your sales, marketing, and engineering to accommodate this vision
  • Common data formats — there’s no good reason that we should be exporting data to import it into another system, but to make things easier a common format needs to be developed, or at least pick one of the existing ones and agree upon it. Set aside the ego of who developed it, who maintains it, and whose logo is on it — and do what’s right for the customer
  • Recognize the octopus — in order for security to be successful you have to have access to network, endpoint, identity, data, and context. This means you’ll probably have to make some acquisitions that the “analysts” will question. For example, a data management company buying a forensics company … weird right? Nope, makes total sense.

I think we have a chance, because I’m seeing the vision creep back into presentations of MSSPs, and mega-vendors. While many are going away (a moment of silence for what was once HP Enterprise Security Products, please) because of lack of leadership or commitment to vision — there are some out there that are holding true. Let’s see where this ends up. I think with the rate of growth in IT and data we as an industry either figure it out, or someone figures it out for us. Option 2 is going to hurt.

I’m Rafal, and I’m a 20+ year veteran of the Cyber Security and technology space. I tend to think with a wide-angle lens, and am unapologetically no-bullsh*t.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store