Is a Security Platform a Monopoly?

Mar 09, 2018
8 minutes
... views

Executive Summary

Back in 2003, respected thought leaders like Dan Geer and Bruce Schneier, among others, pointed out that Microsoft’s monopoly position as the world’s operating system of choice had dire implications in terms of future cybersecurity protections and that the network community should do something about it.

In 2017, I wrote a white paper that advocated for network defenders to change their thinking around the purchase of too many point products that do not integrate easily together in favor of a security platform from a vendor they trust that performs most of the point product functions under a single interface. I received some feedback: isn’t a security platform like the one I described going to produce a similar situation to the one we had with Microsoft?

But a security platform that integrates with other vendors isn’t a monopoly; it’s exactly the same solution recommended by Geer and his fellow authors, and that’s why you’ve seen a number of security vendors come around to this way of thinking. A true platform keeps you on top of technology and brings you closer to the goal of automatic integration and orchestration. Your staff will waste less time on tactical and manual tasks and your security environment will become less complex.

 

Introduction

Back in 2003, a number of network defender luminaries published an essay in a Communications Industry Association Report regarding the dangers of Microsoft becoming the de facto computing platform for the world. [1] Respected thought leaders like Dan Geer and Bruce Schneier, among others, pointed out that Microsoft’s monopoly position as the globe’s operating system of choice has dire implications in terms of future cybersecurity protections.

Indeed, they were not the only people worried about Microsoft’s power position in the market, and the most famous Microsoft case occurred back in 2000 when a federal judge found against Microsoft that it "violated the nation's antitrust laws through predatory and anticompetitive behavior" and kept ''an oppressive thumb on the scale of competitive fortune.” [2] These days we see similar “monopoly” and “antitrust” accusations being thrown at major vendors like Google and Amazon, too.

In terms of cybersecurity, Geer et al. made a good point. If the entire world runs on the Microsoft platform, when a hacker discovers a new vulnerability, the sheer volume of potential victims becomes exponential; and the network defender community should do something about that.

Last year, I wrote a white paper called, "The Next Board Problem: Automatic Enterprise Security Orchestration – a Radical Change in Direction.” [3] In it, I described the short history of network defender philosophies from Defense-in-Depth to The Cyber Kill Chain [4] and how we all thought the Cyber Kill Chain model was going to become the silver bullet against cyberattacks. It didn’t. Although I still think it is the right model, what the network defender community has to work with from security vendors is point products – thousands of them. In my paper, I advocated that network defenders should change their thinking around the purchase of point products that do not easily talk to each other. Instead they should reduce their maintenance burden by adopting a security platform from a vendor they trust that performs most of the point product functions under a single interface.

Does the Geer Paper Pertain to the Security Platform?

At first glance, this position seems to be the very thing that the Geer paper was warning about. Concentrating on a single vendor to accomplish most of the security tasks would be a version of the Microsoft situation. In fact, though, it is the exact opposite.

In my role as the chief security officer at Palo Alto Networks, I talk to a lot of network defenders. From my informal survey during the past five years, I have discovered that even small organizations have deployed anywhere from 15-20 security tools. Medium sized organizations deploy from 50-60. Big organizations like banks and the U.S. intelligence community have deployed well over 150 tools. Instead of a better security architecture, what we got was the management nightmare of maintaining all of these tools in an era where we have to adapt to prevent attacks faster than ever. By 2017, all of us have so many tools deployed that we cannot abide adding even one more.

As I note in the paper, the old best practices of vendor-in-depth and best-in-breed that emerged in the early 1990s in security are probably not best practices anymore. Indeed, they have caused us to reach a tipping point in terms of deployed products. I advocated that we should jettison these old best practices in favor of a new one: seek security vendor platforms that integrate. Find a security platform that you trust will do most of the work you need. For the things the platform doesn’t do, make sure that the responsible vendor integrates with the other products you need so that you and your staff do not have to do the integration work yourselves.

 

Change Is Hard

This idea is hard for most network defenders. For their entire careers, they have been trained that vendor-in-depth and best-in-breed are golden principles in cybersecurity. When all else fails, follow the golden principles. You hear them make similar arguments that Geer and friends made in the 2003 monopoly paper – that if you put all your chips down on a single vendor, when something bad happens, the sheer volume of potential damage becomes exponential.

Ironically, these same network defenders have missed the point advocated by Geer’s monopoly paper. In it, the authors advocate several actions designed to limit the attack surface of the Microsoft operating system platform [1]:

  • Publish interface specifications to major functional components of its code, both Windows and Office.
  • Foster development of alternative sources of functionality through an approach comparable to the highly successful "plug and play" technology for hardware components.
  • Work with consortia of hardware and software vendors to define specifications and interfaces for future developments in a way similar to the Internet Society's RFC process to define new protocols for the internet.

What Geer is describing is an operating system “platform" that entrepreneurs, IT admins and network defenders can use to easily add functionality and diversity of products without adding an undue management burden. Because, let’s face it, once your organization commits to a single vendor’s operating system, replacing that operating system with a competitor's down the road is practically in the too-hard-to-do bucket. That situation is the same for security platforms, too.

Network defenders should seek security platforms from vendors they trust that will act as a base to accomplish the same thing advocated by Geer. The security platform will do most of the work you need done down the Cyber Kill Chain but will provide the hooks to add in other functionality with other products as needed. In this model, we completely change the consumption model for cybersecurity products. Instead of network defenders maintaining a cornucopia of point products that they have to integrate themselves, they use a security platform that does most of the work for them but allows them to easily incorporate other functionality as needed.

Palo Alto Networks Application Framework does just that by providing customers with the security they need through cloud-based apps developed by Palo Alto Networks and today’s most innovative security providers. This frees up the network defender team so they can perform a more strategic role. They can use emerging philosophies like DevOps to automate and orchestrate their work streams instead of spending endless hours at the tactical level manually maintaining, patching, and consuming the data from individual systems.

 

Conclusion

At first glance, my 2017 position paper seems at odds with what Dan Geer, Charles Pfleeger, Bruce Schneier, John Quarterman, Perry Metzger, Rebecca Bace, and Peter Gutmann advocated in 2003 to solve a similar problem. But when you read the recommendations of that paper, you will find that adopting a security platform that integrates with other vendors is exactly the same solution. In other words, my orchestration paper advocates for the same general actions recommended by Geer and his colleagues back in 2003.

In truth, there are at least five security vendors that offer this kind of security platform in one form or another today. Pick a security vendor platform that you trust will stay on top of the technology and continue integrating with other vendors. By doing this, you come closer to the goal of automatic integration and orchestration, which will cause less wasted time for your staff and reduce the amount of complexity you have in your environment.

 

Sources

[1] "CyberInsecurity: The Cost of Monopoly: How the Dominance of Microsoft's Products Poses a Risk to Security,” by Daniel Geer, Charles P. Pfleeger, Bruce Schneier, John S. Quarterman, Perry Metzger, Rebecca Bace, and Peter Gutmann, Computer & Communications Industry Association Report, September 24, 2003, archived on Schneier on Security, last visited 10 February 2018

https://www.schneier.com/essays/archives/2003/09/cyberinsecurity_the.html

[2] "U.S. VS. MICROSOFT: THE OVERVIEW; U.S. JUDGE SAYS MICROSOFT VIOLATED ANTITRUST LAWS WITH PREDATORY BEHAVIOR,” by Joel Brinkley, The New York Times, 4 APRIL 2000, last visited 10 February 2018

http://www.nytimes.com/2000/04/04/business/us-vs-microsoft-overview-us-judge-says-microsoft-violated-antitrust-laws-with.html

[3] "The Next Board Problem: Automatic Enterprise Security Orchestration — a Radical Change in Direction," by Rick Howard, Palo Alto Networks Chief Security Officer, 2017, last visited 10 February 2018

https://paloaltonetworks.box.com/s/k6m23dfdjhzm0hq4pb4brjscub3c15di

[4] E.M. Hutchins, M.J. Cloppert and R.M Amin Ph.D., “Intel-ligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains,” Proc. 6th Int’l Conf. Information Warfare and Security (ICIW 11), Academic Conferences Ltd., 2010, pp. 113–125


Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.