
Good Enough Isn’t Good Enough Anymore
The cyber risks we face today are not only greater than those we faced previously but also fundamentally different in several respects. Our adversaries are more adept, and their tools and tactics are more protean in capability. In light of these increasing challenges, our cyber defenses have morphed over time.
This is not to say that our arsenal today includes better defenses. Our defenses have morphed because we have seen the headlines, possibly experienced organizational pain ourselves, and we as CISOs have searched out new cyber solutions to address new cyber threats.
In earlier times, we agreed "it's all about the network." Cloud migrations and virtual connectivity, however, have modified that mantra. Now, we agree "it's all about the data." As our cyber defense focus has shifted, so has the array of potential solutions.
Best of Breed vs. Bundle
Cyber solutions are promoted in two primary categories, and the choices CISOs make about these categories matter. On the one hand, some solutions offer—or at least presume to offer—best of breed capabilities. They propose to satisfy a CISO's particular concern directly and completely, whether that concern is about endpoint, detection and response, network, data protection, or any other discrete layer of the cybersecurity stack.
These solutions often operate in silos, are difficult to connect to other parts of an organization's defense stack, and intentionally establish themselves as true one-offs within the cyber arsenal. They are superb at the mission they are intended to serve but, like the proverbial cheese, stand alone.
On the other hand, some potential offerings are bundled solutions, addressing defense for endpoint and detection and response, or network and data protection (think DLP here). Some bundled solutions go further, offering suites of combined offerings that address a wide variety, if not the full gamut, of cybersecurity worries. Some focus on service solutions as opposed to product solutions, but even in these cases the service provider likely offers or prefers specific products.
What bundled solutions typically lack is any particular component that is, indeed, best of breed. This may be an unfair blanket statement, because certainly many bundled offerings include very good solutions.
Nevertheless, the components of these bundled solutions are neither discrete in nature nor completely focused. More likely, bundled solutions are solution sets built to inter-operate, to play nicely with each component part, because a bundled solution is probably doomed to fail unless every part works in harmony with every other part of the bundle.
A Place for SOAR
While best of breed solutions are wonderfully capable, they can be onerous to manage. Keeping these solutions current can also be challenging. Additionally, getting these solutions to inter-operate with other parts of the stack may be difficult.
A best of breed solution for example may be strong at DLP, but security teams may struggle to integrate its logs into the organization's SIEM solution. Configuring a best of breed solution can also prove challenging, because the inherent capability of the solution is complicated. A best of breed solution may be difficult even to deploy, given that it stands by itself.
Security orchestration, automation, and response (SOAR) solutions can therefore serve a valuable purpose. They provide value by organizing disparate components of the stack into a comprehensible and manageable whole. SOAR assumes that unmanageable, disparate elements exist in the stack but they can be integrated (to some extent) under an umbrella technology that manages them as a single-threaded solution set.
If best of breed solutions operate in silos (they tend to, it's their nature), then getting each of them into a common management regime via SOAR may be a bridge too far. Technology that is meant to be independent tends to resist cooperation and integration. This is not to diminish the value of SOAR solutions but simply to say that best of breed solutions are a breed of their own.
Spend Matters
Cost, too, is always a consideration. Although some organizations have big cybersecurity budgets, most organizations (especially SMBs) aren't so fortunate and must manage costs carefully. A bundle of cybersecurity solutions often can be cost effective because there's leverage in combining purchases from a single vendor.
There is, however, also risk. The consequences could be catastrophic should a bundled solution have a security flaw or other significant operational issue. What if every part of a solution set failed at once? Therein lies the madness for CISOs. A best of breed solution may be vital, but its failure shouldn't engender failures across the stack.
Some of these solutions nevertheless aspire to uber-security. Best of breed—as in dog shows—is special, and that specialty needs to be protected. Their providers pay "special" attention to things that increase customer risk and work to refine and improve the secure state of their offerings. This suggests best of breed solutions may be less likely to fail.
Capability Today vs. Strategic Roadmap
It's hard most days for CISOs to see the forest for the trees. Bundles thankfully offer a way to navigate the thicket. Bundle providers understand their (foundational) role in customer organizations. Their comprehensive solution sets let CISOs solve multiple issues with a single procurement arrangement.
Managing supplier relationships takes time, and every cybersecurity leader needs more time, not less. Fewer critical suppliers in the stack is therefore advantageous for most cybersecurity organizations. After all, CISOs require instant capability in the solutions they deploy. A security gap needs to be closed now, and a purchase will hopefully close it. A close relationship with a bundle provider may achieve early delivery and support for addressing emergent issues.
A CISO also needs to understand the long view of their suppliers: not just what their solutions do now, but what they will do going forward. Where will a product or service be in two or three years? How do the CISO and the organization fit inside a supplier's strategic plan? Knowing where a supplier is heading is a leading indicator. A bundled solution may bring the CISO's organization closer to the supplier, and this may facilitate cross-strategic planning at a deep level.
Best of breed suppliers, by contrast, can be more difficult to get to know. These providers are sometimes smaller with niche offerings. How many employees do they have? Who will answer the phone when a CISO makes a critical call?
Alternatively, it's possible that smaller providers are more intimate and engaging about the specific solutions they provide. A CISO can build a relationship with a supplier's senior leadership, which can prove very valuable in terms of both immediate needs and long-term planning.
The Inevitable Doesn't Have to Be
If CISOs believed all suppliers would be successfully targeted and victimized, they'd quit and drive trucks for a living; it's an honest job that depends only on the certainty of sources and destinations. Cybersecurity depends on much more: the intricacies and inter-relationships of networks, hardware, software, user behavior, the cooperation of cloud providers, the partnership of suppliers and customers, and the complicated demands and expectations of stakeholders. A CISO's job is undeniably hard, and it's only getting harder.
And that's just the business side. Cybercriminals of every variant have figured out that there's money to be made, heartache to be inflicted, and chaos to be unleashed whenever they identify a vulnerability.
Every decision a CISO makes therefore matters. Every increment of cyber strategy should be based on thoughtful examination of facts from internal and external intelligence, providing the CISO with purpose and reasoned choices. Risk can't in most cases be eliminated, but it can be mitigated and managed. CISOs don't wait for the bad thing to happen. They work every day to delay the inevitable and to diminish its consequences.
The choices we CISOs make in what we buy, and how, also matter. Best of breed may offer capability and expertise unavailable in bundled solutions. As a result, the good enough provided by bundled solutions may not be good enough anymore. Regardless, every CISO knows that what matters most is the good we do. That is not a choice. It is our nature.
About three minutes into planning this post, I had one of those "god, I am old" moments. Here is why I had the moment. I have worked in cybersecurity since 1994. My first job was at a Big 3 working for the U.S. government through one of the world's largest law firms. Yes, it was complicated.
Back in those days (said in the voice of an old man), cybersecurity wasn't even cybersecurity. It was just security. Information security wouldn't become a thing until the early 2000s. Networking of computers was just getting off the ground. See what I mean? I started a long time ago.
The point of this is that even back when computers were just being networked, cybersecurity wasn't a thing, and the position of CISO would have been considered witchcraft, there was a principle in IT architecture named "Know Your Computer" (KYC) or later "Know Your Network" (KYN). This principle originated in the 1990s finance industry.
Basically, to sell more products to their current clients, financial firms would attempt to learn everything they possibly could about those clients. Remember, this was at the VERY beginning of the internet. The huge databases about users and their likes, dislikes, and purchase habits after midnight were decades away.
KYC and KYN, as illustrated, are old principles. They have morphed into many things over the years, and today they are called Zero Trust. It would be unfair and unjust to compare the complexity and technical detail of today's IT with yesterday's. On the other hand, there are lessons learned from a simpler IT time that still have value today.
KYC or KYN
They are old concepts, but the principles are still relevant in today's IT environment. Frankly speaking, Zero Trust is the latest iteration of the KYN concept. See below:

| KYN | Zero Trust |
|---|---|
| Know what the purpose is of all devices on the network | Limit access to all devices on the network to only what they need to do to fulfill their role |
| Document the behavior of all the systems on the network and alert on deviations | Document the behavior of all the systems on the network and block all other actions |
| Document your data flows | Document your data flows and alert on changes |
| Create regular forums to review changes and updates to the network systems | Regularly review alerts and violations of the Zero-trust controls |
I could go on, but the point seems pretty clear. Now, KYN doesn't line up perfectly with the Zero-trust model. The threats and complexities of computer networks simply did not exist in the 1990s.
What Is Zero Trust Anyway?
We have all been in the industry for years. Even if you have been in the industry for only days, you have read, been sent emails, been called by vendors, been invited to webinars, seminars, or drum circles selling Zero Trust.
Every vendor, no matter what technology, is selling their product as the latest Zero-trust miracle cure. There have been many industry fads, and that is not the point of this post. This post is to explain Zero Trust and different strategies to deploy it effectively and economically.
Zero Trust is a philosophy. Simply put, do not allow anything to occur on the network that you are responsible for that you do not already know about. Like all philosophies, that is a simple thing to say, easier to understand, and hard to implement.
You may be asking yourself, "I have 5k endpoints, 40 cloud providers, 800 servers, and 600 applications. Does he expect me to swim lane all of that? He is an idiot." I too said those words to myself regarding my first steps into Zero Trust. I too called someone an idiot.
Then I started to think about how I would answer the questions that I would be asked by some business development exec who read the words Zero Trust on the back of a magazine while flying cross country. "Quick question XXX, what is our Zero-trust Strategy? I need to understand it, so create a quick three-slide deck explaining why we are world class at it." I started with what our crown jewels were. Others call it the High Value Asset (HVA) List. Whatever you call it, that is where you start.
Step one is documenting the Who, What, When, Where, and How the HVAs are used. This will most likely take the form of interviews with the business users. NOT the business leaders. You need to get their blessing, but the actual people using the HVA are the ones that you need to work with. Artifacts of these interviews will be computer workstation names, usernames, applications, business process documentation, and data flows.
Now that you have answered those questions, you can build a Zero-trust Strategy around that HVA. If it is not accessed remotely, then you can remove that access. If only a limited number of users need access, remove all the rest. If a limited number of computers need access, remove the rest. If the process doesn't transfer data via email, then put in a DLP block to eliminate that data transfer mechanism. You are just building walls around the business processes.
You are not changing it, and that is a point that needs to be stressed when you work with the business. You are not going to make their day-to-day experience worse. Each time you put in a control, make sure you have alerting on changes to it. If you use access groups to control user access, then make sure you have an alerting strategy that notifies both the business and cybersecurity operations whenever that group's membership changes. Perhaps the change was not expected or approved, and you have uncovered something before any damage occurs.
If your program does not yet have the controls in place to implement the needed control on that HVA, you have now documented your business justification for the new control. I would suspect, though, that your program probably already has the technical capabilities to implement the needed controls.
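One way to turn the interview artifacts (allowed users, workstations, data flows, remote-or-not, access group) into a check that alerts on deviations, shown here as an added example and not the author's or Kiteworks' own code. The asset, users, workstations, group and log events are all constructed for illustration; the `mode` switch mirrors the KYN column (alert on deviations) versus the Zero Trust column (block everything else) of the comparison above.

```python
"""Baseline-and-deviation check for one high value asset (HVA).

Added illustration of the steps described above (document who/where/how the
HVA is used, wall it off, alert on changes). This is not the author's or
Kiteworks' code; the asset, users, workstations, group and events are
constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HvaBaseline:
    """What the interviews with the business users documented for one HVA."""
    asset: str
    allowed_users: frozenset
    allowed_workstations: frozenset
    allowed_flows: frozenset        # (application, destination) pairs
    remote_access: bool             # False: the process never runs remotely
    access_group: str               # directory group granting access
    expected_group_members: frozenset


@dataclass(frozen=True)
class AccessEvent:
    """One observed access to the HVA (constructed, e.g. from an audit log)."""
    user: str
    workstation: str
    application: str
    destination: str
    remote: bool


def check_event(baseline, event):
    """Return the reasons an event deviates from the baseline ([] if it fits)."""
    reasons = []
    if event.user not in baseline.allowed_users:
        reasons.append("user %s is not a documented user" % event.user)
    if event.workstation not in baseline.allowed_workstations:
        reasons.append("workstation %s is not a documented workstation" % event.workstation)
    if (event.application, event.destination) not in baseline.allowed_flows:
        reasons.append("flow %s -> %s is not a documented data flow"
                       % (event.application, event.destination))
    if event.remote and not baseline.remote_access:
        reasons.append("remote access is not part of the documented process")
    return reasons


def check_group_membership(baseline, current_members):
    """Compare the access group's current membership with the documented set."""
    return {
        "added": sorted(current_members - baseline.expected_group_members),
        "removed": sorted(baseline.expected_group_members - current_members),
    }


def review(baseline, events, current_members, mode="alert"):
    """Run both checks. mode='alert' mirrors the KYN column (report deviations);
    mode='block' mirrors the Zero Trust column (deviations are denied as well)."""
    findings = []
    for ev in events:
        reasons = check_event(baseline, ev)
        if reasons:
            findings.append({"kind": "access", "user": ev.user,
                             "action": "blocked" if mode == "block" else "alerted",
                             "reasons": reasons})
    drift = check_group_membership(baseline, current_members)
    if drift["added"] or drift["removed"]:
        # Membership drift is always alerted to the business and the SOC,
        # whichever mode is in force, so an unapproved change is seen early.
        findings.append({"kind": "group", "group": baseline.access_group,
                         "action": "alerted", **drift})
    return findings


# Constructed baseline for a hypothetical payroll database HVA.
PAYROLL_BASELINE = HvaBaseline(
    asset="payroll-db",
    allowed_users=frozenset({"alice", "bob"}),
    allowed_workstations=frozenset({"WS-FIN-01", "WS-FIN-02"}),
    allowed_flows=frozenset({("payroll-app", "payroll-db"),
                             ("payroll-app", "report-share")}),
    remote_access=False,
    access_group="GRP-PAYROLL",
    expected_group_members=frozenset({"alice", "bob"}),
)

# Constructed events: one that fits, then three deviations of different kinds.
SAMPLE_EVENTS = [
    AccessEvent("alice", "WS-FIN-01", "payroll-app", "payroll-db", False),
    AccessEvent("carol", "WS-FIN-01", "payroll-app", "payroll-db", False),
    AccessEvent("bob", "WS-FIN-02", "mail-client", "external-smtp", False),
    AccessEvent("alice", "LAPTOP-77", "payroll-app", "payroll-db", True),
]
CURRENT_GROUP = frozenset({"alice", "bob", "carol"})  # carol was added unannounced

if __name__ == "__main__":
    for finding in review(PAYROLL_BASELINE, SAMPLE_EVENTS, CURRENT_GROUP):
        print(finding)
```

Running it as written yields three access findings (an undocumented user, an undocumented email flow, and a remote login from an unknown laptop) plus one group-membership drift finding; the same baseline drives both the alerting and the blocking posture, which is what makes starting from the HVA list tractable.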
A Zero-trust Strategy only allows you to do two things. Number one, use the new-fangled lingo to describe your efforts and needs. Number two, focus your teams' efforts on the HVA list. Trying to deploy Zero-trust Strategies across an entire enterprise at once is a fool's errand. Start with the most important assets in the organization first.
Frequently Asked Questions
Cybersecurity Risk Management is a strategic approach used by organizations to identify, assess, and prioritize potential threats to their digital assets, such as hardware, systems, customer data, and intellectual property. It involves conducting a risk assessment to identify the most significant threats and creating a plan to address them, which may include preventive measures like firewalls and antivirus software. This process also requires regular monitoring and updating to account for new threats and organizational changes. The ultimate goal of Cybersecurity Risk Management is to safeguard the organization’s information assets, reputation, and legal standing, making it a crucial component of any organization’s overall risk management strategy.
The key components of a Cybersecurity Risk Management program include risk identification, risk assessment, risk mitigation, and continuous monitoring. It also involves developing a cybersecurity policy, implementing security controls, and conducting regular audits and reviews.
Organizations can mitigate cybersecurity risks through several strategies. These include implementing strong access control measures like robust passwords and multi-factor authentication, regularly updating and patching systems to fix known vulnerabilities, and conducting employee training to recognize potential threats. The use of security software, such as antivirus and anti-malware programs, can help detect and eliminate threats, while regular data backups can mitigate damage from data breaches or ransomware attacks. Having an incident response plan can minimize damage during a cybersecurity incident, and regular risk assessments can identify and address potential vulnerabilities. Lastly, compliance with industry standards and regulations, such as the Cybersecurity Maturity Model Certification (CMMC) and National Institute of Standards and Technology (NIST) standards, can further help organizations mitigate cybersecurity risks.
A risk assessment is a crucial part of Cybersecurity Risk Management. It involves identifying potential threats and vulnerabilities, assessing the potential impact and likelihood of these risks, and prioritizing them based on their severity. This helps in developing effective strategies to mitigate these risks.
Continuous monitoring is a vital component of Cybersecurity Risk Management, providing real-time observation and analysis of system components to detect security anomalies. This enables immediate threat detection and response, helping to prevent or minimize damage. It also ensures compliance with cybersecurity standards and regulations, allowing organizations to quickly address any areas of non-compliance. By tracking system performance, continuous monitoring aids in identifying potential vulnerabilities, while the data gathered informs decision-making processes about resource allocation, risk management strategies, and security controls.
Additional Resources
- Webinar: Addressing the Biggest Gap in Your Zero-Trust Strategy
- Report: Benchmark Your Sensitive Content Communications Privacy and Compliance
- Blog Post: Kiteworks Utilizes Its Own Private Content Network
- Article: What is Risk Security Management?
- Blog Post: What is the Most Secure File Sharing?