The world’s largest security conference, RSA, came and went earlier this month at its normal home in the Moscone Center in San Francisco. There was some speculation the show might be canceled due to Verizon, AT&T and IBM pulling out, but the show went on with more than 40,000 people, myself included, coming to learn what’s new in the world of cyber-security.
My big takeaway from the event was that the concept of security platforms is finally taking hold. Historically, security buyers evaluated products on an individual basis in which firewall vendor A would have a bakeoff against firewall vendor B, and endpoint detection and response (EDR) vendor C would be compared to EDR vendor D. Conceptually, this might make sense, because the thought of having “best of breed” everywhere should offer the best protection.
This has led to a number of problems, the biggest of which is security tool sprawl. My research has found that the average number of security vendors in an enterprise is 32. Cisco’s research has found it’s over 70. Whatever the number, it’s too many, because keeping policies consistent is almost impossible.
Earlier this year, I had a discussion with a security engineer who wanted two distinct firewall vendors at every point of ingress and egress. Conceptually, this makes sense, because it provides protection from any kind of vendor-specific issue. In practicality, the engineer told me that the process of ensuring rules and policies were consistent was so difficult that he fell back to a single vendor. This is just for two vendors; imagine the havoc 32 or 70 vendors bring.
Security platforms or XDR provide better visibility and find threats faster
The solution to this is the security platform, where data is gathered and correlated across the environment at a macro level, as opposed to trying to correlate data from point products at the micro level. In the past, I’ve referred to this as XDR, which is the evolution of EDR. In fact, EDR perfectly highlights the problem with a non-platform approach. EDR solutions are great at finding issues on the endpoints, but rarely is the problem limited to the endpoints. EDR won’t see the root of the problem, but XDR will.
Palo Alto Networks has been the most aggressive vendor running with the XDR concept, but other vendors such as Stellar Cyber, Trend Micro and others also have embraced the term. Also, Fortinet’s Security Fabric and Cisco’s SecureX Platform are essentially XDR solutions, but those vendors have maintained their own messaging.
The shift from point product to platform/XDR should change the way customers evaluate and think about security vendors. One CISO I recently interviewed who had embraced XDR said she recently realized that best of breed everywhere does not lead to best-in-class security. In fact, the opposite can happen, where there are so many vendors that it’s impossible to see the gaps.
Gartner needs to rethink its security MQs
This underscores the problems with my industry. This includes the decision tools that analysts create, which tend to be very siloed in their development. Not to pick on the good folks at Gartner Research, but the company’s Magic Quadrants, which many consider to be the “gold standard” for decision tools, look at the world very narrowly. There’s an MQ for Endpoint Protection Platforms (EPP), Secure Web Gateways, Network Firewalls, SIEMs and more. Each one does a nice job of evaluating that particular market but does not help customers shift to a platform.
For example, Cisco Systems, Palo Alto Networks and Fortinet all score in the lower left-hand quadrant of Gartner's EPP MQ, while a vendor like Crowdstrike is in the upper right. But that doesn’t tell the whole story. The three platform vendors use the EPP data as well as network data to enable their platform to see more and protect better. Crowdstrike is a fine vendor, but it doesn’t correlate data from other sources. Analyst firms like Gartner need to stop being so backward-looking and change their evaluation criteria to be more in line with where security is going.
Cloud, network and endpoint are the pillars of XDR
From an evaluator’s perspective, it’s unlikely any vendor will have the entire security landscape covered. The three “must have” pillars for security platforms/XDR solutions are cloud, network and endpoint. Anything added beyond those makes the platform stronger. The vendor should also have a partner program to integrate third parties to take the data from existing tools. It should leverage AI engines to analyze the data and automatically correlate data from different sources. The previously mentioned Stellar Cyber is a security vendor born in the AI era and has designed its product around the concept of XDR.
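To make the point of the last two sections concrete, here is an added example (not from the article, and not any named vendor's product) that correlates constructed endpoint, network and cloud events by shared host, user or IP within a time window. The endpoint-only view sees one suspicious process; the cross-pillar view ties it to an earlier cloud login from the same IP the host later beacons to, which is where the investigation should start. All hosts, users, IPs and timestamps are invented sample data.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the article): a cloud audit event,
# an endpoint alert, a network flow, and one unrelated endpoint alert.
EVENTS = [
    {"source": "cloud", "ts": "2020-02-25T09:00:00",
     "entities": {"user:alice", "ip:203.0.113.7"},
     "summary": "console login by alice from unfamiliar IP 203.0.113.7"},
    {"source": "endpoint", "ts": "2020-02-25T09:12:00",
     "entities": {"host:H1", "user:alice"},
     "summary": "encoded PowerShell launched on H1 as alice"},
    {"source": "network", "ts": "2020-02-25T09:14:00",
     "entities": {"host:H1", "ip:203.0.113.7"},
     "summary": "H1 beaconing to 203.0.113.7"},
    {"source": "endpoint", "ts": "2020-02-25T11:30:00",
     "entities": {"host:H9", "user:bob"},
     "summary": "unsigned driver load on H9"},
]


def endpoint_only_view(events):
    """What an EDR-only console shows: each endpoint alert on its own."""
    return [e["summary"] for e in events if e["source"] == "endpoint"]


def correlate(events, window=timedelta(hours=1)):
    """Stitch events from any source into incidents when they share an
    entity (host, user or IP) with an incident and fall within `window`
    of that incident's most recent event."""
    incidents = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        for inc in incidents:
            if ev["entities"] & inc["entities"] and ts - inc["last"] <= window:
                inc["events"].append(ev)
                inc["entities"] |= ev["entities"]
                inc["sources"].add(ev["source"])
                inc["last"] = ts
                break
        else:  # no incident matched: open a new one
            incidents.append({"events": [ev], "entities": set(ev["entities"]),
                              "sources": {ev["source"]}, "last": ts})
    return incidents


def root_cause(incident):
    """The earliest event in the incident is the best lead on where it began."""
    return incident["events"][0]["summary"]


if __name__ == "__main__":
    print("EDR-only view:", endpoint_only_view(EVENTS))
    for inc in correlate(EVENTS):
        print(sorted(inc["sources"]), "->", root_cause(inc))
```

The window and the entity keys are the knobs a real platform tunes; too wide a window merges unrelated activity, too narrow splits one intrusion into several tickets.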
During the next several years, we will see more of the security industry embracing the platform approach. It enables customers to find threats faster and, more importantly, locate the source and fix the problem quickly. RSA 2020 was a watershed event for security because the platform became real.
Zeus Kerravala is an eWEEK regular contributor and the founder and principal analyst with ZK Research. He spent 10 years at Yankee Group and prior to that held a number of corporate IT positions.