Security Operations: You Are Doing It Wrong
Rant On: Recently I have been part of many RFPs (Requests for Proposal). Most of them simply list a litany of features they expect from a device. There is little or nothing about WHAT the company wants to accomplish. I will discuss the RFP/RFI with the involved Sales Engineers and ninety-nine percent of the time we will be able to pick out which manufacturer heavily influenced the request. Following the returned request will be discussions about "Is it 'the best' at this feature?", or "Such and such thinks these are the best." My favorite though: "We know you guys are the most secure, we just have such a large investment in X company." I remember a time when having effective equipment wasn't about manufacturer loyalty, but rather what worked best.
Playing for the name on the front of the jersey. That is the beginning of the solution to this problem. Too often engineers become management only to increasingly deploy the technology they are comfortable with and trained in. Instead of searching out unique solutions, or finding best-of-breed technologies, they simply go with what they know. Typically the first vendor that was "in the pool", so to speak, for that type of technology is the one management will stick with. Working for a relatively unknown security manufacturer (3rd largest in the world) I run into this all the time. Just the other day I came across a newly minted director of IT. His security people picked our equipment in a large head-to-head bake-off. Every time he met with us afterwards, he talked about their incumbent switching/routing manufacturer and how we were not like them. Never once did he mention what we could do for him, or the relationship management that would increase his ease with our product. There didn't seem to be any aim to create an effective partnership. Which team was he playing for?
I might see him in the news.
Do not plan your tactics around vendor features. Vendor features are a dime a dozen. If a feature does not conform to IETF procedures, or have an IEEE standard or RFC written for it, consider it proprietary and high risk. One of the most underplayed risks in Information Technology is vendor lock-in. I will openly admit that most vendors will create features that sound cool and are specific to their solution set. Beware. The cost of entry may be at market level, but the renewals will not be. This creates weaknesses in your organization not just in CAPEX, but in OPEX, as you wait for upgrades and vendor bug fixes and deal with possible incompatibilities with newer and possibly better technology. Remember, the best thing you can do for the company might be invisible.
Keep it simple (lex parsimoniae). That does not mean that you hold down head count, deprecate or ignore effective tactics, and generally avoid that which may be hard to do (like forklifting tech). Those are opportunities to become more flexible and a better organization. Keeping it simple is a practice that makes heavy use of Occam's Razor. If the vendor does not have a preset solution for you to follow, or does not fit effectively into your current strategy, is it worth the headache to put it in? The answer could be yes.
This decision-making routine helps management develop a weighted scale of technology benefit. If vendor A catches 96% of viruses and hacking attempts, is it worth putting it in? If your current vendor has a device that only catches 40% (effectively), the head count required to rebuild laptops, the extra equipment required for spares, and the down-time business customers suffer in the name of security will definitely tip the scale. This weighted scale can only be developed through an effective testing process that management creates internally or farms out. A co-worker and friend wrote an article earlier on this specific matter. Create a simple flowchart that helps build that weighted scale for you. Once you have that in place, you can calculate the value you add for the company.
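The weighted scale described above can be made concrete by pricing the misses, not just the catch rate. The following is an added example, not code from the original article: a toy cost model that turns a product's catch rate, licensing, rebuild labor, spares and user downtime into one expected annual figure, so the 96% versus 40% comparison can be settled with the organization's own numbers instead of a vendor's slide deck. Every vendor name, rate and cost below is a constructed placeholder; only the two catch rates come from the paragraph above.

```python
"""Added example (not from the original article): a cost-based weighted scale
for comparing security products, in the spirit of the paragraph above.
All names, prices and volumes are constructed placeholders, not real data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    catch_rate: float               # fraction of attacks the product actually stops (0..1)
    annual_license: float           # recurring cost of the product itself
    rebuild_hours_per_miss: float   # staff time to rebuild one compromised laptop
    spare_units: int                # extra hardware kept on hand for rebuilds


@dataclass(frozen=True)
class Environment:
    attacks_per_year: int           # attacks the product will be asked to stop
    hourly_staff_cost: float        # fully loaded cost of one hour of engineer time
    spare_unit_cost: float          # price of one spare laptop
    downtime_cost_per_miss: float   # business cost of one user being offline for a rebuild


def expected_annual_cost(c: Candidate, env: Environment) -> dict:
    """Price the product AND the consequences of what it misses.

    Every miss costs rebuild labor and user downtime; spares and the license
    are paid regardless. Money is rounded to cents so totals compare cleanly."""
    if not 0.0 <= c.catch_rate <= 1.0:
        raise ValueError(f"{c.name}: catch_rate must be a fraction between 0 and 1")
    misses = env.attacks_per_year * (1.0 - c.catch_rate)
    labor = round(misses * c.rebuild_hours_per_miss * env.hourly_staff_cost, 2)
    spares = round(c.spare_units * env.spare_unit_cost, 2)
    downtime = round(misses * env.downtime_cost_per_miss, 2)
    total = round(c.annual_license + labor + spares + downtime, 2)
    return {"name": c.name, "misses": misses, "license": c.annual_license,
            "labor": labor, "spares": spares, "downtime": downtime, "total": total}


def rank(candidates, env: Environment) -> list:
    """Cheapest total cost of ownership first."""
    return sorted((expected_annual_cost(c, env) for c in candidates),
                  key=lambda r: r["total"])


def best_choice(candidates, env: Environment) -> str:
    return rank(candidates, env)[0]["name"]


# Constructed sample input: the article's 40% incumbent versus a 96% challenger
# that costs more than twice as much per year to license.
ENV = Environment(attacks_per_year=100, hourly_staff_cost=75.0,
                  spare_unit_cost=1200.0, downtime_cost_per_miss=500.0)
INCUMBENT = Candidate("incumbent (40% catch)", 0.40, 20000.0, 4.0, 10)
VENDOR_A = Candidate("vendor A (96% catch)", 0.96, 50000.0, 4.0, 2)

if __name__ == "__main__":
    for row in rank([INCUMBENT, VENDOR_A], ENV):
        print(f'{row["name"]:<24} misses={row["misses"]:6.1f} '
              f'labor={row["labor"]:9.2f} spares={row["spares"]:9.2f} '
              f'downtime={row["downtime"]:9.2f} total={row["total"]:10.2f}')
```

With these placeholder numbers the cheaper license loses: the incumbent's 60 misses a year cost more in rebuild labor, spares and downtime than the challenger's extra license fee. The point of the model is not the specific outcome but that the inputs are the organization's own measured catch rates and costs, which is exactly what the testing process in the paragraph above is meant to produce.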
Remember, you can be your own worst enemy. Vendor lock-in and indoctrination can be a good and a bad thing. If you are not testing effectively, and are creating a paradigm where only your favorite vendor wins, this can lead to disaster. Creating value, and looking out for the company, is a job well done. One of the most effective strategies for management is to keep an open mind and an inquisitive heart.
Cheers and Good Luck,
James Cabe
SDN presents a huge opportunity for us because of the East/West requirements. The real problem is that SDN itself isn't ready for security.
I remain strictly vendor agnostic since my clients ask me to make vendor assessments and they rely upon my agnosticism. From my recent analysis, there are three major issues with ALL firewall vendors. 1) They provide no framework for security policy risk management out of the box. 2) APIs, ITSM, and reports for orchestration and automation are arcane, proprietary and poorly supported in general. 3) The firewall vendors are avoiding the SDN push because it scares the pants off their product managers. Your point about performance in VM SDN is valid. No firewall vendor has an NSX service module that has acceptable performance. The NSX APIs and x86 architecture are the problem there - for now. Happy Birthday!
Michael Hawkins and @lorenz, you both make good points. I think there may be a bit of message misinterpretation. I agree that integration issues are the prime reason customers 'go with what they know'. But telling me the vendor I work for doesn't integrate shows that you haven't engaged like the customer in my story. We have Algosec integration, Fortigate VMX or NSX, and VM versions of Fortigate, Fortiweb, etc. As for top right, top right of Gartner? We are there in UTM; NGFW is a branding farce. If you want us to push more VM infrastructure, quite honestly, 'it isn't there yet': x86 processors struggle to get 10Gbps without running a hypervisor, and that halves the bandwidth again. 5Gbps flow rates are not data center speeds and do not get you a performing zero trust network. I would like to have a deeper discussion because you are very intelligent and keep the customer first. Thank you for responding. I hope to talk soon.
You have a good point. I agree that all the RFPs and RFIs asking for features and not achievements are a pain! However, you seem to work for a vendor as well, and your company is also telling customers to buy boxes with features a-z to be more secure, which might be true in a sense. What are we really missing here? IT Security is an immature field and the customers are even worse (in terms of maturity, of course, only). So let's compare the RFP / RFI situation we face in the security field with - let's say - wanting to build a new house. Nobody would just buy some bricks, plumbing, windows, cable, stoves and pull them together without experience and an overall plan and hope to get a good house. Right? You would either buy a standard house or consult an architect who first clarifies your basic requirements, such as whether you want to build a hospital, prison, bank or private residence. Then a basic blueprint is created BEFORE the first brick is moved. In IT we just believe the marketing information of all major vendors and rely on the magic quadrants and the buzzwords that change every year. Are you prepared for the next buzz? We are investing in Network and Endpoint Threat Management Solutions. Are you familiar with the leading-edge feature sets and threat feeds? What should we do? Before complaining that the client is not mature, we as security professionals should suggest concepts and building blocks for how clients can protect data reliably and detect breaches fast and effectively, rather than just telling them to buy a new box every year without achieving more security in the end.
I think pointing the finger of blame with a rant aimed at the customer is misdirected when the problem is with your own product. Firewalls simply can't do what Algosec, Firemon, RedSeal, Tufin and Skybox (sorry if I missed the dozens of others) do, and until they do, you can expect to see more and more firewall RFPs that simply ask which firewall feature or function your firewall has or not, and how well it does it or not. And that doesn't only apply to Fortinet; it applies to all of the firewall vendors that haven't given much, if any, attention to policy risk management as well as automation and orchestration (puppet integration, VCAC integration, NSX integration? only two firewall vendors in the upper right quadrant do much of this). There is a whole industry grown up around you because no firewall vendor stepped up and addressed it. Someone else filled the void. But you rant at your potential customers? Educating customers is hard, but lecturing them is not the way to a signed PO, nor is it a better way to get your clients into a security posture.