Cybersecurity Collage

Without 3rd Party Security ‘Vendor Brokers’, AWS and Azure May Not Be For You

…at least for PCI anyway. It’s just too damned difficult to get all the security wrappers PCI requires without Vendor Brokers.

Cybersecurity has now be made too complex – by security vendors – to be able to mix-and-match with individual vendors from the AWS/Azure marketplaces. I don’t know of any single vendor who can cover even a majority of the PCI requirements related to platforms.

i.e.

  1. Firewall Management;
  2. Configuration Standard(s);
  3. Anti-Virus;
  4. Vulnerability Management;
  5. Patching;
  6. Access Control;
  7. Authentication Mechanism(s);
  8. Logging & Monitoring;
  9. Web Application Firewall; and
  10. File Integrity Monitoring

There are many reasons for this, one of which is that ever since security became a multi-billion £/$/€ a year industry, hundreds of companies have started up to try bring us the ‘silver bullet’ appliances.  Not only do silver bullets not exist in cybersecurity – and you should be shot for using the phrase in any way that’s non-derogatory – but where are the overwhelming majority of those companies now?

They either failed, or have been ‘collected’ by larger companies who have tried to duct-tape the disparate products into silver-bullet solutions.

Which have also failed.

It’s not that the original products didn’t work, some of them actually did, it’s that;

  1. Organisations threw technology at business problems without knowing why they were doing it;
  2. The big companies that collected the smaller ones tried to integrate the individual products together under one GUI, instead of unifying the functionality under a single code base; and
  3. There has never been, and there never will be, a one-size-fits-all solution to security.

But the market is still ripe for innovation, and there will continue to be companies starting up with the goal of bringing a single product to market that will catch the latest security hype/wave/buzz and make them their fortunes (UEBA for example).  They may even succeed, but only if they make their impact in the first year or two, otherwise the market will have moved on.

And if they’re VERY lucky, the larger companies will be naive / ignorant enough to buy them and save them the trouble.

Don’t get me wrong, I am not against combining single products into a larger solutions. In fact it’s the only way to go, but only if it’s done correctly.  Single product companies have 100% focus, which gives them drive, short-term goals, and a dedication to making their one product the best. The second you absorb that company however, every one of those attributes that put them on (or near) the top, are lost in the larger mix.  The functionality is diluted, innovation ceases, and the the whole thing quickly becomes obsolete.

True integration of functionality can only be accomplished with a single code base, and a single platform, which means that any organisation that absorbed the smaller companies better have a plan in mind to migrate not only the applications over to their growing solution, but they will need to consider all of the clients who bought the product prior to the M&A.  These guys often suffer from a total lack of customer service and support, and there’s no way they’ll buy into the larger program.

In my experience, the due diligence necessary to combine product companies is not overly abundant, and until it is, we should all be VERY careful when we look to resolve our security issues with multi-function solutions.

I call these Vendor Brokers ‘collage companies’, as the picture might be pretty, but it’s in no way whole.

Here are a few questions you might want to ask your potential providers;

  1. Can your solution replace some / most of my current functionality?
  2. Do you provide a consultancy ‘wrapper’ around these solutions to help us manage them against our business goals?
  3. Will the output from your solution feed into my current collection mechanism, or can my current output feed into yours?
  4. Are the various aspects / functions of your solution ‘home grown’, or obtained through acquisition?  If acquisition, how have you unified the back end code and platforms?
  5. How do you ensure that the different functions of the solution receive a similar attention to what the single product vendors provide?
  6. Do you have a single customer support process to handle all functionality questions?

Regardless of the shenanigans going on in the security product market, your choice of Vendor Broker should only be driven by what your risk assessment and gap analysis said you need, and your due diligence should cover any requirements you may have regarding integration and ongoing maintenance.

If is doesn’t, don’t expect Vendor Brokers to help, they have enough problems keeping their own houses in order. 

[If you liked this article, please share! Want more like it, subscribe!]

Security RFPs: You Must Ask the Right Questions

Whom would you want interviewing prospective specialist Doctors if a family member was sick; your plumber, or your GP?

Why then, would any organisation without in-house expertise try to write their own Request for Proposal (RFP) for security services? Or worse, hand it off to the procurement department who know even less, and only have two remits: 1) meet company policies, and 2) get the best price.

As simple as security is, getting the right services (whether consulting, managed, or product) by finding the right help to MAKE it simple, and hopefully, as easy as possible, is probably the most complicated, and the most necessary, thing you can do. It takes an expert to make things simple. Get THAT right and you’re well on the way to a cost-efficient and above all sustainable security programme appropriate for your business.

Taking PCI as an example, here are the steps that organisations take more often than not:

  1. CEO gets the letter from their acquirer stating that they must achieve PCI compliance.
  2. CEO MAY get as far as DSS Requirement 1: Firewalls etc. and glazes over. They hand this off to the IT Director.
  3. IT Director looks at it in a little more detail, but only enough to realise that they’ll need help. He gets budget for a QSA.
  4. Procurement receive the requirements from the IT Director who wrote them based on many assumptions.
  5. Procurement packages up a sub-set of the requirements along without their own standard requirements out to the QSA ecosystem.
  6. Answers come back to the questions asked and no more, along with a quote based on an inaccurate scope.
  7. Procurement throw out the top and bottom, choose a few in the middle for the next stage and make no effort to refine the selection criteria.
  8. The QSA company who has the best answers to all the wrong questions and is near the bottom in price gets the gig

And what do they end up with? They get what they asked for, and invariably not what they need.

OK, so this is a completely worst case scenario, but you would be as horrified as I am if you actually knew just how close to reality this is. In almost 10 years I’ve been asked for details of my pre-QSA security experience twice, and only once have I been asked to provide personal references. I can get my dog through the SSCs QSA training, and I can sell her to you for a lot less than any of my competition can sell their people, but guess what kind of service you are going to get? About the same actually.

You don’t buy a Smart car then expect it to drive like an Aston Martin, yet you’re shocked and pissed off when your QSA is as much use as hubcaps on a tractor? No offence, but you literally got what you asked for.

Your job as the IT Director (or equivalent) is to do your homework to find the person(s) best placed to then find the services best suited to your business, because they have done it dozens of times for organisation much like yours. And they can do so without any conflict of interest. There are consultants out there who have been in security LONG before they were QSAs, then performed QSA services for many years helping literally hundreds of clients in every industry sector and potentially globally.

These consultants will define the RIGHT questions for your RFP, and then analyse the results before inviting the few decent QSA companies to offer up both their assessment methodology and personnel for appropriate review and interview respectively.

Every service provider out there is trying to maximise their profits – with which I have no problem – but if they are doing so at your expense by giving you inadequately experienced QSAs, tick-in-the-box managed services, or utterly pointless technology then quite frankly you have no-one but yourselves to blame.

The right skills are out there, go find them, or find someone who can.