Most organizations have dozens of different cybersecurity products and tools because continual innovation is needed to keep pace with adversaries, and well-known vendors are rarely the most innovative. Enterprises turn to new vendors and new types of products in search of something they're missing.

Unfortunately, that strategy can lead to a siloed and constantly growing security architecture, featuring numerous cybersecurity products with their own sets of commands, unique policies, and purpose-built management systems, and often requiring dedicated staff to oversee them. Worse, with all this cost and complexity, organizations fail to get maximum value out of their cybersecurity product architectures. The reason is that the products aren't working together.

Another factor is that many security leaders underestimate the value of an integrated cybersecurity product architecture. Post-mortems on devastating attacks like NotPetya illustrate that worst-case scenarios often could have been avoided if a product that detected the attack had shared its findings with other products that could have taken corrective and preventative action.  

But even simple integration scenarios can seem too daunting to achieve. The most common integration method, API-based connections, require time-consuming trial-and-error configuration with no guarantees. Scripting programs and other manual integration processes are usually non-starters.

Alternatively, many so-called platform vendors tout the benefits of preintegrated ecosystems of so-called best-of-breed products, but reality never justifies the hype. The products are rarely best of breed and weren't actually built to work together, and enablement costs quickly rise beyond projections.

It's time for a new approach to cybersecurity architecture integration. The way for cybersecurity leaders to get started is with a cybersecurity architecture integration business plan.

Creating the Cybersecurity Architecture Integration Business Plan
Omdia believes every organization using more than a handful of enterprise cybersecurity products should have a technology strategy and tactical approach for integrating their product architectures.

That effort should start with a business plan. Like any new business initiative, this should serve as the written rationale for what your integration objectives are, why you want to achieve them, what your desired end result looks like, and how to justify the cost.

This is a great exercise for a cybersecurity architect, the person typically in charge of planning, implementing, and managing an enterprise's cybersecurity technology. Not only is that role typically among those running integration projects, but it also is an opportunity to develop CISO-level management skills and demonstrate leadership.

Start with a list or ideally a visualization of the security and security-related products in your organization, and identify existing integrations. How well do they work? Are they consistent? How deep are they — do they allow simple data exchange, or do they enable complex, orchestrated actions? Do they require ongoing configuration and/or troubleshooting? How many integrations rely on manual processes that are difficult to sustain?  

Next, conceptualize what a fully integrated architecture would look like. Which business processes would be improved, and how would the ROI be quantifiable in terms of time spent, threats averted, or other reduced costs? Which products would need to work together, and how? Which security controls would be improved, and ultimately how would risk be reduced for the organization? What would the cost be of creating and maintaining the integration or set of integrations needed to foster the desired business process changes?

From there, organize each initiative into groups or phases, prioritizing "quick wins" that can deliver significant benefits with minimal effort and cost. Because cybersecurity architecture integration is generally seen as a low-priority effort, early successes that earn stakeholder buy-in are often critical to advancing to more costly, complex integration projects.

Note that the costs associated with some integration projects will outweigh the benefits. This can be frustrating, but the discovery exercise can be beneficial; it can help highlight outdated or underperforming products, uncooperative vendors, broken processes, or even staffing and other resource allocation deficits. Ensure this knowledge is communicated to those who can use the feedback to help improve other aspects of the overall security program.

Enabling Integration with Security Platform Integration Frameworks
While developing this business plan, many organizations will no doubt discover that a patchwork of one-to-one cybersecurity product integrations is unwieldy, unreliable, and ultimately ineffective. For large enterprises with a considerable number of security products, Omdia recommends considering a Security Platform Integration Framework (registration required), or SPIF.

Omdia defines a SPIF as a single, centralized interconnection and messaging architecture that enables cybersecurity and related products from a variety of third-party vendors to distribute data to, and receive data from, other products and services. In other words, a SPIF is an integration hub for cybersecurity products that standardizes and simplifies integration among a wide variety of third-party solutions. By integrating to the SPIF, each product gains the ability to exchange data with any number of other products also integrated with the SPIF.

In a rapid threat-containment scenario involving a SPIF, for example, an integrated endpoint protection product informs the SPIF whenever an infected endpoint is found. In turn, any number of other products connected to the SPIF can receive and act on that data in near-real time. A network access control product can quickly isolate the infected endpoint, a SIEM can determine if the malware has been previously discovered, and an endpoint management tool can begin remediation.

Because the SPIF facilitates the communication among the products, it becomes easier to foster more integrations among a critical mass of products. This allows for a cybersecurity integration economy of scale, as the cost and effort required to integrate multiple products is greatly reduced.

SPIFs, however, are somewhat nascent, are typically tied to other commercial cybersecurity products, and require a long-term commitment in order to realize the benefits. They are best for large cybersecurity organizations with trained, experienced cybersecurity architects.

When employed successfully, a SPIF can serve as the nerve center of a cybersecurity architecture, making complex, policy-driven response actions not only possible, but also repeatable and reliable. A SPIF represents the opportunity for organizations to use their existing solutions to take a significant leap forward in both security program efficacy and ROI.

Related Content:

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19.