

10:00 AM
Eric Parizo

What's Your Cybersecurity Architecture Integration Business Plan?

To get the most out of your enterprise cybersecurity products, they need to work together. But getting those products talking to each other isn't easy.

Most organizations have dozens of different cybersecurity products and tools because continual innovation is needed to keep pace with adversaries, and well-known vendors are rarely the most innovative. Enterprises turn to new vendors and new types of products in search of something they're missing.

Unfortunately, that strategy can lead to a siloed and constantly growing security architecture, featuring numerous cybersecurity products with their own sets of commands, unique policies, and purpose-built management systems, and often requiring dedicated staff to oversee them. Worse, with all this cost and complexity, organizations fail to get maximum value out of their cybersecurity product architectures. The reason is that the products aren't working together.

Another factor is that many security leaders underestimate the value of an integrated cybersecurity product architecture. Post-mortems on devastating attacks like NotPetya illustrate that worst-case scenarios often could have been avoided if a product that detected the attack had shared its findings with other products that could have taken corrective and preventative action.  

But even simple integration scenarios can seem too daunting to attempt. The most common integration method, an API-based connection, requires time-consuming trial-and-error configuration with no guarantee that it will work, or keep working after the next product update. Custom scripts and other manual integration processes are usually non-starters.

Alternatively, many self-described platform vendors tout the benefits of a preintegrated ecosystem of best-of-breed products, but reality never justifies the hype: the products are rarely best of breed, were not actually built to work together, and enablement costs quickly rise beyond projections.

It's time for a new approach to cybersecurity architecture integration. The way for cybersecurity leaders to get started is with a cybersecurity architecture integration business plan.

Creating the Cybersecurity Architecture Integration Business Plan
Omdia believes every organization using more than a handful of enterprise cybersecurity products should have a technology strategy and tactical approach for integrating their product architectures.

That effort should start with a business plan. Like any new business initiative, this should serve as the written rationale for what your integration objectives are, why you want to achieve them, what your desired end result looks like, and how to justify the cost.

This is a great exercise for a cybersecurity architect, the person typically in charge of planning, implementing, and managing an enterprise's cybersecurity technology. Not only is that role typically among those running integration projects, but it also is an opportunity to develop CISO-level management skills and demonstrate leadership.

Start with a list or ideally a visualization of the security and security-related products in your organization, and identify existing integrations. How well do they work? Are they consistent? How deep are they — do they allow simple data exchange, or do they enable complex, orchestrated actions? Do they require ongoing configuration and/or troubleshooting? How many integrations rely on manual processes that are difficult to sustain?  

Next, conceptualize what a fully integrated architecture would look like. Which business processes would be improved, and how would the ROI be quantifiable in terms of time spent, threats averted, or other reduced costs? Which products would need to work together, and how? Which security controls would be improved, and ultimately how would risk be reduced for the organization? What would the cost be of creating and maintaining the integration or set of integrations needed to foster the desired business process changes?

From there, organize each initiative into groups or phases, prioritizing "quick wins" that can deliver significant benefits with minimal effort and cost. Because cybersecurity architecture integration is generally seen as a low-priority effort, early successes that earn stakeholder buy-in are often critical to advancing to more costly, complex integration projects.

Note that the costs associated with some integration projects will outweigh the benefits. This can be frustrating, but the discovery exercise can be beneficial; it can help highlight outdated or underperforming products, uncooperative vendors, broken processes, or even staffing and other resource allocation deficits. Ensure this knowledge is communicated to those who can use the feedback to help improve other aspects of the overall security program.

Enabling Integration with Security Platform Integration Frameworks
While developing this business plan, many organizations will no doubt discover that a patchwork of one-to-one cybersecurity product integrations is unwieldy, unreliable, and ultimately ineffective. For large enterprises with a considerable number of security products, Omdia recommends considering a Security Platform Integration Framework, or SPIF.

Omdia defines a SPIF as a single, centralized interconnection and messaging architecture that enables cybersecurity and related products from a variety of third-party vendors to distribute data to, and receive data from, other products and services. In other words, a SPIF is an integration hub for cybersecurity products that standardizes and simplifies integration among a wide variety of third-party solutions. By integrating to the SPIF, each product gains the ability to exchange data with any number of other products also integrated with the SPIF.

In a rapid threat-containment scenario involving a SPIF, for example, an integrated endpoint protection product informs the SPIF whenever an infected endpoint is found. In turn, any number of other products connected to the SPIF can receive and act on that data in near-real time. A network access control product can quickly isolate the infected endpoint, a SIEM can determine if the malware has been previously discovered, and an endpoint management tool can begin remediation.

Because the SPIF facilitates the communication among the products, it becomes easier to foster more integrations among a critical mass of products. This allows for a cybersecurity integration economy of scale, as the cost and effort required to integrate multiple products is greatly reduced.
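The following is an added illustration of the hub-and-spoke pattern described in the two paragraphs above: the containment scenario (endpoint protection publishes, NAC, SIEM and endpoint management subscribe) and the economy-of-scale argument. It is not code from Omdia, Dark Reading, or any commercial SPIF product. The event schema, the product names, the host identifier and the known-bad hash table are all constructed for the example; a real hub would additionally authenticate publishers, since every subscriber acts on whatever the hub relays.

```python
# Added example: a minimal integration hub in the SPIF style. Not the code of
# any real product; event fields, product names and hashes are constructed.
from collections import defaultdict

REQUIRED_FIELDS = ("event_type", "source", "host_id", "sha256")


class IntegrationHub:
    """Central message hub: producers publish normalized events, consumers
    subscribe by event type. Each product integrates once, with the hub."""

    def __init__(self):
        self._subscribers = defaultdict(list)   # event_type -> [(name, handler)]
        self._seen = set()                      # keys of events already dispatched
        self.audit = []                         # what happened, for post-incident review

    def subscribe(self, name, event_type, handler):
        self._subscribers[event_type].append((name, handler))

    def publish(self, event):
        """Validate, deduplicate and fan out one event. Returns the actions
        taken by subscribers; a failing subscriber is logged, not fatal."""
        missing = [f for f in REQUIRED_FIELDS if f not in event]
        if missing:
            raise ValueError(f"event from {event.get('source')!r} missing {missing}")
        key = (event["event_type"], event["host_id"], event["sha256"])
        if key in self._seen:                   # same detection re-sent: no second isolation
            self.audit.append(("duplicate", key))
            return []
        self._seen.add(key)
        actions = []
        for name, handler in self._subscribers[event["event_type"]]:
            try:
                actions.append((name, handler(event)))
                self.audit.append(("ok", name, key))
            except Exception as exc:            # one broken integration must not block the rest
                self.audit.append(("error", name, repr(exc)))
        return actions


# Constructed threat-intel table standing in for what a SIEM would query.
KNOWN_BAD_HASHES = {"7f3a" * 16: "constructed-ransomware-family"}


def nac_isolate(event):
    """Hypothetical NAC subscriber: move the host to a quarantine VLAN."""
    return f"quarantine-vlan {event['host_id']}"


def siem_lookup(event):
    """Hypothetical SIEM subscriber: has this sample been seen before?"""
    family = KNOWN_BAD_HASHES.get(event["sha256"])
    return "known: " + family if family else "unknown: open investigation"


def endpoint_remediate(event):
    """Hypothetical endpoint-management subscriber: start remediation."""
    return f"reimage-ticket {event['host_id']}"


def run_containment_scenario():
    """Wire the three consumers to the hub and replay one EPP detection."""
    hub = IntegrationHub()
    hub.subscribe("nac", "endpoint.infected", nac_isolate)
    hub.subscribe("siem", "endpoint.infected", siem_lookup)
    hub.subscribe("endpoint-mgmt", "endpoint.infected", endpoint_remediate)

    detection = {                               # constructed EPP event
        "event_type": "endpoint.infected",
        "source": "epp",
        "host_id": "ws-0427",
        "sha256": "7f3a" * 16,
    }
    first = hub.publish(detection)
    second = hub.publish(detection)             # EPP retry: must be a no-op
    return first, second, hub.audit


def integrations_needed(n_products):
    """Point-to-point needs every ordered pair; a hub needs one per product."""
    return {"point_to_point": n_products * (n_products - 1), "hub": n_products}


if __name__ == "__main__":
    first, second, audit = run_containment_scenario()
    for name, action in first:
        print(f"{name:14} -> {action}")
    print("retry produced", len(second), "actions;", integrations_needed(12))
```

The two design choices worth copying are the ones the article's scenario depends on but does not spell out: the hub deduplicates so that a product retrying the same detection does not isolate a host twice, and it isolates subscriber failures so that a SIEM lookup timing out does not stop the NAC from acting. Adding a fourth product means one new subscribe call rather than three new pairwise connectors.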

SPIFs, however, are somewhat nascent, are typically tied to other commercial cybersecurity products, and require a long-term commitment in order to realize the benefits. They are best for large cybersecurity organizations with trained, experienced cybersecurity architects.

When employed successfully, a SPIF can serve as the nerve center of a cybersecurity architecture, making complex, policy-driven response actions not only possible, but also repeatable and reliable. A SPIF represents the opportunity for organizations to use their existing solutions to take a significant leap forward in both security program efficacy and ROI.


Eric Parizo supports Omdia's Cybersecurity Accelerator, its research practice supporting vendor, service provider, and enterprise clients in the area of enterprise cybersecurity. Eric covers global cybersecurity trends and top-tier vendors in North America. He has been ... View Full Bio

Jack ONeill
User Rank: Apprentice
5/26/2020 | 3:33:04 PM
Re: Your cybersecurity architecture integration experiences
This is an excellent job of shining light on a topic that isn't typically thought about! Integration issues and limitations run rampant in the SaaS space because software providers see integrations as an afterthought. The one-to-one connector approach we've seen as the standard just doesn't work when organizations are constantly adding new platforms into their environments. Take a look at SOFTwarfare. We offer a secure integration platform that connects all of your cybersecurity solutions, we manage those integrations moving forward to prevent connector breaks, and give organizations the ability to authenticate user access and manage the flow of information down to the data point level.

User Rank: Author
4/28/2020 | 12:59:57 PM
Your cybersecurity architecture integration experiences
I encourage readers to share their experiences regarding how they've succeeded (or failed) in getting their cybersecurity products to work together. Have you found value in doing so, or is it largely an exercise in futility? Are vendors making it easier, or is it as tough as ever? Are integrated single-vendor platforms now your preference, or do you favor the functionality of best-of-breed products? Thanks!