Trellix Public Policy


Interoperability: The Need for Open Platforms

The rapidly evolving cyber threat landscape has driven an explosion of security products, generating an ever-increasing mountain of potentially valuable data and insights. But with that comes increased complexity in making sense of it all and extracting real value for the organization. Today, integrating security products into an established operational environment can be extremely resource-intensive, time-consuming, and costly, all at the expense of many hours that could be better spent threat hunting and responding to malicious actors.

For too long, many cybersecurity vendors have made life harder for customers by ensuring their “secret sauce” was theirs and theirs alone. Customer organizations were not able to get the full value from the tools they purchased because of the lack of interoperability, the expense of integration and the potentially valuable data locked away in proprietary silos and data formats. This untenable situation provides the cybersecurity vendor community with a real opportunity.

We have seen this play out before. Prior to the beginning of the Industrial Revolution, tools were mostly handcrafted and not precise or consistent enough to support manufacturing needs. It was widespread standardization that changed the landscape and led to the Industrial Revolution. Interchangeable parts allowed for the easy assembly of new and innovative products, much cheaper repairs and fewer skills and time required of workers. Best of all, it led to dramatically reduced costs across the board, for producers and consumers.

Goals

Trellix believes we need to foster a similar revolution in cybersecurity today. We need to foster a more open cybersecurity ecosystem, where products from vendors and software publishers can freely exchange information, insights and analytics, and seamlessly orchestrate comprehensive responses to our adversaries. As an industry, we urgently need to further develop and promote openly available common architectural components focused on ontology, messaging, data sharing, tooling, APIs, and practices for operational interoperability amongst cybersecurity tools. In short, the goal is to “integrate once, reuse everywhere”, meaning:

  • Organizations need to be able to purchase best-of-breed defensive solutions and integrate them quickly and easily.
  • We must be able to integrate our cyber defense tools in a much simpler and less complex fashion than possible today, making them rapidly operationally useful.
  • We cannot continue to put the cumbersome burden of product and data integration on each organization that buys cybersecurity products.
  • We must be able to share standardized, robust threat data that can be enriched by multiple tools.
  • We must provide the interoperable messaging capabilities that allow for different vendor tools to easily communicate events and situational awareness.

Benefits

For enterprises and security operations staff, this results in:

  • Increased security visibility and the ability to discover new critical insights and findings that may otherwise be missed
  • Connecting data and sharing insights across differing vendor products
  • Extracting additional value from existing fielded products
  • Reduced vendor lock-in
  • Reduced procurement of unnecessary new tools / shelf-ware
  • Enabling compatible vendors to seamlessly interoperate, making plug-and-play integration a reality
  • Facilitating additional security use cases, improving threat hunting and detection, analytics, operations, response and more
  • More rapid deployment and integration into existing organizational security processes
  • Overall reduction of costs for product integration.

For security vendors, the benefits are tangible. They include:

  • Reduced integration costs, improving vendors’ ability to focus on higher-value features and integrations
  • Faster development of new cybersecurity capabilities at scale
  • Improved robustness of data integrations, allowing customers to extract more value from their products and tools
  • Ease of integration for customers, allowing products to be more useful directly out of the box, thus reducing support costs
  • No duplication of the messaging and data exchange aspects of products.

Like the beginning of the Industrial Revolution, where interchangeable parts provided the economic incentives and the foundation for true innovation, we believe an open cybersecurity ecosystem, where products from all vendors and software publishers can freely exchange information, insights, analytics, and orchestrated responses, will lead to real advancements in cybersecurity and provide a foundation for cybersecurity innovation to flourish.

What’s at Stake

The security industry is not delivering the promised protection that people and organizations need, in large part because of a lack of collaboration at a data and interface level. There are two dominant cybersecurity models: best of breed, where the customer is free to choose any available product but is responsible for integration; and end-to-end, where a single vendor provides a fully integrated solution. Both models come up short, however, because they are based on closed systems of proprietary interfaces that are controlled by dominant vendors and restrict third-party developer participation. This limits customer choice and favors vendors’ development priorities and resources. Attackers have a critical time advantage, and they are able to exploit the inherent weaknesses in these two security models. When a new threat-type emerges, the security industry responds with new solutions to combat this threat, and customers try to determine which is “the best,” which takes time.

Trellix is committed to playing a powerful, constructive role in helping to solve the world’s most complex cybersecurity challenges. To honor this commitment, we are and have been historically a leading open platform cybersecurity company. To support this evolution, we are partnering with standards organizations, consortia and policy makers to push the cybersecurity industry toward broad adoption of this open platform model. This will help ensure innovation and open competition, and enable the entire cybersecurity ecosystem to meet the security challenges of the 21st century.

Key Points

Interoperability is critical and vital on multiple levels, as cyber threats continue to challenge organizations across the globe.

  • For too long, vendors touted their proprietary “secret sauce” to compete on who had the best (yet incomplete) data set. They’d be better off taking advantage of initiatives like the Cyber Threat Alliance’s information-sharing program, allowing them to shift their focus from improving data sets to the power of their analytics and the tools they develop for understanding the data. Competing at this level and not on the level of proprietary data sets will provide the industry with better insights than ever before, and a more complete picture of the threat landscape.
  • Enabling cybersecurity tools to work together has significant security and operational benefits. In short, interoperability has real-world business advantages, not just technical ones. Giving businesses and organizations, including the federal government, a full suite of interoperable solutions and tools has benefits that extend beyond just security.
  • Major efforts are underway to make widespread interoperability a reality. Active standards work by various standards development organizations, such as IETF, ISO, IEC, OASIS, and others, as well as by consortia and industry groups, such as the Open Cybersecurity Alliance, is advancing our integrated interoperability future. Organizations are collaborating to help develop standards, open common communications and data federation capabilities, tools and policies.

Recommendations

The cybersecurity industry needs to change by offering customers solutions that benefit from an open platform model. This is an architecture that makes it easier to deploy and manage a broad set of capabilities, not a business model dictating who can participate and how. Open cybersecurity platforms increase the rate and breadth of innovation by lowering development costs across the ecosystem. This helps leverage the power of the entire cybersecurity community to help stop existing and emerging malware, correlate events across the broadest set of threat intelligence, and have compliance solutions appropriate for the largest population of customers.

Trellix supports:

  • Driving broad-based industry collaboration and adoption.
  • Partnering with standards groups to drive change towards open interfaces, allowing security products to integrate out of the box more seamlessly.
  • Urging policy makers to use their influence and voice to drive change by favoring open platforms.
  • Reforming procurement rules to enable faster uptake of cybersecurity solutions, particularly those based on open platforms.
  • Focusing government efforts on procurement of open platform solutions to help move the market in a more standardized and interoperable fashion.

Cybersecurity vendors should not be competing on plumbing; rather, the plumbing is the foundation, the common platform, upon which cybersecurity tools are built. Cybersecurity vendors have a real adversary we must defeat, and vendors should not be distracted by each of us having to replicate different ways to provide product plumbing.

We must find ways to raise the level of competition between vendors while focusing on defending against the adversary we all face daily. We need to focus on improving security in order to, for example, help hospitals better understand the threat landscape to prevent life-threatening cyber-attacks, help businesses focus on their missions rather than on cybersecurity, and help better identify national security threats in order to protect critical national functions. Interoperability makes these things possible, and we must continue to have the important conversations and take the actions needed to make true interoperability a reality.