The Next Board Opportunity: Automatic Enterprise Security Orchestration: A Radical Change in Direction

Commercial boards of directors and senior government officials are in a prime position to kick-start a new and absolutely necessary direction in the evolution of cybersecurity: the adoption of the security platform.

The reason board influence is needed is that the idea of using a single vendor to do most of your security is anathema to many network defenders. Many network defenders are locked into a set of best practices developed over 20 years that make it almost impossible to veer away on a radically new path that goes against everything they have learned in their careers. And many boards are used to letting those best practices continue, with security considered a cost center that’s “IT’s problem to solve.” Let’s look at how we change both ways of thinking.

Orchestration Challenges with the Legacy Approach

The Cyber Kill Chain, described by Lockheed Martin in a 2010 paper, revolutionized the way network defenders think about securing the enterprise. The model is sound, but many struggle with the management of the system. These challenges include:

Too Many Tools to Manage

Network defenders have to buy the point product. Then they have to buy a person who can maintain the point product. Then they have to buy a person who understands the data coming out of the point product. Finally, they need to buy somebody who can stitch the data from all of their point products into something coherent.

Too Much Complexity for Security

The more complex a security architecture is, the easier it is for network defenders to make a mistake in the deployment. Leveraging those mistakes is what hackers do.

Too Much Wasted Time

Followers of the Cyber Kill Chain model have found themselves within an infinite loop of security vendor assessment. Many believe that they not only need to deploy security controls at every link in the Cyber Kill Chain, they also need the best-of-breed for that class of controls. To accomplish this, they arrange head-to-head competitions for every point product class that they own or plan to add to their Cyber Kill Chain model. These can take months to orchestrate.

Too Inefficient Crossing the Last Mile

As cyber adversaries crawl through victims’ networks, they leave clues in their wake. The industry calls these clues indicators of compromise. Security vendors and white hat researchers are in a continuous state of seeking new indicators of compromise. Once found, security vendors convert them into prevention and detection controls that they deploy to their customers in the field. The trick then for network defenders is to get these new controls installed in their deployed toolset down the Cyber Kill Chain as quickly as possible. This is called crossing the last mile. In other words, crossing the last mile is the process of finding new indicators of compromise, converting them to prevention and detection controls, and then deploying those controls to an already installed system in the environment. Security vendors do this for their own products fairly well. Things slow down in two cases: when a new indicator of compromise calls for controls across multiple products not owned by a single vendor, and when independent white hat researchers discover new indicators of compromise on their own. And if the network defender has more than a handful of tools deployed across the enterprise, keeping track of the status of each tool, and whether or not that tool has the most recent controls deployed for the latest intelligence, is a nightmare.

Benefits of Automatic Orchestration through a Security Platform

A true platform approach is what’s going to help all network defenders realize the value of the kill chain model. Here’s why:

Complexity Reduction

Adopting a platform approach is the solution to a simple math problem. It reduces the number of deployed products that network defenders have to manage from 10-15 down to a handful, including the platform itself and the partners associated with the platform. That handful of products is so tightly integrated that they are much more easily managed compared to the old way of managing them separately as deployed best-of-breed solutions.

The simplicity that the security platform offers also has another benefit: more efficient utilization. Because the independently deployed point products are so hard to manage, it is likely that network defenders rarely get them fully configured to their maximum potential. Think fewer products to manage, and more time to manage them.

Completing the Last Mile is More Efficient

Simplifying the orchestration of the previously mentioned last mile problem is no minor accomplishment. Converting indicators of compromise into prevention controls is important, but deploying those new controls to existing systems is the gas that fuels the entire operation. Without an efficient way to do that, cyber adversaries will continue to run circles around their victims’ networks because the responsible network defenders will be unable to move fast enough to counter them. Automatic orchestration is the key to crossing the last mile with any speed.
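The last mile problem described here and in the “Too Inefficient Crossing the Last Mile” section above comes down to bookkeeping: for each deployed tool, which of the latest indicators can it enforce, and which of those has it actually received? The following is an added example, not code from the article or from any vendor’s platform. It models a small indicator feed and a three-tool inventory, reports the per-tool coverage gap, breaks that gap down by who published the indicator (vendor versus independent researcher), and then pushes the missing indicators in one pass. The tool names, the indicator kinds each tool handles, and every indicator value are constructed for the example (documentation-reserved addresses and a `.invalid` domain), not real indicators of compromise.

```python
"""Tracking the 'last mile' across several point products.

Added example (not the article's or any vendor's code): a model of an
indicator feed plus a tool inventory that reports which deployed tools still
lack controls for the latest indicators, then pushes the missing ones.
All tool names, indicator kinds and values below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Indicator:
    kind: str    # what the observable is: "domain", "ip", "sha256", "url"
    value: str   # the observable itself
    source: str  # who published it: "vendor" or "researcher"


@dataclass
class Tool:
    name: str
    handles: Set[str]                                # indicator kinds this tool can enforce
    deployed: Set[str] = field(default_factory=set)  # indicator values already loaded

    def applies(self, ioc: Indicator) -> bool:
        """Can this tool enforce a control for this kind of indicator at all?"""
        return ioc.kind in self.handles


# Constructed feed: the "new indicators of compromise" stage of the last mile.
FEED: List[Indicator] = [
    Indicator("domain", "update-check.example.invalid", "vendor"),
    Indicator("ip", "203.0.113.7", "vendor"),
    Indicator("sha256", "0" * 63 + "1", "researcher"),
    Indicator("url", "http://203.0.113.7/stage2", "researcher"),
]


def build_inventory() -> List[Tool]:
    """Constructed inventory: three point products enforcing different kinds."""
    return [
        Tool("perimeter-firewall", {"domain", "ip"}, deployed={"203.0.113.7"}),
        Tool("web-proxy", {"domain", "url"}),
        Tool("endpoint-agent", {"sha256"}, deployed={"0" * 63 + "1"}),
    ]


def coverage_gaps(feed: List[Indicator], tools: List[Tool]) -> Dict[str, List[str]]:
    """Per tool, the applicable indicators it has not yet been given (feed order)."""
    return {
        tool.name: [ioc.value for ioc in feed
                    if tool.applies(ioc) and ioc.value not in tool.deployed]
        for tool in tools
    }


def gaps_by_source(feed: List[Indicator], tools: List[Tool]) -> Dict[str, int]:
    """Count missing (tool, indicator) pairs by who published the indicator."""
    counts: Dict[str, int] = {}
    for tool in tools:
        for ioc in feed:
            if tool.applies(ioc) and ioc.value not in tool.deployed:
                counts[ioc.source] = counts.get(ioc.source, 0) + 1
    return counts


def is_current(feed: List[Indicator], tools: List[Tool]) -> bool:
    """True when every tool holds every indicator it is able to enforce."""
    return all(not missing for missing in coverage_gaps(feed, tools).values())


def push(tool: Tool, feed: List[Indicator]) -> int:
    """Load every applicable, missing indicator into one tool; return how many were pushed."""
    missing = [ioc.value for ioc in feed
               if tool.applies(ioc) and ioc.value not in tool.deployed]
    tool.deployed.update(missing)
    return len(missing)


def orchestrate(feed: List[Indicator], tools: List[Tool]) -> Dict[str, int]:
    """Push to every tool in one pass; the per-tool counts double as an audit trail."""
    return {tool.name: push(tool, feed) for tool in tools}


if __name__ == "__main__":
    inventory = build_inventory()
    print("gaps before push:", coverage_gaps(FEED, inventory))
    print("gaps by source:  ", gaps_by_source(FEED, inventory))
    print("pushed per tool: ", orchestrate(FEED, inventory))
    print("all tools current:", is_current(FEED, inventory))
```

In a real environment `push` would be the vendor- or product-specific API call and `deployed` would be read back from each tool rather than kept in memory; the point of the model is that `coverage_gaps` and `is_current` are the questions a defender must be able to answer at any moment, and that the answer gets harder with every independently managed product added to the inventory.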

Potential Buying Leverage for a Single Vendor Solution

This is a difficult conversation for any organization, because choosing a single vendor with strong partner ties is counter to everything the network defender has been doing for the past 20 years. But once that decision is made, organizations can leverage it to simplify the buying process. Organizations can now get their security staff off of the security vendor assessment treadmill. They no longer have to assess a class of security products every two or three years. Since they have decided on a one-vendor approach, they have by default chosen that vendor as a trusted partner. Instead of buying new point products every three years, network defenders can look for longer contract terms and get better deals. For example, if an organization commits to a specific platform vendor for five years instead of three, salespeople are willing to give substantive discounts in exchange for a guaranteed long-term relationship. Further, since the relationship is now trusted, partners and resellers are willing to bend over backwards to accommodate specific asks.

For example, a CISO of a very large American insurance company was able to negotiate a lease for the security platform’s hardware. He did not want to own any of it because in his company, CAPEX was a drain on the financial statement. By leveraging his trusted partner status to get a lease of the equipment, his entire purchase became OPEX, which was much more acceptable.

Start the Conversation

Change is hard. Even when almost everybody in the room agrees that a change is required, people resist it. It is tough for network defenders to go against the best practices that have defined their careers for over 20 years, things like Defense-in-Depth or deploying best-of-breed point products down the Cyber Kill Chain. But a change in thinking is required here. The Cyber Kill Chain model provides absolutely the right theory for how organizations could regularly defeat cyber adversaries attacking their networks. But our first attempts at orchestrating those concepts in the real world have not worked that well for most network defenders.

In order to reduce the number of security tools deployed in your organization’s networks, to reduce the architectural complexity that makes it easier for hackers to leverage your organization’s security weaknesses, and to re-direct company resources away from an endless cycle of security vendor assessments, board members should have a serious conversation with their CIO/CSO/CTO about the benefits of adopting a security vendor platform in order to accomplish efficient orchestration. The network defenders in the organization may eventually come around to the idea, but if the board would like to expedite the process, they may want to influence the decision from the top down.

The security platform automates enterprise security orchestration from a single vendor with some key and essential trusted vendor partners. It effectively reduces complexity in extremely entangled environments, reduces vendor assessments that are consuming your network defender staff, and changes a tedious and manual process of converting indicators of compromise into prevention and detection controls into an efficient and automatic process. Because of these things, the single vendor model significantly reduces the Total Cost of Ownership in your material risk mitigation efforts.