Is There an Increasing Consolidation of Vendors in the SOC?


We’ve seen a wave of attempts at platform consolidation across the security operations center. But will the unique challenges of the SOC ultimately favor a more modular approach? 

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Howard Holton, COO, GigaOm. Joining us is Francis Odum, founder, Software Analyst Cybersecurity Research.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Palo Alto Networks

Cortex Cloud, the next generation of Prisma Cloud, merges best-in-class CDR with industry-leading CNAPP for real-time cloud security. Harness the power of AI and automation to prioritize risks with runtime context, enable remediation at scale, and stop attacks as they occur. Bring together your cloud and SOC on the unified Cortex platform to transform end-to-end operations. Experience the future of real-time cloud security at https://www.paloaltonetworks.com/cortex/cloud.

Full Transcript

Intro

0:00.000

[David Spark] We’ve seen a wave of attempts at platform consolidation across the Security Operations Center, or SOC. But will the unique challenges of the SOC ultimately favor a more modular approach?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark, producer of the CISO Series, and thrilled that we’re bringing on our guest co-host for this very episode, who’s perfect for this conversation. It is none other than Howard Holton, CTO over at GigaOm. Howard, say hello to the nice, friendly audience.

[Howard Holton] Hello, nice, friendly audience. I’m so happy to be back. I love being here, David.

[David Spark] Ah, we love having you on. And by the way, if you have not checked out our other programming on CISOseries.com, go do so. We’ve got lots and lots of wonderful programs. And actually, by the time this drops, our new show should have dropped as well. All right. Our sponsor for today’s episode is Palo Alto Networks.

They have a brand-new solution you’re going to want to hear about. It is the Cortex Cloud, defining the code-to-cloud-to-SOC future through real-time security. It’s pretty darn cool. More about that a little bit later in the show. But first, I’m going to actually introduce our guest early. Usually, I wait till we bring in the topic, but since our guest is responsible for the topic, he’s really probably the best one to sort of answer my initial question about it.

So, our guest is the founder of the Software Analyst Cybersecurity Research Group, none other than Francis Odum. Francis, great to have you here.

[Francis Odum] Thank you so much for having me, David, and nice to be with you and Howard today.

[David Spark] Awesome. Now, let’s get to this topic. Let me set this up. If you ask any of the big cybersecurity vendors, you’ll hear about the value of cybersecurity platformization. But Francis, you recently posted on LinkedIn that the SOC won’t be heading for a more consolidated approach any time soon.

Instead, you argued that the SOC will maintain a more modular approach built around best-of-breed solutions for core SOC functions. Just set us up a little bit. Walk me through your reasoning here.

[Francis Odum] Absolutely. I got a lot of hate from the big guys, obviously, because as you know, and I think everyone knows in the industry, there’s a whole push towards platformization and big platforms and vendor consolidation. However, based off my research, I found that that’s actually not what’s really happening within enterprises, and in a nutshell, there are three fundamental problems across multiple areas of the SOC.

We try to bundle the SOC into one, and there are three different problems around the data ingest layer, the detection layer, and the response component of it. And I think we need to untangle each of those to really get at the heart of why there’s not a vendor consolidation in the future of the SOC.

[David Spark] All right. That’s a really, really good point to bring up, and thrilled that you did this analysis as well. Well, we’re going to jump into this conversation right now.

Is anyone happy with the solution?

2:59.561

[David Spark] Andrew Armstrong of ServiceNow said, “Industry still has a way too lopsided focus on detection versus response/remediation, and the AI automation SOAR tools on the right are only used by cybersecurity. At the end of the day, security needs connective tissue to work with IT on many response functions.

In many cases, you can increase the risk in automatically changing/responding to a security issue than the risk of the issue itself.” And Erik Bloch of REVSOC AI said, “I don’t think a modern platform solves any of the issues facing today’s SecOps and SOC teams. From my experience, how we have set up SOC and SecOps teams to begin with is broken.

From process to tooling, no platform can solve for that. Silver bullets do not exist.” I’m going to lean on Erik’s comment at the end there, Howard. I think people’s concerns are just the actual makeup of the SOC, and there are lots of great tools out there. It’s just maybe people just aren’t getting their processes in place.

Do you think that’s where the real issue is?

[Howard Holton] I don’t think it’s that simple, but I don’t think they’re wrong either.

[David Spark] Okay, I would agree with you on that statement. All right, go ahead.

[Howard Holton] So, effectively, right, you build a raft with the three components, right? It’s a triangle-shaped raft. Just ignore the physics of a triangle-shaped raft for a minute, right? But on each of the corners, you place people in one corner, process in another corner, and tools in another corner.

We are really, really, really good at buying a crap ton of tools. I think 52 is the average number of tools, security tools within an enterprise. So, that side of the raft, no matter what you do, that’s not going anywhere. It is sinking. We then go, “Well, okay, fine, you need more stuff. We’ll throw more people at it,” and process gets very, very, very little work.

Like, we set up some process, it was 10 or 12 years ago. We followed some framework thing, guide thing, analyst recommendation, right, called in a consultant, whatever. And then we probably didn’t do a whole lot to take a look at that and go, “Hey, is this modern?” The connection of all those things creates an operating model that we also give no attention to.

So, no matter what you do, if all you’re doing is concentrating on filling one of those as though they’re buckets and not a balanced raft, you’re just going to weight one side incorrectly and then drive straight to the bottom of the ocean.

[David Spark] I throw this to you, Francis, you talked about the balance as well. Where are you seeing the issues?

[Francis Odum] Yeah. So, I think even Howard, I love the way Howard thinks about it in terms of people, process, and tools, or technologies. And you still see fundamental problems across those areas. However, if we’re maybe even to dig into the process and the two components of this, when we look at the SOC, I have a breakdown for how I think about the SOC in a more highly simplistic model.

I mean, every enterprise is very different in terms of how they operate their SOC, but I have it in three major components where you have the data problem. So, you’re ingesting lots of data from lots of your multiple sources, your EDR tools, your identity, your network security and firewall tools. And companies and SOC analysts, quite frankly, have a lot of work that they have to do in terms of the pipeline work of ingesting all that information, all that data, having some type of enrichment and filtering process before they even push it out to the log.

And that first side of the data problem, there’s a lot of issues there, and there’s a lot of work, and there’s still lots of challenges that SOC analysts face.

[David Spark] Well, many vendors would argue with you that we do solve that problem. How solved is it?

[Francis Odum] It’s not solved, sadly, because it actually gets to the next point of the biggest problem, quite frankly, or one of the biggest problems in the SOC, amongst many, is the cost problem, the ingest cost. And you’ve heard this very well about large vendors. I won’t bring up any name.

[David Spark] I think we know which ones we’re talking about. We did an episode, by the way, called Camry Security because a lot of people sort of sell this Cadillac security theory. Not everybody needs to drive a Cadillac. Most of us are cool with the Toyota Camry.

[Francis Odum] 100%. Because that’s one of the biggest problems, just the cost; there’s so much in tools. I would say the average enterprise uses about 50 or so plus types of tools. And guess what? For every enterprise, every organization, there’s a compliance requirement for you to ingest and have all that data into one centralized location, into your SIEM.

And so, companies have to push that in. But the process of actually filtering all of those data sources into your destinations, which are your SIEM, it’s not as easy because the data is growing at one of the fastest paces ever. However, the core SIEM platforms that we have haven’t evolved their platforms, quite frankly, to fit in a huge inflow of this data.

And so what you have is companies are complaining of the cost, the ingest cost, the storage cost, the logging cost of these tools. And what we have in the industry is this dynamic whereby the big platforms have the benefit of ingesting lots of tools. They get a lot of money from the more tools they ingest.

However, the other guys’ companies are like, “Hey, we need to cut down on the cost.” And you’re seeing a lot of the data pipeline companies helping to solve that data problem on the left. So, to summarize this, I think what you have is you have multiple different conflicting odds of what different vendors want to aim for.

And platforms, even though they will pitch you that, “Hey, we’re going to solve all of this,” there’s still broken problems around data storage, and we haven’t even talked about the investigation and response side on the right, and I think that’s where we are in the industry today.

[Howard Holton] The fact is, we don’t look at it from the customer perspective. We look at it from the perspective of how do we make money. It’s the wrong way to look at it. This isn’t about solving a problem. It should be, but it’s not really about solving a problem, and we need to get to what are the problems.

How do we solve them? And how do we prove that the decisions that we make inside cyber are good investments for our company? And those things are not happening currently.

What needs to be considered?

9:11.166

[David Spark] Danny W. over at FinTech & Financial Funding said, “While there are some good moves by a few companies to consolidate, the reality is there are always compromises and gaps. The consolidation journey will always lead to less competition and failures with no easy way out. One main argument for consolidation is reduced administrative burden, but that does not usually work.” And he provided examples with vendors; it’s his opinion.

But he goes on to say, “Approaching the issue by identifying and grouping into a handful of areas that allow consolidation can be beneficial to reducing the stack, while still applying best of breed across a similar subset will provide more benefits and make it easier to switch vendors over time.”

And Yakir Golan of Kovrr said, “Some consolidation is definitely necessary. There’s no point in gathering all the data if it can’t be efficiently analyzed. At the same time, no single platform nor vendor will ever be able to ‘do it all,’ making cyber risk quantification an extremely valuable addition to the SOC.” So, I’ll go to you, Francis, because he references what you’re saying.

The issue is getting that information in so it can be efficiently analyzed, and that seems to be a problem right there. I mean, is that really holding up this whole conversation?

[Francis Odum] 100%. It always starts with the data. Everything starts from the data. If you get your processes right, pretty much from the data source, you pretty much could eliminate a lot of things down the process. But I love one of the key points that was mentioned there about, so I should maybe caveat or maybe step back a little bit and say, look, I’m all for simplification of the tool stack.

I ideally want a scenario or future whereby we have one person who could actually solve all of these multiple problems. Right? And the key point I was even trying to say is there are so many distinct problems that require best of breed. But hey, look, if someone comes up in the future to actually solve that and actually is able to provide a simplistic view that meets both operators and solves the real problem, I’m all for it.

But for my research and the folks that I talk to, the analysts, the SOC leaders, they’re telling me, “Look, there’s no one who really does this today, and these are the problems that we’re facing today,” and we don’t see that happening anytime soon. So, I’m all for that in the future.

I think another problem we also have to address is even just analyst experience. I mean, fundamentally, it’s the SOC analysts who use these tools day to day and who are facing a lot of these challenges. The false positive alerts, the whole wrangling the detection rules, the investigation and having to respond to these tools, and I think we don’t talk a lot about what their experience actually is managing through a lot of these things.

And I think eventually, whoever solves this problem has to meet them where they’re at precisely.

[David Spark] And this goes back to what you were saying, Howard, is they’re looking at it from how do I sell rather than what does the customer need? But then again, good salesperson and a good company tries to meet the customer where they’re at. So, where are we at?

[Howard Holton] I think there’s a fundamentally massive problem in this entire discussion, and that is it’s still a tools discussion. The reality is platforms don’t work when you don’t have an operating model that can deal with platforms.

[David Spark] This goes back to Erik Bloch’s comment earlier on saying that there’s a whole process messed up here.

[Howard Holton] But I think it’s more than that.

[David Spark] Yes. And by the way, we’re agreeing this problem is not simple.

[Howard Holton] But let’s look at EDR. Most fundamental tool, minus a spam filter, I guess, is probably EDR. If I have a platform that also does EDR, then there’s two issues. The first is that platform is going to be substantially more complicated, and my role as a security architect that’s in charge of the design and care and feeding of these things is substantially more complicated.

But also, the role of the people using the tool is more complicated. If your job is to look at the interface of the EDR and focus on endpoint, I can actually be fairly specific in your skill set, in your day-to-day tasks, and I can write an operating model, like a manual for you on how you do your job, that’s relatively constrained.

But if I take seven tools and collapse them down into one, what does that manual look like? What do those operations look like? What do those integrations look like? And how does that change your job? And am I at all remotely prepared for that as a team leader, as a business runner? I think we need to get there.

But fundamentally, we haven’t designed the entire team, the entire department, the entire organization to run with that model. Frankly, we haven’t designed it to run as a data model, which is fundamentally what it needs to be. The first place that we look is a tool. The fifth place we look is the data model.

[Francis Odum] Just to build upon that very quickly, one other thing I have also heard from lots of SOC leaders as well. I was speaking to one who led a really massive customer experience company the other day, and he also told me, “Look, there’s no standardized playbook in the industry to guide us through how we actually design that operating model for how a 2024 SOC should be.” It still feels like many companies are operating on the early 2000 or 2005 type SOC model built around just maybe firewalls and the like.

And so, to your point, I think there’s that broader industry conversation of what does that model look like, the processes we need to put in place, and then how do the tools and technologies kind of fit into that framework.

Sponsor – Palo Alto Networks

14:40.633

[David Spark] Before I go any further, I do want to tell you about Palo Alto Networks, and more importantly, their brand-new announcement, and that is Cortex Cloud. Let me set you up here. To play your best cyber defense, you need enterprise and cloud data within a single unified platform. Now, without AI-powered detections, rapid investigations, and the ability to respond or remediate at speed, well, security teams are left reacting to threats rather than outmaneuvering them.

Cortex Cloud by Palo Alto Networks rewrites the rules of engagement. As the world’s only code-to-cloud-to-SOC platform, it prevents cloud threats in real time with industry-leading runtime protection. This is what it’s all about here.

So, the rise of AI has accelerated cloud adoption, creating complexity that bogs down security teams. Cortex Cloud cuts through the noise by unifying the data, automating workflows, and delivering AI-driven insights that let you see, stop, and shut down attacks before they become headlines. Security shouldn’t be a patchwork of disconnected tools but built as an open platform.

Cortex Cloud is designed to integrate data from third-party tools to provide centralized visibility, full-context intelligence, and end-to-end remediation across the entire cloud ecosystem. You want to learn more about Cortex Cloud and how Palo Alto Networks is defining the code-to-cloud-to-SOC future through real-time security?

You’ve got to visit this site, paloaltonetworks.com/cortex/cloud. Remember, paloaltonetworks.com/cortex/cloud. Go check them out.

How can we automate this?

16:23.643

[David Spark] Ahmed Hamza of the University of Colorado, Boulder, CS Department said, “You can only really get these to work if they are intimately consolidated, even trained together, with the data science involved in some of the higher-level autonomous attempts. The results shown in vendor demos in analysis are based on the training on detections/EDR, and the results of the EDR/XDR demos are based on their tuning on telemetry, which is going to depend on what they used for data lakes.

They will not perform the same with different solutions or, really, different distributions with them.”

Omer Singer of Anvilogic just said, “All-in-one platform consolidation is incompatible with the widespread adoption of data lake technologies in the SOC.” Interested to know your takes on that, and I’ll go to you first on that, Howard, but let me first mention Jon Oltsik, who used to be an analyst himself.

“ESG has been suggesting SOAPA, security operations and analytics platform architecture, since 2016, along the same lines. The key is integration. I’d like to see standards to make this easier. Gartner is also on board with its cybersecurity mesh architecture, CSMA, and single-vendor platforms will work in the SMB market, as will MDR/MSSP services, but not the large enterprise.” So, I’ll start with you, Howard.

This take that Omer says, does data lake work with consolidation?

[Howard Holton] I mean, no, but that’s not necessarily a bad thing. The consolidation is just another data platform. Like if it’s Palo or CrowdStrike or whoever, it’s their data platform.

[David Spark] Why can’t I consolidate the data lake into whatever platform they’ve got, right?

[Howard Holton] That’s kind of where I’m going with it, right? Like you have to settle on one data platform in the SOC that is your record of authority, whether that’s CrowdStrike’s or Palo’s or an independent Snowflake for all I care, right? But none of that is actually the problem. The data lake isn’t the problem.

The problem is what do I do with the data? What value do I get from the data? And how do I align that to the people that I have? Walk into any SOC and get a tour, and what you’re going to see is, cool, you have 9,000 alerts. What are you doing with 9,000 alerts? Well, we get through about 30 a day. Cool.

So, why do you see 9,000 alerts? I don’t know. It’s not useful. It’s not helpful. It doesn’t make me feel better. It doesn’t lower my anxiety. It doesn’t make me feel like I’m doing my job well. How about if you just saw the 30 alerts that you should deal with? No platform does that today. None that I’m aware of, I’ll put it that way.

[David Spark] Well, one of the things that we brought up is if your SOC is only equipped to handle, let’s say, 50 alerts a day, just making up a number, and yet you’re pumping out 100, guess what? You’re going to have problems. Simple as that. It’s the easiest math you could possibly do.

[Howard Holton] The problem is it’s actually deeper than that. It’s not only the easiest math, but you’re always at a deficit. There is no SOC team I have ever seen that has zero alerts. None. Sure, if they turn all the systems off, they’ll get to zero alerts eventually, but no one that’s actively doing the job has zero alerts.

[David Spark] Also, if you have zero alerts, there’s something wrong with your SOC setup. [Laughter]

[Howard Holton] Correct. There’s 10 critical issues a day. There’s 10 new security alerts a day. So, you never have zero. But how do I know that the 100 that I can work on in a day or 10 or whatever the number is you’re working on today, how do I know those are the ones that I should be paying attention to?

Where’s the business context that tells me this is what I should be paying attention to?

[David Spark] That’s a key thing.

[Francis Odum] Exactly. And I love the fact that we haven’t even brought up AI or the whole AI in the SOC conversation around automation and whatnot because to the point we’re discussing, it all starts from the fidelity of those alerts and solving that data problem. Because I actually think if we solve that initial problem, like detection rules that are meant to flag this alert, if we get that fine-tuned better, if we have a much better model around behavioral analysis that helps us actually flag the most relevant alerts, guess what?

You could then, first of all, cut down on the number of alerts, and hey, if you cut down on the number of alerts to the most actionable, most important alerts that an analyst should be dealing with, that actually reduces the need for all of these automation-type solutions that we’re talking about.

Because a big part of why we are in a situation where everyone’s excited about AI SOC, and I’m not bashing any of those companies, is guess what? It’s because we’re getting thousands or hundreds of alerts, and guess what? Teams are just dying. They can’t keep up with these. And so, we’re trying to push this off to AI to help manage this.

But hey, guess what? How about we solve it? First of all, as we’re getting all this data from our sources and whatnot, EDR tools, our network-type tools, let’s flag the highest-fidelity alert. And that comes to building a better data model. And then, hey, we could cut down on the number. We’re always going to have alerts coming, but hey, you know what?

They could be the highest-fidelity cases. And then you’re pushing this out to your tier two, your tier three analysts who are doing more advanced investigation as needed, and then you’re cutting down on even how much you need to automate. So, actually, I do think it starts from there.

To your initial point about Omer Singer’s comments about with more data lakes in adoption, it’s harder to see an all-in-one platform. And that’s correct because the nature of the SOC, at least 2024, is companies still standardize on the SIEM because of compliance reasons. And companies are using things like data lakes like Snowflake, like Databricks, and some of these platforms for storage reasons because you get cheaper storage on those platforms.

And what’s happening is there’s a bifurcation of, hey, I still need to keep my Splunk or whatever, but I need to ship out some stuff to the data lake. But the problem is now you have different datasets going to different places and you don’t have a unified threat hunting across all of those to help inform whatever threat decision you’re making.

And so, to his point, I completely agree. As companies have multiple of these platforms, it’s really hard to see that consolidation all coming into one because you need to build rules for different tool sets.

What do most people think it is, and what’s the reality?

22:23.240

[David Spark] Cole Grolmus of Strategy of Security said, “This makes me think of a famous Jim Barksdale, former CEO of Netscape, who said, ‘There’s only two ways I know to make money, bundling and unbundling.’ We call bundling different things, and that’s what is happening here. I think the market feels confusing because bundling and unbundling are happening at the same time.” Cole goes on to say, “The large cohort of companies is trying to make money from bundling the security operations domain.

The early-stage companies are trying to make money from unbundling components of the SIEM.”

And Jay Davey of Planet said, “Even this won’t solve alert fatigue. In fact, technology won’t solve it. It starts further downstream and in line processes.” Going back to what we said at the very beginning. So, I’m going to start with you again, Howard, in that this is confusing. Both sides are trying to sell their unique take on this that it’s the better way to do it, isn’t it?

And that’s what’s throwing everybody. And this is something we’re bringing up. Is this a false dichotomy?

[Howard Holton] It’s absolutely a false dichotomy because the problem isn’t we have a platform. We don’t have a platform. The problem isn’t we have a bunch of tools; we have one tool. The problem fundamentally is none of the tools, none of the platforms address the things that I need to address. Give me the best platform in the world.

Now show me the interface that tells me how to report to the board whether I’m successful at my job or not. Oh, it doesn’t exist. Cool. Then I need to. Can’t have one platform, got to have two then.

[David Spark] [Laughter]

[Howard Holton] Show me the one that takes into consideration context about my business so that I am focused on the right thing. Oh, well, it’s missing 278 other features that I need. Okay, so I can’t have that as the one thing. The second I have two tools, now I have two records of authority. Three tools is three records of authority and four is four, which means I can’t ignore automation, I can’t ignore integration, I can’t ignore artificial intelligence.

The reality is we have to fundamentally think about cyber differently as cyber leaders and force vendors to address the needs of the organization and not, “We came up with a cool tool.” There’s too much cool tooling in cyber.

[David Spark] I think what you said is how do business priorities get attached to the SOC? Are we seeing any of this, Francis?

[Francis Odum] No.

[Laughter]

[David Spark] No, I don’t think there are. I mean, I’m just throwing it out there. I don’t think there are, but has anyone?

[Howard Holton] Well, look at how the tools are made. The tools are made because an engineer worked at a company, whether it’s a vendor and they started another company or they worked as an end user, as an analyst, or an engineer and went, “I have a better mousetrap as an engineer.” Cool. Engineers have no idea how to solve business problems.

It’s not their job. The number of CISOs that go, “You know what? I’m going to go get back in front of the keyboard. I’m going to start with whatever development framework, and I’m going to build a tool,” is relatively small. And all these companies, when they add a CISO, they add a CISO way late. Also, the CISO is the least business-focused C-level executive, C-titled executive.

Most of them are director level, which is another problem we should discuss on another podcast and throw things because it’s a terrible thing.

[Francis Odum] And even just to build upon that, I mean the fundamental problem, at least how I look at it and based off the experts I speak to in the SOC, which is like beyond tooling, is generally about maybe four problems you want to solve. Number one is how do I keep my company enterprise business safe following the triad model, right?

Continuity, integrity, and availability. How do I make sure? That means making sure you have good monitoring processes in place, making sure you’re detecting whatever threats are to your environment, and having appropriate response controls. Second thing is just keeping costs down, right? Every enterprise has budget constraints, and every tool is fighting for each.

Keeping costs down is an outcome. Number three is making sure the people, right, like fixing the same people problem, it’s fundamentally a lot. How do we make that simplified for security professionals? And lastly, to Howard’s point, meeting those business outcomes at the fundamental level.

Those are the three – safety, cost, the team or the people behind these, and meeting business outcomes or objectives. Fundamentally, whatever types of tools or technologies that we have in the industry need to solve those fundamental basic problems in security operations. And I think that should be the bigger question.

And how do we build a process or model that brings the people side and the tooling part together is really where we need to go as an industry.

[David Spark] Very good.

Closing

26:59.098

[David Spark] And that brings us to the portion of the show where I’m going to ask both of you, but I’m going to start with you, Francis, which quote out of all these quotes was your favorite and why?

[Francis Odum] I think going back to Cole Grolmus’ comment, I think that’s just a good way of describing where we’re at today.

[David Spark] Both are trying to make money, bundling and unbundling, which was quoting the Netscape CEO.

[Francis Odum] That’s the dilemma. That’s the fight. Every industry goes through this wave because early 2021, when the economy was going through a dip, 2022, right? Well, actually, let’s go back, 2020 explosion of COVID and then the economy started to deepen in terms of, oh, we’ve got to bond. Defensive conversation is number one, right?

And then now we’re kind of at this stage where we’re seeing that unbundling because again, people problems, process problems, and technology and tooling processes haven’t been really put in. So, I do think we’re constantly going through this bundling versus unbundling, and I always say predictions are hard to make, but that’s just the state of where we’re at, and I think that quote really does describe it.

And you have this also dynamic between the vent latch [Phonetic 00:28:02] platforms versus the emerging startups you have, and then fundamentally the dichotomy between both vendors as well as what operators are actually looking for, and I think we need to all come together to some centralized model.

[David Spark] All come together. All right. I’m with you on that. Howard, your favorite quote and why?

[Howard Holton] Do I have to pick a different one? Because that was my favorite quote.

[David Spark] Well, you can agree with that. Yes, you can agree with it. It was a good quote.

[Howard Holton] It’s a good quote because it gets to the undercurrent, which is there are two ways to make money, not listening to the customer doing what you want and not listening to the customer doing what you want. Like, that’s what I took from it. The reality is it wasn’t a problem. Cybersecurity wasn’t not solved because we didn’t have platforms.

So, platforms aren’t going to solve it.

[David Spark] I will say this. It’s a simple concept to understand, but the way it has historically, and we did not hit the historic ways that this has been sold to us, which is the platformization solves the integration problem.

[Howard Holton] Mmm, maybe.

[David Spark] Maybe not. Best of breed, you get the best solution. And it was sold to us very black and white and simplistically. And as we have discovered from your research, Francis, and this discussion now, far from simple.

[Howard Holton] Well, I mean, also, okay, you call it a platform, but how many of those tools did you acquire, and how many of those tools did you actually build? How many of those tools that you built did you actually build using the same fundamental development structures, development ideals, right?

How much is it an actual unified architecture versus how much of it is glues and staples with an interface that you built to layer it all together? I’m not saying that that makes it terrible by any means, right? But it also means the definition of the term platform in this industry is so incredibly fungible.

And at some point, the reality is, are we doing cybersecurity just wrong, and no matter how much of this we do, we’re not going to fix it? In which case, at what point do we pause, stop in our organizations, and go, “Hey, our plan is actually an entirely new strategy”? We’re going to build an organization within an organization.

We’re going to run this looking through the lens of modern threats, looking through the lens of modern capabilities, looking through the lens of modern offense because it’s an offense versus defense, and it’s an unequal playing field. Are we going to address these issues correctly, and are we going to do it as an industry?

Or are we going to continue to kind of play the back-and-forth game?

[David Spark] All right, well, that brings us to the very end of the show. I want to thank our sponsor Palo Alto Networks, with their brand-new Cortex Cloud, defining the code-to-cloud-to-SOC future through real-time security. Go check out their website, visit them at paloaltonetworks.com/cortex/cloud.

Remember, that’s paloaltonetworks.com/cortex/cloud. I want to thank both Howard and Francis. Howard is with GigaOm. He’s the CTO. They are a research outfit themselves. They do awesome stuff. It is actually very, very affordable and they do pump out some pretty amazing research. So, if you’re not reading and consuming great analysis by GigaOm, you should be.

And also, Francis does the same darn thing over at the Software Analyst Cybersecurity Research. Anything you would like to plug about your organization, Francis?

[Francis Odum] Yeah, no, thank you again for having me. But primarily, you could find my research at the softwareanalyst.substack.com, or you could find me at Francis Odum. I generally put out my research there in public. And then if individual vendors want to work together on putting individual company-specific type reports on one of these categories or topics, always happy to have that conversation.

Feel free to reach out.

[David Spark] Awesome. That is awesome. Well, I want to, as always, thank our audience. We greatly appreciate your contributions and for listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.

If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.