Marketectures are not what the Client Needs


The security reference architecture document recently released by Microsoft is a glaring indictment of where the cyber security industry is in 2021: a sprawling cityscape of vendors spruiking their "better mouse traps" (thanks Bryan).

Organisations have massive spaghetti junctions of interconnecting applications, services, users and platforms. 

Familiar with the map below? This was my life for years; in some cases I was getting on and off between Tube stops that were literally 200 metres apart above ground, because I did not realise! Around a corner, of course!

[Image: The London Tube map as seen by millions of commuters]

[Image: The real London Tube map]

[Image: The Microsoft Cybersecurity Reference Architecture]

[Image: The real Microsoft Cybersecurity Architecture (I kid!)]

The London Tube map and the Microsoft reference document are closely related, in that both are attempts to make the complex look palatable to their respective audiences: commuters for the Tube map, and architects for the Microsoft document.

Microsoft Cybersecurity Reference Architectures – Security documentation | Microsoft Docs

This reference architecture document is over 50 pages long, with no "how to", lots of Microsoft Visio diagrams and plenty of "Marketecture".

There is also some good information contained within its pages.


Q: Many vendors are guilty of exactly what the image above shows. What if the client simply wants to improve their cybersecurity and reduce their risk of a breach?

A: Take one concrete threat. Which products in the reference architecture are actually necessary to protect against a lateral movement attack?

  • Defender for Office 365
  • Defender for Endpoint
  • Azure AD Identity Protection
  • Microsoft Cloud App Security
  • Azure Sentinel
  • Azure Defender
  • Defender for Identity

Feel free to correct me

That is seven products! Seven!

  1. Several products overlap in functionality.
  2. Several products are not integrated: separate management portals, different GPOs, and different, overlapping rule sets.
  3. Some of these products require their own agents, meaning multiple agents on each endpoint. Multiple agents mean conflicts, as well as the same telemetry being collected and sent to the SIEM/SOAR more than once.
  4. Integration with the SIEM/SOAR is not a simple one-line connector task; perhaps you need a third party here?
  5. Correlating the telemetry from all seven data sources is not easy, and the human effort of managing them is insanely complex.
  6. Many of these products are billed separately, and the business is left asking: what do I actually need to do to be secure?

In summary, none of this helps the business leaders in an organisation fix their cyber security issues, and none of it maps back to best practice or to the protection an organisation actually needs based on what that organisation must do to be secure.

This type of material also does not help technical consultants and security operations staff translate the language to board level, where they need to get buy-in.

Microsoft is not the worst offender here. Most large vendors have their own complex marketectures that do not help the business address its risk profile, and instead help the vendor sell a solution that the customer may not be able to implement successfully, or even use correctly.

The cyber security industry needs to rapidly embrace the internationally available, true cyber security frameworks (such as the NIST Cybersecurity Framework, ISO/IEC 27001 or the ACSC Essential Eight): architectures developed by organisations and nations that do not have a product to sell.

To do this, the vendor industry needs to understand what the objective is for a business or organisation, and provide informative insight into how the vendor's solution resolves the client's problem.

You know when we in sales struggle to give a price to a customer? Me too. Know why? Because when we do not understand the value of what we can do to solve the customer's problem, we have not listened to the customer's problem well enough to understand the why.

The reason that almost all cyber security budget requests are rejected is simple: the cost/risk/effort benefit was not apparent to the decision maker.

The client needs to know that what the vendor is providing actually gives the business value by reducing more risk than the cost of solving the problem. The vendor or reseller needs to be able to map any solution to something that is understandable and tangible to those outside the cyber security specialisation.

To do this as an industry, we must listen to the client to understand what is most important to them before "pitching", and then adopt an approach that a SecOps person can translate for their management as a risk/cost/effort proposal relating to a real threat to their organisation. Otherwise we are simply selling snake oil in the 1800s.
