RSA 2020 and the Future of Cybersecurity Platforms: A Podcast with eSentire’s Chris Braden

On this episode of Early Adopter Research’s (EAR) Designing Enterprise Platforms podcast, Dan Woods spoke with Chris Braden from eSentire. Braden is the head of channels and alliances at the company. He spoke about Woods’ research questions at RSA 2020, which included:

  • What’s blocking comprehensive platforms for cybersecurity? 
  • Have platforms in cybersecurity been slower to develop than in other domains? 
  • Why has the rise in point solutions been so broad and persistent in cybersecurity? 
  • Are we entering a phase in which broad platforms will emerge and take more of the share of spending? And if not, how will all the point solutions be made to work together?

Their conversation covered these questions as well as:

1:30 – eSentire’s approach to cybersecurity
13:00 – What makes developing platforms for cybersecurity different and how point solutions must work together
19:00 – The challenges of integrating endpoint solutions

This is an edited version of their conversation, which can be heard in full on the podcast. 

Woods: The eSentire fabric is called managed detection and response or MDR. What is this adaptive threat fabric that you’ve developed?

Braden: eSentire is a managed detection and response service offering. It’s managed security as a solution. It’s comprised of four core components in our product portfolio that enable us to generate data from different points within a customer’s network or their IT infrastructure, bring that data back to our SOC, or security operations center, where we use a combination of AI and machine learning protocols, along with about 100 security analysts. We process a massive amount of data using the AI and machine learning protocols, and there we look for what we call indicators of compromise. When we believe that we have detected the presence of a potential breach, we’re able to engage the R component of MDR, which is response. We’re able to identify a potential breach and then we can actually contain that breach, freeze it in its tracks, and limit it to one or two devices.

So you all are looking at the entire landscape of cybersecurity as, essentially, a platform that you can both learn from in terms of harvesting data, but then also control and react to an event if something happens.

That’s right.

Have platforms in cybersecurity been slower to develop than other domains? If you go to other enterprise software domains, there are often at least six platform vendors who control the whole market and then niche products that fit in. Why do you think it’s the opposite in cybersecurity?

I don’t know if it’s the opposite. It’s more just where we are as a snapshot in the evolution of the industry. A lot of those other industries have been around longer, and as a natural consequence of their evolution, we see the development of platforms. If you look at an example of those large software platforms, like Oracle, they started with the finance role and then there was an explosion of three-letter acronyms: CRM and SCM. Then eventually, Oracle and E-Business Suite, and SAP brought those into this larger, somewhat integrated umbrella.

If you go back to the beginning, before SAP became what they are today, you start with a lot of point solutions. And the evolution of the model and point solutions led to the development of a platform. But it was typically a platform that accomplished a single purpose. Think of software as a service. Over time, you’re able to add another capability to that platform. From there, the platform grows from a single use case into something that’s much more comprehensive and addresses a wider array of use cases.

Sometimes this happens through acquisition and so it’s not uncommon to see an SAP or an Oracle acquire a company that’s got a particular capability that they desire. Part of the vetting in that process, on the technical side, is to understand, can we take a technology that comprises the current solution that we’re looking at as a potential acquisition target and modify it or develop our way into adding that to our platform? And so over time, you get something that started as a catalyst from a single platform and grew into multiple platforms that now address a much more comprehensive array of challenges or solve a comprehensive array of problems in the IT space.

But it just hasn’t happened as fast in cybersecurity. If you look at the ratio of companies, we’ve got massive growth in point solutions in cybersecurity but a longer phase of point solution growth and dominance than there has been in other realms. So why has the rise in point solutions been so broad and persistent? Would you argue that it hasn’t?

I would argue that it’s just a reflection of where we are as a point in time. And I don’t disagree with you that it’s been slower to develop in cybersecurity than perhaps in other industries. One of the first reasons is that in cybersecurity, unlike in many other industries, you actually have threat actors that are working against you to thwart what you’re building. There’s an inherent complexity that you don’t see in other areas of IT. You may have organizations that are fully on board and aligned with the idea of developing a platform that solves a broad array of problems, but no one is really working actively against it the way that you see threat actors in the cybersecurity space.

What you’re arguing is that the point solutions are forced into existence because any white space that’s out there gets attacked, while in ERP if there’s white space, several people just use spreadsheets to deal with it or create custom apps or whatever. 

Yes. And I think the second component that factors into this is there’s a relative lack of standardization in the cybersecurity space relative to what you see in other IT spaces. As a result, you see a lot of point solutions, but there really isn’t a larger, overall standards body that ensures that the data that’s being collected and aggregated and the way that that data is transmitted and communicated does so in a standard format. As a result, when you look to take a number of these different point solutions and combine them into a broader, overarching platform, you run into challenges around APIs and data formatting, data structure, and metadata.

Are we entering a phase in which broad platforms will emerge and take more of the share of spending? 

I think so. There is a challenge in delivering that. We may be entering a phase in which platforms will emerge and take more of a share of the spending. I think broad platforms are going to be a challenge. But I do think that we will see a rise in platforms. When you look at some of the challenges facing the cyber industry today, as a company that’s looking to protect itself by employing technology, they’ve got a series of challenges that most companies face. When you deploy security technology, what gets generated is often a massive amount of data. So you have a data processing problem on your hands. A second challenge that you’re facing is time. You don’t have a tremendous amount of time in which to act upon this amount of data that you’re generating. Many cyber-attacks are over in less than 25 hours and they’re often very discreet. The fastest ransomware today can operationalize in as little as six seconds. Then you add in the fact that a lot of this data is coming in different formats and a lot of these platforms or these solutions lack something like an API interface to enable you to easily and simply ingest this data into this dashboard that you’re theoretically creating with a platform. Finally, another challenge that you have is the lack of a skilled workforce. There are just not enough skilled security people to go around to be able to operate and drive all of this different technology. Particularly in the midmarket sector, there’s about 350,000 open headcount in the United States for people with security skills. The unemployment rate in security spaces is virtually almost zero. You’ve got a challenge with not only being able to implement the technology effectively and to do it against this construct of data and time, but then the people that are actually available to be able to utilize the technology and drive it forward are often hard to come by. When you do come by them, they’re even harder to retain.

So if you could make a platform, it’d be valuable because it would solve many of those problems, correct? 

You have to solve all of those problems. You’d certainly have to solve the data interconnect problem. You also have another paradigm in cybersecurity that you don’t have, typically, in other IT-based industries, which is most IT-based industries are looking to either reduce cost as an output of their product or increase efficiency and therefore generate better margins for their customers. Cybersecurity space is about the absence of loss, you’re trying to negate a negative. So you don’t often see the ability to translate that into an ROI at the board level when budgets are being set. It’s the absence of a loss as opposed to reducing cost and creating greater efficiencies and greater profitability for your company. That’s a conversation that the board level in the United States and companies really needs to start to get their head around. And they’re going in that direction, but it’s not quite there yet. It’s a different paradigm.

If it’s going to be hard for a platform to emerge, then how will all the point solutions be made to work together? For instance, your managed detection and response platform. You said earlier that eSentire’s managed detection and response platform is about integrating all the data, harvesting it from all the different points, and creating a model that has various levels of maturity. It sounds like what you’re arguing is your adaptive threat fabric is a substantial step toward an integrated view of the landscape and that you could consider it a platform in that it delivers a lot of the unified information, ability to orchestrate a response, automation and analytics, and reporting, that we’ve talked about a platform needing.

I think MDR gets further than anything else we’ve seen in the security industry towards becoming a true platform. But it still lacks a unified pane of glass. Even to pull this off, we need over 100 SOC analysts that are trained in-house and that are adept at using our AI and machine learning protocols to process this massive amount of data. When we look at something like the adaptive threat fabric, it’s really a concept, it’s not literally a security fabric. The concept is that no matter what the customer’s environment is shaped like, whether it’s heavily reliant on traditional IT networking and therefore it’s full of firewalls, or if it’s more of a cloud-driven model, or it’s a hybrid model, we’ve got the ability using our four basic services to be able to cover that unique environment that every customer necessarily represents. And so it’s a type of a solution. Maybe an analogy would be a bulletproof fabric, as opposed to a shield or a helmet; you’ve got this Kevlar material that you can actually weave and create into a vest and it can become much more adaptive to the shape of the person that’s employing it for protection.

It seems like implicit to what you’re saying is the MDR product, the M is really important, in that you are not delivering this integrated environment to the customer so they can run it. Part of your product is actually the people who are running it.

Yes, that’s correct.

This is different than other enterprise domains, in that most of them don’t have people running it. Instead, they actually hand you that so that you can run it.

That’s right. They create an efficiency that makes it easier for their customers to run a solution. Think software as a service — you still need somebody to manage it within the customer environment. The customer needs those people to be able to do that, but they probably need far fewer of them than if they were to deploy a locally-based solution with software on physical hardware. Whereas we look at a managed security solution, when we look at all those point products, each of them creates a challenge, in and of themselves, which is you still need the IT people with the skilled security, with the security skills rather, to be able to operate that technology. They’ve got to be able to implement it, they’ve got to adjust the settings, there’s a lot of maintenance that goes on with it beyond just provisioning. And then they have to be able to take that data and use that data to conduct something like threat hunting in order to protect their company.

The boundary of your MDR offering is not that you want all the point solutions for somebody, but you integrate all the data from them and then report on incidents and then either, if you can directly control those systems, use them to stop a response or you could tell somebody else to do so.

That’s right. There are a lot of elements of the security infrastructure that we don’t manage for our clients — like firewalls, identity access management, dual factor authentication. We can provide valuable and meaningful data on how they could be managed differently, but we don’t manage them today. So, with our network sensor solution which sits behind somebody’s firewall and sees other data going through a firewall, there’s an element of managing the endpoint to be sure, but we’re not just providing an outsourced management of somebody’s endpoint capability. We work with Carbon Black and with CrowdStrike on this because those are the two leading EDR, or endpoint detection and response, products. Those are products that enable us to pull rich and meaningful data back from the client’s environment that we can then process with AI and machine learning.

So you must worry about the integration between your capabilities and their capabilities. I’ve heard platform vendors argue that unless you have that inside umbrella of one company, you rarely expose enough data or enough automation capability in a publicly available API in order to get the job done. Do you guys find that you’re frustrated a lot because the APIs that you have to work with don’t give you all the data that you would want and the ability to automate a response?

No, we’re not frustrated, by any means. The industry is what it is, and you’ve got to work within those constraints. We do see APIs with some of the security technology that’s out there. We connect into Sumo Logic’s technology and that was part of the reason for us selecting Sumo Logic for our esLOG+ solution — they already had ready-made APIs to a lot of the leading security technologies that are available today. But when we look at endpoint technology, there’s only two providers that we’re working with today where we can ingest our data. If somebody else has another endpoint solution as a prospective client that’s already in place, we’re not going to be able to ingest their endpoint data because we don’t have a serial bus interface for all the different endpoint providers that are out there. And the process of selecting an endpoint provider to work with, like we did with Carbon Black and then again CrowdStrike, part of that is understanding what the development requirement is to be able to ingest that data into our SOC.

What are the major systems that you draw from in your MDR offering? 

The primary data that we ingest in the majority of our customers is from the network sensor solution; it’s called esNETWORK. And that’s a piece of proprietary technology that we developed as a form of software. It sits on commercial third-party, off-the-shelf hardware, and that sits next to somebody’s firewall. It’s looking at the data, the traffic that’s already gotten through the firewall. We want to look at what’s getting through that firewall and then, by proxy, what’s also going outbound through an egress mode through the firewall. We take the metadata of that and we send it back to our SOC. We have a number of customers also using the endpoint solution. That’s additive to the network — the endpoint solution would get a lot of access to data before it’s going to make its way to the network. Potentially we’re significantly shortening our time to a recognition of an indicator of compromise and our ability to solve it because it’s exponentially faster. And then we can also pull in content like login data from applications that may be sitting in the cloud. This is the esCLOUD solution that we employ. That gives us the ability to work with things like Azure, Google, AWS, as well as other environments like Office 365. The ability to pull the software as a service login data back into our SOC to conduct real time threat hunting on it enables us to look at more than just network and endpoint data. We’ve got the ability to generate rich data from other security solutions that are out there and from other non-security driven platforms.

You’ve essentially created your own universal network examination layer.

Yes. What we’re really doing with the network traffic is looking at the metadata. We don’t export the actual data itself anywhere. It’s the metadata, which is a descriptive language that tells us what the traffic actually is. And that enables us to tune the network sensors so that we can ignore legitimate traffic that’s going out on a regular basis for the customer and start to look at the things that stand out as not normal. And based on that, we’re enabled to take a zero-trust approach. What’s so interesting about the network sensor is that it’s not an inline solution, so it doesn’t disrupt live production environment traffic. That’s been one of the challenges historically with network sensors: they are inline necessarily by the design and as a result, because they disrupt live production environment traffic, they’re only able to be employed on weekends or weeknights or holidays. It’s not often when you’re necessarily able to find all of the threats that you’re looking for.

Do you actually take control of the firewalls and tell people? 

The answer is we can do either. We don’t necessarily take control of the firewalls, but what we do is block the signal from a piece of malware or a virus, for example, from getting back to that access. We’ve got a couple of different basic IP tools that we use to tell people what IPs to block. It depends on what the customer wants. We have some customers who say, “If you see something that’s suspicious or malicious, stop it, stop everything, and then let us know.” And we have others, and sometimes it’s driven by vertical who say, “I don’t want you touching anything on my network, you let me know, and then we’ll be the ones who can act on it.” And then we have others who say, “We’re somewhere in-between, if it’s between normal business hours then just notify us and we’ll act on it. Outside of normal business hours or on weekends, we want you to stop it and then notify us.” Or it may be that what we’re seeing needs to meet a particular profile, “Stop what looks like this profile, for everything else, just notify us so that we can act upon it.”

Got it. This has been a really good podcast. I especially like that idea about the hackers playing a helpful role in driving aggressive point solution growth. Thank you.