Platform of Platforms

Recently, Palo Alto Networks (PANW) released a platform strategy that was widely panned in the security industry. The prevailing view (which I share) is that no sane CISO would rip out their existing best-of-breed security products to go all in on Palo Alto’s platform.
Palo Alto is not the first to try this strategy. Cisco (CSCO), Symantec, and McAfee all tried, and all failed at building a platform of security products. Microsoft (MSFT) appears to be pursuing a similar path, albeit more discreetly.
PANW’s strategy may be flawed, but the idea is not.
PANW correctly identifies that companies can benefit from a single, unified interface for security monitoring and management. However, their approach is misguided.
PANW is building a Platform for Products. The PANW platform only manages PANW products, which makes it inherently limited and constraining.
What the security industry really needs is a Platform of Platforms (PoP).
What is a Platform of Platforms?
In an ideal world, cybersecurity teams would have a single portal where they could go to interact with their entire information security environment. This is a Platform of Platforms. A PoP would not necessarily manage every aspect of all those disparate products, but rather provide a simplified way to see their status, access key data, and perform routine functions. A PoP unites the entire security infrastructure into a single portal.
With a PoP, security teams could integrate any security product, whether it is PANW, Cisco, Wiz, Crowdstrike, etc. into the platform. Those products would then publish a set of capabilities to the platform.
For example, the PoP would not manage an endpoint security product like SentinelOne. Yet it could show a list of unsecured endpoints along with other useful reports, such as malware blocked. It might also perform some common management functions, like kicking off a network-wide scan or searching for a specific file hash.
The PoP is a window into endpoint security, but it does not replace SentinelOne’s native management tools.
Now before you dismiss this idea, have you looked at ServiceNow or SalesForce lately? They are essentially PoPs.
PoP Drop
Naturally, you are shaking your head saying this is impossible. Ten years ago, the management portals companies built for their products were completely closed. Now everybody uses an API, and those APIs are published (some publicly). APIs are insanely powerful. They open up a product’s possibilities in ways most vendors cannot even imagine.
PoPs could use these APIs to interact with each product, to obtain data and execute functions. SIEM and XDR platforms have been building huge databases of functionality to accommodate a vast library of third-party tools. A PoP would only be slightly more complex than those efforts. Moreover, this is exactly the kind of problem AI could help solve.
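The capability-publishing model described above (products publish reports and actions, and the PoP only aggregates and dispatches what is published), as an added sketch that is not from the original post or any vendor. The endpoint inventory, the product adapters, and the action names are constructed for illustration and do not correspond to any real product API.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed sample inventory for a hypothetical endpoint product (not a real vendor API).
ENDPOINTS = [
    {"host": "ws-01", "agent": True, "blocked": 3, "hashes": {"aa11", "bb22"}},
    {"host": "ws-02", "agent": False, "blocked": 0, "hashes": set()},
    {"host": "srv-09", "agent": True, "blocked": 12, "hashes": {"cc33"}},
]


@dataclass
class Capabilities:
    """What a product publishes to the PoP: read-only reports and side-effecting actions."""
    reports: Dict[str, Callable[[], object]] = field(default_factory=dict)
    actions: Dict[str, Callable[..., object]] = field(default_factory=dict)


def endpoint_product() -> Capabilities:
    """Adapter for the hypothetical endpoint product; in practice it would wrap the native API."""
    caps = Capabilities()
    caps.reports["unsecured_endpoints"] = lambda: [e["host"] for e in ENDPOINTS if not e["agent"]]
    caps.reports["malware_blocked"] = lambda: sum(e["blocked"] for e in ENDPOINTS)
    caps.actions["search_hash"] = lambda h: [e["host"] for e in ENDPOINTS if h in e["hashes"]]
    caps.actions["network_scan"] = lambda: f"scan queued for {len(ENDPOINTS)} endpoints"
    return caps


def firewall_product() -> Capabilities:
    """A second vendor's adapter that publishes a report but no actions (constructed figure)."""
    caps = Capabilities()
    caps.reports["blocked_connections"] = lambda: 4821
    return caps


class PlatformOfPlatforms:
    def __init__(self) -> None:
        self.products: Dict[str, Capabilities] = {}
        self.audit: List[str] = []  # every dispatch decision is recorded for review

    def register(self, name: str, caps: Capabilities) -> None:
        self.products[name] = caps

    def dashboard(self) -> Dict[str, Dict[str, object]]:
        """Aggregate every published report across all products: the single portal view."""
        return {p: {r: fn() for r, fn in c.reports.items()} for p, c in self.products.items()}

    def run(self, product: str, action: str, actor: str, *args):
        """Dispatch only actions the product has published; refuse and log anything else."""
        caps = self.products[product]
        if action not in caps.actions:
            self.audit.append(f"DENY {actor} {product}.{action}")
            raise PermissionError(f"{product} does not publish action {action!r}")
        self.audit.append(f"ALLOW {actor} {product}.{action}")
        return caps.actions[action](*args)
```

Adding a vendor means writing one adapter; the portal, the audit trail and the refusal of unpublished actions stay the same for every product.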
Sounds like a SIEM
SIEMs are the closest relative to a PoP. The challenge with SIEMs is that they are focused exclusively on managing data from products. A PoP would go a step further and actually interact with a product’s native API. However, a SIEM would make a logical starting point for building a PoP. Some of the larger SIEM products are rapidly approaching PoP-like functionality.
Who Runs PoP Town?
Naturally, the question is who owns or runs this PoP. No single security vendor could do this. Building a PoP would require a company with vast resources and a reasonably neutral position to the vast set of security products on the market.
This is why PANW’s platform is unlikely to succeed. It demands you buy completely into the Cult of Palo Alto Networks. PANW is not going to build a platform that enables customers to not use PANW products.
The obvious answer to who could do this is the cloud service providers: AWS, Microsoft, and GCP. They have the resources and are reasonably neutral to security products. AWS is already partially there with their Security Hub product. Azure has a security console now, but it is a clunky mess. And GCP has not been acquiring security companies for fun. They obviously have big ideas as well.
A PoP was part of my own vision for a product years ago. I envisioned a platform that could not only build itself but configure a disparate set of tools and provide a single management interface. My vision was too big for my funding, so I downgraded it into a compliance product.
PoP Benefits
The single greatest challenge in cybersecurity is, and always has been, complexity. The more complex a system is, the more difficult it is to protect. Modern enterprise environments are insanely complex, and therefore insanely complex to secure.
The ultimate purpose of a PoP is to create a simpler, more streamlined way to interact with the security architecture: a single place where a diverse group of people, from leadership down to operations, can access and interact with the security environment.
A PoP would not replace existing management consoles. Those would still have a place in a PoP environment. There are plenty of use-cases where administrators would need to drop down into a native console to perform administrative functions.
I fully admit that a PoP is a bit of a pipe-dream at this point. The effort necessary to build a viable, working PoP is extreme. However, this is yet another way that cloud providers could continue their consumption of the security industry (see Cloud Eats Security).
NOTE: Since writing this blog in February of 2024, I have started seeing actual products making a run at this concept. These technologies are still nascent, but they are evolving quickly.
This article originally appeared on the Zenaciti Blog: https://zenaciti.com/platform-of-platforms/