Platform of Platforms

Recently, Richard Stiennon took Palo Alto Networks (PANW) to task for extolling the virtue of their security platform.  If you missed this, it is a great article with Stiennon’s classic insight and wit:

Stiennon is right to criticize PANW’s platform strategy.  As Stiennon correctly states, “No CISO in the world is going rip out Wiz or Orca because their hardware appliance vendor has a similar product on sale.”  PANW is also not the first to try the platform approach.  Cisco (CSCO), Symantec, and McAfee all tried and all failed.  Microsoft (MSFT) is trying the platform strategy as well right now.

It is a flawed strategy. However, it is not a flawed idea.

PANW is right that security people need a single platform.  Where they are wrong is how they are doing it.

PANW is building a Platform for Products. The PANW platform only manages PANW products, which makes it inherently limited. This is flawed.

What they should be building is a Platform of Platforms (PoP). 

What is a Platform of Platforms?

In an ideal world, cybersecurity teams would have a single portal where they could go to interact with their entire information security environment.  This is a Platform of Platforms.  A PoP would not necessarily manage every aspect of all those disparate products, but rather provide a simplified way to see their status, access key data, and perform routine functions.  A PoP unites the entire security infrastructure into a single portal.

With a PoP, security teams could integrate any security product, whether it is PANW, Cisco, Wiz, Crowdstrike, etc. into the platform.  Those products would then publish a set of capabilities to the platform.

For example, the PoP would not manage an endpoint security product like Sentinel One.  Yet, it could show a list of endpoints not secured along with other useful reports, such as malware blocked.  It might also perform some common management functions, like kicking off a network-wide scan or search for a specific file-hash value.

The PoP is a window into endpoint security, but does not replace Sentinel One’s native management tools.

Now before you dismiss this idea, have you looked at ServiceNow or SalesForce lately?  They are essentially PoPs.

PoP Drop

Naturally, you are shaking your head saying this is impossible.  Ten years ago the management portals companies built for their products were completely closed.  Now everybody uses an API, and those APIs are published (some publicly.)  APIs are insanely powerful.  They open up a product’s possibilities in ways most vendors cannot even imagine.

PoPs could use these APIs to interact with each product, to obtain data and execute functions.  SIEM and XDR platforms have been building huge databases of functionality to accommodate a vast library of third party tools.  This effort would only be slightly more complex than those efforts.  Moreover, this is exactly the kind of problem AI could help solve.

Sounds like a SIEM

SIEMs are the closest relative to a PoP.  The challenge with SIEMs is that they are focused exclusively on managing data from products.   A PoP would go a step further to actually interact with a product’s native API.  However, a SIEM would make a logical starting point to build a PoP.  Some of the larger SIEM products are rapidly approaching a PoP-like functionality.

Who Runs PoP Town?

Naturally, the question is who owns or runs this PoP.  No single security vendor could do this.  Building a PoP would require a company with vast resources and a reasonably neutral position to the vast set of security products on the market.

This is why PANW’s platform is unlikely to succeed.  It demands you buy completely into the Cult of Palo Alto Networks.  PANW is not going to build a platform that enables customers to not use PANW products.

The obvious answer to who could do this is the cloud service providers: AWS, Microsoft, and GCP.   They have the resources and are reasonably neutral to security products.  AWS is already partially there with their Security Hub product.  Azure has a security console now, but it is a clunky mess.  And GCP has not been acquiring security companies for fun.  They obviously have big ideas as well.

A PoP was part of my own vision for a product years ago.  I envisioned a platform that could not only build itself but configure a disparate set of tools and provide a single management interface.  My vision was too big for my funding, so I downgraded it into a compliance product.

PoP Benefits

The single greatest challenge in cybersecurity is and always has been complexity.  The more complex a system is, the more difficult it is to protect it.  Modern enterprise environments are insanely complex and insanely complex to secure.

The ultimate purpose of a PoP: create a simpler, more streamlined way to interact with the security architecture.  Provide a single place where a diverse group of people, from leadership down to operations can access and interact with the security environment.

A PoP would not replace existing management consoles.  Those would still have a place in a PoP environment.  There are plenty of use-cases where administrators would need to drop down into a native console to perform administrative functions.

I fully admit that a PoP is a bit of a pipe-dream at this point.  The effort necessary to build a viable, working PoP is extreme.  However, this is yet another way that cloud providers could continue their consumption of the security industry (see Cloud Eats Security.)


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.