Dear Vendors, It's Me Kathayra

March 8, 2018

Dear Cybersecurity Vendors,

Thank you for the information, technology and services you provide. I appreciate all your efforts to bring us the latest and greatest and to make my team better defenders. This letter comes from a place of gratitude, even if it reads as unsolicited advice.

See, I need you to change how you operate in seemingly drastic ways. Ways that will require new talent and new ways of operating. Ways that will be more challenging, but that I believe will leave you ahead after the cybersecurity bubble bursts.

Embrace that soft, fluffy cloud.

I know, I know... you think it's just someone else's computer. Some glorified VM. I need you to rethink that. It can be so much more for our industry.

Most vendors that support the cloud currently provide offerings that are basically the appliance migrated to the cloud, much like a VM. This approach ignores the scalability and flexibility that are the main reasons your customers are asking for a cloud option in the first place. As part of this, you will also need to embrace microservices. They will make it easier for you to break your offering into the scalable architecture offered by Amazon or Google.

I don't want an appliance that has to sit in a datacenter, and I don't want to maintain multiple systems because of scale issues. There are a multitude of ways to solve the scale problem that don't involve patching six appliances for operating system and application vulnerabilities, or maintaining the one appliance "to rule them all". If you can successfully make the switch, adopting your product becomes much easier.

Focus more on APIs and less on your UI.

Ok, this one is admittedly going to be more useful for larger organizations. I enjoy a well-designed UI that is made to make my life easier, but in truth no UI is worth having to maintain access for an entire SOC, Hunt Team, IR Team, Forensic Team, etc., to over 20 appliances. Most organizations use a SIEM for this reason; we combine the data from your tool with other data to build a more complete picture. The most useful, most awesome thing you can offer us is an easy way to get at the data your tool is collecting for us.

So please, start with the API, and use it to build the UI. Make it robust and able to give the user all the information that made us buy the tool in the first place. I know you don't want to admit that your tool is just one part of our defensive ecosystem, but it's true. Who knows, you might enjoy not having to guess up front every use case we have in mind for your product.

Support our environmental diversity.

Companies are diverse. There are Windows, Linux and macOS, and then there are physical data centers, virtual infrastructure and the cloud. Help us support it all, because diversity makes everyone better. I see vendors continually building new capabilities for a tool that doesn't support that diversity, which would require me to have multiple tools to maintain, tune and support just to get the basic functionality needed for an equal defensive posture across all of them. Save practitioners from this terrible plight of too many tools.

I know what I am asking sounds simple, but it is not easy. The thing is, I need you all to evolve and succeed. Defenders are relying on you to help us keep up.

Happy Hunting,

K

P.S. Please stop inventing new buzzwords. I have to spend inordinate amounts of time explaining them and why they are just a marketing gimmick.

Virginia, USA

©2017 by Happy Threat Hunting.  

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.