The Case Against Using a Frankenstein Cybersecurity Platform

by Ana Mezic on October 29, 2020

The cybersecurity industry has flourished over the past decade with thousands of single-point solutions developed only to address functional gaps missing in their predecessor’s solutions.

The formal recommendation from top analysts at the world largest IT and Cybersecurity firms is to use 5-6 separate platforms for threat detection in an enterprise SOC: SIEM, Log Management, NDR, NTA and SOAR.

This has been the accepted best practice. Cyber teams purchase, configure, train, and maintain multiple siloed cybersecurity platforms for threat detection and response. But is this actually necessary when you solve the functional problem with one purpose built next-generation cybersecurity platform?

The cybersecurity market has, simply put, been cobbled together.

A tangled web of non-integrated systems and alerts from siloed systems. Enterprises are now being forced to utilize a “Frankenstein” of stitched together tools to create a platform that might cover their security bases.

Sponsorships Available

Just as Mary Shelley’s Frankenstein was constructed in a laboratory through ambiguous experimentation, chemistry and alchemy, never able to completely “operate” in real-world society, so are internal cybersecurity systems built by stitching together multiple independent tools with reactive, feature-specific rules and algorithms that when operating in a rapidly changing environment require constant oversight and maintenance to actually perform their threat detection duties.

There may be an explanation for this: traditional software development (and the data analysis and machine learning behind it), has been a reactive process. Customers ask for new features, user experiences become glossier over time, and data insights drive feature updates.

But cybersecurity platforms are different in one simple but very important way: they must be proactive in their defensive capabilities against unknown, never-before-seen attacks. Therefore they cannot be maintained by a traditional reactive process.

Today’s sophisticated threatscape requires purpose-built applications that are focused on functional requirements, and most importantly, are data agnostic. There is a majority acknowledgement in analyst and customer communities that the proliferation of security applications has become a big problem.

Here are three ways you can identify if a “Frankenstein Cybersecurity Platform” has stumbled into your SOC environment:

Enormous Human Effort

The general perception many people have about AI – and shiny new platforms in general – is that the primary feature of this technology is its ability to handle tasks free from human intervention. In reality, network security products integrated with so-called AI often require a great deal of oversight and input even if they claim to automate tasks. Most security products have not evolved to the point where they can offer authentic self-supervised learning AI.

Rather than utilizing a self-generated and self-adapting baseline to constantly look at the network for anomalies like an Unsupervised Third Wave AI platform does, analysts’ time is consumed with writing rules and tags for the AI only after the incidents have already happened. Not to mention triaging the onslaught of false positives alerts flooding out of these single-point solutions.

With this time-consuming process, there is no way to stop future hacks if the method of intrusion is previously unknown. It also creates these Frankenstein-esque platforms that are just exponential amounts of rules trying to patch every anomaly that has already occurred on the network.

Proactive vs. Reactive AI

There’s always activity on a network before a break in happens. The network knows, it’s baseline is disturbed, and MixMode’s self-supervised AI will spot it. It’s very very difficult to fool. The attack would have to behave exactly as the network behaves, which gets the bad actor nowhere, therefore making self-supervised AI almost impossible to fool.

Take for example a “Monster in the Middle” attack – we can’t help it, this is a Halloween blog after all! It is a cyberattack where an attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other.

Most algorithms are not able to catch this type of attack because someone gets into the network, then redirects traffic from the victim’s IP to the machine that they have infiltrated. The victim however cannot see this because they are still seeing the network traffic behave normally themselves, it’s just been redirected as well.

The ‘Frankenstein,’ or reactive AI approach, would be to try to figure out if some traffic has been redirected, after the intruder already got in, redirected it, and did whatever damage the bad actor wanted to do.

Having a single AI algorithm, like MixMode’s, applied to all data on the network is a proactive, predictive approach that alerts analysts before a “Monster in the Middle” attack even occurs. This type of attack would most certainly behave differently on a network when the AI compares it to regular daily inbound and outbound behavior.

Frankenstein Platforms = Frankenstein SOCs

Cyber platforms are not the only ones susceptible to patch-happy processes.

Too many enterprise’s SOC have been constructed with a tangled web of tools and processes as well. Siloed lines of business – network operations, security operations, etc – purchase proprietary orchestration engines that are exclusive to a single requirement or one particular vendor.

When evaluating your current technologies as well as new solutions, the best approach is to review and document the functional requirements and intent of the platform. Don’t let vendors or historical perspective from the analyst community dictate the path forward.

Purpose built applications like MixMode can address the functional requirements of traditional siloed approaches like SIEM, NTA, UBA and other solutions. Each of these platforms were introduced to address functional gaps in their predecessor.

Categories like NDR, as an example, are a supplemental category for traditional SIEM to address the near real-time network components. But at the end of the day the intent is fundamentally the same and it’s a data dependency issue.

Wave a big red flag if the new system you are evaluating will take months to years to deploy and require a large number of human operators to perpetually tune the system with data or deployment dependencies that are vendor dependent.

MixMode is independently able to interoperate with all of the leading platforms creating a purpose-built solution that is able to focus on our core competency – the ability to predict what your network will look like in advance, allowing for accurate, lightning fast threat and anomaly detection – rather than traditional SOC areas. This allows our customers to maximize their existing SOC investments without having to provide yet another orchestration platform.