June 17th, 2024
Platformization in cybersecurity: Dueling visions for the future of security
Maxime Lamothe-Brassard
The platform approach in cybersecurity is gaining traction. However, it’s becoming clear that two very different models of platformization are in play. In this piece, we’ll talk about platformization in cybersecurity, the two major approaches to security platforms, and what it all means for the future of cybersecurity.
Behind the drive for cybersecurity platformization
We can define a cybersecurity platform, in provisional terms, as a solution that delivers a wide range of security functions and features through a single interface.
The move to platforms—both on the vendor and the user side—is motivated by the increasing complexity of the cybersecurity vendor market. To put it in a nutshell: It’s no longer feasible for users to purchase, manage, and integrate the dozens or even hundreds of cybersecurity point products required to implement modern security operations (SecOps).
The argument for switching to a cybersecurity platform is compelling. Platforms promise to reduce vendor sprawl and integration challenges—and thus deliver cost savings, greater efficiency, and streamlined SecOps workflows.
What does a “real” cybersecurity platform look like?
So far, so good. But all of the above raises a fundamental question: What counts as a cybersecurity platform? If a vendor in the EDR space acquires a SIEM, an observability tool, and some automation software, and then slaps a web portal on top of it all, that’s hardly a unified cybersecurity stack—and is likely to produce the exact kinds of integration headaches currently afflicting security teams. If the term “platformization” is to have any meaning at all, it must be more than this.
Palo Alto Networks (PANW), the biggest industry name to embrace cybersecurity platformization, agrees. In the company’s Q4 2023 earnings call, CEO Nikesh Arora said:
"Prior attempts to do this generally required a trade-off for the customer…the capabilities that were delivered on their attempts to do a platform were not industry-leading…We're making sure that everything we do is industry-leading on its own. The second thing we're doing is making sure that when we integrate it, they're actually integrated together and solving hard problems that can't be solved as stand-alone capabilities…It's not just about consolidation, although that's a clear value; it's about delivering technical outcomes through the integration that cannot be achieved otherwise."
Or as one commentator on Palo Alto’s platformization initiative summarized it:
"Just because you're buying multiple cybersecurity products from a single company doesn't mean the products are integrated or work well together. Platformization goes beyond consolidation. It's an intentional set of activities to integrate products and unlock value that isn't possible without the integrated platform."
A true cybersecurity platform, then, is not just a hodgepodge of point products sold by a single company. Rather, it is a gestalt—one that is well-integrated and engineered to enable better security outcomes.
However, not everyone is convinced that Palo Alto is building such a platform. Another major proponent of cybersecurity platformization, CrowdStrike CEO George Kurtz, dismissed PANW’s shift as “not new,” calling it nothing more than “discounting, bundling and giving products away for free” (a characterization that Arora disputes).
Cybersecurity buyers are left with more questions than answers. Is it a platform? Is it a bundle? Do we believe Arora, or Kurtz?
We’d argue that all of these questions miss the point—not because they’re unimportant, but because they overlook something essential:
There’s another type of platform that can give security teams what they need—and better than the sort of platform legacy vendors are pushing.
Salesforce for cyber—or a different approach?
That second type of platform will be immediately familiar to anyone who has worked in general tech: the public cloud provider model. Examples include Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.
The public cloud approach has been massively validated in the world of IT over the past decade—but is strangely absent from discussions of cybersecurity platformization. In media think pieces as well as high-profile CEO spats, the issue of platformization is invariably presented as a binary choice: Stay with an expensive, unmanageable patchwork of point solutions, or move to a large vendor’s platform product.
In our view, this is a needlessly limited and limiting way of looking at the problem: a kind of false dichotomy. The alternative? A public cloud platform for cybersecurity operations: the approach that LimaCharlie is pioneering with the SecOps Cloud Platform (SCP).
It’s an approach that is badly needed in the industry, because while vendor-centric cybersecurity platforms may solve some of the problems caused by fragmentation in the security solutions market, they do nothing to address the problem of being locked into a traditional cybersecurity vendor, with all the drawbacks that entails: lack of customization, inflexible pricing, restrictive licensing, mandatory long-term contracts, cumbersome sales processes, and, for service providers, the prospect of relying on a vendor that is also a competitor.
The cloud provider model, by contrast, is intended to give users freedom and flexibility. Capabilities are delivered on-demand and API-first. Pricing is pay-per-use. Everything can be scaled up or down as needed, without penalties or negotiations. Most importantly, a cloud provider is just that: a provider of core capabilities and infrastructure—not a vendor trying to sell a one-size-fits-all product.
Today, there are two competing visions of cybersecurity platformization at work. The first is the one championed by large vendors like Palo Alto and CrowdStrike. To borrow a comparison made by Kurtz years ago, it’s the “Salesforce of security” model. The second is the public cloud provider model that we’re building with the SecOps Cloud Platform: a kind of “AWS for cybersecurity.” We believe that there are clear advantages to the second approach—and that this is the future of our industry.
SecOps public cloud platform vs vendor cybersecurity platforms
We’re still in the early days of the shift to cybersecurity platforms, but general trends are already apparent. For enterprise security teams considering a shift to platform-based security, here are some important points of contrast between our approach and what they will likely experience with platform vendors:
| | SecOps public cloud | Vendor security platforms |
|---|---|---|
| Capabilities | Core security capabilities (EDR, security automation, data routing and optimization, retention) delivered as best-in-class, cloud-native primitives. Single, lightweight agent that offers feature parity across operating systems and bi-directional communication. Focus is on giving teams the capabilities to build the stack they need, rather than a suite of fixed solutions. Security operations driven by the skills and ingenuity of security engineers. | Capabilities delivered as modules or sub-solutions. Security operations may be constrained by the quality of the point solutions that comprise the platform. |
| Integration | All capabilities built from the ground up for integration and compatibility. | Integration will vary by vendor. Vendors that take an acquisition/portfolio approach to building a platform may pass their integration challenges on to security teams. |
| Flexibility | API-first access to primitives means that teams can customize their security infrastructure and tooling to suit their needs. The SCP is built by security engineers, for security engineers. Flexibility and customizability are foundational assumptions. | Dependent on vendor, but likely to be limited by the need for companies to protect proprietary technology, resulting in hard-to-customize or “black-box” modules within the platform. Vendors that build platforms by acquisition may only offer the degree of customization provided by the solutions they’ve purchased. |
| Scalability | Built for modern, scalable SecOps. Enables mature enterprise cybersecurity operations through multi-tenancy, infrastructure as code (IaC), security automation, and detection engineering capabilities. | Will vary by vendor. Some parts of the platform—especially if acquired or based on a vendor’s own legacy technology—may take an outdated approach to security operations. |
| Pricing | Pay-per-use, with no fixed minimums. Everything in the platform is available to try for free. Users choose only the parts of the platform they want without being forced to pay for capabilities they don’t need. Annual, multi-year, and volume discounts are available to users, but not required. | Likely to follow existing cybersecurity vendor practices: lengthy negotiations, sales gatekeeping, bundling unneeded products, mandatory long-term contracts, price modeling, and capacity planning. |
Taking the long view on platformization
At LimaCharlie, we believe that platforms are the future of cybersecurity—and that the cloud provider platform model offers the most promise to the industry as a whole.
To learn more about how the SCP offers a better approach to security platformization, see:
The Future of Security Operations: An Inside Look at the LimaCharlie SecOps Cloud Platform
SecOps Cloud Platform Guide for Enterprise SOC Teams
To experience the SCP for yourself, book a demo with our team.