Does the perfect cybersecurity platform exist?
The future of cybersecurity belongs to platforms that empower practitioners to build the stack and SecOps program they need to ensure the best possible security outcomes.
Some proponents of cybersecurity platformization claim that an effective security platform must be built from “best-of-breed” or “best-in-class” solutions. The idea is that a perfect cybersecurity platform is possible, just as long as it comprises the correct bundle of point products. But this notion is based on an outdated understanding of security practitioners’ needs—and a misguided vision for the future of our industry.
Unpacking the “best-in-class” claim
It’s not hard to understand why a vendor would insist that everything in their platform is “best in class.”
The case for cybersecurity platformization rests on simplifying security tooling and infrastructure. The goal is to reduce complexity, integration challenges, and costs—and deliver better security outcomes. A comprehensive platform, therefore, promises to replace many point solutions that organizations are currently using. But because of this, vendors feel compelled to reassure potential adopters that they won’t be sacrificing capabilities.
For example, Lee Klarich, Chief Product Officer at Palo Alto Networks (PANW), a major advocate of security platformization, recently told investors:
Prior attempts to [build a comprehensive security platform] generally required a tradeoff for the customer…the capabilities that were delivered on their attempts to do a platform were not industry-leading. And so, the customer had to make a tradeoff between…worse capabilities, but in one place, or best-in-class capabilities. And that’s a hard tradeoff in cybersecurity. That is one thing that we’re not asking our customers to do. We’re making sure that everything we do is industry-leading on its own.
CEO Nikesh Arora has made similar remarks:
What we want is best-of-breed products, so we decided we’re going to do both. We’re going to have phenomenal success in best-of-breed categories. In addition, we’re going to make sure our best-of-breed products were integrated.
The implication seems to be that if a vendor assembles a platform from the best SIEM solution it can acquire, the very best EDR tool, the best automation products, etc., then customers will get something like the platonic ideal of a security platform.
But despite the ostensible newness, this approach betrays a fundamentally conservative view of the security industry.
For Klarich and Arora, there’s an unspoken assumption at work here: Security teams must get the capabilities they need from a product—ideally, one with the right or “best” set of features.
But this is nothing new at all. Whether the capabilities come from multiple point tools, or from a platform made up of acquired, repackaged, and bundled “best-of-breed” security products, the basic model is the same. You buy a product. You get features that give you capabilities.
Product features != capabilities
LimaCharlie was founded to challenge this assumption. We began with a simple question: What if core cybersecurity capabilities and infrastructure could be delivered, not as features of some vendor’s product, but directly through a public cloud-like environment instead?
The SecOps Cloud Platform (SCP) is the realization of this vision. It gives security teams capabilities in the same way that AWS or GCP does for IT: as interoperable, cloud-native primitives, available on-demand and priced pay-per-use.
Think, for example, of the capabilities currently offered by security information and event management (SIEM) products. SIEMs ingest, standardize, and centralize log and other telemetry data; they enable real-time monitoring and coordination of event information; and so on.
But these capabilities don’t have to be delivered as product features. It’s perfectly possible to provide those same capabilities directly and abstractly, which is precisely what the SecOps Cloud Platform does. The SCP makes it possible to ingest logs and file types from any source, standardize all telemetry data to a common JSON format, and run everything through a detection, automation, and response engine for correlation, analysis, and alerting. The kind of mature, well-integrated capabilities that were once only obtainable through SIEM products are now available via a public cloud for security.
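To make the ingest, normalize, and detect pipeline described above concrete, here is a small added example. It is illustrative code written for this article, not LimaCharlie's or the SCP's own code, and the common JSON schema (the field names source, host, event, outcome, user, src_ip), the sshd and portal sample lines, and the auth-failure-burst rule are all constructed for the demonstration. The point it shows is why normalization matters: neither source alone crosses the rule's threshold, but once both are in one schema the correlation fires.

```python
import json
import re
from collections import defaultdict

# Constructed sample telemetry from two unrelated sources (not real data).
# Source 1: raw syslog lines from an sshd daemon.
SYSLOG_LINES = [
    "Mar 10 12:00:01 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Mar 10 12:00:03 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51030 ssh2",
    "Mar 10 12:00:09 web01 sshd[2240]: Accepted publickey for deploy from 198.51.100.5 port 40110 ssh2",
]
# Source 2: JSON audit events from a hypothetical web portal, with its own field names.
APP_EVENTS = [
    '{"ts": "2024-03-10T12:00:05Z", "svc": "portal", "action": "login", "ok": false, "user": "admin", "client": "203.0.113.7"}',
    '{"ts": "2024-03-10T12:00:07Z", "svc": "portal", "action": "login", "ok": false, "user": "admin", "client": "203.0.113.7"}',
    '{"ts": "2024-03-10T12:00:08Z", "svc": "portal", "action": "login", "ok": true, "user": "alice", "client": "192.0.2.9"}',
]

SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def normalize_syslog(line):
    """Map an sshd syslog line onto the common (constructed) JSON schema, or None if irrelevant."""
    m = SSHD_RE.search(line)
    if not m:
        return None
    return {
        "source": "sshd",
        "host": line.split()[3],          # hostname is the 4th whitespace-separated field
        "event": "auth",
        "outcome": "failure" if m["outcome"] == "Failed" else "success",
        "user": m["user"],
        "src_ip": m["ip"],
    }


def normalize_app(line):
    """Map a portal JSON event onto the same schema, or None for non-login actions."""
    ev = json.loads(line)
    if ev.get("action") != "login":
        return None
    return {
        "source": ev["svc"],
        "host": None,                      # this source does not report a host
        "event": "auth",
        "outcome": "success" if ev["ok"] else "failure",
        "user": ev["user"],
        "src_ip": ev["client"],
    }


def ingest(syslog_lines, app_lines):
    """Run every raw record through its normalizer and keep the records that fit the schema."""
    events = []
    for line in syslog_lines:
        ev = normalize_syslog(line)
        if ev:
            events.append(ev)
    for line in app_lines:
        ev = normalize_app(line)
        if ev:
            events.append(ev)
    return events


def detect_auth_failure_burst(events, threshold=3):
    """Constructed rule: alert when one source IP accumulates >= threshold failed logins,
    counted across all sources because every event now shares the same shape."""
    failures = defaultdict(list)
    for ev in events:
        if ev["event"] == "auth" and ev["outcome"] == "failure":
            failures[ev["src_ip"]].append(ev)
    alerts = []
    for ip, evs in failures.items():
        if len(evs) >= threshold:
            alerts.append({
                "rule": "auth-failure-burst",
                "src_ip": ip,
                "count": len(evs),
                "sources": sorted({e["source"] for e in evs}),
                "users": sorted({e["user"] for e in evs}),
            })
    return alerts


if __name__ == "__main__":
    normalized = ingest(SYSLOG_LINES, APP_EVENTS)
    for alert in detect_auth_failure_burst(normalized):
        print(json.dumps(alert))
```

With these inputs, 203.0.113.7 produces two sshd failures and two portal failures. Each source alone stays under the threshold of three; the normalized stream counts four and raises one alert naming both sources, which is the correlation a SIEM-style engine exists to provide.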
This change offers enormous benefits. Because it is a public cloud, the SCP enables security teams to utilize platform capabilities as much or as little as they want, and in exactly the way that they want. They also avoid the downsides of legacy security products like integration difficulties, vendor lock-in, rigid long-term contracts, and unpredictable costs.
In the case of SIEM-like capabilities, this means users can reduce reliance on one of their highest-cost tools, customize event management workflows more flexibly than ever before, and take unprecedented control of their security infrastructure.
The SCP offers similar benefits across the spectrum of security operations. Capabilities that any SOC or MSSP would require for endpoint detection and response, historical threat hunting, observability, security automation, and more are now available through a unified public cloud platform that integrates seamlessly with the rest of the stack.
In short, although PANW and others say that they’re building security platforms, there’s a massive difference between their approach and the cloud provider model that the SCP embraces.
Practitioners over products
There are many ways to describe the difference between the SecOps Cloud Platform and the version of platformization pushed by traditional product vendors. But the most essential is this: The SCP prioritizes empowering security practitioners rather than the products they use.
Given the challenges facing security teams, we believe that this approach is the only one that makes sense.
Nearly everyone working in cybersecurity acknowledges that solution sprawl is a serious issue and feels that tooling and infrastructure have become complex to the point of unmanageability. But there’s a good reason for all of that complexity. Modern security operations are inherently complex. Organizations all have different security needs, and those needs are constantly changing and evolving. There is no “best” product—or suite of products—that will fix that problem. The future of security lies in human intelligence, automation, and customization, not in any one vendor’s product.
Platform vendors are correct when they say that simplification and consolidation are necessary. But they’re mistaken if they think a bundle of point solutions masquerading as a platform can ever accomplish that—let alone meet the bigger challenges in our industry.
The way forward is to give security teams direct access to mature, integrated capabilities, allowing them to fully operationalize their knowledge and expertise.
The perfect cybersecurity platform doesn’t exist. But not all platforms are created equal. The future of cybersecurity belongs to platforms that empower practitioners to build the stack and SecOps program they need to ensure the best possible security outcomes.