The cybersecurity marketplace is awash with products designed and promoted to keep businesses safe from hackers. It can be difficult to pick “the best” product, so businesses adopted the “defense in layers” approach when choosing technology to protect themselves. Perhaps the layered approach is a sound tactic, or perhaps it is a case of our reluctance to choose a single solution. Each vendor touts a paradigm or implementation superior to the others, yet coverage from different products and vendors overlaps, and the marginal advantage of an additional technology or alternative solution may be lost in the combined play. A simple question begs to be asked (and consequently to have an article written about it):
Omega Cyber Unit – Part 1 “The Question”
What is the most important cybersecurity product for keeping your business safe?
I know the cybersecurity sales engineer will say, “it depends,” and the cybersecurity salesperson will ask, “what are you trying to do?” Well, I am asking the questions here, and I am adding that I don’t want it to “depend.” I want the absolute best, and as far as “what do I want it to do,” I want the cybersecurity product to keep my business safe. No reason to muddle the issue with qualifications, as that would be a topic for a different article. In this article we are keeping the question simple: What cybersecurity product is best? Of course, I run the risk of oversimplifying the topic and making a mistake by asking the question this way. For this thought experiment, I’ll place only two qualifiers: we keep our existing physical security and our data backups in place.
So, one more time: if a well-versed and well-intentioned cybersecurity practitioner were only able to deploy a single cybersecurity product into their network, what would it be? Or let’s ask the question the other way around: if you were to remove each security technology from your network, one at a time, which technology would you hang on to until the very last? There are so many cybersecurity technology categories to choose from. What are we up to now, 17 Cybersecurity Magic Quadrants? Which product would we have to pry from your cold, dead fingers? What is the very last product standing that you couldn’t operate without? What is the Omega Cyber Unit?
Of course, as already warned, this is an impossible question. Why would we ever get rid of any cybersecurity product, especially if it’s already paid for? Even if its contribution to our overall security is ever so small, or even unknown, we would probably still hold onto our older legacy security solutions, maintaining them, if for no other reason than superstition. In the end, we would likely keep any security product that could potentially keep our business safe.
However, this question means to explore that difficult theoretical space: What if you only had one product left? You choose what goes and what stays, and to make this more philosophically pertinent, let’s say you can’t quit your job and have to live with the consequences, perhaps getting fired if you choose poorly. With whatever is left after making your choices, you are still responsible for maintaining security. Let’s slowly cull the layers of the cyber-defense you have accumulated, not in the sense of a cyber strip show, but in order to bare your cyber-soul and reveal your cyber-soulmate.
If you are uncomfortable with the question, then I’d say you understand it, because it has an element of “Which child do you love the most?” We don’t love every deployed product, so there would probably be some easy early candidates, such as HIDS and ArcSight, summarily ditched. A passionate cybersecurity specialist would probably give the standard “over my dead body” threat, only to cave in on SIEM, Threat Intelligence, UBA, and Orchestration. We don’t need to worry about any Patch Management products, because we probably don’t have any. The next set of products to be jettisoned includes Sandbox, Honeypot, Content Filtering, and DLP solutions. In this exercise, those particular products are demoted to the “nice to have” category. At this gut-wrenching point, we are finally down to our cyber-skivvies. Yes, I know we love our WAF, NAC, IDS, and Secure Email Gateway, but this exercise is quantifying that love, and I say that if we have to choose, then WAF, NAC, IDS, and Secure Email Gateway would be dropped like a mistress on your wife’s anniversary, leaving us nearly nude with UTM, VPN, EPP, and NGFW. In the end, we would fight for our End Point Protection, but when the true cyber triage challenge kicks in, there would be little dissent about which device cybersecurity professionals would be white-knuckle gripping: the firewall.
Of course, security experts would hate to see their EPP disappear, and the old go-to VPN wouldn’t be surrendered easily. However, under the desperate adversity that this question explores, you have to conclude, as triage dictates, that if end points can’t stay behind the umbrella of the enterprise firewall, then I just can’t help them. If I have to VPN, I can VPN into my firewall instead of a dedicated concentrator.
So here we are, at the last line of defense, and after all these years of evolving cybersecurity technology, in the end we would hold on to the first device we ever installed: the Enterprise Next Generation Firewall (NGFW). The firewall was the first and the firewall will be the last. Although the fundamental function of the firewall, deciding which traffic may pass between networks, has not changed much since its inception, deep packet inspection just can’t be beat. Throughout the years, firewalls evolved, tacking on additional functionality: stateful inspection in the mid-1990s, usable GUIs throughout the 2000s, multi-port and multi-zone deployments, network address translation (which became essential), and nowadays SSL/TLS inspection and application-layer controls that earned the “next generation” label.
Even with all these enhancements, NGFWs are still built on the same layer 3/4 stateful packet filter we have always relied on, with the application-layer inspection added on top. Many vendors pile on extra capabilities, but the core functions, stateful inspection and DPI, are what make the firewall indispensable. The calls for its demise, circa 2010, were overwhelmingly premature. Virtually all vendors’ firewalls are sold as licensed software on purchased (or virtual) hardware, with the newer Firewall-as-a-Service (FWaaS) offerings being the exception to the established practice.
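The difference between a plain layer-4 access list and the stateful core described above is worth seeing in code. The following is an added example written for this article, not code from the article’s author or from any firewall vendor: a toy stateless ACL beside a toy stateful filter, run over constructed packets. The internal network, the addresses, the ports and the five-tuple connection table are all assumptions made for the illustration, and the model ignores timeouts, FIN teardown and sequence-number checks that a real firewall performs.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed internal address space for the example.
INTERNAL = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    """Minimal TCP/IP header fields needed for layer-4 filtering."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset  # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


def stateless_acl(pkt: Packet) -> bool:
    """Classic access list with no memory of connections.

    Rule 1: internal hosts may talk to any host on port 443.
    Rule 2: traffic from port 443 back to an internal host is allowed if the
            ACK bit is set (the old 'established' keyword trick). The filter
            cannot tell a genuine reply from a crafted packet with ACK set.
    """
    if ip_address(pkt.src_ip) in INTERNAL and pkt.dst_port == 443:
        return True
    if (ip_address(pkt.dst_ip) in INTERNAL
            and pkt.src_port == 443 and "ACK" in pkt.flags):
        return True
    return False


class StatefulFilter:
    """Same policy intent, but inbound traffic must match a tracked connection."""

    def __init__(self) -> None:
        # Connections opened from the inside: (src_ip, src_port, dst_ip, dst_port)
        self.table: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        fwd = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

        if ip_address(pkt.src_ip) in INTERNAL and pkt.dst_port == 443:
            # Outbound: a bare SYN opens a new tracked connection.
            if pkt.flags == frozenset({"SYN"}):
                self.table.add(fwd)
                return True
            # Later outbound segments must belong to a tracked connection.
            allowed = fwd in self.table
            if allowed and "RST" in pkt.flags:
                self.table.discard(fwd)  # connection torn down by the client
            return allowed

        # Inbound: only a reply to a connection we saw opened is allowed.
        allowed = rev in self.table
        if allowed and "RST" in pkt.flags:
            self.table.discard(rev)  # connection torn down by the server
        return allowed


def demo() -> dict[str, tuple[bool, bool]]:
    """Run constructed packets through both filters.

    Returns {case: (stateless_decision, stateful_decision)}.
    """
    fw = StatefulFilter()
    client_syn = Packet("10.1.2.3", 51000, "203.0.113.10", 443, frozenset({"SYN"}))
    server_reply = Packet("203.0.113.10", 443, "10.1.2.3", 51000, frozenset({"SYN", "ACK"}))
    # Crafted packet: source port 443 and ACK set, aimed at RDP on an internal host.
    spoofed_ack = Packet("198.51.100.7", 443, "10.1.2.3", 3389, frozenset({"ACK"}))

    return {
        "legit_syn": (stateless_acl(client_syn), fw.allow(client_syn)),
        "legit_reply": (stateless_acl(server_reply), fw.allow(server_reply)),
        "spoofed_ack": (stateless_acl(spoofed_ack), fw.allow(spoofed_ack)),
    }


if __name__ == "__main__":
    for case, (acl, stateful) in demo().items():
        print(f"{case:12s} stateless={acl!s:5s} stateful={stateful}")
```

Both filters pass the genuine handshake, but only the stateless ACL lets the crafted ACK-flagged packet through to port 3389, because it has nothing to compare the packet against. That connection table is the “state” in stateful inspection, and it is the part of the firewall the article argues we would keep to the last.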
So, there you have it: the humble firewall, the last bastion of security in our cyber thought experiment. In the end, it’s the upgraded, enhanced access-list rules that rule cybersecurity. However, we have not completely answered the question yet, as so far we have only chosen a technology. Now the question needs a more specific answer. If you stop here, unfortunately you only get 50% credit.
Omega Cyber Unit – Part 2 “The Vendor”
Now, I hate to nest a theoretical question inside another theoretical question, but we have merely revealed the firewall as our most beloved cybersecurity technology. Now we must explore the subtleties of each firewall vendor to add depth to this extrapolation. The brand of firewall matters a lot. If your last layer of cybersecurity were a Cisco ASA, for example, then firewalls might have dropped out earlier in the Omega Cyber Unit pageant, prompting us to keep our EDR after all, so we need to factor in specific vendors to keep this theoretical question less theoretical.
The top dogs in NGFW are generally considered to be (in alphabetical order): Check Point, Cisco, Forcepoint, Fortinet, Juniper, McAfee (Intel), Palo Alto, SonicWall (Dell), Sophos, WatchGuard, and Zscaler. This is definitely not meant to be a comprehensive list of firewall vendors; it just puts out the usual suspects. Furthermore, to keep this analysis under a couple of pages, I propose we reduce the candidates to the top four NGFW market-share holders: Check Point, Cisco, Fortinet, and Palo Alto.
Yes, I heard that scream of injustice, and I don’t blame you for blaming me for tossing out all of the up-and-comers. However, true to this experimental question, up-and-comers are not what you want protecting your network when you reduce your security arsenal to a single product. And I say that despite current loyalties; a customer is going to feel better with a tried, tested, and true long-term solution. These four vendors have led the market over the last four to five years and have been rewarded with sales and market share by very savvy cybersecurity shoppers. Seeing how most large security vendors tend to stagnate after bouts of success, they illustrate the difficulty of being large and innovative at the same time. However, this analysis is looking for what is bullet-proof, with vendor longevity being one measure of that toughness. So how do we choose among the industry’s giants? Perhaps we can start with these five standard types of metrics: Performance, Implementation, Management, Support, and Value.
- Performance – This one is easy. Fortinet consistently outperforms the other three vendors, and that performance dominance is documented in several, if not all, NSS Labs results for NGFW performance. After all, what is security if it isn’t served up in heaping doses of on-demand, wire-speed connectivity? There are a lot of performance parameters to apply our attention to, and no single vendor is dominant in all of them. However, for the performance benchmarks most often touted, such as overall throughput, VPN throughput, and total connections, Fortinet is the top performer. Being a clear winner here, and by a significant margin, the Performance benchmark in enterprise firewalls goes to Fortinet. As for runners-up, this contest is for the single Omega product; second place is last, and still a losing position.
- Implementation – Check Point and Palo Alto are “pure-play” vendors, confining their product lines to their own vaguely defined category of cybersecurity. For different reasons, Cisco and Fortinet successfully fold connectivity into the cybersecurity realm. Cisco is able to offer its customers complete solutions, combining cybersecurity and connectivity products into custom packages. As an industry juggernaut that assimilates companies and technology, Cisco ensures that a business will never want for choices of others’ products. Of course, this is a strength and a weakness at the same time; having so many products and so many different ways of implementing them is an issue Cisco is burdened with. In fact, some of Cisco’s sister product lines are as different from each other as products from completely different companies. Fortinet also offers a complete product line for security and connectivity; however, Fortinet has taken the “fabric” concept and made it a reality. Fortinet gets a lot of praise for its all-in-one management paradigm, where switches, routers, firewalls, and Wi-Fi are centrally managed by FortiManager. It is now possible to simply deploy a switch into production and instantly bring it under management. In that respect, the Implementation benchmark in enterprise firewalls goes to Fortinet.
- Management – I wasn’t sure at first, but I had to look into what the industry is saying, or at least into what the five prominent companies sampled were saying, before rendering judgement. Some solid, above-average things are going on at Cisco, and who cares if Cisco has different management platforms for each of its firewall product lines? Cisco customers know which platform they need. So, after reading through the lists of “suggestions for improvement” (formerly known as the complaint box), users widely criticize the management interfaces across all vendors. More hopeful than frustrated, the tone of the criticism is collaborative, insistent and specific. For example, one commenter says, “the Cisco interface is pretty good, except I wish they would have …. [specific feature mentioned,]” so it’s clear users want more out of the management platforms. As for Check Point’s management, it seems to be less disliked than the other vendors’. Not finding any negative comments deserves praise for sure; it doesn’t prove that Check Point is great, but it suggests it may be superior. Since Check Point users seem to get what they want, I’ll choose Check Point as the firewall with the best overall management solution.
- Support – As stated above, firewall users expect a lot from their management interfaces, and the same is true for support. They may be non-irate, even content with the delivered service, but they always expect undeviating top-shelf delivery of service and performance. That said, all it takes is a few hiccups, like shipping issues, limited support hours, or dishonored SLAs, to tarnish a vendor’s reputation. When it comes to support, maintaining customer satisfaction is not easy. Vendors need to be consistent over a long period of time and need to exceed expectations, not just meet them. As vendors include more and more features to meet the demands of what is expected in the “base offering” of any product line, many cybersecurity niches become homogenized, with products from the different vendors becoming more similar. Because of that, support remains one of the only areas where vendors can truly differentiate themselves. Once again owing to the comments of users, some loyal and some not, there does appear to be a slight perception that Palo Alto is able to consistently deliver successful support services to its community. The Support benchmark in enterprise firewalls goes to Palo Alto.
- Value – This is the easiest category to comment on, because in RFP after RFP, Fortinet is documented as consistently offering the best ROI, features per dollar, and bang for the buck, however you want to measure what you pay against what you get. There’s really no need for a lengthy examination here; simply help yourself to the product comparison charts, work your eyes up and down the columns, and you will find that you get more speed, feeds, features, and coverage for fewer dollars with Fortinet. Thus, the Value benchmark in enterprise firewalls goes to Fortinet.
The Omega Cyber Unit described in this article is the cybersecurity product you would keep if you had to whittle your collection of cybersecurity technologies down to a single product. We can expand this debate, and thoughts for expansion are welcome, but in accordance with this briefest of assessments, we can reach a conclusion. Without further ado, the award for the Omega Cyber Unit goes to the enterprise firewall from Fortinet, the FortiGate. So, folks out there in Cyberland, hang onto your FortiGate, as it may be the single most effective and respected product in the cybersecurity marketplace.