It was not that long ago, in the late 1990s, that plug-and-play appliances were the exciting “next generation” of specialized software applications, and the cybersecurity market was caught up in that shift. At RSA 1999 the theme was “Better,” as in how do you deliver better security, and one answer was to prepackage your network traffic analysis, unified threat management, DLP, and firewalls, sometimes all in one appliance.
As I set up my booth to prepare for the show, I watched racks being installed, appliances plugged in, and colored lights blinking all around me.
Yet here we are, 23 years later, and some cybersecurity tools are still delivered in those same appliances. In some cases, such as network firewalls, the on-premises appliance still makes sense, but in others there are clear advantages to moving away from this traditional form factor.
A case in point is Network Detection and Response (NDR). A new generation of NDR tools is on the market, and these tools are cloud-native and delivered as software as a service (SaaS).
Why cloud-native NDR?
Here are four reasons:
1. It is easier to collect NetFlow and packets and send that data to the cloud than it is to build, ship, receive, rack, install, and configure an appliance. In most cases you need an appliance and a tap in every physical location and on every subnet you want visibility into. If you have 15 offices, multiply these steps and this complexity by 15.
Modern firewalls, routers, and switches can all export flow records, and where needed mirrored traffic, to the cloud for analysis. In 2022, it is less complex and a whole lot faster to connect to existing network hardware and collect the required data than to deploy new hardware.
2. The cloud is already part of your network, so have your NDR tool collect both. If you have Azure, AWS, M365, etc., you have a hybrid cloud network. The cloud platforms' own logs (e.g., AWS VPC Flow Logs) are easy for a cloud NDR system to collect, but not so easy for an on-premises appliance. Legacy NDR vendors have had to produce second and third products to cover cloud data for threat detection, and you will pay extra for them. On top of that, with some analysis happening on-premises and some in the cloud, correlating the two becomes a challenge.
Cloud-based NDR collects on-premises data from existing infrastructure and cloud logs directly from the platform in use. Equally important, all of that data is collected, enriched, analyzed, and correlated in the same AI engine, which improves detection accuracy and efficacy (fewer false positives).
3. Networks generate a lot of data, and so do cloud systems. You will need either powerful on-premises hardware or cloud compute to do the machine learning and correlation work, plus additional storage to keep all that data. For a compute-heavy workload like network traffic analysis, it makes far more sense to do the work, and keep the data, in the cloud.
4. For all of the reasons above, the total cost of ownership (TCO) of an on-premises NDR solution is about 3x to 5x that of a cloud-native SaaS solution; the multiple depends on how many locations your organization has. Most on-premises NDR deployments run to six figures, while most cloud-native NDR deployments run to the mid five figures.
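Reason 2 above is the one that hides a real engineering problem: an on-premises NetFlow record and an AWS VPC Flow Log line describe the same kind of event in different shapes, and a detection only sees the whole picture once both are in one schema. The script below is an added example, not CyGlass's code or Darktrace's, showing the smallest version of that: it parses a constructed NetFlow-style CSV export (a hypothetical exporter format) and constructed AWS VPC Flow Log lines in the default version 2 field order, normalizes both into one record type, and then asks a question neither half can answer alone: which external destination is being contacted from both the office network and the VPC? The sample IP addresses come from the RFC 5737 documentation ranges and are not real hosts.

```python
"""Normalize on-prem NetFlow-style records and AWS VPC Flow Logs into one
schema, then correlate across both. Added example; sample data is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    source: str   # "onprem" or "aws": which collector produced the record
    src: str
    dst: str
    dport: int
    proto: int    # IP protocol number (6 = TCP, 17 = UDP)
    nbytes: int
    start: int    # epoch seconds


# Constructed sample: CSV export from a hypothetical on-prem NetFlow collector.
ONPREM_CSV = """\
start,src,dst,sport,dport,proto,bytes
1650000000,10.1.5.23,203.0.113.77,51234,443,6,48200
1650000060,10.1.5.23,203.0.113.77,51240,443,6,47900
1650000120,10.1.5.23,203.0.113.77,51251,443,6,48100
1650000000,10.1.5.40,198.51.100.9,40000,53,17,120
"""

# Constructed sample: AWS VPC Flow Logs in the default (version 2) format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
VPC_FLOW = """\
2 123456789012 eni-0a1b2c3d 10.20.3.15 203.0.113.77 44712 443 6 40 48300 1650000030 1650000090 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.20.3.15 203.0.113.77 44720 443 6 39 47800 1650000090 1650000150 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.20.3.15 3389 3389 6 3 180 1650000010 1650000011 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1650000000 1650000060 - NODATA
"""

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def parse_onprem(text):
    """CSV with a header row; every row is an accepted flow."""
    out = []
    for row in text.strip().splitlines()[1:]:
        start, src, dst, _sport, dport, proto, nbytes = row.split(",")
        out.append(Flow("onprem", src, dst, int(dport), int(proto), int(nbytes), int(start)))
    return out


def parse_vpc(text):
    """Default-format VPC Flow Log lines. NODATA/SKIPDATA lines carry no
    addresses and REJECT flows moved no data, so both are dropped here."""
    out = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) != 14 or f[13] != "OK":
            continue
        _ver, _acct, _eni, src, dst, _sport, dport, proto, _pkts, nbytes, start, _end, action, _st = f
        if action != "ACCEPT":
            continue
        out.append(Flow("aws", src, dst, int(dport), int(proto), int(nbytes), int(start)))
    return out


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL)


def shared_external_destinations(flows, min_bytes=1000):
    """External (dst, dport) pairs reached from internal hosts in more than
    one data source. Returns {(dst, dport): {source: {internal src, ...}}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst) and f.nbytes >= min_bytes:
            seen[(f.dst, f.dport)][f.source].add(f.src)
    return {k: dict(v) for k, v in seen.items() if len(v) > 1}


def main():
    flows = parse_onprem(ONPREM_CSV) + parse_vpc(VPC_FLOW)
    for (dst, port), by_source in shared_external_destinations(flows).items():
        hosts = sorted(h for s in by_source.values() for h in s)
        print(f"{dst}:{port} reached from {hosts} via {sorted(by_source)}")


if __name__ == "__main__":
    main()
```

Run on its own, the script reports that 203.0.113.77:443 is being reached from 10.1.5.23 (office) and 10.20.3.15 (VPC). Feed it only the on-prem CSV and it reports nothing, which is the point of reason 2: with one collector per environment, each side sees a single host talking to a single site, and the cross-environment pattern never surfaces. A real engine would key on far more than destination and port (timing, byte symmetry, JA3, DNS), but the normalization step is the same.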
A case in point is the Orders of St John Care Trust (OSJCT), one of the UK’s leading not-for-profit care providers. OSJCT had been using the Darktrace Enterprise Immune System, an appliance-based, on-premises NDR tool, and it was an essential part of the Trust’s security stack. NDR lets IT and security teams see risks and threats across the network as an attack unfolds and is particularly effective at finding ransomware attacks.
Much of the OSJCT network was already moving to the cloud, and COVID, with the need to support working from home, accelerated the move.
“Our existing solution was hardware at each site and added cloud tools; the costs associated with that became intolerable,” said Lewis Carrington, IT Manager. “CyGlass won us over through simplicity, better reporting, and ease of integration while lowering our cost by two-thirds.”
If your organization has been looking at an appliance-based NDR tool and found it too expensive, or if you have a renewal coming up, listen to Steven Pumford, the Infosec Manager at OSJCT.
“My advice to others is to embrace the change and see how easy, secure, automated, and cost-effective CyGlass is.”
VP Marketing, CyGlass