Threat Intelligence Blog

Posted September 25, 2019

For all the money pouring into the cybersecurity industry, here’s an honest summary of the current “state of the art” in cybersecurity.

It’s not working.

Enterprises keep expanding budgets, hiring cyber talent (when they can find any), and purchasing more boxes, feeds, software and services. Yet every day, more breaches happen, cyber attacks are launched at ever-larger scales, and more identities, money, and intellectual property are stolen.

In response, vendors keep bringing more widgets to the table, adding cost and complexity for the client and requiring one-off integrations that leave us far from true interoperability. Shame on us.

How Should We Approach Cyber Network Defense?

We know how we got here. We all lived through, or even helped create, the gradual accretion of point solutions that evolved to defend the network as attackers and tactics matured.

Firewalls were never intended to be threat mitigation devices, but controlled interfaces that enforced connection policies between different networks. Organizations needed technology that inspected those permitted connections more deeply, and so Intrusion Detection Systems (IDS) emerged. But an IDS couldn’t actually stop the malicious things it saw, so it evolved into the Intrusion Prevention System (IPS) in order to actually do something.

Firewall vendors then added IPS capability packages so you didn’t need two products at the perimeter of your defenses, but enabling that capability greatly degrades firewall performance. Organizations end up pouring more money into cyber security, buying more appliances or higher throughput than they actually need. Not a great bargain.

The same thing happened with threat intelligence feeds of IPs and URLs, which impacted performance and cost even further. Enter the Secure Web Gateway and the emerging Threat Intelligence Gateway, yet more appliances whose key job was to address the inefficiencies of the ones that preceded them.

That’s independent of mail security gateways, network traffic analysis, endpoint security, and Data Loss Prevention (DLP), and on and on it has gone, yet the results each year have grown worse, not better.

“The cybersecurity industry is a thousand points of light and no illumination.” – William Crowell, former Deputy Director of the National Security Agency

This raises a question for both the vendor-verse and the clients we serve. To paraphrase Peter Drucker: “If you weren’t already doing it this way, is this the way you would do it?”

Hell. No.

What Can Be Done to Improve Your Network Defensive Strategy?

What’s needed now is what Drucker called “systemic abandonment”, the deliberate, planned reduction of resources around old technologies and methods to make way for what cybersecurity needs today – a fundamentally new approach to the problem.

Our take? Security should not be a set of point solutions at all, each independent and ignorant of the others. Cyber security should be integral to the infrastructure, woven into the network itself. The security layer should be ubiquitous, aware, integrated, and scalable so you don’t have to buy two, three, or twenty of every widget. We need less integration and more interoperability within modern defensive strategy.

How We Can Help with Your Network Defense

At LookingGlass, we’ve spent more than a decade thinking and working on this problem. We haven’t done this in a vacuum, but in the real-world aiding and defending some of the world’s largest networks against some of the world’s most sophisticated adversaries.

The result of these years of experience and tradecraft is our new enterprise security solution: CloudShield Eclipse. CloudShield Eclipse is a software-based solution that can be placed at any point in your enterprise network to provide comprehensive visibility, advanced threat response, and automated mitigation across your entire network. CloudShield Eclipse requires no specialized hardware, deploys and scales easily, and the cost model isn’t bound to connection interface speeds or the rigidity of hardware models.

This single, interoperable solution can replace both signature and behavior-based IDS and supplants traditional IPS with far more advanced mitigation options than just “block or allow.” We understand the value of response options and CloudShield Eclipse enables the defender to respond in a manner best suited for a specific attack. It also completely eliminates the need for indicator-blocking on your firewalls and provides network traffic analysis and passive asset inventory as fundamental capabilities.

Put another way, the first release of CloudShield Eclipse can potentially replace four or five things you probably pay for today, with significant savings in the process. Our longer-term goal is nothing short of fundamentally rethinking, shrinking, and simplifying the security tech stack.

Less complexity. Fewer products. Advanced security. Lower cost.

We are part of a vendor community that, with the best of intentions, helped make this mess. It’s time we start giving customers better ways to clean it up. If you are looking to bring modern cyber network defense software into your organization, see more about CloudShield Eclipse.
