Undifferentiated heavy lifting for cybersecurity?
How cyber startups and MDRs can focus their efforts on their core value and differentiators.
I keep coming back to the idea of undifferentiated heavy lifting when trying to communicate to folks what we do at LimaCharlie.
"Undifferentiated heavy lifting" was how Amazon introduced AWS to the world. The other day, I found an old video of Jeff Bezos discussing the idea during a keynote talk at MIT. This was way back in September 2006, when AWS was in its infancy, and EC2 was still in public beta!
It's a fun moment from the history of technology. But what struck me most was how fresh an idea AWS was back then, and how well Bezos explained its value to his audience of technologists.
He pointed out that a lot of businesses struggled with the infrastructure challenges of developing web-scale computing applications.
He cited technical challenges like server hosting, bandwidth management, and scaling physical capacity. He also noted the administrative and managerial overhead that infrastructure tended to produce: buying decisions, contract negotiations, and the challenges of managing a mishmash of hardware and maintaining legacy software.
All of this created an untenable situation in which companies were stuck doing the hard work of infrastructure building and management instead of focusing on their core value and differentiators.
To quote the man himself:
Your major bottleneck in developing your ideas, in developing your successful products and service offerings turns out to be something that is not unique to your business at all. It's completely undifferentiated. And the dirty secret is…that at least 70 percent of your time, energy, and dollars go into this backend heavy-lifting infrastructure.
That's the origin of the term “undifferentiated heavy lifting.” It's undifferentiated because it literally does nothing to differentiate you and your business. But it's heavy lifting because it's both very hard and has to be done very well in order for you to have any hope of success.
The value proposition behind AWS was to take over undifferentiated heavy lifting for companies by offering them what they needed as cloud-based primitives instead. That was the genius of AWS: Foundational services to solve the complex challenges of IT infrastructure and computing—delivered in a way that was independent of physical infrastructure, well-integrated, on-demand, pay-per-use, and completely scalable. In one stroke, Amazon solved many of the infrastructure and technology management challenges holding businesses back.
Nearly 20 years later, we can see that the AWS model has been a massive success in IT and general tech. Now it's time to apply the idea of undifferentiated heavy lifting to the cybersecurity industry as well.
The case for "muck" in cybersecurity
In cybersecurity today, far too many organizations are handling their infrastructure challenges like it's still 2005. Teams tend to take one of two (equally unpalatable) approaches:
Either they collect dozens of point solutions, paid and open-source, and then try to assemble everything into a coherent security stack. Result: tool sprawl, high costs, visibility gaps, and excessive time spent on infrastructure management and integration.
Or they look for an all-in-one platform that promises to solve every problem for every user. Result: vendor lock-in on steroids, lack of customization, and the need to rely on a vendor that is likely competing with you.
To put it mildly, neither of these is a good option.
At LimaCharlie, we've been building a better option for cybersecurity teams. We’re attempting to do for our industry what AWS did for IT: offer foundational infrastructure and capabilities via a public cloud provider model.
Bezos's tongue-in-cheek word for all of that undifferentiated heavy lifting, taken together, was "muck." Our basic thesis is that all cybersecurity teams need access to the same infrastructure muck of security operations (SecOps) to handle their undifferentiated heavy lifting.
There’s no need for them to outsource these capabilities to an endless series of point products or to a monolithic tool vendor. Neither is there any need for teams to reinvent these capabilities themselves every time they need to offer a new service or develop a new product.
So, what does undifferentiated heavy lifting for cybersecurity look like? Here's a representative (though not exhaustive) list of the kinds of capabilities we give teams through our SecOps Cloud Platform (SCP):
Agent: Collect endpoint telemetry from any source and take action on it.
Automation engine: Automation in the abstract. Gives teams the ability to say: "When X happens, do Y." Bidirectional capabilities make it possible to automate actions on third-party tools and platforms as well.
Data routing and optimization: The ability to bring in data from any source and route it to any destination. In combination with the automation engine, this data can be transformed, enriched, or pruned in flight to enable better security outcomes and control costs.
Telemetry retention: Teams can retain all telemetry data for one year at no cost beyond ingestion.
Extensibility: An ecosystem of adapters and extensions makes it possible to manage third-party tools from within a single platform and using a common data format.
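To make the "When X happens, do Y" idea and the in-flight transform/route idea concrete, here is a small rules engine run over a few constructed telemetry events. This is an added illustration written for this article, not LimaCharlie's own rule format, API, or data model; every field name (`type`, `host`, `hash`, ...), rule, destination name (`siem`, `alerts`, `cold_storage`), and the intel lookup are assumptions made for the example.

```python
"""Toy 'when X happens, do Y' engine with in-flight enrichment, pruning
and routing. Added illustration only: NOT LimaCharlie's rule format, API
or data model. Every field name, rule and destination is an assumption."""
from dataclasses import dataclass, field
from typing import Any, Callable, Optional

Event = dict[str, Any]

# Constructed sample endpoint telemetry (not real data).
SAMPLE_EVENTS: list[Event] = [
    {"type": "NEW_PROCESS", "host": "ws-01", "user": "alice",
     "path": "C:\\Windows\\System32\\cmd.exe", "hash": "c" * 64},
    {"type": "NEW_PROCESS", "host": "ws-01", "user": "alice",
     "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "hash": "a" * 64},
    {"type": "DNS_REQUEST", "host": "ws-02", "user": "bob", "domain": "example.com"},
    {"type": "NETWORK_CONNECTION", "host": "ws-02", "user": "bob",
     "dst_ip": "10.0.0.5", "dst_port": 445},
]

# Constructed intel lookup and DNS allowlist used by the rules (assumptions).
KNOWN_BAD_HASHES = {"a" * 64: "Example.Dropper"}
NOISY_DOMAINS = {"example.com"}


@dataclass
class Engine:
    """Runs each event through every rule in order. A rule's action may
    mutate the event, drop it (return None), fan a copy out to another
    destination, or queue a response action."""
    rules: list["Rule"] = field(default_factory=list)
    sinks: dict[str, list[Event]] = field(default_factory=dict)
    responses: list[tuple[str, str]] = field(default_factory=list)

    def route(self, dest: str, event: Event) -> None:
        self.sinks.setdefault(dest, []).append(event)

    def respond(self, action: str, target: str) -> None:
        self.responses.append((action, target))

    def process(self, events: list[Event]) -> None:
        for raw in events:
            ev: Optional[Event] = dict(raw)  # work on a copy, never the input
            for rule in self.rules:
                if ev is not None and rule.match(ev):
                    ev = rule.action(self, ev)
            if ev is not None:
                self.route("siem", ev)  # default destination for survivors


@dataclass
class Rule:
    name: str
    match: Callable[[Event], bool]                       # the "when X happens"
    action: Callable[[Engine, Event], Optional[Event]]   # the "do Y"


def prune(engine: Engine, ev: Event) -> Optional[Event]:
    """Drop the event entirely: it never reaches any sink (cost control)."""
    return None


def enrich_with_intel(engine: Engine, ev: Event) -> Optional[Event]:
    """Label the event from the intel lookup, fan it out to the alerts
    destination, and queue a host isolation (bidirectional action)."""
    ev["threat"] = KNOWN_BAD_HASHES[ev["hash"]]
    engine.route("alerts", dict(ev))
    engine.respond("isolate_host", ev["host"])
    return ev


def tag_user_temp(engine: Engine, ev: Event) -> Optional[Event]:
    """Tag execution from a user temp directory; keeps flowing downstream."""
    ev.setdefault("tags", []).append("exec_from_user_temp")
    return ev


def cold_copy(engine: Engine, ev: Event) -> Optional[Event]:
    """Send a raw copy of network telemetry to cheap long-term storage too."""
    engine.route("cold_storage", dict(ev))
    return ev


RULES = [
    Rule("prune-noisy-dns",
         lambda e: e["type"] == "DNS_REQUEST" and e.get("domain") in NOISY_DOMAINS,
         prune),
    Rule("tag-user-temp-exec",
         lambda e: e["type"] == "NEW_PROCESS"
         and "\\AppData\\Local\\Temp\\" in e.get("path", ""),
         tag_user_temp),
    Rule("known-bad-hash",
         lambda e: e["type"] == "NEW_PROCESS" and e.get("hash") in KNOWN_BAD_HASHES,
         enrich_with_intel),
    Rule("archive-netconn", lambda e: e["type"] == "NETWORK_CONNECTION", cold_copy),
]


def run_demo(events: list[Event] = SAMPLE_EVENTS) -> Engine:
    engine = Engine(rules=RULES)
    engine.process(events)
    return engine


if __name__ == "__main__":
    eng = run_demo()
    for dest, evs in eng.sinks.items():
        print(f"{dest}: {len(evs)} event(s)")
    print("responses:", eng.responses)
```

Of the four constructed events, the allowlisted DNS lookup is pruned before it costs anything downstream, the temp-directory execution is tagged and then enriched with a threat label, copied to an alerts destination and answered with a host-isolation request, the SMB connection is duplicated to cold storage, and the three surviving events land in the default SIEM sink. Rule order matters: put pruning rules first so dropped events never reach the enrichment and routing stages.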
I'd argue that every cybersecurity team needs these things in one form or another. The idea behind LimaCharlie was to build these heavy-lifting capabilities and then make them available to teams through a public cloud provider model (i.e., everything API-first, on-demand, pay-per-use, scale up or down as needed, and so on).
Our mission is to be a pure infrastructure provider for the cybersecurity industry. We want to free teams from tool sprawl, lock-in to a few dominant vendors, and the need to build infrastructure themselves, and enable them to innovate and differentiate in areas where they can genuinely add value.
Focus on SecOps, not on infrastructure
If you're an MSSP, MDR, cybersecurity builder, or even a top-tier enterprise security group, you know that basing your security operations on an endless series of point solutions is unsustainable.
You also know that you won't differentiate yourself by being the most proficient user of some vendor's product—much less by building the world's latest and greatest endpoint agent!
Your value lies in what you can do that no one else can: in the things that truly differentiate you. When you don’t have to worry so much about the heavy lifting of cybersecurity infrastructure, you can better focus on that core value instead.
And to be clear: This isn't just a vague possibility, or an idealistic vision of the future. We're already seeing the approach work with our SCP users. Blumira, a cloud SIEM provider, took their XDR from concept to GA in just five months by letting the platform take over some of the heavy lifting for them. An MDR provider improved response times and eliminated scaling concerns by using our "muck" instead of struggling with its old DIY stack.
This may be the best way to explain what we're doing at LimaCharlie, and also the difference between our vision of platformization and what PANW and others have been pushing. We're not trying to be a one-stop shop for all teams. Rather, we're taking over the undifferentiated heavy lifting of cybersecurity infrastructure so teams can stay on mission: building better SecOps, taking the fight to the adversary, and keeping organizations and users safe.