The primary objective in information security is to reduce the risk exposed through cyber threats towards an organization. To achieve that, security leaders aim to make informed decisions that allow their organization to best protect, detect, respond, and recover from cyber threats. Therefore, when looking into reducing risk, security leaders often choose to reduce significant dependencies in their enterprise architecture and procedures towards a particular vendor or capability.
That strategy makes good sense, but what about when you are considering security software? Some believe that OS vendor-supplied security software must be “safer” or less risky than that of 3rd party vendors. After all, this line of thinking goes, who knows the OS better than those who developed it?
Yet choosing security software sold by your operating system vendor increases your dependency on a single vendor, and in some of the most security-critical areas, too. In this post, we’ll review the pros and cons of relying on your OS vendor for security software, and we’ll take a look at what 3rd party vendors offer that an OS vendor cannot.
It goes without saying that the developer of any software knows that software best – they are after all, the owners of the source code – but we are where we are in cybersecurity in no small part because developers frequently fail to understand the security implications of their own products.
Responsible software companies implement bug bounty programs to invite external security specialists to audit their software, and this is no less true of OS vendors like Microsoft, Google, Apple and Red Hat Linux as it is of developers of browsers, and indeed, security software vendors, too. The more complex a piece of software, the more likely there are to be vulnerabilities, a fact borne out by recent CVE statistics in Microsoft Windows, for example.
While this data refers to the most recent vulnerabilities, it’s also important to understand that many old vulnerabilities are still actively exploited by threat actors.
Operating system software is, and always will be, riddled with security vulnerabilities. Across Microsoft products, it is the Windows operating system where most security bugs are being found. Additionally, Microsoft has the highest rate of zero days compared to any other operating system vendor. Even more alarming is that most of these vulnerabilities relate to elevation of privilege or remote code execution: high risk vulnerabilities that threat actors can and do use to compromise organizations.
When a vendor is dealing with such an overwhelming amount of CVEs affecting so many different product lines, increasing your dependency on more products from that vendor requires a moment’s thought.
How much time and effort can the OS vendor extend to ensuring vulnerabilities in their security software offering are found and dealt with in a timely manner? A 3rd party vendor with a much smaller portfolio and expertise in security itself may be much-better placed to provide a reliable and effective security solution than an OS vendor with other priorities.
Moreover, with such a huge code base containing potentially vulnerable code, code dependencies in OS vendor products can present attackers with unexpected opportunities. For example, in 2021 SentinelLabs discovered a simple privilege escalation bug in Windows Defender that had been in the code since 2009.
CVE-2021-24092: 12 Years in Hiding
A Privilege Escalation Vulnerability in Windows Defender
As we have seen, just because an OS vendor knows their own product better than anyone else, it doesn’t follow that they are best placed to understand or even deal with the security implications of that software. And the bigger and more complex the software, the more true that is going to be.
When you add all this together, it raises a troubling thought: is the vendor that is likely the source of the most vulnerabilities in your environment really the vendor you want to select for cybersecurity?
Nonetheless, perhaps there is another good argument for preferring security software from an OS vendor rather than a dedicated security solutions specialist: If one were looking for a turnkey solution, perhaps the OS vendor’s own security offering should be less hassle than installing a security solution from a third party vendor?
There are a number of issues to consider here; installation, licensing, cost, ease-of-use, integration, and, ultimately, the effectiveness of the protection.
Among the major OS vendors, Microsoft is unique in having chosen to develop and sell a product to protect its own operating system software. Arguably, there is a conflict of interest in a software company looking to build revenue by marketing a security product to protect its other products, and potential customers might wonder whether the engineering effort expended there would have been better spent on directly securing those products.
Even if organizations choose to pay the premium and procure Microsoft 365 E5 Security, Enterprise Mobility and Security E5, or Windows E5 licenses, they often discover after the fact that they end up requiring additional 3rd-party products to cover the gaps of Microsoft’s security portfolio:
Many customers evaluating Microsoft alongside SentinelOne consistently say that the “With E5 you have everything you need” claim of Microsoft turned out to be inaccurate. Once they began their evaluations, the gaps became significant, and over time compounded by the fact that Microsoft tends to introduce additional niche products.
For example, Microsoft recently made the decision not to support Kubernetes clusters and containers with Microsoft Defender for Endpoint; instead, they announced Microsoft Defender for Containers, yet another product which is not included in E5 and which again requires additional licenses, procurement, and deployment.
Beyond that, the procurement process can quickly become very complex as all the different products are spread across dozens of different licensing models in Microsoft Azure, Microsoft Windows, and Microsoft 365.
Some of these licensing models are per endpoint, others per user, and still others are pay-as-you-go. This plethora of offerings can make it extremely difficult to predict the actual cost of the platform for a business with multiple, complex needs.
In contrast, a solution like the Singularity platform has a very simple, straightforward licensing model where customers can choose between:
All three options are licensed in a subscription model per agent/month, with no hidden costs.
It’s a natural and expected consequence of using software from one vendor that, where they have other offerings, they will try to encourage take up of their other products. But one of the most important things for an enterprise when choosing security software is how it can reduce risk, decrease dependencies, and easily integrate with the rest of the security stack.
With Singularity XDR, organizations are able to gain unified visibility across their technology ecosystem, and benefit from unparalleled data analytics with centralized cross-workload response actions.
With this approach, SentinelOne customers have the flexibility they need in order to choose a best-of-breed strategy while being able to centralize into a unified security platform.
In contrast, Microsoft’s methodology pushes organizations into a closed ecosystem, which means increasing the dependency to a single vendor that can quickly become a single point of failure.
Every vendor will tell you they are better than the competition, and it’s vital for security leaders to look at independent 3rd-party evaluation like when comparing security products.
The most recent MITRE Engenuity ATT&CK Evaluation is a good place to start.
Despite the fact that the simulation took place predominantly on Windows, Microsoft’s own security product still had 23 missed detections. During the test, they paused the evaluation 35 times to perform configuration changes, including for their detection logics: a luxury an organization does not have in the real-world during a cyber-attack.
In comparison, SentinelOne had zero misses, zero configuration changes, and 100% visibility.
Security leaders aware of the pitfalls we’ve mentioned above are choosing a best-of-breed approach and bringing in security-first vendors to partner with for their security requirements.
With Singularity, SentinelOne provides a best-in-class Extended Detection Response (XDR) platform that extends protection from the endpoint to beyond with visibility, proven protection, and unparalleled response:
SentinelOne Singularity XDR
See how SentinelOne XDR provides end-to-end enterprise visibility, powerful analytics, and automated response across your complete technology stack.
Cybersecurity is all about managing risk as effectively as possible. There is no organization in the world that is immune to cyber threats. Over the years, security leaders have been required to make a choice between best-of-suite or best-of-breed approaches for their technology stack.
With the increasing complexity of cyber threats, the continuous increase of cyberattacks, and the increased dependency on operating system vendors, organizations are looking to partner with security-first companies that can provide a holistic approach to security.
If you would like to learn more about how SentinelOne can reduce cyber risk across your entire organization – Windows, Linux, macOS, IoT, mobile and cloud workloads – contact us or request a free demo.