As the need for security controls and the associated rise in cybersecurity spending has risen, we have failed to deliver any real progress as an industry, which is particularly evidenced by the continued exponential growth in cyber risks.
The typical information security team today struggles with a simple but frustrating and potentially dangerous problem — an overload of security software that require deployment, operation, and maintenance. These tools generate a flood of alerts that often require manual intervention, all of which often get dismissed by an overburdened security team.
About the author
Stan Wisseman, Head of North American Cybersecurity Evangelist Team, Security, Risk and Governance (SRG) Micro Focus.
To satisfy business needs, reduce cyber risks, and maintain compliance requirements, enterprises are assessing their current security tool portfolios to determine the degree of redundancy or limited capabilities of each tool and alternative approaches. However, to be successful, businesses must first understand what it is they’re looking for.
Types of Security Controls
First and foremost, there are three primary types of security controls that security tools are used to support:
- Protection occurs when an action or control either prevents weaknesses upfront, whether in the design and development, or stops a malware infection or cyberattack before it impacts users or the environment.
- Detection means identifying a bad actor (internal or external) in the environment.
- Response is a reaction to the discovery of an issue that has initiated a malicious action and attempting to contain it before it impacts the user and/or the organization.
From a cyber-risk perspective, prevention focuses on minimizing vulnerabilities and the potential for harm, while detection and response center on minimizing the impact. Additionally, there are three primary approaches to implementing a control:
- Automated control occurs entirely through machines
- Semi-automated control involves some level of human intervention
- Manual control is managed entirely by a human
As organizations mature their capabilities, many will transition from manual controls to semi-automated and automated controls, when appropriate.
“Tool Sprawl” - Creating a False Sense of Security and Frustration
Given consistent and mounting news of data breaches, what companies tend to do is deploy an increased number of tools to prevent and detect cyberattacks in an effort to fortify their security capabilities. Cybersecurity tool sprawl comes from the aftermath of repeated attempts to close evolving security gaps, which results in using too many one-off specialized solutions. However, deploying more security tools isn't the best way to stop breaches — in fact, it can have the opposite effect.
Organizations on average run 25 to 49 security tools from up to 10 different vendors, according to the Enterprise Strategy Group (ESG), and 40 percent of organizations are so taxed that they cannot act upon at least a quarter of their security alerts, according to 451 Research. Unsurprisingly, “tool sprawl” is particularly prevalent at larger companies, especially those who have undergone mergers or acquisitions. It’s reported that these firms have approximately 30 percent more tools than their smaller counterparts.
Organizations that fail to keep cybersecurity tool sprawl under control inevitably end up creating chaos and inefficiencies. A tool smorgasbord leaves enterprises to cobble together a piecemeal security strategy in order to support their distributed environment and business needs, resulting in decreased productivity, inefficient workflows, and higher overall costs. There is also the potential that vulnerabilities could also increase through mismanagement, as resources supporting the tools are overwhelmed and are unable to keep up with upgrades or patch management.
How can we regain control of our security controls?
There are simple measures that can be put in place to curb security tool sprawl, gain operational and cost efficiencies, and to obtain value and expected ROI of tool inventory. Here are several best practices businesses can use:
1. Understand the value of what the business already has: First, businesses need to ensure all its tools are doing what they’re supposed to by ensuring they are deployed and properly configured and upgraded as necessary. Then assess whether the tools are delivering the ROI expected.
2. Leverage existing tools to the fullest extent possible: Assess the capabilities and scope of coverage for the security tools the business already owns and identify opportunities to expand use cases. (Why buy something new if an existing tool can provide the same function?) Typically, a tool is deployed for a set of use cases and never taken beyond that scope. It’s important to review the full feature set and the vendor’s product roadmap to understand what’s coming so that the business can incorporate upcoming capabilities into its program plans.
3. Integrate and consolidate: The days of a single vendor offering a proprietary stack are gone. In this heterogeneous tool environment, integration and consolidation helps maximize the value of the tools used to support programs. While a tool may be best-in-class, if it can’t integrate with other tools the business has deployed, it will result in operational hardship for the team. With the resource challenge most cybersecurity programs face, reducing manual processes is essential. The easier it is for tools to share data and information, the easier it will be to create automated or semi-automated workflows. Tools that can work together will leave fewer gaps, making them better able to protect, detect, and respond to cybersecurity threats.
4. Use a platform approach: Organizations should consider taking a platform-approach or shared service model that offers security services. This approach can offer improved efficiencies, lower costs, and result in greater overall effectiveness. It also enables businesses to have a layer of abstraction that make changes to the technology supporting the services easier.
Yet, organizations still struggle to find the right balance of security tools to prevent, detect, and respond to cyber threats. As the trend to adopt security tools delivered via cloud services and SaaS-based procurement models accelerates, it will become even more important to rationalize security tool inventories to root out the inefficiencies. By regularly evaluating and taking stock of the resources and tools already available to a business, security teams can better meet security needs – both now and in the future – without compromising efficiency and cost.