Pruning the Security Technology Tool Sprawl
In mid-November 2019, Tanium and Forrester released a study suggesting that the employment of stand-alone or best of breed security solutions — often one thing for IT and another thing for OT — could lead to strained relations between the two, and reduced security posture overall.
Their conclusion was that organizations need a unified endpoint management system. “IT leaders,” said the report (PDF), “today face pressure from all sides… To cope with this pressure, many have invested in a number of point solutions. However, these solutions often operate in silos, straining organizational alignment and inhibiting the visibility and control needed to protect the environment.”
In early December, Tampa FL-based security services firm ReliaQuest, released a separate report (PDF) discussing the effect of this tendency to purchase individual stand-alone tools to solve newly discovered issues. It surveyed 400 security decision makers at companies with more than 1,000 employees, and found that most consider themselves to be less secure because of too many tools.
Problems include more tools than company capacity to productively use them (71%), and a burden of maintenance forcing security teams to spend more time managing the tools than defending against threats (69%). Fifty-three percent of the respondent “say their security team has reached a tipping point where the excessive number of security tools in place adversely impacts security posture.”
“The problem,” Tanium CISO Chris Hallenbeck told SecurityWeek, “is that when a company suffers an attack or a breach, it tends to throw money at the problem. It is easier to buy a new tool than to find, attract, train and retain skilled analysts.” Underlying this is the difficulty for CISOs to find the time for strategic rather than tactical thinking, and the reality that issue-related budgets can disappear if not used quickly.
“The impetus,” he continued, “tends to be to go and buy something real quick while the money is available, and figure out how you’re going to use it later. The devil in that detail is that rarely do the organizations figure out how they are going to leverage those tools effectively. It becomes difficult [as shown in the ReliaQuest report] when you have too many of them.”
If this is the problem, what is the solution? Hallenbeck’s suggestion is Venn diagrams of product functionality to highlight overlapping and redundant security product. Overlapping security is a waste of budget and human resources while adding nothing to security. It is completely different to layered security.
“Where you have two or more products providing swathes of identical functionality,” he told SecurityWeek, “you have overlapping [bad] security. Where you have the different products just slightly clipping into each other, you are more likely have layered [good] security. Large overlaps are just duplicating effort, and you should be questioning why you’re doing that.”
He continued, “I advise companies to use Venn diagrams and look for the large overlaps. This is the opportunity to consolidate down to a fewer numbers of tools. If it leaves gaps, that’s when you go out and buy a niche tool just for the gap. It requires time to take this step back and do a strategic analysis, but in the long-term it will reduce the number of tools. It will reduce costs — not just the cost of maintaining the tools but the infrastructure needed for the tools to run on, and the training of analysts to allow effective use of the tool.”
This is not a quick fix — it requires careful and long-term or strategic planning over several years. It shows where the waste exists, but the CISO still has to plan the solution. What, for example, if two very good products provide a very large overlap of functionality? “It’s not just a case of maybe I’m getting rid of one tool or the other,” said Hallenbeck. “Maybe I should get rid of both and go to market to find a solution that meets 75% of my requirements; and then go buy a niche product that gives me the other 25%. It’s not just a case of deciding which of these tools I throw out, it may be a decision that I go back to the drawing board and push both those tools out and get a new tool that meets a larger total percentage of my needs.”
If two or more products are replaced by a single product, then their licenses need to be aligned as closely as possible to prevent additional and unnecessary cost. This itself could take a couple of years. It argues for limiting future licenses to a single year to make future pruning less costly. “It requires a strategic view if you decide to replace 2 products with one,” said Hallenbeck. “You have to try to align their renewal dates; but while waiting for the sunset, you can research, locate and implement the replacement product so that there is no gap.”
And don’t forget to mind the gap. You will still need to use the more traditional forms of gap analysis to ensure that your Venn pruning doesn’t create a new gap. But if the process is done carefully and strategically, the result is likely to be fewer tools used more efficiently at lower cost.