As breaches have proliferated, so have the technologies designed to stop them — and businesses have deployed them with gusto, with global spending expected to exceed $124 billion this year, according to Gartner.
“There is a proliferation of security tools — more than we have ever had before — but breaches continue to happen,” said Matt Chiodi, chief security officer of public cloud with Palo Alto Networks.
Speaking at RSA Conference 2019 in San Francisco, Chiodi and Sandy Wenzel, consulting engineer for security operations for Palo Alto Networks, stressed that simply deploying more technology is not the best way to stop breaches. Companies need to be smart about how they approach cybersecurity.
Why Businesses Started Using So Many Cybersecurity Tools
Chiodi traces the proliferation of tools inside organizations’ cybersecurity environments to the Lockheed Martin Cyber Kill Chain, a framework Lockheed Martin published in 2011 for identifying and preventing attacks. It’s a useful tool, Chiodi said, but it gave security teams too much to manage, leading them to create discrete teams and seek technology solutions for each part of the kill chain.
“What we have seen in our research and talking with customers is each of these teams and data were siloed,” Wenzel said. No one was looking at the entire chain.
“As we look at things, small organizations are using on average between 15 and 20 tools, medium-sized businesses are using 50 to 60, and large organizations or enterprises are using over 130 tools on average,” Chiodi said. “This is just massive!”
But it’s not just about the number of tools organizations have. It’s also about the costs that sit behind each tool: the sticker price; the cost of someone to manage it; the cost of making sense of the data coming from it; and the cost for a security operations center, or SOC, to tie it all together. “These four things added together lead to the actual cost of product or the total cost of ownership,” Chiodi said.
How to Declutter Your IT Security Solutions Stack
Wenzel noted that no technology will make any organization breach-proof. Instead, organizations should take a measured approach to selecting security tools, following this methodology:
Step 1: Create an inventory of existing security tools
- Create a spreadsheet with all tools.
- Determine why each tool was originally purchased.
- Document which available features the organization is using.
- Document how each tool shares threat intelligence.
“You don’t have to talk to vendors yet on this step,” Wenzel said.
Step 2: Create a tools coverage map
- Determine your critical coverage categories (for example, CIS-20 or Essential 8).
- Analyze how well each tool covers the category.
- Expect to be surprised by how much overlap you find.
“This will help you find redundancy inside your security coverage,” said Chiodi. This will allow you to save money by eliminating different products that are doing the same thing.
Step 3: Compile and categorize your list of incidents
- Work with your SOC/IT team.
- Define a set of incident categories (actions), or reuse an existing one.
- For each action, track the number of occurrences, its percentage of the total, and the cumulative percentage (a Pareto analysis).
“If you’re not tracking these types of things, you’re doing yourself a disservice,” said Chiodi. “This helps your organization to focus on what actions have the greatest risk impact to help you make that risk-based decision.”
Step 4: Map your security portfolio to the “vital few” you really need
“This is about reducing the complexity and focusing on the vital few controls that will give you the most control effectiveness,” said Chiodi. “Look at your security tools, find the ones that give you the most joy and say goodbye to those that no longer fit.”
“This will also allow you to see not only where you have redundancy but where your coverage gaps are as well,” said Wenzel.
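The four steps above are easy to run as a small script once the inventory exists. The following Python is an added worked example, not code from the talk or from Palo Alto Networks: the tool inventory, the category list and the incident log are all constructed for illustration, the category names only loosely echo the CIS Controls, and the greedy "drop a tool if everything it covers stays covered" rule in step 4 is this example's own heuristic, not something the speakers prescribed.

```python
"""Worked example of the four-step tool rationalization (constructed data)."""
from collections import Counter

# Step 1: inventory. Constructed for this example: tool -> the critical
# categories the organization actually uses it for (not the features it could
# cover). Names loosely follow CIS Controls headings.
TOOL_INVENTORY = {
    "endpoint-av": {"malware defense", "inventory of software"},
    "edr-agent": {"malware defense", "audit logs", "inventory of software"},
    "vuln-scanner": {"vulnerability management", "inventory of hardware"},
    "siem": {"audit logs", "incident response"},
    "log-aggregator": {"audit logs"},
    "email-gateway": {"email and browser protections", "malware defense"},
}

# Step 2: the critical coverage categories chosen as the yardstick (constructed).
CRITICAL_CATEGORIES = [
    "inventory of hardware",
    "inventory of software",
    "vulnerability management",
    "malware defense",
    "audit logs",
    "email and browser protections",
    "incident response",
    "data recovery",
    "security awareness",
]


def coverage_map(inventory, categories):
    """Return {category: sorted tools covering it} for the chosen categories."""
    cov = {c: [] for c in categories}
    for tool, covered in inventory.items():
        for c in covered:
            if c in cov:
                cov[c].append(tool)
    return {c: sorted(tools) for c, tools in cov.items()}


def redundancies(cov):
    """Categories covered by more than one tool: consolidation candidates."""
    return {c: tools for c, tools in cov.items() if len(tools) > 1}


def gaps(cov):
    """Categories no tool covers at all."""
    return sorted(c for c, tools in cov.items() if not tools)


# Step 3: constructed incident log, one category label per ticket (30 tickets).
INCIDENTS = (
    ["phishing"] * 12
    + ["malware on endpoint"] * 7
    + ["misconfigured cloud storage"] * 5
    + ["credential stuffing"] * 3
    + ["lost device"] * 2
    + ["ddos"] * 1
)


def pareto_table(incidents):
    """Rows of (category, occurrences, percent of total, cumulative percent),
    most frequent first. Cumulative share is computed from integer counts so
    the threshold comparison below is exact."""
    counts = Counter(incidents)
    total = sum(counts.values())
    rows, running = [], 0
    for category, n in counts.most_common():
        running += n
        rows.append((category, n,
                     round(100.0 * n / total, 1),
                     round(100.0 * running / total, 1)))
    return rows


def vital_few(rows, threshold=80.0):
    """Leading categories whose cumulative share first reaches the threshold."""
    chosen = []
    for category, _n, _pct, cum in rows:
        chosen.append(category)
        if cum >= threshold:
            break
    return chosen


# Step 4: greedy consolidation (this example's heuristic). Walk tools from the
# narrowest critical coverage to the widest and drop one whenever every
# critical category it covers is still covered by the tools that remain.
def consolidate(inventory, categories):
    """Return (tools to retire, tools to keep) without opening a coverage gap."""
    critical = set(categories)
    keep = dict(inventory)
    dropped = []
    for tool in sorted(inventory, key=lambda t: (len(inventory[t] & critical), t)):
        others = set().union(*(keep[t] for t in keep if t != tool))
        if (keep[tool] & critical) <= others:
            del keep[tool]
            dropped.append(tool)
    return dropped, sorted(keep)


if __name__ == "__main__":
    cov = coverage_map(TOOL_INVENTORY, CRITICAL_CATEGORIES)
    print("redundant:", redundancies(cov))
    print("gaps:", gaps(cov))
    rows = pareto_table(INCIDENTS)
    for row in rows:
        print(row)
    print("vital few:", vital_few(rows))
    print("retire / keep:", consolidate(TOOL_INVENTORY, CRITICAL_CATEGORIES))
```

On the constructed data the coverage map flags audit logs and malware defense as triple-covered and data recovery and security awareness as gaps, the Pareto table shows three incident categories accounting for 80% of tickets, and the greedy pass retires the log aggregator and the standalone AV while keeping every critical category that was covered before. The greedy rule is deliberately conservative: it never removes the last tool covering a category, so gaps found in step 2 still have to be closed separately.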