All too often, organizations end up either with missing cybersecurity tools or cybersecurity tools that just don’t meet their needs.
If you have a toolset that isn’t able to effectively protect your organization, you’re vulnerable to threat actors, malware, and more. You also might not be meeting basic regulatory compliance, and failing your compliance obligations can have very serious consequences for your business. As a result, it’s important for you to know how improper security tooling occurs, what it looks like, and how to correct it.
Why Does Using the Right Tools Matter?
One common issue organizations have with cybersecurity tooling is using tools that compete with each other. As an example, some organizations have multiple antivirus tools, and they end up with more than one antivirus on the end users’ computers.
In that case, you have two tools that are trying to do the same thing with the same files at the same time. This competition chews up a lot of resources, and there’s not much left on the machine for the end users to actually do their work. It makes for a horrible user experience.
Another issue is having gaps in your security coverage. A great example is with Microsoft Defender. I recommend Microsoft Defender for our smaller organizations, but the problem with it is that without adding significant cost per endpoint for the Microsoft 365 E5 cloud suite, there’s no single pane of glass where you can look at all the alerts that your users have received.
You either have to go ask the users, which is weird from a security perspective, or you have to build something that collects all of that log information and sends it someplace else — effectively building your own single pane of glass. So now you’re building something on top of a tool, despite the fact that it was a purchased package.
If you’re using bubblegum and binder-twine to scrape that security information, that’s probably a clue that you have a problem. You’re going to be paying your InfoSec people to build and maintain security tools to fill these gaps because the tools you chose don’t meet your needs.
So in the best case, you end up with unhappy users and increased business costs. And in the worst case, you may end up with a very serious security incident that rapidly escalates.
Attackers are savvy, and threat actors will quickly find the blind spots left by piecemeal deployments. That can significantly increase the severity and duration of a security incident.
How Do Organizations End Up Using the Wrong Cybersecurity Tools?
The vast majority of tools that are on the market are effective at some level, but they end up being the wrong tools because people are uninformed about how best to use each tool. Organizations make decisions without actually looking at how the tools work together and integrate.
Vendor Bundling
Vendor bundling is a big reason why people have the wrong technology in place. Let’s say you buy an endpoint detection and response (EDR) tool. Maybe the EDR tool throws in data loss prevention (DLP) for free because the vendor wants to get a foothold.
And then you find out that the DLP portion of the tool is absolutely worthless because it’s not a development priority for the vendor. But you love the EDR tool, so you limp along with the DLP because it was bundled.
This leaves you in a position of using the wrong tool for a critical security function, and it puts your organization at risk.
Sourcing
When Sourcing personnel get involved, they usually aren’t very technical. And if your organization doesn’t have a strong vendor evaluation and vetting process, Sourcing will often choose the lowest-cost provider regardless of whether it actually fits into the portfolio or even performs the intended function.
Sometimes Sourcing throws a wrench in the works unintentionally, not realizing that the decision will carry a much greater long-term cost.
Backroom Deals
Unfortunately, it’s common in the industry for people to have vested interests in a preferred vendor, for a variety of reasons. Maybe there’s a partnership, or maybe there’s an interest in money flowing in one direction versus another.
Organizations rarely build their cybersecurity program from the ground up in one go; it grows over time, and during that time, especially in larger organizations, silos and office politics can form. You’ve got teams that are happy with their little piece of the puzzle, and they’ve got great tools.
They’re happy with what they have, and they don’t care that there might be something better out there. But while the tooling might work great for one team, it might be inconvenient, clunky, or incompatible for the rest of the organization.
Leadership Disengagement
Unfortunately, it’s possible that IT leadership is either disengaged or distracted, and they really don’t know what’s going on in security. Perhaps they’ve delegated that to someone else in the organization. And when it comes down to the financial decisions, there’s no leadership support for teams to get the tools that they need.
As a result, people are scrambling to try to fill the gaps with shareware, freeware, or other best effort types of tools.
What Are Some Signs That You’re Using the Wrong Security Technology?
Here are 7 signs that your security technology isn’t meeting your organization’s needs.
1) Poor Endpoint Performance
From an end user perspective, when you see poor endpoint performance, that’s a pretty clear sign that there’s a problem. There needs to be a balance between security technology and user capability. Unhappy users or signs of an adversarial relationship with InfoSec are clues that you probably don’t have the right technology — or that you don’t have it tuned or integrated.
Typically, users are going to be unhappy if there are performance issues, but users are also going to be unhappy if security tools and processes are just getting in the way.
2) Poor Implementation
IT is a three-legged stool: you have people, process, and technology. The act of buying a vendor tool only covers the technology piece. If you haven’t worked with your people on how to use and operate the tool, then it’s not going to be very successful.
Maybe the tool’s processes are too hard or incompatible with your business. Maybe your employees aren’t able to work with the tool. In either case, it’s a sign that you need to reevaluate how you implemented the tool and correct the errors.
3) Filling Gaps with Custom Tooling
I mentioned custom tooling earlier. If you come into InfoSec and see a lot of custom tooling and bubblegum and binder-twine holding the shop together, that’s probably a clue that you don’t have the right overall portfolio.
The whole reason for buying purchased packages in the first place is to push indemnification and support issues onto a third party and pay them for that service. It’s redundant to be building onto a package that’s supposed to already do everything for you.
Plus, it’s very rare that organizations have the appropriate maintenance and control structures in place for their custom code. It just kind of works until it doesn’t. Then you’re left scrambling to figure out why it doesn’t work and who can fix it.
4) Lacking Comprehensive Visibility
Not being able to see what’s going on in the whole business is especially common after mergers and acquisitions — the acquired company’s IT doesn’t look anything like the IT for the acquiring company. Tooling can then become a problem because you want to have that single pane of glass.
So you really have to think hard about what you can and can’t disrupt. You bought the acquisition because you liked what they were doing. You don’t want to upset the apple cart too much and change that business.
But by the same token, you still need to be able to secure it because they’re now part of your organization. A breach for them is a breach for you.
5) Lack of Reporting
Another very clear sign of poor tooling is if there is no reporting for a given tool or set of tools. This could include health monitoring, endpoint health, incident tracking, etc. If there’s no way to know where you stand with that tool at any given moment, you could be in trouble.
If the tool is really lacking reporting in your environment, that’s a clue that it might not be the right tool for your environment. Your tools need to be producing useful, actionable reports.
6) Your Tools Can’t Talk to Each Other
Another warning sign is if your tools aren’t able to talk to each other, or at least to a centralized event management solution such as a security information and event management (SIEM) tool. These are log aggregators like Splunk: every tool sends its events to one place, and you then run analytics against that one place to pull together security intelligence from across your entire organization.
If you can’t get your tools to integrate with your SIEM, or with any of the other tools in your environment, then you probably don’t have the right suite, and you have to look at swapping some of those out.
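As an added illustration of what getting everything into "one place" buys you (example code written for this article, not from the original post or from any vendor), here is a minimal Python sketch of the two jobs a SIEM does: it normalizes two constructed feeds, a key=value antivirus log and a JSON EDR log, into one common schema, and then runs a correlation across them that neither tool could produce alone. The tool names ("av", "edr"), hostnames, log formats and log lines are all constructed for the example and do not describe any real product.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines from two hypothetical tools ("av" and "edr").
# Neither format belongs to a real product; they stand in for the different
# native formats a SIEM has to reconcile.
AV_LOG = """\
2024-05-01T10:00:05Z host=ws-017 action=quarantine threat=Trojan.Generic severity=high
2024-05-01T10:20:00Z host=ws-042 action=scan_complete threat=none severity=info
2024-05-01T13:02:00Z host=ws-042 action=detect threat=PUA.Adware severity=low
"""

EDR_LOG = """\
{"ts": "2024-05-01T10:03:10Z", "hostname": "ws-017", "rule": "suspicious-powershell", "score": 80}
{"ts": "2024-05-01T11:45:00Z", "hostname": "srv-db-02", "rule": "lsass-access", "score": 90}
"""

AV_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) action=(?P<action>\S+) "
    r"threat=(?P<threat>\S+) severity=(?P<sev>\S+)$"
)
AV_SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3}


def parse_ts(text):
    """Parse the ISO-8601 UTC timestamps both constructed tools emit."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_av(line):
    """Map one key=value AV line onto the common schema; None if not an alert."""
    m = AV_RE.match(line)
    if m is None or m["threat"] == "none":
        return None  # malformed line or routine housekeeping, not an alert
    return {
        "ts": parse_ts(m["ts"]),
        "host": m["host"],
        "tool": "av",
        "severity": AV_SEVERITY[m["sev"]],
        "detail": f"{m['action']}:{m['threat']}",
    }


def normalize_edr(line):
    """Map one JSON EDR record onto the common schema (score -> 0..3 severity)."""
    rec = json.loads(line)
    score = int(rec["score"])
    severity = 3 if score >= 75 else 2 if score >= 50 else 1
    return {
        "ts": parse_ts(rec["ts"]),
        "host": rec["hostname"],
        "tool": "edr",
        "severity": severity,
        "detail": rec["rule"],
    }


def ingest(av_text=AV_LOG, edr_text=EDR_LOG):
    """Normalize both feeds into one time-ordered list: the 'one place'."""
    events = []
    for line in av_text.splitlines():
        ev = normalize_av(line)
        if ev is not None:
            events.append(ev)
    for line in edr_text.splitlines():
        if line.strip():
            events.append(normalize_edr(line))
    return sorted(events, key=lambda ev: ev["ts"])


def correlate(events, window_minutes=15):
    """Hosts on which two *different* tools alerted within the window.

    Returns {host: sorted list of tool names}. A host that only one tool
    complained about never qualifies; that cross-tool view is exactly what a
    set of non-integrated tools cannot give you.
    """
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for ev in events:  # events are already time-ordered, so b is never before a
        by_host[ev["host"]].append(ev)
    hits = {}
    for host, evs in by_host.items():
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["tool"] != a["tool"] and b["ts"] - a["ts"] <= window:
                    hits.setdefault(host, set()).update({a["tool"], b["tool"]})
    return {host: sorted(tools) for host, tools in hits.items()}


def alert_counts(events):
    """Per-tool alert totals, the minimum a health/reporting view should show."""
    counts = defaultdict(int)
    for ev in events:
        counts[ev["tool"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = ingest()
    print(alert_counts(evs))   # {'av': 2, 'edr': 2}
    print(correlate(evs))      # {'ws-017': ['av', 'edr']}
```

The point of the schema is that `correlate` never has to know which product produced an event: once the AV's text severity and the EDR's numeric score are mapped onto one scale and one timestamp format, a single rule covers both. When a tool cannot be made to emit into that schema at all, that is the integration failure the section above describes.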
7) Vendor Unresponsiveness
Lastly, if your vendors aren’t responsive when you have issues, or they’re not working to resolve concerns in a timely manner, that’s a sure sign that you don’t have the right tools. Your vendors in the cybersecurity space need to be partners. And because of the nature of this business, they need to be very responsive.
One vendor out there has created a large portfolio of phenomenal individual security tools through acquisitions and integrated them into their own portfolio. But while the tools are great, the vendor is very unresponsive to customers.
A lot of customers that I’ve worked with are walking away from that vendor because they just don’t like them as a company, even though they’ve got some industry leading tools. When they have an issue, it takes days, weeks or even months to get a response.
That’s not acceptable in the security space. Depending on the nature of the issue, you’d better have a response almost immediately. If the issue isn’t related to incident response, then the vendor should at least acknowledge the issue and provide an expected resolution timeline within 24-48 hours.
With a lot of these vendors, inquiries just sit. They’re not offering technical account managers, so there’s no way to call. You submit a case and it goes into a black hole, and then you don’t have a status update until they feel like getting around to it. It’s especially common with some of the bigger vendors.
Understand what your support models are and get them written into the contracts with your vendors. You should have SLAs (Service Level Agreements).
What Should You Do if You See These Signs?
First and foremost, be the squeaky wheel: you need to speak up. But you also need to do so carefully. If you don’t understand the office politics that are in play, you could be walking into a den of vipers.
A lot of times, organizations get into these situations entirely by accident. Tooling happens over time and grows organically. Gaps happen. As you recognize these gaps, highlight them in a friendly, non-confrontational manner. As a best practice, approach leadership with solutions, not problems.
When it comes to fixing your security technology problem, it might not simply be an issue of having the wrong tools. It may be that they were implemented poorly. Perhaps you didn’t talk about processes or neglected to train your people. Sometimes just reimplementing tools can be a fix to fill the gaps. When you implement your security tools correctly, often they can do what the vendors claim.
Other times, you’re going to have to reevaluate your portfolio. You may have to look at new vendors or other capabilities. There’s no silver bullet with portfolio reevaluation.
Some companies prefer to pick the best tool for everything. That’s a great strategy, until those tools don’t integrate. Others want to build everything in-house, but it takes a really long time to build all these functions when there are already turnkey solutions out there.
Again, there is no perfect answer that fits every organization. The key is to look at the portfolio holistically, break down the silos, and make conscious decisions based on what works best for your organization.
Black Kilt Provides End-to-End Consultancy and Implementation to Meet Your Organization’s Needs
This is where Black Kilt is different. Our staff has decades of experience across a wide array of security tools and vendor portfolios, and we’re vendor agnostic — we don’t push one vendor over another. We don’t have any backroom deals on the table with cybersecurity vendors that would motivate us to recommend one over another.
We can provide a truly honest assessment from an outside perspective of what’s working well, what could benefit from reimplementation or better integration, and what just needs to be replaced.
Not only will we help you select the right vendors, but we’ll take it all the way through to implementation, training, and transition to operations. We’ll train your people. If you don’t want to run it, we’ll help you find a company that fits your needs and your budget that is capable and can run that security tool successfully for you.