Palo Alto Networks recently conducted a global security survey with over 1,300 C-level executives across multiple industries to assess trends in cybersecurity tooling. They discovered that on average, companies had more than 13 vendors and 31 different security tools.
All things being equal, most organizations can comfortably execute their InfoSec functions with fewer tools. But companies buy specific tools to solve specific problems, and no tool is going to solve every problem. So you end up with a glut of cyber tech.
The holy grail in IT security is to get as close to a single pane of glass as possible—in other words, you want to optimize your portfolio, eliminating redundancies and integrating what’s left for one cohesive view of incidents and compliance.
How Do Cybersecurity Portfolios Become Inefficient?
In most cases, optimization doesn't happen because organizations overbuy from vendors. They want the best-of-breed tool for each feature or capability. A good example is a tool like Tanium, which organizations may purchase for one particular feature, such as ad hoc threat hunting or endpoint management.
However, Tanium is a portfolio of tools, and it can do things like compliance, policy enforcement, patching, and vulnerability management. But if you looked at it for just one capability, you may not even be aware of everything else that tool provides. You then look to other companies for a capability you already have and end up with tools from three different sources all doing the same thing.
Other times you may have the potential capability in a tool, but it’s module based. You’ll have to purchase additional modules, but that may be more cost effective than going through the process of buying a separate tool and creating a separate relationship with a new vendor.
Very often, these vendors are competitive and there’s not much incentive for them to integrate. So while you might be trying to build a stool where all the legs work together, those legs actually tend to interfere with each other.
Imagine you’ve got two antivirus products trying to do the same thing. They may be trying to scan the same files or the same folders at the same time. The machine will be slow and sluggish for the user, because things are getting blocked. The competing products may not effectively find malware because they keep interfering with each other.
A lot of businesses will try to fix a problem by throwing money and vendors at it. Unfortunately, we have to remember that in the IT world, it takes people, process, and technology.
Buying a tool only solves the technology part. How does your process change if you bring in a particular tool? Is a tool going to force you to change your process, or will the tool conform to fit your existing process?
Even more importantly, your people have to use and interact with these tools. Have they been trained? Are they receptive to changing tools or are they going to resist? I’ve come into organizations before and seen millions of dollars of tools that were purchased, just sitting there unused because the team wanted to use their old tools.
Poor Integration Is a Security Risk
In the security world, when your security tools aren’t talking to each other, it means you’re not correlating events from your various tools. As a result, you’re likely going to end up with false positives. One tool is going to complain about something when you have data from another tool that could tell you that it’s not a real problem.
For example, your remote VPN solution notifies you that an employee logged in today from Detroit—that’s their usual location, so everything is fine. But then you notice from another tool that there’s an instance of the same employee logged in from a server in Boston.
That might trip an alert, because they had just logged in from Detroit. But if you were able to correlate the events, you would know that after the employee logged in from Detroit, you saw them open a remote session and access that server in Boston. So they’re not in Boston; they were remoting in.
Looking at individual events without the bigger picture often leaves you with a false interpretation.
But somebody has to investigate that false positive incident, or the tool that’s generating the false positives is going to be ignored and pushed to the side. And then you’re not getting any value out of that tool.
False positives are bound to happen, but by the same token, if you’re alerting on events in that same login scenario without correlating location, you may miss a real event by dismissing it as a false positive.
Maybe somebody logged in directly from Boston and the employee is sitting there in Detroit. You wouldn’t know that because you didn’t correlate their Detroit login with the remote logins over the two different systems and two different data sources. If you had an integrated system, it would catch both of those scenarios and would realize when it’s not a problem, as well as realizing when it is.
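The Detroit/Boston correlation described above, as an added example that is not code from the original post: the events, field names and the 30-minute window are constructed. It joins three sources (a VPN log, a remote-session log and a server login log) so that a Boston server login is marked benign when it is explained by a remote session from the user's Detroit VPN session, and suspicious when it is not.

```python
from datetime import datetime, timedelta

# Constructed: how long after a VPN login we trust it to explain a remote hop.
WINDOW = timedelta(minutes=30)

# Constructed sample events from three tools, normalized to one schema.
# src "vpn" = remote VPN log, "jump" = remote-session log, "srv" = server auth log.
EVENTS = [
    {"src": "vpn",  "ts": "2024-03-04T08:01:00", "user": "jdoe", "city": "Detroit", "ip": "203.0.113.10"},
    {"src": "jump", "ts": "2024-03-04T08:05:00", "user": "jdoe", "ip": "203.0.113.10", "dst": "bos-srv-01"},
    {"src": "srv",  "ts": "2024-03-04T08:05:20", "user": "jdoe", "city": "Boston", "host": "bos-srv-01"},
    # Second scenario: a Boston server login with no remote session from jdoe's Detroit VPN session.
    {"src": "srv",  "ts": "2024-03-04T08:20:00", "user": "jdoe", "city": "Boston", "host": "bos-srv-02"},
]

def classify_server_logins(events):
    """Return (ts, host, verdict) for every server login, correlated across the three sources."""
    vpn = [e for e in events if e["src"] == "vpn"]
    jumps = [e for e in events if e["src"] == "jump"]
    results = []
    for e in events:
        if e["src"] != "srv":
            continue
        t = datetime.fromisoformat(e["ts"])
        # Tool 1: the user's most recent VPN login inside the window.
        recent = [v for v in vpn
                  if v["user"] == e["user"]
                  and timedelta(0) <= t - datetime.fromisoformat(v["ts"]) <= WINDOW]
        if not recent:
            results.append((e["ts"], e["host"], "no_vpn_context"))  # nothing to correlate
            continue
        v = max(recent, key=lambda x: x["ts"])
        if v["city"] == e["city"]:
            results.append((e["ts"], e["host"], "consistent_location"))
            continue
        # Locations differ. Tool 2: was a remote session opened from that VPN session to this
        # host between the VPN login and the server login? Then it is the Detroit user remoting in.
        explained = any(
            j["user"] == e["user"] and j["ip"] == v["ip"] and j["dst"] == e["host"]
            and v["ts"] <= j["ts"] <= e["ts"]
            for j in jumps)
        verdict = "explained_by_remote_session" if explained else "suspicious_direct_login"
        results.append((e["ts"], e["host"], verdict))
    return results

if __name__ == "__main__":
    for ts, host, verdict in classify_server_logins(EVENTS):
        print(ts, host, verdict)
```

Looked at through any single source, both Boston logins look identical; only the join across the three logs separates the benign remote session from the one that deserves an investigation.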
How Does Poor Cybersecurity Integration Hurt Your Business?
The most obvious effect of poor integration is a longer mean time to detection and resolution. It’s possible you might not be detecting certain events because they were small, innocuous things that didn’t trip an alert in any one tool. But when you put them together, they paint a picture of something nefarious.
It could be little things, like logins from different locations, or the fact that someone was doing operations simultaneously from different machines in different places. Well, how can that be? If your fingers were on the keyboard, you wouldn’t be able to do multiple actions at the same time. Is a script running? If so, why is it running as that user, and not with a service account?
Indirectly, you may spend a lot of time looking at false positives. You may end up overhiring people. It takes a certain number of people to run a tool, and these are security tools — they run 24/7, 365 days a year. And because those people are all security professionals, they’re all pretty well paid.
Imagine trying to train your organization on 31 different tools. The truth is, it doesn’t happen. So you’ve got people who are not trained trying to run and use this technology, and that can harm your organization.
Poor cybersecurity integration also breeds silos. When you have silos, you have parts of the organization not talking to each other and creating blind spots. Threat actors look for those blind spots because that’s how they can sneak into an organization undetected.
If your organization is particularly complex, your incident responder may need to pivot between five and seven different tools in order to capture the appropriate data and contain the incident before it spreads. If you properly optimize your integration, an event orchestration tool can make this significantly more manageable.
Integration allows you to initiate actions in all seven of those tools with a single console instead of opening new windows, logging into each tool individually, and then navigating to the screens needed to take the appropriate actions.
By the same token, portfolio optimization may reduce those seven tools down to just two.
Optimize Your Organization’s Portfolio with Black Kilt
Black Kilt has helped organizations of every size optimize their cybersecurity portfolio. For example, we had a major financial institution that needed file integrity monitoring (FIM) at the application level for PCI compliance.
When I first came in, the FIM tool was generating over 120,000 events a day. So many of those events were essentially being ignored that the auditors noticed, and Black Kilt got called in for a FIM engagement.
We were able to take their daily event number down to under 20,000. Even more importantly, we were able to group those events by application.
What was generating 120,000+ alerts a day got grouped on average into less than twelve applications a day. From there, once we knew which applications they were assigned to, we were able to tune those rules and further eliminate a lot of those events because they were false positives.
We reduced the storage being consumed in the event repository, we reduced the number of events, and we reduced the overwhelming amount of work for the incident responders by directing the consolidated events to the individual application teams that were better suited to triage the events.
What Black Kilt Can Do for Your Portfolio
To optimize your cybersecurity tools, start with a portfolio review. Document all your tools and look at where those tools fall from an industry perspective. Review which ones are working, which are not, and look at functionality overall to figure out where there’s overlap between the various tools.
Black Kilt has a wide array of consultants who have worked with a variety of industry tools and we are vendor agnostic. We can evaluate the whole portfolio objectively and make recommendations for your organization.
That’s just on the simplification front — integration is also where we excel. Not only can we help integrate your tools with security information and event management (SIEM) repositories, we can also help to integrate those tools with the rest of your IT portfolio. Some major players in the security market seem to think integration is where it’s at, and so does Black Kilt.
Is Portfolio Optimization Achievable Without a Third Party?
Employees tend to be protective of their portfolio. It’s not that there’s malicious intent or ill will towards their company, but people get comfortable with their portfolio and they’re very unlikely to be open to changing tools. Black Kilt doesn’t have those allegiances to vendors, and we don’t have any motivations to protect any personal domains that have been built. We’re aware that they probably exist, and our job is to build bridges with each of those domains, break down those walls, and manage the entire initiative as a change management exercise. We get people on board with change and motivate them to want to move in the new direction.