A couple of years ago, I had a conversation with a CISO that has stuck with me. His Board of Directors had dramatically increased the security budget without his prompting. Instead of instantly jumping at the chance to invest in new technologies, this CISO first took a step back to analyze his existing security program. What he found was alarming: due to the sheer number of tools being used by his team, each analyst was only performing roughly 45-minutes of raw analysis per day.
This problem is not uncommon. Our networks are changing faster than we can update our security strategies, and in an effort to keep pace we can often get into a vicious cycle of buying tool after tool to address the newest challenge. While this may be a fast fix, expanding our security stack in this way creates new problems as our companies and the threat landscape continue to evolve in unpredictable ways.
With many companies’ security tools numbering into the dozens, it is hardly surprising that all too often security teams suffer from alert fatigue and burnout – while genuine threats slip through the cracks.
So, if throwing more tools at the problem is neither effective, nor sustainable, how do we keep our systems safe and our security teams engaged?
The Right Balance
Globally, there are more than a million cyber security job openings. Security tools can generate hundreds to thousands of alerts each day – if a company has only two security experts, how can they thoroughly investigate each potential threat?
Removing security tools can often feel like introducing a vulnerability into the network. But this very hesitancy could actually be undermining the effectiveness of security programs. The excess of alerts generated by an excess of technologies makes it a challenge for analysts to identify and investigate genuine threats.
Not only is hiring more skilled security professionals a challenge, but it can be just as much of a band-aid fix as adding additional tools without the right core technologies and strategy in place. Appropriately paring down a security stack not only saves money that can be reinvested into the program, but also frees up time that analysts and CISOs alike can dedicate to other important tasks.
Keep it Simple
When evaluating the efficiency of an existing stack, it is critical to think about the types of threats that the network is not protected against. Can you spot insider threat, be it malicious or accidental? What about your organization’s ability to spot and contain machine-speed ransomware or never-seen-before threats? Do you have a tool for detecting stealthy campaigns that often lie quietly in networks? How quickly can you catch a foreign presence that is already in operation on your network?
Perimeter defenses were not created with the threats that are already inside the network in mind. Take insider threat. Forrester research found that 36% of security breaches are caused by the unwitting actions of non-malicious employees. At least one technology needs to be capable of identifying and stopping threats from the inside out.
In recent work with a client, we saw an advanced external actor editing history files in an attempt to hide evidence of their activity. Without a tool tracking network activity and searching for abnormalities in real time, this attack would have gone entirely undetected by the organization. Technologies that can provide real-time visibility into the activity of users and devices are crucial to a well-rounded security stack.
As networks become more connected and complex, AI will also be essential in defending the many moving parts. By simplifying wildly complex networks and making it easier for security teams to triage threats, AI makes it easier for security teams to catch threats and defend their businesses.
It’s critical that we simplify our security programs. Layers upon layers of perimeter tools won’t help to protect a company from a spear-phishing attack or a malicious insider. The focus needs to be on getting the basics right, with organizations deploying a variety of tools that enable their teams to detect any vulnerability or emerging threat.
At the same time that we evaluate, and potentially simplify, our security stacks, it’s critical we look towards technology that goes beyond simply catching known threats. In an age where second-guessing attackers is often futile, AI technology offers the best chance to catch and thwart the threats that have never been seen before, or the ones that have slipped into networks undetected. Without the tools that can detect the threats of the future, security professionals will constantly find themselves playing catch up.
Just as legacy security tools are proving ineffective at detecting novel threats, the current threat landscape is also demanding we adopt a new strategy. By only employing security tools that offer numerous advantages beyond threat detection, you can pare down your program and still ensure the security of your network. It may be time to couple ‘defense-in-depth’ with the understanding that when it comes to security stacks, less actually can be more.