The Diminishing Returns of Our Constantly Growing Security Stacks

A couple of years ago, I had a conversation with a CISO that has stuck with me. His Board of Directors had dramatically increased the security budget without his prompting. Instead of instantly jumping at the chance to invest in new technologies, this CISO first took a step back to analyze his existing security program. What he found was alarming: due to the sheer number of tools being used by his team, each analyst was only performing roughly 45 minutes of raw analysis per day.

This problem is not uncommon. Our networks are changing faster than we can update our security strategies, and in an effort to keep pace we can often get into a vicious cycle of buying tool after tool to address the newest challenge. While this may be a fast fix, expanding our security stack in this way creates new problems as our companies and the threat landscape continue to evolve in unpredictable ways.

With many companies’ security tools numbering into the dozens, it is hardly surprising that all too often security teams suffer from alert fatigue and burnout – while genuine threats slip through the cracks.

So, if throwing more tools at the problem is neither effective, nor sustainable, how do we keep our systems safe and our security teams engaged?

The Right Balance

Globally, there are more than a million cyber security job openings. Security tools can generate hundreds to thousands of alerts each day – if a company has only two security experts, how can they thoroughly investigate each potential threat?

Removing security tools can often feel like introducing a vulnerability into the network. But this very hesitancy could actually be undermining the effectiveness of security programs. The excess of alerts generated by an excess of technologies makes it a challenge for analysts to identify and investigate genuine threats.

Not only is hiring more skilled security professionals a challenge, but it can be just as much of a band-aid fix as adding additional tools without the right core technologies and strategy in place. Appropriately paring down a security stack not only saves money that can be reinvested into the program, but also frees up time that analysts and CISOs alike can dedicate to other important tasks.


Keep it Simple

When evaluating the efficiency of an existing stack, it is critical to think about the types of threats that the network is not protected against. Can you spot insider threat, be it malicious or accidental? What about your organization’s ability to spot and contain machine-speed ransomware or never-seen-before threats? Do you have a tool for detecting stealthy campaigns that often lie quietly in networks? How quickly can you catch a foreign presence that is already in operation on your network?

Perimeter defenses were not created with the threats that are already inside the network in mind. Take insider threat. Forrester research found that 36% of security breaches are caused by the unwitting actions of non-malicious employees. At least one technology needs to be capable of identifying and stopping threats from the inside out.

In recent work with a client, we saw an advanced external actor editing history files in an attempt to hide evidence of their activity. Without a tool tracking network activity and searching for abnormalities in real time, this attack would have gone entirely undetected by the organization. Technologies that can provide real-time visibility into the activity of users and devices are crucial to a well-rounded security stack.
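As an added illustration (not code from the original column or from any vendor's product), here is a small Python detector that flags the kind of history-file tampering described above when run over endpoint file-activity telemetry. The event field names and the sample records are assumptions constructed for the example.

```python
"""Flag tampering with shell history files in endpoint file-activity telemetry."""
from dataclasses import dataclass
import re

# Shell history files an intruder typically edits or removes to cover their tracks.
HISTORY_FILE = re.compile(r"/\.(bash|zsh|sh)_history$|/\.histfile$")
# Processes expected to append to a history file: the interactive shells themselves.
EXPECTED_WRITERS = {"bash", "zsh", "sh"}


@dataclass
class FileEvent:
    """One file-activity record; field names are assumed for this example."""
    ts: str
    user: str
    process: str
    op: str            # open_write, truncate, unlink, symlink
    path: str
    size_before: int = 0
    size_after: int = 0
    target: str = ""   # symlink target when op == "symlink"


def analyze(events):
    """Return (ts, user, reason) triples for history-file events that look like cleanup."""
    findings = []
    for e in events:
        if not HISTORY_FILE.search(e.path):
            continue
        if e.op == "unlink":
            findings.append((e.ts, e.user, f"{e.process} deleted {e.path}"))
        elif e.op == "symlink" and e.target == "/dev/null":
            findings.append((e.ts, e.user, f"{e.path} redirected to /dev/null"))
        elif e.op in ("truncate", "open_write") and e.size_after < e.size_before:
            findings.append((e.ts, e.user,
                             f"{e.process} shrank {e.path} from {e.size_before} to {e.size_after} bytes"))
        elif e.op == "open_write" and e.process not in EXPECTED_WRITERS:
            findings.append((e.ts, e.user, f"{e.process} wrote {e.path} (not an interactive shell)"))
    return findings


# Constructed sample telemetry: two benign shell appends followed by three tampering events.
SAMPLE_EVENTS = [
    FileEvent("10:01", "alice", "bash", "open_write", "/home/alice/.bash_history", 4096, 4150),
    FileEvent("10:05", "bob", "zsh", "open_write", "/home/bob/.zsh_history", 900, 960),
    FileEvent("10:07", "bob", "vim", "open_write", "/home/bob/.zsh_history", 960, 400),
    FileEvent("10:09", "svc", "rm", "unlink", "/home/svc/.bash_history", 2048, 0),
    FileEvent("10:10", "svc", "ln", "symlink", "/home/svc/.bash_history", target="/dev/null"),
]

if __name__ == "__main__":
    for ts, user, reason in analyze(SAMPLE_EVENTS):
        print(ts, user, reason)
```

The benign appends by the shells themselves produce no finding; the editor-driven shrink, the deletion and the redirection to /dev/null each do.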

As networks become more connected and complex, AI will also be essential in defending the many moving parts. By simplifying wildly complex networks and making it easier for security teams to triage threats, AI makes it easier for security teams to catch threats and defend their businesses.

Look Ahead

It’s critical that we simplify our security programs. Layers upon layers of perimeter tools won’t help to protect a company from a spear-phishing attack or a malicious insider. The focus needs to be on getting the basics right, with organizations deploying a variety of tools that enable their teams to detect any vulnerability or emerging threat.

At the same time that we evaluate, and potentially simplify, our security stacks, it’s critical we look towards technology that goes beyond simply catching known threats. In an age where second-guessing attackers is often futile, AI technology offers the best chance to catch and thwart the threats that have never been seen before, or the ones that have slipped into networks undetected. Without the tools that can detect the threats of the future, security professionals will constantly find themselves playing catch up.

Just as legacy security tools are proving ineffective at detecting novel threats, the current threat landscape is also demanding we adopt a new strategy. By only employing security tools that offer numerous advantages beyond threat detection, you can pare down your program and still ensure the security of your network. It may be time to couple ‘defense-in-depth’ with the understanding that when it comes to security stacks, less actually can be more.
