Keep an Eye on Your Security Technology Portion Size

By Controlling Security Technology Portion Size, Organizations Can Better Address Strategic Requirements and Work More Efficiently

Recently, while out for lunch, I received a larger than expected portion of food.  This is a fairly common occurrence in restaurants, of course.  As someone who has recently lost weight, I am quite conscious of portion size lately.

But what does food portion size have to do with security, and what can we possibly learn from it?  I would argue that the parallels run deeper than most of us realize.  Keeping an eye on our security technology portion size is an important part of maturing a security program and bringing it closer to its goals.

Tactically-driven security technology acquisitions can very quickly result in a tangled web of products that don’t work particularly well together.  These products also may not address the security organization’s strategic requirements, despite the fact that when acquired, they may have scratched short-term tactical itches.  Worse yet, each product acquired requires operations and maintenance (O&M) costs in addition to the budget required to acquire it.  This is a cost that organizations sometimes overlook, unfortunately.  In the long run, it costs those organizations - either financially, or by stretching existing O&M resources to an unhealthy point, rendering them far less productive.  And on top of all of that is the added complexity and uncertainty that having too much security technology brings into the security organization.

While I’m not advocating that security organizations stop purchasing technology entirely, I am advocating that they think seriously about reducing their security technology portion size.  Let’s take a look at a few reasons why shrinking and consolidating the security technology stack is a good idea:

1. Less is more:  There is a lot of wisdom contained in the well-known phrase “less is more”.  When it comes to security technology, having more not only costs more, it also introduces a tremendous amount of complexity into the security organization and its day-to-day operations.  Operating and maintaining numerous stovepiped, overlapping security technologies gets costly and resource intensive.  Partial, semi-overlapping solutions result in unnecessarily large log volumes that slow query performance and shorten retention time.  Increased complexity leads to analyst confusion over where to go to get what data when crunch time comes, rather than being able to focus on what questions need to be asked of the data to analyze, investigate, and converge to a conclusion.

2. Process:  As with any mature business function, a mature security function requires that the proper processes and procedures be in place.  Even in an ideal situation, mature security processes can get rather complicated.  So much so that complicating them even further by not keeping your security technology portion size in check should be nearly unthinkable.  Think about all of the work, switching between tools, and data required to investigate a given incident without an excess of technology.  Now imagine that investigation while inundated with security technologies that don’t play well together and may or may not provide the data and insight required as part of the investigation.  Whenever possible, the goal should be to cover as much of the process as possible with as few security technologies as possible.

3. Strategic requirements:  The strategic requirements of a security organization are generally those that map most directly to the risks and threats it is tasked with mitigating.  Yet surprisingly, security technology purchases are often driven by acute tactical needs.  While it’s tempting, and often necessary, to address a burning operational need, it is best to do so in as calculated a manner as possible.  Mapping risks and threats to strategic requirements, which in turn map to operational and tactical requirements, allows the organization to understand how addressing a specific tactical requirement maps back to mitigating risk.  Approaching technology purchases in this manner allows an organization to maximize the risk it mitigates while still controlling its technology portion size.

4. Gaps:  No matter how much security technology an organization owns, there will always be operational and functional gaps that need to be addressed.  Risks and threats change over time.  Attacker techniques evolve.  The organization’s infrastructure is always in flux and never static.  While it might seem tempting to think that more technology equals fewer gaps, it is often the case that exactly the opposite is true.  Why is this the case?  When an excess of security technology has been acquired tactically, it takes away focus and resources from strategic needs.  And that often results in fewer requirements being addressed, rather than more.  That, in turn, results in more operational and functional gaps remaining unaddressed.

5. Efficiencies:  Studying our processes in depth can teach us a tremendous amount about how we can introduce efficiencies into our respective security organizations.  By understanding where in our processes we spend a disproportionately large amount of time, we can identify areas that are good candidates for introducing automation and other efficiencies.  If we’ve done a good job controlling our security technology portion size, the interconnections between our technologies that are required to introduce the necessary efficiencies will be far easier to implement.  If we’ve gone overboard with tactically-driven security technology acquisition, the complicated web of disparate technologies will make introducing the requisite efficiencies all that much harder.

It turns out that my poor choices in restaurants can teach us a thing or two about security. When an organization controls its security technology portion size, it enables the organization to better address strategic requirements and to work far more efficiently.  In the case of security technology, less is most often more.

Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently Co-Founder and Chief Product Officer at IDRRA and also serves as Security Advisor to ExtraHop. Prior to joining IDRRA, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.