Sep 28, 2021
Paul-Arthur Jonville
Tool sprawl is a concern widely shared across the industry. Cybersecurity risk has increased dramatically over the past twenty years, and the rising cost of a potential breach has pushed enterprises to buy new tools to counter each new threat.
One particularity of cyber threats is that they evolve rapidly, more often than not ahead of their targets. Organizations therefore have to find solutions to problems quickly, and this reactive stance leaves little room for a global, strategic approach.
Ultimately, this means piling up different tools to answer new threats, and in the long run security teams drown under an ever-growing variety of instruments. On average, organizations use 40 different tools, and the most extreme cases reach 130. The drawbacks of so many unconnected tools are easy to imagine: duplicated alerts, complexity, lack of cohesion, lack of integration, and false positives. Eventually, such a situation hurts both the organization's overall costs and the efficiency of its security strategy.
From the perspective of Security Operations Center (SOC) teams and Chief Information Security Officers (CISOs), the need is clear: an effective and efficient security infrastructure run with limited resources. To meet that need, they could and should bring tool sprawl under control.
Here at Mindflow, we believe that a Security Orchestration, Automation, and Response (SOAR) solution is the right fit for getting the most out of every tool without impeding its efficacy or efficiency.
Today's security stacks suffer from uncontrolled tool sprawl.
Years of rapidly evolving threats have swollen organizations' security stacks. Most operate tens of tools purchased from different vendors without proper integration. The result is tool sprawl: inefficient, hard to understand, and expensive, the exact opposite of what was intended.
Multiplying risks led to accumulating tools.
The growing variety of activity in cyberspace has increased potential risks. That increase forced enterprises to watch for more threats at more points in the organization. Each threat can substantially affect the organization's survival, so answers were urgently needed. Over time, it is easy to see how tools ended up accumulating.
Numerous surveys have been carried out, and all of them found that the number of tools grows with the size of the company. For instance, the Enterprise Strategy Group (ESG) found, in a survey of IT and security professionals, that 40% of respondents use between 10 and 25 different security tools and 30% use between 26 and 50, for an overall average of around 40. Notably, most respondents acknowledged that some of these tools were acquired as point solutions to face a specific threat that appeared and had to be answered quickly.
Using many different tools always increases the overall complexity of the work. Analysts need to know which tool is best suited to which threat, which raises the skill barrier required to use the stack efficiently.
On top of this complexity, the tools are often purchased from up to ten different vendors without any thought given to how they integrate into the organization's overall security architecture. SOC or SecOps analysts have to switch between tabs and tools from different vendors, most of which were never designed to fit into a comprehensive stack. Fragmentation between these tools adds even more complexity to operations: analysts must get used to different software and layouts to accomplish basic tasks.
This is not to say that you should buy all your tools from one vendor, or that the best answer is an all-in-one solution. Quite the opposite, actually. At Mindflow, we believe in respecting your choices to help you in your daily work. Some issues need a specific response that bundles will never be able to bring you; point solutions are often the only way to answer specific needs.
The problem arises when this tool sprawl is uncontrolled. As described above, it multiplies risks rather than reducing them.
Uncontrolled tool sprawl has the opposite effect of the one intended.
Tools that are improperly configured and integrated tend to generate too many alerts. As a result, teams live in a constant state of information overload. Nobody masters every tool, productivity and security suffer, and overall costs rise. The first answer that comes to mind is to start from scratch and buy a single all-in-one product.
That is not the answer we are bringing you. Organizations need to change their thinking on two points. First, adding more tools does not equal improving security, however logical that sounds, if nobody considers how the tools fit together: too many tools are often counterproductive, quite apart from the extra cost and the dedicated staff they require. Second, cutting tools for its own sake is just as misguided. Companies are diverse; each faces particular issues tied to its industry, its people, and its way of doing business, and each needs tools that answer its specific needs.
Indeed, a toolset with no coordination across an ever-expanding attack surface widens the gaps, letting attackers find a vulnerability and get in unnoticed.
Furthermore, multiplying tools is a risk in itself because the result is hard to manage. As noted above, analysts struggle to know which tool is best for a given situation.
Each tool bought from a different vendor also poses a skills challenge. Analysts may need training and dedicated skills to operate a specific tool properly. This forces organizations and employees to adapt, which costs time and money and adds to the already strained state of cybersecurity staffing (notably shortages and burnout). Teams struggle to keep tabs on what is happening in each tool and to judge how effective each one really is.
A Check Point survey also found that as many as 98% of companies manage their security tools through multiple consoles. This breeds silos and undermines overall visibility.
Paradoxically, trying to answer growing and multiplying threats by buying too many different tools increases the risk.
You don't have a tool sprawl problem; you have a control problem.
Organizations must control their environment, not shrink it to a single product. Answer your needs and choose the tools you want to use by adopting a best-of-breed culture. The one thing to keep in mind is control.
CISOs have to take back control of their security stack.
Indeed, different issues sometimes need different tools to be remediated, and different infrastructures need different solutions. That is a fact. But, as said above, the problem arises when all of these are managed in silos.
Management needs a holistic view. Uncontrolled tool sprawl widens the attack surface. To ensure a sound security architecture, one must reassess how the tool stack used by security operations is managed.
This means that those in charge, such as CISOs, must start by rethinking the organization's security architecture. They need to reassess each tool or point solution acquired and evaluate its utility, its timeliness, and its overlap with others, keeping one question in mind: does each tool answer a need that nothing else in the stack can answer, and does that justify the cost of maintaining yet another vendor's product?
This view is shared across the industry. The SANS "Network Visibility and Threat Detection" report found that 67% of respondents want to minimize the number of tools they use.
Budget is, understandably, an issue at most companies, and the need to contain spending is widely shared, especially after the stress of the pandemic. Unused functionality is a clear sign of inefficiency that needs to be addressed, all the more so because total cost of ownership (TCO) surges as the number of tools grows. To keep the security operations budget in check, a CISO has to control expenses, and some costs are easier to control than others. TCO driven by the accumulation of tools can and should be reduced in most cases.
Finally, security teams cannot keep up with updates across their entire security stacks. TechTarget reported that almost 50% of functionality ends up unused, which adds to the inefficiency of security operations.
To address these problems when planning to rationalize your information security solutions, look for a way to oversee the future stack with visibility over the whole architecture. Such an approach helps you reassess the structure of the security operations tool stack and decide which tools are redundant and should be removed. One kind of solution is designed to answer exactly these needs.
SOAR is the right fit
Organizations should consider orchestrating their sprawling tools from a single platform in order to rationalize them. If a stack of tools is the go-to way to prevent incidents at every point of interest in the organization, the fragmentation has to be tackled with a solution that unifies management in a single, easy-to-use platform while letting the people doing the work choose the tools they want.
SOAR solutions aim to answer precisely these needs. A SOAR platform reduces the friction of using each tool. Connecting the tools counters the lack of cohesion between them; the risks of overlap, duplicated alerts, and false positives go down. All of this strengthens the organization's security and reduces the chance of a breach.
By connecting the different tools, you can build streamlined workflows that automate and better orchestrate the organization's security posture. Automation minimizes the risk of letting known threats into your systems: threats are detected and remediated according to the processes encoded in the SOAR's playbooks.
Such a platform also has the advantage of unifying the skills needed to operate the stack. This should matter to CISOs, since security teams face a chronic talent shortage.
The result is crucial time freed up for teams, who can redirect their schedules toward more rewarding tasks.
Moreover, collecting and correlating data across the different tools also helps with those more complex tasks. For tactics, techniques, and procedures (TTPs) analysis or forensics, pulling relevant data from every tool is a significant advantage because it simplifies the collection step.
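To make the two points above concrete (connecting tools to suppress duplicated alerts, and correlating data across tools before a playbook acts), here is an added example written for this article. It is not Mindflow's code and not the output format of any real product: the three tool formats, the asset inventory, the severity scales, and the playbook thresholds are all constructed assumptions. The block normalizes alerts from a hypothetical EDR, firewall and IDS into one schema, deduplicates repeats, flags hosts that two or more independent tools report within a short window, and picks a playbook action per host.

```python
"""Minimal orchestration layer: normalize -> dedupe -> correlate -> playbook.
Example code for illustration; all tool formats and sample data are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed asset inventory (assumption): maps internal IPs to hostnames so
# network-centric tools (firewall, IDS) can be joined with host-centric ones (EDR).
INVENTORY = {"10.0.5.42": "ws-042", "10.0.5.77": "srv-db-01"}

# Constructed sample output, each in a different vendor-style shape.
EDR_ALERTS = [  # hypothetical EDR: JSON records, score 0-100
    {"ts": "2021-09-28T10:00:05Z", "hostname": "ws-042", "sha256": "5d41...", "score": 80, "rule": "Suspicious PowerShell"},
    {"ts": "2021-09-28T10:00:35Z", "hostname": "ws-042", "sha256": "5d41...", "score": 80, "rule": "Suspicious PowerShell"},
    {"ts": "2021-09-28T10:20:00Z", "hostname": "srv-db-01", "sha256": "9f86...", "score": 30, "rule": "New scheduled task"},
]
FIREWALL_LOG = [  # hypothetical firewall: key=value syslog lines, sev low/medium/high
    "2021-09-28T10:00:09Z src=10.0.5.42 dst=198.51.100.7 action=deny sig=c2-beacon sev=high",
    "2021-09-28T10:00:11Z src=10.0.5.42 dst=198.51.100.7 action=deny sig=c2-beacon sev=high",
    "2021-09-28T11:30:00Z src=10.0.5.77 dst=203.0.113.9 action=allow sig=dns-txt-large sev=low",
]
IDS_ALERTS = [  # hypothetical IDS: CSV "time,src_ip,signature,priority" with 1 = highest
    "2021-09-28T10:00:12Z,10.0.5.42,ET MALWARE Beacon,1",
]


@dataclass(frozen=True)
class Alert:
    source: str      # which tool raised it
    ts: datetime
    host: str        # common correlation key across tools
    indicator: str   # what the tool matched on: file hash, signature name, ...
    severity: int    # normalized to 0-100 so different tools are comparable
    title: str


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize_edr(rec: dict) -> Alert:
    return Alert("edr", _parse_ts(rec["ts"]), rec["hostname"], rec["sha256"], rec["score"], rec["rule"])


_KV = re.compile(r"(\w+)=(\S+)")
_FW_SEV = {"low": 20, "medium": 50, "high": 80}


def normalize_firewall(line: str) -> Alert:
    ts, rest = line.split(" ", 1)
    kv = dict(_KV.findall(rest))
    host = INVENTORY.get(kv["src"], kv["src"])  # fall back to the raw IP if unknown
    return Alert("firewall", _parse_ts(ts), host, kv["sig"], _FW_SEV[kv["sev"]],
                 f"{kv['action']} {kv['sig']} to {kv['dst']}")


def normalize_ids(row: str) -> Alert:
    ts, src, sig, prio = row.split(",")
    severity = {1: 90, 2: 60, 3: 30}[int(prio)]
    return Alert("ids", _parse_ts(ts), INVENTORY.get(src, src), sig, severity, sig)


def dedupe(alerts, window=timedelta(minutes=5)):
    """Drop repeats of the same (source, host, indicator) seen within `window`
    of the first kept occurrence; tools that re-raise the same event get one alert."""
    kept, first_seen = [], {}
    for a in sorted(alerts, key=lambda a: a.ts):
        key = (a.source, a.host, a.indicator)
        prev = first_seen.get(key)
        if prev is not None and a.ts - prev < window:
            continue
        first_seen[key] = a.ts
        kept.append(a)
    return kept


def correlate(alerts, window=timedelta(minutes=10)):
    """Group alerts per host. A host is 'corroborated' when at least two different
    tools report it within `window` of each other, which is far stronger evidence
    than any single tool's alert."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)
    cases = []
    for host, items in by_host.items():
        corroborated = any(
            b.source != a.source and abs(b.ts - a.ts) <= window
            for a in items for b in items)
        cases.append({"host": host, "alerts": items,
                      "max_severity": max(a.severity for a in items),
                      "sources": sorted({a.source for a in items}),
                      "corroborated": corroborated})
    return cases


def run_playbook(case: dict) -> str:
    """Constructed decision logic: automate containment only on corroborated,
    high-severity cases; single-source findings go to a human first."""
    if case["corroborated"] and case["max_severity"] >= 70:
        return "isolate_host"
    if case["max_severity"] >= 70:
        return "open_ticket"
    return "log_only"


def orchestrate():
    """Returns ({host: action}, total alerts ingested, alerts left after dedupe)."""
    alerts = ([normalize_edr(r) for r in EDR_ALERTS]
              + [normalize_firewall(l) for l in FIREWALL_LOG]
              + [normalize_ids(r) for r in IDS_ALERTS])
    unique = dedupe(alerts)
    return {c["host"]: run_playbook(c) for c in correlate(unique)}, len(alerts), len(unique)


if __name__ == "__main__":
    actions, total, unique = orchestrate()
    print(f"{total} alerts ingested, {unique} after dedupe, actions: {actions}")
```

On the constructed data, seven raw alerts collapse to five, ws-042 is reported by all three tools within seconds and is isolated automatically, while srv-db-01 only has two low-severity, unrelated findings more than an hour apart and is merely logged. The design choice worth noting is that containment is gated on corroboration across tools, not on any one vendor's severity score; that is exactly the cross-tool context a siloed console cannot give an analyst.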
Conclusion
Too many unconnected security tools result in a fragmented security architecture prone to breaches. The issue is control: control over which tools are in the stack, which are used and which are not, and how everything is connected. Orchestrating them from a single platform achieves that.
For those who think the all-in-one approach is the magic solution, we wrote an article sharing why we think you should choose a best-of-breed culture instead.