Tool sprawl is a preoccupation widely shared across the industry. Cybersecurity risks have dramatically increased in the past 20 years. The increasing costs of eventual breaches forced enterprises to afford new tools to circumvent potential threats.
One particularity of the dangers in the cyber world is that they are rapidly evolving, more than often ahead of their targets. Consequently, organizations need, more than usual, to find solutions to given problems fast—this reactivity stance lack of global, strategical approach.
Ultimately, this leads to piling up different tools to answer new threats. In the long run, this leads cybersecurity teams to drown under an increasing variety of instruments. On average organizations use 40 different tools and it can go up to 130 in the most critical cases. It’s easy to imagine disadvantages to using so many unconnected tools: alerts duplication, complexity, lack of cohesion, lack of integration, and false positives. Eventually, such a situation globally impacts the organization’s costs and its security strategy efficiency.
From Security operations centers’ teams (SOCs) and Chief Information Security Officers’ (CISOs) perspectives, there are needs to be fulfilled: the efficacy and the efficiency of the security infrastructure, with limited resources. To meet those needs, they could and should control the tool sprawl.
Here at Mindflow, we believe that the Security orchestration, automation, and response (SOAR) solution is the perfect fit to optimize the use of every tool used without impeding the efficacy and efficiency.
Years of rapidly evolving threats enriched the security solutions of organizations. Most of them operate tens of instruments purchased from different vendors without proper integration. The result is a tool sprawl, inefficient, difficult to apprehend, and expensive—the exact opposite of what was first intended.
The variety of usages in cyberspace has increased potential risks. This increase then forced enterprises to look for more threats on different points of their organizations. Each threat can substantially impact the organization’s sustainability, so the need for answers was urgent. Over time, it’s easy to understand that tools ended up accumulating.
Numerous surveys have been carried out. All of them found out an increasing amount of tools used as the company grew. For instance, the Enterprise Strategy Group (ESG) found that 40% of respondents on a survey on IT and security professionals use between 10 and 25 different security tools, 30% between 26 and 50 which equals as a global average of 40. One particularity is that most respondents acknowledged that some of these tools were acquired as point solutions to face a specific threat that appeared and needed to be answered fast.
Using different tools always increases the overall complexity of the tasks undergone. Analysts need to know which tool is best suitable for which threat, improving the skill barrier required to use the stack efficiently.
In addition to this complexity, the tools are also sometimes purchased to, at most, ten different vendors without considering proper integration to the overall architecture of the organization’s security. SOCs or SecOps have to switch between different tabs and various tools distributed by different vendors, often not entirely designed to integrate a comprehensive stack. Fragmentation between these tools turns out to add even more complexity for operation. Analysts need to get used to different software and layouts to accomplish basic tasks.
It is not to say that you would need to afford all your tools to one vendor or that the best answer would be to afford a all-in-one solution. On the exact opposite actually. At Mindflow, we believe in the choice you make to help you in your daily work. Of course, some issues need a specific response that bundles cannot and won’t ever be able to bring to you. Point solutions are often the only way to answer specific needs.
The problem comes up when this tool sprawl is uncontrolled. As described above, it leads to the multiplication of risks.
Tools unproperly configured and integrated tend to over-generate alerts. As a result, teams are in a constant state of information overload. This anarchy in the proficiency of devices leads to chaos, productivity, and security end up affected. In the end, it induces higher overall costs. The first answer that come to your mind would be to restart from scratch and afford a single product. A all in one.
This is not the answer that we are bringing to you. Organizations need to shift their minds about two things. Improving security doesn’t equals adding more tools without any consideration to their semantic awareness, even if it could sound like a correct syllogism. Most of the time, too many tools are counterproductive without added costs and the entire dedication of teams’ members. Also, the opposite, engaging in a reduction per se, is equally irrelevant. Diversity exists, each company is facing particular issue linked to its industry, its people, its way of doing business. Each company need tools that answer their specific needs.
Indeed, no coordination among the tool-set on an ever-expanding attack surface widens the gaps, the opportunities for attackers to find a vulnerability and enter without being noticed.
More, the multiplication of tools is a risk because it can be challenging to manage. As said above, it becomes hard for analysts to know which one is best for a particular situation to solve.
Each tool purchased from different vendors is also challenging from a skills point of view. To properly operate a specific device, analysts may need specific training, a specific set of dedicated skills. It forces organizations and employees to adapt, which costs time and money, adding to the already complicated state of the cybersecurity field (notably shortages and over-exhaustion). And, in any case, teams will have trouble keeping tabs on what’s happening in each channel and figuring out how effective they are for generating leads.
Also, a survey by Check Point found that as much as 98% of companies manage their security tools with multiple consoles. It is prone to the creation of silos, impacting the general visibility.
All in all, paradoxically, it is the will to answer the growing and multiplying threats by affording too many different tools that increase the risks.
Organizations have to control their environment, not reducing it to the extreme unicity. Answer your needs and choose the tools you wish to use by having a Best of Breed culture. The one thing to keep in mind is control.Different issues need various tools and unique solutions among the organizations for different infrastructures. That’s a fact. But, as said above, the problem comes up when all of these are managed in silos.
It is true that different issues sometimes need various tools to be remediated, and organizations need other solutions for different infrastructures among the organizations. That’s a fact. But, as said above, the problem comes up when all of these are managed in silos.
A holistic view is needed in terms of managment. The uncontrolled tool sprawl favors the widening of the attack surface. To ensure a good enough security architecture, one needs to reassess the way they manage the tool-stack used by security operations.
It means that the persons in charge, Chief Information Security Officers (CISOs), have to start by rethinking their organization’s security architecture. They need to reassess each tool or point solution acquired, evaluate their utility, their opportunity, and the potential overlaps between some of these with the following questions in mind: is each one answering an issue that cannot be otherwise answered? What’s the cost of maintaining multiple tools from different vendors?
This belief is shared across the industry. The SANS “Network Visibility and Threat Detection” report found that 67% of respondents share the will to minimize the number of tools used.
Furthermore, its understandable that budget is an issue across most companies and the need to contain their growth is shared, especially after the stress induced by the pandemic. As such, unused functionalities illustrate a lack of efficiency that needs to be addressed, especially when the total cost of ownership (TCO) surges as the number of tools is increasing. To contain the budget allowed to security operations, a CISO ought to control expenses. Between different costs, some are easier to control than others. TCO, driven by the accumulation of tools is among those that could and should be reduced in most cases.
At last, it turns out that security teams can’t keep up with updates across their entire security stacks. Consequently, Tech target reported that almost 50% of functionalities end up being unused which adds to the lack of efficiency of security operations.
To meet these problems, when planning to rationalize their information security solutions you should go for a way to oversee the future stack to be able to have visibility of the whole architecture. Such an approach would help you reassess security operations tools-stack structure and decide which tool is superfluous and should be taken out of the stack. A solution is designed to answer these very needs.
To rationalize the tool sprawl, organizations should consider orchestrating them in a single platform. If having a stack of devices is the go-to solution to prevent incidents at every point of interest in the organization, they have to tackle the fragmentation issue with a solution that can unify the overall management in a single, easy-to-use platform while at the same time allowing the people working to choose the tools they want.
SOAR solutions aim to answer those particular needs. A SOAR looks forward to limiting the friction between the use of every tool. Connecting the tools used, it prevents the lack of cohesion among different devices. Risks of overlapping, duplication of alerts, and false positives are reduced. All of these strengthen the organization’s security and minimize the chances of a breach.
By connecting the different tools, you can create streamlined workflows to automate and better orchestrate their security stance across the organization. Automating minimizes the risk of letting known threats breach their systems. Threats are detected and remediated according to the processes built in the playbooks found in the SOAR.
Such a platform would also have the advantage of unifying the skills needed to operate it. This point should be important to CISOs since security teams face a hard time dealing with a chronic talent shortage.
The result is freeing crucial time for teams that can reorganize their schedule to more rewarding tasks.
Moreover, collecting and correlating data among the different tools used also helps for those more complex tasks. In terms of Tactics, techniques, and procedures (TTPs) or Forensics, collecting relevant data from every tool is a significant advantage as it reduces the complexity of the collecting steps.
Too many different security tools, unconnected, are resulting in a fragmented security architecture, which is prone to breaches. We don’t think the solution is to be found in some bundle-package or extreme reduction. We think that the issue is about control: control of which tool is in the stack, of what is used or not, and how everything is connected. This can be achieved by orchestrating them into a single platform. In the end, tool sprawl isn’t a problem per se, it’s when it’s uncontrolled that it’s becoming a problem. Here at Mindflow, this is what we aim to achieve, giving back the control on the technology you want to use.
For those, who think all-in-one approach is the magic solution. We made an article to share our vision about why we think you should go for a Best of Breed culture.
33 rue Lafayette 75009 Paris, France