Populated with point solutions that suck up investment and monopolise resources, the industry is fast falling out of love with the burgeoning cyber security stack. Verizon’s Payment Security Report states that most organisations now have a multivendor environment of between 20 – 70 products for monitoring and detection. Businesses are now actively looking to reduce these numbers.
Many realise that pouring their money into tools rather than solutions still leaves them vulnerable to attack. It’s a sentiment echoed in a recent Twitter poll of UK and US security professionals. It found that a third of respondents thought they were ‘throwing money at nothing’.
A further 17 percent stated their cyber stack was too time and cost consuming. Additionally, 27 percent thought it was overwhelming, and 23 percent claimed to be a tipping point with their current technology. The clear consensus is that the current strategy of buying point solutions cannot continue.
Far from alleviating the issue, adding more security products often results in duplication, crossover or functionality going unused. Teams do not have the expertise, time or resources to leverage a product’s feature sets – that’s if they even know they’re there.
For example, Alex Asen, from the Boston Consulting Group, refers in the Verizon report to a business that was looking to buy a malware sandbox environment to deal with email attachments. It didn’t even realise it had this functionality in its existing email security gateway. Then it hired a new CISO that flagged the feature, thereby saving the business considerable expense.
Cybersecurity stack costs
But there are other factors at play here too. Rising inflation is causing many to look again at running costs. When questioned in the poll about where they think cost savings can be made, 45 percent of respondents said reducing infrastructure would offer the biggest cost-saving. For example, reducing the number of products, removing duplicated and unused tools (29 percent), and reducing analyst training (27 percent).
Training will likely become a more pressing issue over time as the skills shortage grows (there is an annual deficit of 10,000 entering the cybersecurity sector, according to the DCMS). Security teams simply can’t justify the man hours required to grapple with the idiosyncrasies of different types of proprietary technology.
For this reason, features tend to go unused. But, running these tools straight out of the box can also be risky. The Verizon report warns that plug-and-play can even result in configuration failure. With misconfiguration the number one cause of data breaches in the cloud, that’s to be avoided.
However, the problem remains that businesses must continue building out their cloud presence which is also proving costly. The poll found that 39 percent regarded software licensing in the cloud as too expensive, with 24 percent declaring it led to unknown future costs.
Lock-in or lack of control with software licensing was flagged as an issue by 22 percent. 14 percent also cited a lack of user-based licensing options, as the predominant charging model is data usage-based. The results indicate there’s clearly some appetite for change in how cloud-based security services are offered.
Understandably, these issues mean businesses are now looking to rationalise and consolidate their cybersecurity tools to reduce complexity, cost and management. Two-thirds of organisations (66 percent) are now actively seeking to reduce the number of cybersecurity vendors they do business with, according to Jon Oltsik at Enterprise Strategy Group (ESG).
But that doesn’t mean they’re shrinking the stack. Rather, these businesses are simply looking to buy more from fewer vendors, which solves little regarding the issues flagged in the poll.
Oltsik points to a conflict between the traditional approach, which is to buy best of breed, versus current thinking, which is to consolidate by using integrated products. This means there are habitual and logistical obstacles to overcome, requiring a change in mindset.
From a practical perspective, questions remain over how you swap out technology in a way that is non-disruptive and that still allows you to amortize your existing tools. Oltsik suggests the transition will need to be led by CISOs and carried out on a project basis, with KPIs used to assess the merits of replacement solutions.
Of course, the market is also seeing some natural consolidation as complementary technologies converge. For example, we’re already seeing this with the SIEM (Security Information and Event Management), which is now evolving to include UEBA (User and Entity Behaviour Analytics) and SOAR (Security Orchestration, Automation and Response).
It enables security teams to integrate security analytics such as NTA (Network Traffic Analysis) and automated investigation and response, which is then managed via the SIEM. Acquiring all three of these technologies is likely to be cost-prohibitive for most businesses. However, it is easier to justify when taken as a combined offering.
It’s this way that Oltsik sees the market evolving. EDR, NTA, malware sandboxes, threat intelligence, analytics and security management will coalesce to provide a single architecture for threat detection and response.
One of the ways he sees this happening is with security controls at endpoints, networks or in the cloud, all relaying telemetry information to the SIEM. It will effectively become the brains of the operation. Therefore, an integrated or converged SIEM would significantly reduce complexity and, because it utilises automation, wouldn’t monopolise security team resources.
There’s no doubt that the evolving threat spectrum coupled with digital transformation and cloud expansion are making businesses double down on their defence efforts. But devoting more spending to a growing litany of security products, even if they come from the same vendor, is not the answer.
Rationalising the cyber security stack will require CISOs to lead from the front. They will have to select integrated or converged solutions that utilise machine learning and AI, to reduce the burden on security teams and analysts.
While technology is naturally evolving along these lines, it will be up to the business to plan how it can retire and replace, requiring a systematic change management plan. But the upshot of all of this is that teams will, at last, be able to fully utilise their product suite and stand to benefit from a converged cost-effective form of cyber defence.
LogPoint is the creator of a reliable, innovative cybersecurity operations platform — empowering organizations worldwide to thrive in a world of evolving threats. By combining sophisticated technology and a profound understanding of customer challenges, LogPoint bolsters security teams’ capabilities while helping them combat current and future threats. LogPoint offers SIEM, UEBA, and SOAR technologies in a complete platform that efficiently detects threats, minimizes false positives, autonomously prioritizes risks, responds to incidents, and much more. Headquartered in Copenhagen, Denmark, with offices around the world, LogPoint is a multinational, multicultural, and inclusive company. For more information, visit http://www.logpoint.com.