The last few years have seen a mushrooming of the number and type of security tools that organizations can use to protect themselves. You can have tools, tools to integrate the tools, tools to monitor the tools, APIs, dashboards (so many dashboards), and machine learning with everything. And yet, against this backdrop of rapidly escalating security sophistication, the ransomware epidemic has got measurably worse. Moreover, as 2021 comes to a close, criminals are also still regularly exploiting vulnerabilities that their victims could have patched three years ago.
The orthodox explanation for this is that we are, collectively, not sophisticated enough—we are simply failing to adopt new technology quickly enough to head off the latest threats. For some organizations that is what's happening, but is that all there is to it?
Too much of a good thing
A year ago, IBM's annual Cyber Resilient Organization Report (which is based on a survey of 3,400 IT and security professionals by the Ponemon institute) unearthed an interesting consequence of all this tooling: Too many tools weaken cyber resilience, it said:
The study revealed that the number of security solutions and technologies an organization used had an adverse effect on its ability to detect, prevent, contain and respond to a cybersecurity incident.
IBM's isn't the only recent research to identify this problem. Earlier this year, security services provider Reliaquest collaborated with IDG on a report about technology sprawl, in which it pointed out much the same thing:
The majority of survey respondents (92%) agree there’s a tipping point where the number of security tools in place negatively impacts security. Seventy-eight percent said they’ve reached this tipping point.
And there may be another, related problem too.
Over on social media, at around the same time as Reliaquest released its report, ubiquitous security influencer Kevin Beaumont was barking up an adjacent tree. To nods of approval from security professionals, he pointed out "a common trip up in cybersecurity" was "buying the best solutions ... and then not having the resources/skills/whatever to actually use the solution".
"You can buy the best - can you run the best? If not, it ain't the best."
The view from the trenches
To understand more about these issues I spoke to Crystal Green, Malwarebytes' Director of Customer Success.
In fact, the Customer Success team's very existence suggests that there is substance to these ideas. As Green explained to me, part of her work involves making sure customers aren't left behind: "As the threat landscape changes, security software providers have to constantly improve, adding new features and protections ... it is our job [in the Customer Success team] to ensure that customers are educated on the best practices for deploying and maintaining our solutions, and are getting the most value and protection from their investment."
I started by asking if she had encountered the problem identified by IBM and Reliaquest, of some companies having too many tools. After all, we've all been preaching "defence in depth" for years, so isn't a variety of tools a good thing?
"While a layered security approach is necessary, the more tools that are in the security stack, the greater the potential for conflicts between the tools. Additionally, key features and functionality may be intentionally or mistakenly disabled, causing a gap in protection."
And what about the issue that Beaumont and his followers raised, of companies buying capable software that they then struggle to implement? I wondered if that was just the social media echo chamber at work or if she'd seen it for herself.
"We see a lot of companies that purchase software but don't actually deploy or use the software. Sometimes it doesn’t get deployed at all, other times key features aren’t used."
The reasons will sound familiar to anyone who has worked in a corporate IT department. Green explains: "This happens for many reasons, including conflicts with time, other priority projects that make the implementation of software a lesser priority, or there may not be a complete understanding of how to best use the solution."
So can companies simply freeze their security solutions in time and stop updating? Sadly, no. Threat actors aren't standing still, she explains, and modern tools are important. It's just that simply owning the tools isn't enough.
"We’ve all been seeing numerous companies in the news this year being hit by ransomware attacks. It is critical that business (and individuals) have the right tools in place. But those tools must also be implemented, configured, and maintained correctly."
Security as a process
Green says that businesses need to manage their security tools as an ongoing process, not a project, no matter what their vendor says about how easy the software is to set up.
"Each environment is different, and environments change over time, so it’s important that administrators complete regular reviews of each tool to ensure that the configuration is meeting their current security needs and if a particular functionality is turned off, that the risks associated with that decision are understood."
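As an added illustration of the kind of regular configuration review Green describes (this is not Malwarebytes' tooling; the feature names, policy layout and risk register are constructed assumptions), the following script compares a deployed policy with a baseline and treats a disabled protection as acceptable only when someone has recorded, and not let lapse, the risk decision behind it:

```python
from datetime import date

# Constructed sample data: a baseline of protections the organisation expects
# enabled, one endpoint policy as actually deployed, and a risk register for
# features someone chose to turn off. The shape is hypothetical, not a real export.
BASELINE = {"ransomware_rollback": True, "exploit_protection": True,
            "web_protection": True, "tamper_protection": True}
CURRENT_POLICY = {"ransomware_rollback": True, "exploit_protection": False,
                  "web_protection": False, "tamper_protection": True}
RISK_REGISTER = {
    "exploit_protection": {"owner": "app-team",
                           "reason": "crashes legacy line-of-business app",
                           "review_by": "2022-03-31"},
}


def audit(policy, baseline, register, today):
    """Compare a deployed policy with the baseline.

    Returns (feature, status, detail) tuples. A disabled feature is only
    'accepted' when the register holds an unexpired entry for it; 'today'
    is an ISO date string so the review can be replayed for any date.
    """
    as_of = date.fromisoformat(today)
    findings = []
    for feature, expected in baseline.items():
        actual = policy.get(feature)
        if actual is None:
            findings.append((feature, "unknown", "not present in policy export"))
        elif actual != expected:
            entry = register.get(feature)
            if entry is None:
                findings.append((feature, "undocumented",
                                 "disabled with no recorded risk acceptance"))
            elif date.fromisoformat(entry["review_by"]) < as_of:
                findings.append((feature, "stale",
                                 f"risk acceptance expired {entry['review_by']}"))
            else:
                findings.append((feature, "accepted",
                                 f"{entry['owner']}: {entry['reason']}"))
    return findings


def action_required(findings):
    """Features the administrator must revisit: anything not consciously accepted."""
    return sorted(f for f, status, _ in findings if status != "accepted")


if __name__ == "__main__":
    for feature, status, detail in audit(CURRENT_POLICY, BASELINE, RISK_REGISTER, "2021-12-01"):
        print(f"{status:12} {feature:22} {detail}")
```

Running the same review on a later date turns the accepted exception into a stale one, which is the point: a decision made once is not a decision kept.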
That's all very well, but administrators have a lot on their plate. What about the ones who don't know what they don't know?
"We deal with this through having business reviews with our customers where we will showcase what is going well, as well as pointing out gaps, including features and functionality that are not being utilized."
Green sees that kind of relationship building as crucial to being "cyber smart" and tackling the problem of technology sprawl, and she thinks vendors need to be open to letting customers shape the software they use, sitting on advisory boards, and even speaking to engineering teams directly.
As Beaumont said, security isn't about tools you can afford, it's about the tools you can operate effectively.