Page 94 - Cyber Defense eMagazine Annual RSA Edition for 2024
Organizations want every attack vector covered by the tool that is best at solving that particular problem: endpoint detection and response (EDR) to find suspicious endpoint activity, network detection and response (NDR) to monitor network traffic, and so on.
According to research by Panaseer, a typical SOC has at least 76 security solutions deployed, a number that grows each year.
However, the risk in chasing best-of-breed is that spending can end up replacing strategy.
It is reassuring for management to know that the latest detection and response toolset is deployed in every part of the environment. But overfocusing on the performance of individual tools can degrade security operations as a whole.
Many sets of detection rules across different systems will catch more threats, but it should not be normal for analysts to be bombarded by hundreds of alerts from dozens of security tools each day, or to have to connect the dots between disparate data sets themselves to decide whether an alert is a real threat or a false alarm.
And yet, despite record spending on security programs, activity and behavior still have to be connected and assessed by hand, by sorting through endpoint logs, user activity and network traffic analysis from separate sources. False positives are such a persistent problem that analysts switch off whole categories of alerts to avoid burning out altogether.
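The dot-connecting described above is what a correlation layer does for the analyst. As an added illustration (not code from the article or from any vendor's product), the block below normalizes alerts from three constructed tools (EDR, NDR and an identity provider) onto shared entities (hostname and username), merges alerts that share an entity within a time window into one incident, and ranks incidents by how many independent tools corroborate them. The alerts, hostnames, IP addresses, rule names, the IP-to-host map and the 30-minute window are all constructed assumptions.

```python
"""Cross-tool alert correlation: collapse per-tool alerts into incidents.

Added illustration, not code from the article or any vendor. All sample
data below is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumption: alerts that share a host or user within 30 minutes belong together.
DEFAULT_WINDOW_MINUTES = 30

# Constructed IP-to-hostname lookup, standing in for a CMDB or DHCP log.
ASSET_MAP = {"10.0.5.42": "ws-042", "10.0.5.17": "ws-017", "10.0.5.99": "printer-3"}

# Constructed raw alerts, each in its own tool's schema.
RAW_ALERTS = [
    {"tool": "edr", "ts": "2024-03-01T09:00:05Z", "hostname": "ws-042", "user": "alice",
     "rule": "Encoded PowerShell command line"},
    {"tool": "ndr", "ts": "2024-03-01T09:00:40Z", "src_ip": "10.0.5.42", "dst_ip": "203.0.113.9",
     "rule": "Periodic connections to rare external host"},
    {"tool": "iam", "ts": "2024-03-01T09:01:10Z", "user": "alice",
     "rule": "Sign-in from new device"},
    {"tool": "edr", "ts": "2024-03-01T11:30:00Z", "hostname": "ws-017", "user": "bob",
     "rule": "Macro-enabled document opened"},
    {"tool": "ndr", "ts": "2024-03-01T14:05:00Z", "src_ip": "10.0.5.99", "dst_ip": "198.51.100.7",
     "rule": "Periodic connections to rare external host"},
    {"tool": "iam", "ts": "2024-03-01T16:00:00Z", "user": "alice",
     "rule": "Sign-in from new device"},
]


@dataclass
class Alert:
    ts: datetime
    tool: str
    rule: str
    entities: frozenset  # hostnames and usernames the alert is about


@dataclass
class Incident:
    alerts: list = field(default_factory=list)
    entities: set = field(default_factory=set)

    @property
    def last_ts(self):
        return self.alerts[-1].ts

    @property
    def tools(self):
        return {a.tool for a in self.alerts}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize(raw):
    """Map each tool's own schema onto the common Alert shape."""
    ents = set()
    if raw["tool"] == "edr":
        ents |= {raw["hostname"], raw["user"]}
    elif raw["tool"] == "ndr":
        # NDR only sees IPs; resolve to a hostname where the asset map allows.
        ents.add(ASSET_MAP.get(raw["src_ip"], raw["src_ip"]))
    elif raw["tool"] == "iam":
        ents.add(raw["user"])
    else:
        raise ValueError(f"unknown tool {raw['tool']!r}")
    return Alert(parse_ts(raw["ts"]), raw["tool"], raw["rule"], frozenset(ents))


def correlate(raw_alerts, window_minutes=DEFAULT_WINDOW_MINUTES):
    """Single-pass clustering in time order: an alert joins the first open
    incident that shares an entity with it and whose latest alert is within
    the window; otherwise it opens a new incident."""
    window = timedelta(minutes=window_minutes)
    alerts = sorted((normalize(r) for r in raw_alerts), key=lambda a: a.ts)
    incidents = []
    for a in alerts:
        for inc in incidents:
            if inc.entities & a.entities and a.ts - inc.last_ts <= window:
                inc.alerts.append(a)
                inc.entities |= a.entities
                break
        else:
            incidents.append(Incident([a], set(a.entities)))
    return incidents


def triage(incidents):
    """Corroborated incidents first: rank by number of distinct tools, then age."""
    return sorted(incidents, key=lambda i: (-len(i.tools), i.alerts[0].ts))


if __name__ == "__main__":
    for inc in triage(correlate(RAW_ALERTS)):
        print(f"{len(inc.tools)} tool(s) {sorted(inc.entities)}: "
              + "; ".join(f"{a.tool}:{a.rule}" for a in inc.alerts))
```

On the constructed data, six alerts from three tools become four incidents; only one of them is seen by all three tools, and that is the one an analyst should look at first. The window and the greedy first-match rule are deliberate simplifications: a production correlator would also weight rule severity and treat an unresolved IP as a weaker link than a confirmed hostname.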
The outcome of this dysfunction is missed attacks. A recent example is the VoIP vendor 3CX, whose security teams treated genuine alerts about a real attack as false positives.
Without the capacity to cope, SOCs can end up consumed by the tools their companies bought to help
them. The tail ends up wagging the dog.
Security Teams Want Integration
Our survey data shows how awareness of security tool sprawl shapes security buyers' priorities. When buying new security solutions, two of our respondents' top three priorities were how easily a new tool integrates with existing technology (51%) and how easy it is to implement (42%). The top priority was still stopping specific threats (59%), but the second and third priorities were, to put it bluntly, about making life easier rather than harder.
Our findings show that security buyers don't want best-of-breed tools that don't play well with the rest of their environment. Security leaders also told us that deploying a new tool takes 2.5 months on average, excluding the training of new staff: time they would rather spend on almost anything else.
There is also growing awareness of the risks that a larger security tool ecosystem creates: 30% of respondents at companies with more than 5,000 employees said third-party risk was their top priority.