How Poor Interoperability is Hobbling Your Cybersecurity Effort

The use of too many different cybersecurity tools is weakening companies’ cyber-resilience, according to the latest research published by the Ponemon Institute. The Cyber Resilient Organization Report 2020, sponsored by IBM Security, is based on a survey of over 3400 IT and security pros worldwide. It found that almost 30% of organizations had more than 50 tools in their cybersecurity stack. They ranked 8% lower in their ability to detect a cyber-attack and 7% lower in their ability to respond, it said.

Cybersecurity depends on visibility. Unless you can see everything that’s happening in your network, you won’t be able to spot all of the suspicious traffic. Just as with other areas of IT, data silos between products create problems because they leave you blind to emergent behaviors in your network. Attackers love this. A fragmented infrastructure lets them gain a foothold and move laterally with less chance of being detected, especially if they are already being stealthy and living off the land.

Companies’ cybersecurity tools proliferate and fragment for various reasons. Different cybersecurity teams acquire different tools over time, driven by their own strategies and commercial licensing agreements. In large organizations, different departments might adopt their own approaches with little reference to each other. Political fiefdoms develop driven by ‘not invented here’ syndrome, exacerbating the problem.

None of this would be an issue if cybersecurity tool vendors followed some kind of unified standard, but in an IT business driven by competition, that doesn’t happen. Startup vendors all have their own unique sales propositions, driven by technologies that they feel only they can offer. Their data formats differ. When they get acquired by larger vendors, as they so often do, there will be some integration, but customers still use a variety of products spanning a range of big players.

Application programming interfaces (APIs) go some way toward solving this problem, because they enable vendors to publish a language that other software can use to talk directly to their products and exchange data. Simply having an API is not enough, though; someone else must code their product to work with it. The smaller the vendor’s market share, the less likely others are to integrate with its products and the more work it must do to write its own connections using other, larger vendors’ APIs.

So, companies end up with ‘frankenstack’ solutions. They build Babel-like towers of products that don’t talk to each other, leaving significant gaps in their intelligence. This shows up in the numbers. The Ponemon study cited silo and turf issues as the third biggest factor preventing companies from becoming more cyber-resilient. Almost a third of respondents said that it was a problem. Conversely, almost 40% of those companies that said they had improved their cyber-resilience said that solving these problems was a factor.

If sunk investment and politics were no longer issues, you could throw in your lot with one product provider and buy a single-vendor stack. This creates its own vendor lock-in challenge, though. Hitching your wagon to one company leaves you following its strategic direction, which may end up deviating from your own. The company might get creative with its licensing. You might find that it has significant gaps in its product portfolio, or that some of its offerings just aren’t that good.

Last year, IBM Security and McAfee launched the Open Cybersecurity Alliance to try to encourage integration between cybersecurity vendors, and put it under the OASIS standards body. It’s an open source effort to build tools that interoperate with each other, and it launched an open source language, OpenDXL, to foster that integration back in February. It now numbers AT&T, IBM, McAfee, Packet Clearing House and Tripwire on its steering committee, along with an impressive sponsorship list. Could this be the start of a change in the business?
