Is Your InfoSec Tech Stack Causing Dangerous Blind Spots?

A recent report by Forrester spotlighted a growing trend in infosec point-solution purchasing: the majority of respondents dealt with the challenge of point-tool sprawl. In fact, 60% of survey respondents said their tools come from five or more vendors, which creates an integration and accessibility bottleneck.

What’s worse, the complexity of the threats SecOps must deal with has also intensified. A recent survey conducted by McAfee shows that in 2005, “enterprises typically saw 25 new threats per day,” but by 2016 the figure had grown to 500,000 per day.

McAfee’s report goes on to support Forrester’s finding that complexity is an intensifying problem for SecOps. This makes sense in light of the explosion of threats over the last ten-plus years.

The implication is this: most companies are looking at cybersecurity solutions as a series of “bolt-ons” to the existing tech stack, instead of mapping out a comprehensive plan to help monitor the threat landscape and execute defense against an attack.

The simple principle is sometimes the best policy—you need a security stack framework that is streamlined yet comprehensive enough to address today’s cybersecurity challenges.

Put a stop to tool sprawl
Tool sprawl is creating a major security barrier that prevents better protection and maintenance of technology environments due to the fragmented nature of endpoint solutions employed today.

Vinod Mohan of eG Innovations notes the major reasons for tool sprawl:

  • Specialized requirements: Ad hoc tool choices driven by the specialized requirements of custom applications and similar needs.
  • Inheritance and bundles: Additional monitoring tools acquired through mergers and acquisitions.
  • SaaS-based monitoring options and freeware: The ease with which so many products can be adopted at minimal expense can lead to a free-for-all approach to point-solution purchasing.

The truth for most organizations is that they suffer from a combination of all three, but endpoint complexity puts a wedge between the tools and the teams required to maintain the functionality and resilience of security systems. It requires too much coordination among people, and it slows reaction times to threats.

It also creates blind spots in organizations that contribute to confusion regarding what is actually occurring across all endpoint solutions.

Tool sprawl acts to defeat one of the primary tenets of the security stack which proposes that information communication technologies be architected and designed to operate securely and effectively within organizationally specific cyber threat environments.

Integrated systems are the path forward
When we think of the traditional security stack, the security layer is comprised of several control planes across both network and application layers, many of which are engineered-for-purpose hardware and software evaluation tools.

Because the interconnectivity of current systems is so complex and the lack of interoperability slows down the process of detecting threats, various endpoints make very attractive hunting grounds for hackers.

Organizations should do all they can to eliminate redundancy in the endpoint environment. It not only contributes to a better integrated security stack overlay but also reduces unnecessary security expenditures.

Eliminate one-off solutions, when possible
Stand-alone endpoint tools should be replaced by better-engineered, multi-functional threat protection solutions. In fact, newer, more advanced technologies are coming to market that use machine learning and behavioral analytics, are fully integrated, and provide better day-to-day security coverage.

A turnkey endpoint protection platform may not be suitable for every organization. However, a recent Gartner market review of the leading endpoint protection providers included those that provide robust remediation capabilities and dynamic response to security incidents.

Some of these newer multifunctional tools incorporate an approach called Hardware Assisted Control Flow Integrity (HA-CFI), which leverages features in the microarchitecture of Intel processors, such as the performance monitoring unit (PMU), for security. HA-CFI also operates in the exploitation stage, before bypasses happen.

Identify well-performing, existing tools with underused functionality and leverage them

In one recent survey, the majority of IT decision makers responded that current solutions prevent no more than 70% of attacks, particularly those using file-less or memory-injection techniques. With that in mind, there are some best practices for evaluating existing tools, namely:

  • Platform coverage: Does the proposed product support the operating systems and versions running on all of the endpoints, such as Windows, Mac, and Linux?
  • Feature set: Is the proposed product comprehensive? Does it provide all of the features that the organization requires for layered protection?
  • Performance: What is the average malware detection rate of the proposed product? How quickly does the vendor typically provide a new signature after a zero-day threat is discovered?
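The "platform coverage" check above, together with the earlier point about eliminating redundant endpoint tools, can be turned into a simple inventory audit. The following is an added example, not code from the article or from any vendor it mentions; the tool inventory, the endpoint list and the set of required capabilities are all constructed here for illustration. It reports three things a security team usually wants from such an audit: hosts missing a required capability (blind spots), tools that add nothing on a host because another deployed tool already covers their capabilities (redundancy), and tools deployed on a platform they do not support.

```python
"""Endpoint tooling inventory audit: blind spots, redundancy and platform mismatches.

All data below is constructed for this example.
"""

# Constructed tool catalogue: name -> vendor, supported platforms, capabilities.
TOOLS = {
    "AV-Classic": {"vendor": "VendorA", "platforms": {"windows"},
                   "capabilities": {"av"}},
    "EDR-Plus":   {"vendor": "VendorB", "platforms": {"windows", "mac"},
                   "capabilities": {"av", "edr"}},
    "NixWatch":   {"vendor": "VendorC", "platforms": {"linux"},
                   "capabilities": {"edr"}},
    "DiskLock":   {"vendor": "VendorD", "platforms": {"windows", "mac"},
                   "capabilities": {"disk_encryption"}},
}

# Constructed endpoint inventory: host -> platform and the tools deployed on it.
ENDPOINTS = {
    "ws-01":  {"platform": "windows", "tools": {"AV-Classic", "EDR-Plus", "DiskLock"}},
    "ws-02":  {"platform": "windows", "tools": {"AV-Classic"}},
    "mac-01": {"platform": "mac",     "tools": {"EDR-Plus"}},
    "mac-02": {"platform": "mac",     "tools": {"AV-Classic"}},   # wrong platform
    "srv-01": {"platform": "linux",   "tools": {"NixWatch"}},
    "srv-02": {"platform": "linux",   "tools": set()},            # nothing deployed
}

# Capabilities the (hypothetical) policy requires on every endpoint.
REQUIRED = {"av", "edr", "disk_encryption"}


def applicable_tools(host):
    """Deployed tools that actually support the host's platform."""
    info = ENDPOINTS[host]
    return {t for t in info["tools"] if info["platform"] in TOOLS[t]["platforms"]}


def effective_capabilities(host):
    """Union of capabilities provided by the tools that really run on this host."""
    caps = set()
    for t in applicable_tools(host):
        caps |= TOOLS[t]["capabilities"]
    return caps


def blind_spots():
    """host -> required capabilities that no applicable tool provides."""
    gaps = {}
    for host in ENDPOINTS:
        missing = REQUIRED - effective_capabilities(host)
        if missing:
            gaps[host] = missing
    return gaps


def redundant_tools():
    """host -> tools whose every capability is already provided by the other tools
    on that host. Two tools with identical capabilities are both reported, since
    either one could be removed."""
    result = {}
    for host in ENDPOINTS:
        deployed = applicable_tools(host)
        redundant = set()
        for t in deployed:
            others = set()
            for o in deployed - {t}:
                others |= TOOLS[o]["capabilities"]
            if TOOLS[t]["capabilities"] <= others:
                redundant.add(t)
        if redundant:
            result[host] = redundant
    return result


def unsupported_deployments():
    """(host, tool) pairs where the tool does not support the host's platform."""
    return {(h, t) for h, info in ENDPOINTS.items()
            for t in info["tools"] if info["platform"] not in TOOLS[t]["platforms"]}


def vendor_count():
    """Number of distinct vendors behind the tools actually deployed."""
    return len({TOOLS[t]["vendor"] for info in ENDPOINTS.values() for t in info["tools"]})


if __name__ == "__main__":
    print("Vendors in use:", vendor_count())
    for host, missing in sorted(blind_spots().items()):
        print(f"BLIND SPOT  {host}: missing {sorted(missing)}")
    for host, tools in sorted(redundant_tools().items()):
        print(f"REDUNDANT   {host}: {sorted(tools)}")
    for host, tool in sorted(unsupported_deployments()):
        print(f"UNSUPPORTED {host}: {tool} does not run on {ENDPOINTS[host]['platform']}")
```

In practice the two dictionaries would be fed from the asset inventory and the vendors' platform support matrices rather than hand-written; the point is that the "blind spot" question becomes a set difference per host once both are in one place, and the redundancy question is the same check in the other direction.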

Blind spots will always exist because bad actors will always find ways to exploit even the best point solutions designed to protect enterprise and other organizational technology environments. Endpoint solution sprawl is adding to the problem by making security resilience more complex and reducing the efficiency of operations and security teams even when they are well aligned and their tools are integrated.

One way to address dangerous blind spots is through a readiness assessment and, later, a SOC 2 audit, in which all your processes and procedures are thoroughly vetted and possible blind spots are identified. Working with a qualified auditor can help you avoid analysis paralysis and quickly lay out a plan of attack.
In the end, the more you reduce complexity in your infosec tech stack, the more you will be able to end today’s endpoint solution nightmare.