Despite a proliferation of security tools, breaches continue to happen. Best of breed isn’t working, so organizations need to rethink their approach to deploying cybersecurity products, said Matthew Chiodi, chief security officer, public cloud, and Sandra Wenzel, senior systems engineer, both with Palo Alto Networks, at RSA Conference 2019.
Right now, $32bn is spent on trying to convince organizations that they need to use a best of breed product, with much of that spending based on the Lockheed Martin Cyber Kill Chain framework. “If you are trying to understand the breakdown of an attack, this framework is very useful,” said Chiodi, “but it inadvertently gave security teams too many tools.” They now think they need a tool for everything.
The majority of organizations say integration is their priority when buying security products, but that’s not what they purchase. They look for best of breed, regardless of integration capabilities, and this is creating data security silos. In turn, this makes it more difficult to discover data breaches.
It’s time to downsize on tools, which is easier once you realize that 20% of attack actions cause 80% of security issues. To move in this direction, Chiodi and Wenzel provided four steps:
- Inventory existing security tools: Create a spreadsheet that lists each tool, why it was originally purchased, how it is actively used and whether it shares threat intelligence
- Create a coverage map: Determine your critical coverage categories and analyze how each tool covers those categories
- Compile and categorize your list of incidents: Work with your SOC team to build the set of attack actions seen in your incidents, the number of occurrences of each action and the percentage of incidents each action accounts for
- Map your security portfolio to your vital few: Get rid of the security tools that aren’t working
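The four steps above amount to a Pareto analysis: rank incident actions by frequency, take the smallest set of actions that accounts for roughly 80% of incidents (the "vital few"), and then check each tool in the coverage map against that set. The script below is an added example, not material from the talk or from Palo Alto Networks. The incident list, the tool names and the action-to-tool coverage map are all constructed sample data; the 0.8 threshold is the 80/20 figure the speakers cite. It flags tools that cover none of the vital few (candidates to retire), tools whose vital-few coverage is wholly duplicated by another tool (candidates to consolidate), and vital-few actions that no tool covers at all (gaps worth more attention than any new purchase).

```python
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample incidents (hypothetical): one entry per incident, holding the
# attack action the SOC classified it under.
INCIDENTS: List[str] = [
    "phishing", "phishing", "phishing", "phishing", "phishing", "phishing",
    "credential-stuffing", "credential-stuffing", "credential-stuffing",
    "web-app-exploit", "web-app-exploit",
    "malware-download", "malware-download",
    "insider-misuse",
    "physical-theft",
]

# Constructed coverage map (step 2, hypothetical): tool name -> attack actions it
# detects or blocks. In practice this comes from the inventory spreadsheet (step 1).
COVERAGE: Dict[str, Set[str]] = {
    "email-gateway": {"phishing", "malware-download"},
    "waf": {"web-app-exploit"},
    "mfa": {"credential-stuffing"},
    "dlp": {"insider-misuse"},
    "badge-analytics": {"physical-theft"},
    "legacy-av": {"malware-download"},
}


def action_frequencies(incidents: Iterable[str]) -> List[Tuple[str, int, float]]:
    """Step 3: occurrences per action and each action's share of all incidents,
    ranked most frequent first (ties broken by name so the output is stable)."""
    counts = Counter(incidents)
    total = sum(counts.values())
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(action, n, n / total) for action, n in ranked]


def vital_few(incidents: Iterable[str], threshold: float = 0.8) -> List[str]:
    """Pareto cut: the top-ranked actions whose cumulative share first reaches
    the threshold (0.8 reflects the 80/20 rule cited in the talk)."""
    vital: List[str] = []
    cumulative = 0.0
    for action, _, share in action_frequencies(incidents):
        vital.append(action)
        cumulative += share
        if cumulative >= threshold:
            break
    return vital


def map_portfolio(coverage: Dict[str, Set[str]], vital: List[str]) -> Dict[str, List[str]]:
    """Step 4: classify every tool against the vital few.

    keep      - covers at least one vital-few action and is not fully duplicated
    redundant - its vital-few coverage is a strict subset of another tool's
    cut       - covers no vital-few action at all
    gaps      - vital-few actions covered by no tool
    """
    vital_set = set(vital)
    hits = {tool: actions & vital_set for tool, actions in coverage.items()}

    keep, redundant, cut = [], [], []
    for tool in sorted(coverage):
        mine = hits[tool]
        if not mine:
            cut.append(tool)
        elif any(mine < hits[other] for other in coverage if other != tool):
            redundant.append(tool)
        else:
            keep.append(tool)

    covered = set().union(*coverage.values()) if coverage else set()
    return {
        "keep": keep,
        "redundant": redundant,
        "cut": cut,
        "gaps": sorted(vital_set - covered),
    }


if __name__ == "__main__":
    for action, n, share in action_frequencies(INCIDENTS):
        print(f"{action:20s} {n:3d} {share:6.1%}")
    vital = vital_few(INCIDENTS)
    print("vital few:", vital)
    for label, tools in map_portfolio(COVERAGE, vital).items():
        print(f"{label:10s} {tools}")
```

Run as a script it prints the ranked action table, the vital few, and the keep/redundant/cut/gaps verdict for each tool. Two practical notes: the "redundant" list is only a consolidation candidate, since a duplicated tool may still be the one that shares threat intelligence or integrates with the SOC workflow (the inventory's integration column from step 1 should decide that), and the "cut" list should be re-checked against the coverage categories you defined as critical in step 2, because a low incident count for an action does not by itself mean the control preventing it is unnecessary.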
The adversary only needs to be right once, Wenzel pointed out, but your security team needs to be right every time. Having fewer tools that integrate will make being right easier.