Samuel Taylor Coleridge’s Ancient Mariner complained of “water, water, everywhere, nor any drop to drink.” Modern CISOs face the same problem with security tools. The more they have, the less useful they seem to be.
More tools often muddy the waters instead of offering clarity, warns Candy Alexander, board member at the Information Systems Security Association (ISSA). “We’ve been saying for years as cybersecurity professionals that we need to have a single pane of glass to see what’s going on,” Alexander says. “Each time a new tool comes about, that means another pane of glass we need to look through.”
Two years ago, the Ponemon Institute found that companies used an average of 45 cybersecurity tools each. Those using more than 50 tools ranked themselves 8% lower in their ability to detect an attack.
Given the massive challenges Western companies face, including stealth economic battles with China and all-out cyberwar with Russia, many companies feel it’s time for tool vendors to work together rather than in isolation. The sprawl of tools points to a need for a convergence of solutions, experts say. The times demand action.
The urge to merge
Security professionals are getting tired of the tool-sprawl conundrum. Two-thirds of the 280 cybersecurity pros polled in Technology Perspectives from Cybersecurity Professionals, a research report this year from ISSA and Enterprise Strategy Group (ESG), felt that products were too complex and difficult to use to their full potential. Almost three-quarters felt that vendors engaged in hype over substance, confusing them and handing the advantage to cyber-adversaries.
Security pros say they want to consolidate and integrate tools using a core set of global open standards:
- 77% of respondents would like to see more industry and technology support for open standards.
- 84% of respondents believe that a product’s integration capabilities are important.
- 83% of respondents believe that future interoperability depends upon established standards.
James Lewis, senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS), blames cultural flaws. Buying more tools seems like progress because it demonstrates action, he says, even if it’s the wrong kind of forward movement.
If you get hacked via an Active Directory compromise, you’ll often buy a tool to plug the hole.
“When you get hacked again, you buy another tool,” he says. “Then you can go to your board and say that you’ve taken steps to remediate the problem, so there’s an incentive to keep buying.”
It wouldn’t be quite so bad if companies could integrate tools effectively. Product integration ranked second only to cost in procurement criteria among ESG/ISSA respondents. But not all integrations are equal, says Mark Mastrangeli, co-chair of the Open Cybersecurity Alliance (OCA). Set up in 2020, OCA—an open-source group operating under the OASIS Open governance project—works to create common standards for exchanging security information between tools and simplifying integration.
Direct integrations between tools create a complex web of connections that are difficult to manage. They also discourage swapping out the most integrated software, he warns. “The cornerstone tool that now has five other things connected to it becomes really sticky and hard to replace,” he says. “It becomes a snowball rolling downhill that is hard to unwind.”
One alternative is architectural standardization, in which an application sits in between all of the tools and serves as a communications conduit. The Posture Attribute Collection and Evaluation (PACE) initiative focuses on standard ways to exchange cybersecurity information, ranging from software vulnerabilities to patch levels and software bill of materials (SBOM) data.
OCA working groups maintain a set of coding libraries that enable systems to connect to cybersecurity data warehouses and retrieve information in the Structured Threat Information Expression (STIX) format, a standard for exchanging cyber threat intelligence data. There’s also an OCA working group focused on sharing the behaviors of cyberattackers, to help companies see attack patterns.
In early August, a group of 18 companies launched the Open Cybersecurity Schema Framework (OCSF). The project, backed by the likes of IBM, Amazon, Cloudflare, and Tanium, is an open-source schema designed to exchange cybersecurity information between different tools. There are other players, too. MITRE’s ATT&CK framework describes adversary tactics and techniques. OpenC2, another OASIS project, aims to create a standard language for the command and control of cyberdefense technologies.
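To make the "common exchange format" idea concrete, here is an added example (not code from the article, OCA, OCSF, or any vendor) that normalizes two differently shaped alerts into STIX 2.1 indicator objects and packs them into a STIX bundle, so one downstream consumer can read both without a point-to-point integration per tool. The two source formats, their field names, and the alert values are constructed for illustration; only the STIX property names and timestamp format follow the STIX 2.1 specification.

```python
"""Normalize two hypothetical tools' alerts into STIX 2.1 indicators.

Added example: the two input formats (HypotheticalEDR, HypotheticalNetMon)
and their sample values are constructed; they are not real products.
"""
import json
import uuid
from datetime import datetime, timezone

# Constructed sample alerts, as two different tools might emit them.
EDR_ALERT = {
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "filename": "dropper.exe",
    "seen_at": "2022-08-15T10:12:00Z",
}
NETMON_ALERT = {
    "dst_ip": "198.51.100.7",
    "first_seen": "2022-08-15T10:13:30Z",
    "reason": "beaconing",
}

# Properties every STIX 2.1 indicator SDO must carry.
REQUIRED = ("type", "spec_version", "id", "created", "modified",
            "pattern", "pattern_type", "valid_from")


def _stix_time(dt):
    """STIX 2.1 timestamps are UTC with millisecond precision and a trailing Z."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def _q(value):
    """Escape a value for use inside a single-quoted STIX pattern literal."""
    return str(value).replace("\\", "\\\\").replace("'", "\\'")


def make_indicator(name, pattern, valid_from, created=None, ident=None):
    """Build a STIX 2.1 indicator with all required properties set."""
    ts = _stix_time(created or datetime.now(timezone.utc))
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{ident or uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": valid_from,
    }


def from_edr(alert, **kw):
    """Map a HypotheticalEDR file alert onto a file-hash indicator."""
    pattern = f"[file:hashes.'SHA-256' = '{_q(alert['sha256'])}']"
    return make_indicator(f"EDR: {alert['filename']}", pattern, alert["seen_at"], **kw)


def from_netmon(alert, **kw):
    """Map a HypotheticalNetMon network alert onto an IPv4 indicator."""
    pattern = f"[ipv4-addr:value = '{_q(alert['dst_ip'])}']"
    return make_indicator(f"NetMon: {alert['reason']}", pattern, alert["first_seen"], **kw)


def validate(obj):
    """Return the list of required STIX properties missing from obj (empty means OK)."""
    return [k for k in REQUIRED if k not in obj]


def bundle(objects, ident=None):
    """Wrap validated objects in a STIX bundle; reject incomplete objects."""
    bad = {o.get("id", "<no id>"): validate(o) for o in objects if validate(o)}
    if bad:
        raise ValueError(f"objects missing required STIX properties: {bad}")
    return {"type": "bundle", "id": f"bundle--{ident or uuid.uuid4()}",
            "objects": list(objects)}


if __name__ == "__main__":
    print(json.dumps(bundle([from_edr(EDR_ALERT), from_netmon(NETMON_ALERT)]), indent=2))
```

The design point is that each tool needs exactly one adapter into the shared schema (`from_edr`, `from_netmon`), and every consumer reads the schema, not the tools; replacing the "cornerstone" tool then means rewriting one adapter rather than unwinding a web of pairwise integrations. The `validate` step is what keeps a sloppy adapter from silently breaking consumers that trust the shared format.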
What CISOs can do now
The first thing to do is to look at what’s in your company’s portfolio. Companies must find the overlap between their existing tools and consolidate them, shrinking the portfolio while also cutting management overhead and licensing fees.
“They can standardize on one product for each category,” says Jon Oltsik, an ESG senior principal analyst who authored the ESG/ISSA report. “So, one type of firewall, one type of endpoint security suite, and so on. You’d be surprised how many big companies have three or four of each.”
An alternative is to buy into a single integrated platform. Some vendors offer extended detection and response (XDR) solutions that integrate with various tools, occupying the role of central hub in the cybersecurity tools portfolio. Some vendors support integrations with their own partners, while others position themselves as straight-up middleware between third-party cybersecurity tools.
While vendor approaches vary, customer interest is strong. The ESG/ISSA report noted that 46% of security professionals had either deployed or were planning to deploy an XDR platform.
Whichever approach they take, the impetus is clear among security professionals: It’s time to lighten the load. In the crowded world of cybersecurity tools, people are realizing that less is more.