By Fabio Fratucello, Field CTO, International, CrowdStrike
It’s no surprise that we’re hearing a lot more about cyber-attacks. The barrier to entry for eCriminals is lower with the advent of Ransomware-as-a-Service and Access Brokers, providing cyber kill-chain elements as commodity services. The attack surface for cyber-criminals to target has expanded as cloud adoption continues to increase across business environments. And adversaries are getting quicker at moving laterally within a compromised environment; in 2022, the average breakout time was just 84 minutes, down from 98 minutes in 2021. All of this presents a significant challenge for cybersecurity
leaders as they consider their approach to cybersecurity investments.
It used to be the belief that the more security tools an organisation has, the more secure it would be even if there were multiple tools across the same domain. However, many Indian businesses are now challenged by the complexity of their security stack. Organisations relying on an overly complex and disjointed array of technologies can be exposed to greater cyber risks due to the nature of a fragmented architecture while incurring increased operational costs.
Having complete visibility across the environment is key. What may seem like a siloed anomaly at first may be a sophisticated attack that is leveraging multiple vectors across different domains. However, visibility can be reduced by having too many tools, particularly if they are disjointed and unable to share data timely and effectively with each other. This makes it difficult for defenders to connect the dots, track an adversary’s path, and ascertain whether a security event is a false positive or part of a legitimate attack.
Security leaders, therefore, need to consolidate their security stack to prevent breaches slipping between the visibility gaps, either by implementing extensive and expensive integration programs or by taking advantage of a security platform approach.
The modern security approach for detection and response
Identifying overlap in security tools is the first step a business can take to begin its consolidation journey – and often the endpoint is the most common domain for this.
Over time, endpoint protection tools have evolved to offer a broader range of security functionalities beyond antivirus and anti-malware. These tools may include features like host-based firewalls, data protection, and device management. With an extended array of features, endpoint protection tools often overlap with other specialised security tools.
Businesses should evaluate which tools are more of a burden than a benefit to their overall security posture. Using endpoint protection as an example, one can see that replacing a range of specialised tools with a single comprehensive solution can provide out-of-the-box visibility across different domains, removing operational friction and driving increased efficiency. For example, by consolidating solutions across the endpoint at the identity protection domains, businesses are in a position with a single interface to understand attack correlation across two of the most critical domains requiring protection. This is a platform benefit, an out-of-the-box outcome that does not require businesses to further spend their budget on data integration activities.
Also important to consider is what the journey from a threat detection and response perspective should look like. It may involve several integral steps starting with runtime environment monitoring (where applications and services operate) and endpoint protection (across on-premises and cloud environments), to identity protection, threat intelligence, threat hunting, and managed detection and response (MDR). If all these capabilities are architecturally disjointed, the integration cost may go up very quickly.
It is an intricate task to track an adversary from one point to another across several domains and hundreds, if not thousands of individual signals and alerts. If tools cannot effectively talk to each other throughout that journey, then you have an interoperability problem that is putting your organisation at risk. Ensuring all your tools are working together via a single platform is critical. Having a consolidated approach is a more cost-effective and reliable solution to achieve the organisational security goals.
Nonsecurity considerations for a successful consolidation
A lack of security tool consolidation can also introduce various operational and financial issues that organisations need to consider. Assessing the total cost of ownership for security solutions means taking into account not only the initial acquisition cost of a control or capability but also the broader impact it has on various aspects of the organisation’s technology ecosystem. While the acquisition cost is relatively easy to understand and quantify, there are other factors that need to be considered and planned for.
For example, implementing multiple controls that do not interact with each other not only introduces a likely visibility gap but also unnecessary costs and can lead to productivity loss too. Employees may need to navigate and manage multiple systems, resulting in inefficient workflows or spending significant time trying to stitch them together. Additionally, having multiple consoles and disjointed solutions may require an additional headcount to monitor and manage them effectively. This means hiring more staff or reallocating resources, which adds to the overall operating cost.
As such, assessing only financial transaction costs when acquiring a security solution is a shortsighted view. Assessing the broader impact on operations, productivity, data engineering and transformation activities and human resources is critical when deciding on a security solution. The bottom line is that complexity is the enemy of security. By taking a holistic approach and considering the broader implications and costs associated with security solutions, organisations can make more informed and cost-effective decisions to align with their overall goals and resources.