COMMENTARY: Sprawl of all types has become a constant, growing problem in enterprises – code sprawl, vendor sprawl, cloud sprawl, and attack surface sprawl.
They aren’t just plaguing IT teams – they’re also putting the entire organization at risk. That’s because as companies acquire more and more tools to cover niche problems, they begin to plug holes rather than create an ecosystem that works together. Proper integration and budget management are needed to get the most out of security tools, but overlapping, dissonant capabilities lead to diminishing ROI.
Tool sprawl creates a large vacuum of knowledge that’s difficult to fill in as security teams try to wrap their minds around an endless number of apps and dashboards. Layer in siloed data and half-baked integrations, and it becomes nearly impossible to cross-correlate information and alerts efficiently. Dealing with an overwhelming number of security notifications can lead to alert fatigue, burnout, and high turnover.
However, there are ways to tackle tool sprawl while also making the job easier for security teams and reducing investment costs for CISOs, namely through consolidating telemetry streams for more actionable data analysis.
Not just a buzzword
We’re all familiar with the term tool sprawl, but is it just a buzzword that large security companies use to sell an “all-in-one” platform?
Yes and no.
Tool sprawl has become a very real issue for security teams. According to a CrowdStrike survey, 90% of respondents are using three or more tools to detect and prioritize vulnerabilities. Of the respondents, 31% said that too many tools made prioritization an issue, 37% cited too many alerts, and 55% cited coordinating alerts among multiple tools.
Similarly, estimates show that companies can have between 60 and 75 security tools installed, with 87% of firms expecting to increase spend on cybersecurity. Unless specific actions are taken to reduce the number of tools used by security teams, the problem will become worse. The obvious answer: consolidation.
With that being said, consolidation takes more than just investing in a single platform that claims to handle all security needs.
So how many security tools should organizations have? The answer isn’t simple. It depends on the organization's size, industry, location, security team expertise and cybersecurity priorities. There’s no magic number, and that’s why one-stop-shop security platforms aren’t the best answer for consolidation.
When deciding if the company has too many tools, start by assessing the security team’s bandwidth and determining the tool-to-analyst ratio. It’s also an exercise in setting realistic expectations for security teams. How many tools, dashboards and alerts can security analysts juggle? If there are three analysts and 21 different tools constantly streaming data and setting off alerts, that’s a ratio of 7:1. What if the business could consolidate so that the ratio is closer to 3:1? The security team would be more efficient when responding to incidents, and would also have more time to focus on proactive security measures and on automating day-to-day operations.
In a hypothetical scenario, if one tool sets off an alert and the security analyst has to cross-correlate it with several other tools, these extra steps create more time for a hacker to move through the network. The adversary gains an advantage before response and remediation even begins. In mission-critical environments, dead time between detection and response can make the difference between stopping an attack or being breached.
The case for consolidation
Consolidation should happen at the source. By condensing the stream of security data into a digestible medium with customizable detections and tailor-made incident response controls, security teams can respond quickly enough to close exploitable windows of opportunity. By centralizing – and operationalizing – security telemetry, teams are more efficient, plagued by fewer alerts and faster to respond.
When all is said and done, it’s challenging to work in complex environments, and very hard to avoid tool sprawl. That does not mean it’s an unmanageable problem. The solution in the IT world came with the advent of cloud providers that allowed IT teams to ditch the software-in-a-box and build their own bespoke products that can scale seamlessly. Similarly, cybersecurity benefits from an ecosystem of products with the ability to self-serve, scale, and achieve efficiency by leveraging customizable, open tools.
Maxime Lamothe-Brassard, founder and CEO LimaCharlie.io
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.