Too many security tools weaken enterprise incident response, study finds

News by Davey Winder

Missing the wood for the trees. Those with large numbers of tools must make sure the staff, expertise, and proper organisational alignments, expectations, and structures are in place.

What if we were to tell you that not only does your enterprise likely have too many security tools, but doing so hinders your incident response effectiveness? What if the Ponemon Institute told you the exact same thing, based upon an analysis of insight from 3,400 security and IT professionals globally?

The latest Ponemon Institute Cyber Resilient Organisation Report, sponsored by IBM, found that formal, enterprise-wide security response plan adoption is on the up. Across the last five years, enterprise incident response planning adoption has seen a 44 percent growth rate. That's the good news.

Less comforting for security professionals are the findings as they relate to the number of security tools being employed by enterprises. On average, enterprises use a total of 45 different security tools and 19 of these will be employed in response to a single incident. If that sounds like a positive, you are probably in the wrong line of work: more does not mean merrier when it comes to security tools and incident response.

The Ponemon Institute research found that, on average, those enterprises employing more than 50 security tools were eight percent less effective in detecting, and seven percent less effective in responding to, a security incident than those using fewer tools. This negative benchmarking proved to be applicable across multiple categories of the threat lifecycle, according to the report.

SC Media UK asked infosecurity professionals what they made of all this.

"All this 'study' shows is that organisations with larger budgets are more likely to doubt their ability to counter dedicated threat actors," Richard Bejtlich, principal security strategist at Corelight, says. "In other words, they have accepted that prevention eventually fails. To make any claims about effectiveness of security tools or budgets, you'd need to analyse how often various organisations are compromised, to what degree, impact, etc."

That said, Javvad Malik, security awareness advocate at KnowBe4, told SC Media UK that "complexity is indeed the enemy of security, having more security tools doesn't always equate to better security, and security shelfware remains an issue in many organisations." Malik warns that defence in depth can all too easily become expense in depth for many enterprises. So is orchestration the answer? "Orchestration can be useful, but it will only be as good as the underlying tools it is orchestrating," Malik advises, "so, it's important to have the right tools in place."

Chad Anderson, senior security researcher at DomainTools, says that "you cannot fix an enterprise’s security by throwing more tooling and capital at the problem." There is no "electronic vest of mithril" here, he continues, and you should run if you see a vendor ever speaking in absolutes. "Security is hard and often unforgiving as you just can’t get defence right every time," he says, "tools need to be effective and rolled into the daily process for security teams and they need to be integrated into other systems with a goal towards automation."

"Multiple tools performing similar functions can produce contradictory results," says Theresa Lanowitz, director at AT&T Cybersecurity and a former Gartner analyst, "understanding which result is incorrect can be challenging." Lanowitz argues that organisations become encumbered with a plethora of tools because adversaries innovate, and so the enterprise is "led down the path of believing more tools is equal to more and better security – this is false." Those with large numbers of tools "must make sure the staff, expertise, and proper organisational alignments, expectations, and structures are in place," she concludes.

We will leave the final word with Ilia Kolochenko, CEO at ImmuniWeb. "Eventually, cybersecurity teams just waste their valuable time trying to configure and correlate countless systems lacking consistency and missing a long-term strategy. They follow the hype, but miss the wood for the trees," he says.
