High profile data breaches have pushed IT security up on the agenda of organisations. As a result, some companies have been overzealous in implementing a whole host of security solutions in the hopes of staving off attacks. But this is not an effective or efficient approach to IT security; You need to take the plunge and streamline your security product portfolio. Here's where you can start.
Chris Coryea is the cyber intelligence service manager for Lockheed Martin in the UK. While the company is known for its aerospace and military defence work, it does have a cybersecurity division that services global enterprises. Since Lockheed Martin was hit by its first cyberattack back in 2003, it has been working to align its people, processes and procedures to better fend off IT security threats.
Speaking at the RSA Conference 2016 in Singapore, Coryea wanted to share some lessons the company has learned. One of the issues he raised was about companies that assume buying up a swathe of different security products would make their IT environment safe. A client Coryea had dealt with had the same problem.
"They were a vendor's dream; [the company] wouldn't buy just one product, it would buy the whole suite — all of it," he said. "Because of this, the company had a 'set it and forget it' mentality and that out-of-the-box solutions are good enough; the client trusted the vendors so they just put it in and let it hum."
The security solutions would generate a ton of alerts every day and the staff responsible for monitoring the corporate network was overwhelmed and could barely keep up. They couldn't even think about tuning the security products to better suit the organisation's needs in fear that it would increase their workload even more. Intrusion rates weren't dramatically lowered either, despite all the tools.
According to Coryea:
"What they didn't realise was that they had a major duplication problem: they would have 3-4 technologies firing on the same incident within their environment, which meant they had 3-4 network defenders responding to the same incident when one technology could have taken care of the situation; nothing was standardised. "… They were just taking all the alerts from the vendors, who didn't know about their environment at all."
Lockheed Martin went through the customer's entire security portfolio and did a technology capability assessment to understand the effectiveness of each product. It looked for gaps and duplication that was occurring then evaluating the portfolio against real attacks. If the first product doesn't catch a particular threat, will the second or third product pick it up?
Each organisation's internal threat landscape, that is, the actual attacks that they face, is different and may require a unique combination of security tools. But it's pointless spending money on everything and hoping for the best; The right set of tools will not only help standardise your security strategy but reduce duplication of alerts as well. This will in turn give you the best return on investment (ROI) and free up security resources to help make the most of existing solutions.
When you decide what security technology to cull, you need to look at all those factors.
As for the client that Coryea worked with:
"We showed this to the CISO and told him: 'We have your technologies lined up against your framework and against your threat landscape. You spent $500,000 on technology A and against your threat landscape, it only blocked two of the advanced threats. Meanwhile… you spent $75,000 on technology B; It's picking up 75% of the advanced threats you need to be worried about.' "As a CISO, looking at return on investment, which technology am I going to get rid of? That really went a long way for that organisation."
Having said that, some security tools require fine tuning to obtain the best results. Technology A could potentially pick up 90% of the threats if it was customised correctly, which would make it a better solution than technology B. The bottom line is don't assume all security products will just work out-of-the-box and it's another thing to consider when you want to downsize your security portfolio.
Spandas Lui travelled to Singapore as a guest of RSA