Why do security 'solutions' fail to actually solve the problem that you made the investment of time and resources for?
If we're honest with ourselves, we can easily look around the organization and find several projects that even though they are implementation-complete, are hardly "complete" as they sit. Too often after a catastrophic failure, or security incident we're pre-disposed to making hasty purchases to effectively stop the bleeding without considering what the full scope of what we're doing may be. This is one of the reasons the worst time to make a technology investment is during a catastrophe.
Along that thread, let's look at your projects list and resource requests for the next fiscal or calendar year. I bet there's at least one or two new "shiny objects" on there that solve some big new problem the media tells you that you have... and I'm probably committing blasphemy as a vendor by saying this but - do you really need those bright shiny new things? All too often the answer is no, and unfortunately this only gets worse as time ticks by.
So what should your next critical security project be?
If the last few weeks of conversations with CISOs planning their budgets is correct... the next big project should be figuring out how to take the investments you've already made and implement them to their full potential. Getting 'full potential' out of existing investments is something one financial CISO runs an end-of-year program for each year. At the end of each year, this CISO spends a few weeks with his team combing through the many dashboards, boxes and security solutions in his environment to figure out where more use can be squeezed out of existing investment in technology. Unfortunately his team doesn't typically have to work very hard to find those gaps.
At the beginning of the following fiscal year, the first few 'critical' projects, aside from business-related tasks, are to close those gaps between what the invested technology can do and what it currently does. This is no easy task, mind you, but it's one that yields a large benefit with minimal new investment.
Here's a list of questions to ask when looking back at existing security projects/solutions to decide whether you should be giving them another look...
- Have you updated, tweaked, tuned the product in the last quarter?
- Do you use more than 50% of the product/solution's core features?
- Is the product/solution adequately integrated with other solutions within your security practice?
- Does the purpose the product/solution served when purchased still exist?
- Does your team have time to regularly maintain, or get use out of, the product/solution?
Those are just a few of the questions from the list... but they give you a good idea of what to think about.
Too many 'security solutions' are often orphaned servers, or blinking boxes in a closet, that no one ever checks on much less regularly maintains or gets useful intelligence out of. After all, aren't security tools supposed to be some of the most actively used telemetry in your war chest? Security organizations, if you haven't noticed, have a glut of 'stuff' blinking, taking power and space, and altogether being nearly useless in their organizations. Niche products are OK, but that "APT Fighter Pro v2.0" security widget probably needs regular care and maintenance ... oh and you should be getting regular benefits out of it!
Ask yourself how many security dashboards you have at your disposal right now, today. I bet it's at least a half-dozen if you're a reasonable sized company... when you do a dashboard-to-analyst ration your dashboards shouldn't outnumber your security analysts... yet I find plenty of places where this is true. You can't tell me you're getting value from those if you can't spend quality time with your tools...
The solution then to your glut of 'solutions'? Consolidate, re-evaluate, and maximize.
- Consolidate - Take 5 niche tools that each do 1 thing really, really well and consolidate them into a single tool that does all 5 of those things reasonably well ... in a single product. This gives you better usability, intelligence, and a much higher likelihood that you'll actually get value.
- Re-Evaluate - Sometimes that point tool you needed 4 years ago to fight some fire or band-aid some poor implementation just isn't necessary anymore... or it can be rolled up into another tool or solution. Security teams are no more or less guilty than anyone else in IT or business at this... but it's still a cardinal sin - re-evaluate whether you need that widget at least twice a year... because if it's not helping you it darn well may be hurting you.
- Maximize - Spend time with the tools that are your life-lines. As an analyst you should know the capabilities of all your security products and solutions. You should know the capabilities as well as limitations - those aren't the same thing, and know when to keep pushing. A SEIM can just be a dumb logging box, or it can be the one nerve center for your enterprise - it's a matter of understanding capabilities and pushing boundaries!
What will your next priority project be for security?
How about you look inward, and figure out how to maximize last year's investments (or the previous years?) and surprise your management by telling them instead of chasing the new shiny thing you're going to reinvest time in the stuff you already own.
Cross-posted from Following the White Rabbit