Our first annual #InfoSecInsightJam proved an incredible success, featuring the contributions of cybersecurity experts and providers from around the world. However, we didn’t get the chance to post and publish all of the excellent, in-depth material we received.
Therefore, we’re working to catch up on all the material we couldn’t share during the Cybersecurity Insight Jam 2020. In that regard, we’re pleased to share this article on tool sprawl by Dr. Mike Lloyd, CTO of RedSeal.
Tool Sprawl – The Cybersecurity Challenge of 2021
By Dr. Mike Lloyd
It’s not news that the pace of change in IT is extremely fast. What’s less well-known is the downside — tool sprawl. IT teams innovate at a breakneck pace, picking up whatever innovations suit their immediate needs. Security, in contrast, must protect the old applications that are still around, plus the new ones, plus the different platforms those new applications are built on. It creates a juggling challenge – how many different technologies can your security team juggle at once? If you have too many, how do you decide which are most important and which you must drop?
Security is in a tough spot. The rules of the game keep changing. We were finally getting close to perfecting the art of securing data centers and VPNs, when along came cloud, multiple cloud environments, and a pandemic forcing many of us to work remotely. Cloud has forced a rethink of what a perimeter is made of, and the pandemic caused organizations everywhere to take a good hard look at the downsides of a security model based on what was “inside” versus “outside” a network. It doesn’t help that each cloud vendor has its own design for how perimeters should work, each described in its own lingo.
It might not be so bad if the move to the cloud were literally that – a lift-and-shift move, with nothing left behind. That’s not how it works in practice. New business applications are built in new ways – as one example, take Kubernetes container orchestration. The Kubernetes wave disrupts earlier waves like Virtual Private Clouds, or prior to that, Elastic Compute, all of which in turn disrupted the old data center. But disruption is not the same as replacement – organizations keep the older generations around because critical business services run on them. From a security point of view, this means the technology stack keeps getting bigger and bigger, with no layers ever really going away. Every network is hybrid now – some data centers, some early cloud fabric, some latest-and-greatest fabric.
Tool sprawl isn’t such a big headache for individual IT teams – they get to specialize in whatever tech stack they pick. Security, on the other hand, is responsible for securing everything. It’s as if they need to be universal groundskeepers for everyone when teams can choose whether they want flower beds, or dense jungle, or open savannah, or anything in between. It’s an absurd challenge, beyond human skillsets, because these environments are so different and need to be managed with different tools.
The other big headache for security teams is the perennial shortage of experienced cyber defenders. I find it’s typical for organizations to have between fifteen and fifty different security technologies in their portfolio, but with enough skilled staff to drive perhaps three or four of them at the expert level required. Security teams haven’t been over-buying – each of these complex technologies solves a real problem. But security products are inherently complicated, and as a result, they have complex interfaces that give powerful ways to get things done, but only on condition that you actually know how to do it. In theory, if we had enough skilled security professionals, all these technologies would be great, but it’s simply not practical to find enough people who know all the nuances and subtle use cases of these powerful tools.
What can defenders do when they’re caught between the need to monitor and control each new IT innovation and the lack of skilled staff to drive the existing tool investments properly? Clearly, we must simplify – reduce the difficulty of using any given defensive technology and increase the integrations between them so that experts in one can drive others without having to master every interface of every different product. The other important simplification is to focus effort on the most fundamental things, even if this means missing some cutting-edge esoteric offerings. After all, experience shows that most breaches could have been stopped by more diligent adherence to basic cyber hygiene advice – the fundamentals matter.
One guide on how to focus on what is essential is a military principle called the OODA loop. This came originally from the US Air Force but has since been used as an effective model in other military contexts, in business, and now in cybersecurity. The original question was who wins aerial dogfights – the person with the fastest plane, or the biggest guns? Generally, neither. The winners of aerial combat are those who have honed their skills in the four key areas of the loop so that they can iterate around the loop faster than their opponent. The four stages in the loop are Observe, Orient, Decide, and then Act. If you miss any one of these four, you will not be effective. If you are slow to do any one of them, your opponent will outmaneuver you. If you get any one of these steps wrong, you risk crashing into the ground.
In cybersecurity, we cover Decide by investing in SIEMs to sort through vast data lakes. We use SOAR and similar automation approaches to help us Act. We have many Observe tools, to the point that most security teams are drowning in facts from scanners, traffic taps, and logs. What we lack and what we need to invest in is a matching ability to Orient, to understand the significance of the facts in each situation.
As technology advances, so does tool sprawl, and it is a major challenge to security teams. The solution is to reduce to the truly essential, eliminating any overlap and unnecessary complexity so that the limited teams we employ can get maximum defensive benefit from the minimum amount of technology. The OODA loop is a useful guide to what is truly essential – every organization needs to have a viable, well-practiced, and rapid ability to move through Observe, Orient, Decide, and Act. Anything distracting you from this mission is a luxury we can no longer afford.