Dave Shackleford, Voodoo Security
Security platforms are constantly evolving, adding features and capabilities that may perform the same operations as controls already in place. Getting all of your security tools from a few trusted vendors has its perks. But as technology providers increasingly expand their integrated security suites to create bigger and better tools through mergers and acquisitions, add layers of functionality to commoditized products, and offer new delivery models -- the resulting confusion and overlap in capabilities can take a toll.
Many security teams buy new or upgraded tools that eventually become shelfware, without active use or purpose. As this trend continues, organizations end up spending more money than they should on products, whether they are part of an integrated security suite or not. CISOs may also end up with an inaccurate picture of which controls are actually defined and effective for meeting policy and compliance needs.
Once in a while, it's a good idea for larger organizations to clean up the backyard, taking a hard look at what tools are needed, which ones perform best, and the features most important to meeting stated security and compliance goals. What process should you pursue to identify these overlaps and pare down your integrated security suite footprint?
What You Have vs. What You Need
To get started, consult your current system inventory and review the applications installed in your enterprise. If this is a weak area for your organization, it may be difficult to determine which security tools are most applicable. Two things complicate the picture. First, you may have legacy systems and applications that are not compatible with the newer technology or controls you would prefer. Second, you may have an entire spectrum of technology that requires a particular type of control you don't currently have; that requirement should also shape how you approach tool consolidation and purchases.
Once you have a reasonable idea of which systems and applications need protection, it's time to review your vendor management practices and policies. First, see if you have preferred vendors that offer your organization significant discounts or favorable business terms. While you shouldn't select an integrated security suite based on the vendor alone, if two security platforms are similar in capabilities but one vendor offers significant advantages in price, customer relations and support, that will be a valuable factor in the decisions you make later. Second, determine the contract terms and lengths that may play a role in deciding which vendors you select. If certain products are locked into longer-term contracts, a sensible starting point is to check whether those tools reasonably meet your needs. You will likely also uncover vendors that your procurement department does not favor; consider their concerns too when looking at vendors that meet your needs.
Once inventory management and vendor specifics are taken into account, you need to evaluate the list of controls that are required or desired within your enterprise. The first place to start is with the list of needed controls for compliance initiatives and regulatory requirements. Many security organizations have found that they can start evaluating their existing tools by making a list of all the technologies they currently have, then designating each as "must have," "nice to have" or "unnecessary." Any controls that compliance and regulatory guidelines require should be designated as "must have." Note that this applies to the controls, not the vendors. By going through this exercise, you will likely discover some technologies that are not providing a lot of value, as well as those that are due for a refresh.
Now you can begin evaluating new products and features for the types of security functionality that you are missing in your program, as well as market trends that may offer new functionality and specifications that you know you'll need in the coming months and years. For example, many organizations have determined that their traditional firewalls or intrusion prevention systems (IPS) are not capable of detecting newer types of application attacks or identifying malicious software and command and control channels that malware and compromised botnet nodes use. To meet these needs, a new market segment of next-generation firewalls (NGFWs) has emerged, with products that either replace or augment traditional network technologies like firewalls and IPS. If your organization needs the features that NGFW technologies offer, then you should document the reasons why your current firewall and IPS products cannot meet your needs and then determine what is best for your desired architecture and enforcement policy set. Should a new technology replace an old one? Or does it make more sense to augment those security platforms with a newer technology?
The next consideration should be what tools you currently have and what features they offer. The majority of overlapping tools are likely to fall into three areas: network security, event management and endpoint security. For example, many log management platforms now offer more advanced analytics and correlation capabilities, much like SIEM systems. On the flip side, most SIEM platforms can also accommodate some degree of pure log and event management. Network security options from larger providers may encompass network access controls, network anomaly detection, malware sandboxing and "detonation," and more. Endpoint security platforms tend to have one of the highest degrees of overlap. Endpoint agents can encompass configuration management, patch management, host-based intrusion detection and prevention, antimalware, whitelisting, file integrity monitoring and more. For many teams, endpoint security today needs to cover antimalware, some degree of whitelisting, file integrity monitoring or HIDS/HIPS, and potentially some type of forensic acquisition and investigation support.
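To make the "must have / nice to have / unnecessary" exercise and the overlap review concrete, here is an added example (not from the article) that scores a constructed tool inventory against a constructed control list: it reports must-have controls that nothing covers, controls covered by more than one tool, and tools whose every needed control is already provided elsewhere. All tool and control names are illustrative assumptions.

```python
from typing import Dict, List, Set

# Constructed inventory (assumed): tool -> controls it provides.
INVENTORY: Dict[str, Set[str]] = {
    "log-manager":    {"log-collection", "log-retention", "basic-correlation"},
    "siem":           {"log-collection", "log-retention", "basic-correlation",
                       "advanced-correlation", "alerting"},
    "av-agent":       {"antimalware"},
    "endpoint-suite": {"antimalware", "whitelisting", "fim", "hips",
                       "forensic-acquisition"},
    "fim-tool":       {"fim"},
    "legacy-ips":     {"signature-ips"},
}

# Constructed result of the classification exercise (assumed).
PRIORITY: Dict[str, str] = {
    "log-collection": "must have", "log-retention": "must have",
    "alerting": "must have", "antimalware": "must have", "fim": "must have",
    "c2-detection": "must have",          # required, but no tool provides it
    "basic-correlation": "nice to have", "advanced-correlation": "nice to have",
    "whitelisting": "nice to have", "hips": "nice to have",
    "forensic-acquisition": "nice to have",
    "signature-ips": "unnecessary",
}

def coverage_gaps(inventory: Dict[str, Set[str]], priority: Dict[str, str]) -> List[str]:
    """Must-have controls that no tool in the inventory provides."""
    covered = set().union(*inventory.values())
    return sorted(c for c, p in priority.items() if p == "must have" and c not in covered)

def overlapping_controls(inventory: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Controls provided by two or more tools, mapped to the tools that provide them."""
    providers: Dict[str, List[str]] = {}
    for tool, controls in inventory.items():
        for c in controls:
            providers.setdefault(c, []).append(tool)
    return {c: sorted(t) for c, t in providers.items() if len(t) > 1}

def consolidation_candidates(inventory: Dict[str, Set[str]], priority: Dict[str, str]) -> List[str]:
    """Tools that add nothing on their own: every control they provide is either
    classed 'unnecessary' or also provided by some other tool. Unclassified
    controls are treated as needed. Each tool is judged against the full
    remaining inventory, so two candidates that only back each other up must
    not both be retired without re-running the check."""
    out = []
    for tool, controls in inventory.items():
        others = set().union(*(c for t, c in inventory.items() if t != tool))
        needed = {c for c in controls if priority.get(c) != "unnecessary"}
        if needed <= others:
            out.append(tool)
    return sorted(out)
```

On the constructed data the gap is "c2-detection" (the command-and-control detection the article says traditional firewalls and IPS lack), and the candidates for retirement are the standalone antimalware, FIM and log management tools plus the IPS whose only control was classed unnecessary.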
Tools Assessment and Consolidation
How do you judge success when looking at an integrated security suite of tools or other products? There are many different opinions on what constitutes success, but the key factors to consider include the following:
- Cost reduction: Often, cost is a major factor in trying to reduce overlap between vendors. This should not be the only consideration, of course, but if two products are largely equivalent and one costs less, this is a simple criterion.
- Improved functionality: If an integrated security suite of tools can offer the same capabilities that your existing product can, plus additional features that are required or desirable, then choosing the more functional toolset is a sound choice. This can easily be a deciding factor when choosing between two tools that are already in-house -- for example, if one company acquires another and two different tools are used in the newly merged organizations.
- Complexity reduction: If two tools are largely equivalent but one is much simpler to configure and install, then this may weigh in its favor. Also, if a tool requires a vast degree of skill to work with, and that skill set is rare, the security team may have difficulty finding or even training skilled staff to manage the product over time.
- Integration capabilities: If a specific tool has the functionality desired and the majority of features that the security team would like, integration with other tools and management platforms can be a strong consideration for acquisition or retention. For example, McAfee ePolicy Orchestrator (ePO) is a central console that almost all McAfee tools plug into or feed data to. If a successful management and monitoring strategy is built around a tool like this, network, endpoint and other security products that also integrate with it may be more valuable collectively than standalone systems with disparate management consoles.
- Management and overhead: If a specific tool consumes more time than it should in troubleshooting, configuration, tuning or other tasks, then it may be better to find a similar product with lower overhead.
- Platform support: Broad platform support is a technical consideration that may weigh in a tool's favor, especially for endpoint and server security products.
An integrated security suite of tools may offer significant benefits over disparate products. In the realm of network security, unified threat management (UTM) platforms that can perform tasks such as traffic access control and intrusion prevention may make more sense than separate firewalls and intrusion prevention sensors. Many organizations are implementing NGFWs in place of both firewalls and IPS. For endpoint security, an integrated security suite with a single agent that performs malware detection, whitelisting, and forensics or incident response will conserve resources and potentially provide more unified management and integration across functions and capabilities.
The landscape of security tools is changing rapidly as well. For organizations implementing cloud services, a number of security as a service (SecaaS) offerings are now available that provide new capabilities and integration with numerous cloud service providers. Using SecaaS for identity and access management, cloud server host-based security, and data loss prevention and content monitoring may give security teams advantages in ease of setup and management, as well as tools and capabilities they could not otherwise get with on-premises products.
Security teams are more strapped for time than ever before. We have to cover a lot of ground with small teams of people, and we need an integrated security suite of tools that give us the most bang for the buck, while ensuring our budgets are spent as wisely as possible on the functionality we really need. Reducing overlap between tools and streamlining our security product and control infrastructure is one way to help accomplish this mission.
About the author:
Dave Shackleford is the owner and principal consultant of Voodoo Security LLC; lead faculty at IANS; and a SANS analyst, senior instructor and course author. He previously worked as CSO at Configuresoft; as CTO at the Center for Internet Security; and as a security architect, analyst and manager for several Fortune 500 companies. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.