Beyond “best of breed.” Solving for risk through consolidation

It’s 2023, and security cap-ex spending is at an all-time high and forecast to keep growing. 

Thanks to frameworks like MITRE ATT&CK, we also know more about how threat actors function than ever. There is no shortage of security solutions either – the average organisation uses around 60 within its environment. But cyber attacks still do hundreds of billions of dollars of damage annually.

So, what’s going wrong?

The answer has three parts.

Firstly, cybercrime has gotten a lot easier. To see how, roll back the clock 10 years. Back then, launching an advanced attack meant having a deep understanding of IT, cyber security and social engineering. 

Today, thanks to developments like ransomware-as-a-service, threat actors hardly need any technical knowledge to launch advanced cyber attacks.

Trends like cloud migration, remote working, and the simple reality of more people doing more online (the amount of data online has grown by 45x) further up the stakes. Sprawling IT networks also mean that security teams are increasingly unaware of their estates. 62% of CISOs admit to blind spots in their attack surfaces.

These factors are mostly outside security teams’ control.

But the third part of what’s harming cyber security is something security decision-makers can and should take immediate action on. It is that there are too many disjointed tools in operation within a typical SOC. 

Attend our upcoming webinar to learn more about this problem and how security teams can use security tool consolidation to fix it.

Here is a quick look at what to expect.

How We Got Here 

The good and the bad of the standard approach to buying security solutions can be summed up with the phrase “best of breed.”

Security teams buy tools based on their relatively high performance within their designated use case, i.e., best-of-breed. 

This search for best-of-breed solutions is not a bad idea, at least in theory. 

Against advanced threats that can move laterally and fool signature-based detection, it makes sense to deploy the best possible point solutions across the different parts of an organisation’s environment.

The result is that a typical organisation will protect its endpoints with an endpoint detection and response (EDR) solution from one vendor, monitor its network with a network analysis tool from another, protect servers with a next-generation antivirus (NGAV) from someone else etc. 

An organisation might also use a security information and event management (SIEM) platform to pull data from other parts of their network and a log management system to keep the information in one place. 

A typical organisation will not only have a range of tools like these. They are also likely to have a number of redundant or duplicate ones.

The still bigger problem is that most of these tools do not talk to one another. Or if they do display alerts on the same screen, they do not act in tandem.

This lack of integration creates a range of serious security efficiency problems. 

A major one is alert fatigue. Analysts’ capacity to make sense of data has evolved at a vastly different level compared to security tooling’s ability to send them data. 

With dozens of solutions bombarding the security operations centre (SOC) with different warnings, mostly without any context, it is unsurprising that 31% of staff say too many alerts make working in their SOC painful. 

Another problem is data siloing. 

When security data cannot flow between tools or is not actionable, it ends up ignored, and accuracy and productivity suffer. Lack of bi-directional integration is the reason given by over 42% of security leaders as to why they stopped using a particular security tool.

Challenges (Technical and Commercial)

In the last 10 years, security teams have gone off searching for solutions to their problems but ended up buying products instead. 

Many of these products are fantastic at doing their job, whether that is finding threats on endpoints or collecting security logs. The problem is that they don’t add up to more security. At least not collectively.

The obvious solution is to use fewer security tools (prioritising tools that cover more ground) or security solutions that integrate natively. 

Unfortunately, purchasing or building a suite of perfectly interoperable tools for endpoints, networks, and servers is not easy for a security architect to do.

Take extended detection and response (XDR), for example. Whether single-vendor, open or something in between, XDR suffers from various commercial and technical problems. 

The tools that XDR platforms integrate are not natively designed to work together. 

This is true of single-vendor solutions too. With single-vendor XDR, the offering usually consists of a range of smaller solution providers purchased by a larger operator and co-branded.

And, even if a single vendor were to develop a suite of integrated solutions purely for XDR, the problem of false positives and rule sets would remain.

On a technical level, consolidating tools is, to a large extent, a data problem. 

To deliver the increase in efficiency that consolidation offers, any genuinely effective consolidation effort needs to collect high-quality data from across an environment in a universally understood format. 

It also needs an analysis and automation layer capable of processing that data, creating actionable insights and taking action based on it as necessary.

No security orchestration, automation, and response (SOAR) platform, XDR or any other linking of existing security solution tool stacks can do this. 

How SenseOn Delivers Consolidation

Senseon solves the consolidation challenge by starting with the hardest part of the problem: data.

Our ethos is that efficient security tooling needs great data.

To collect high-quality, timely and complete data, SenseOn connects identity (i.e., who users are and what they are doing) with full deep packet inspection.

SenseOn does this through a Universal Sensor that can be deployed at every layer in an organisation’s environment, including endpoints, networks, and servers. This eliminates the need for disparate point tools. Layered on top of this is a cloud-based SIEM/SOAR platform that can be deployed in any AWS region and SOC services empowered by hyper-automation.

The result is high-quality data from across an organisation’s environment being fed into a powerful machine-learning-equipped automation platform. 

SenseOn only escalates context-rich information to your human security analysts, removing the problem of false positives and automating security decision-making.

To watch our Security Consolidation webinar, click here. To find out more about SenseOn, schedule your free demo here.

Previous
Previous

A Guide to MITRE ATT&CK Tools

Next
Next

Managed NDR, NDR or Advanced NDR