So many vendors, so little budget. Security departments are constantly tasked to know how to properly allocate funds to staffing, resources, tools, solutions, software, vendors, third-party contractors, and more. Even an unlimited budget wouldn’t help as security departments can find themselves bloated with software or vendors, leading to an inefficiently run department.
We spoke to Mark Butler, CISO of MegaplanIT, to understand how security departments, with small and large budgets, can manage their spending effectively when considering new vendors or solutions.
Butler’s most important advice was to establish a security framework for your organization. You can start off by adopting existing frameworks provided by ISO, Cloud Security Alliance or other associations who have developed frameworks for organizations that match your organization’s specific considerations such as industry and department maturity.
When developing a framework, here are a couple of questions Butler advises to start with.
Answering these questions will help you understand what you’re trying to secure. Some organizations will require physical asset protection while others will require IP
protection. Additional framework considerations include an organization’s revenue stream, supply chain and third parties, business model and more.
Having a framework in place improves effective decision-making when considering new vendors or solutions as your organization grows and its needs increase. The framework would also help you highlight security gaps or deficiencies so if your budget were to increase, you’d know where to allocate that money effectively.
Butler notes that the right framework should hold true, regardless of size or budget. “Whether you’re a 5 or 500 person team with a large or small budget, you’ll have similar type of tools….tackling the same type of risk”
The major differences between tools and vendors by budget is that organizations with a smaller budget can rely on open-source tools while large-budget orgs can invest in enterprise and more specialized products. However, even these tools, despite the differences in price, have their pros and cons.
Fortunately, the considerations making up these frameworks are built to scale.
When you’re ready to shop around for vendors, your previously-established framework should provide a benchmark you can assess vendors against. “If I want to invest further in tools, people, or processes,” Butler explains, “they need to be evaluated within a given set of capabilities. What type of bucket does this solution fall into? Is it a prevention tool? Detection tool that improves response time or is it a response tool? They should be assessed from a technical, threat, and risk standpoint.”
These considerations are essential for making sure your budget is being spent on the most effective tools that will make a positive impact on your organization. It will also help you find the right vendors that will either cover a new area of defense as they come up in the security world or replace legacy vendors that are no longer effective or applicable.
When asked what common pitfalls organizations usually fall into, Butler points to older, legacy solutions. “Ultimately, tools that were deployed 5-10 years ago aren’t what they used to be from a security stack standpoint,” Butler explains. “Cloud-based tools, next-gen variations of tools, AI-based tools, and tools based on network traffic are very much needed now.”
Butler also mentions that tools focused on signatures, point-in-time information, and static analysis aren’t as helpful anymore because of how an organization’s environment has changes. For example, network intrusion detection analysis tools, despite being commonly required for compliance, doesn’t provide the security benefit it used to because it often doesn’t look at encrypted traffic.
When considering your current security technology stack, Butler recommends you review why each vendor and solution was purchased in the first place, what the tool’s current use case and value is, and what the roadmap for the tool is. This will help you understand whether the tool will be updated for more contemporary use cases by the manufacturer or whether you should look for a better tool or a broad-reaching tool that will subsume a lot of your current tool’s responsibilities. Often, endpoint solutions are the ones that require the most scrutiny because the threat landscape and endpoint threats are most subject to change.
Of course, one of the biggest problems an organization faces is spending on tools that don’t fit an organization. This can be due to a lack of dedicated resources but it also may be a tool that doesn’t provide a benefit given the organization’s security objectives. The problem with having partially implemented tools doesn’t get solved by partially implementing more tools.
This is why establishing a framework is extremely important.
Making a Choice: Fundamental Tools, Single-Point Solutions, and New Solutions
While developing a framework is fundamental here, it is a long-term endeavor so we wanted to look at ways to approach vendors and tools if you’re considering single-point solutions, just getting your department off the ground, or looking for solutions that defend against a new threat.
Butler encourages organizations to start investing in threat detection tools before moving on to prevention tools and response tools as their security department matures. Detection tools should focus on:
Prevention tools include next-gen firewalls, endpoint detection, and sandboxing applications for various channels. As your organization matures, Butler encourages more proactive methods and tools such as honeynets and honeypots, canary accounts, and publishing fake data to see who is targeting your organization and where your data is being sold.
Butler recommends that stand-alone tools should be utilized if there’s “dedicated staffing or manual reporting” to support and track metrics. He also mentions that most organizations tend to prefer a more simplified security stack, which is why end-to-end security solutions look so attractive.
However, when evaluating single-point solutions against a broad-reaching solution, you should always consider real use cases and situations tied to your organization’s specific needs.
While new threats and attacks should always be expected, Butler affirms that a framework goes a long way in helping you find the right solutions. Most attacks and threats, whether new or old, exploit fundamental and core vulnerabilities within an organization. By aligning any new investments in the year to your framework and finding ways to improve the maturity of your security department, your organization will be more than equipped to face new threats in the coming year.
Now that you have a better idea on how to approach the security market, it's time to test it out. Visit us at InfoSec World 2019 to get a glimpse into the latest security tools available to you and your team.