How Tool Hopping Holds Back Security Workflows

By Joe Partlow, CTO at ReliaQuest.

Wednesday, 12th October 2022. Posted by Phil Alsop.

Visibility tools are a crucial part of network security. They help security operators spot the risks, hunt the threats and provide the data needed to improve the overall security of the network. It’s understandable, then, why so many organisations have invested heavily in these tools. Unfortunately, they’ve often acquired more tools than they can use effectively. Security engineers now regularly hop between visibility tools in a vain attempt to make sense of a jumbled, inconsistent picture of the network.

Amid tool sprawl, understaffing, and a lack of actionable metrics, many organisations cannot see the forest for the trees. And the current business climate has only exacerbated this chaos.

Expanding attack surfaces are making life harder for SecOps teams. The introduction of technologies like IoT, remote work, and the cloud is fundamentally changing the shape of the network that visibility tools were built to see into. These trends introduce new complexities and new kinds of traffic that many of these tools can’t see and don’t understand.

While these attack surfaces are growing, organisations' ability to properly police them is not growing fast enough. Cybersecurity has a famously wide skills gap. The 2021 (ISC)2 Cybersecurity Workforce Study found that there are still nearly 3 million cybersecurity positions unfilled around the world. The report states that the current talent pool would need to grow by 65% in order to keep up with the ever-growing demand for security specialists.

Tool Sprawl

As a result, many organisations end up facing the problem of tool sprawl. There are too many tools attempting to enable visibility over too much with not enough staff to effectively man them. A 2021 study from ReliaQuest and Ponemon found that around half of companies had one staff member responsible for up to ten visibility tools. Just over 10% of those companies said that a single staff member could be responsible for over ten tools.

These tools may be legacy systems acquired over the course of years and decades, or they could be newer purchases, onboarded to deal with an emerging security problem. Organisations often find themselves with an overabundance of tools in the wake of mergers and acquisitions: the technological infrastructure - and thus the visibility tools - of the acquired company is folded into that of the acquiring company, leading to a disorganised, uneven security stance.

These tools are often complex. Each relies on sophisticated technology, and when an engineer works across several of them, each will have been built with different guiding principles, different metrics and a different user interface.

These tools often don’t integrate with one another or use metrics that can be easily put into a broader context. This leads engineers to hop between different tools and pull together disparate data points in a cumbersome process that leaves enterprise security on the back foot.
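The manual work described above, pulling data points from tools that share neither a schema nor a severity scale, is what a normalisation layer removes. The following is an added illustration, not ReliaQuest code and not from the original article: two constructed tool exports (a JSON-lines "edr" feed and a CSV "netflow" feed, both hypothetical, with made-up field names and sample alerts) are mapped onto one minimal ECS/OCSF-style schema, merged into a single timeline, and grouped per host so that a host seen by both tools surfaces without anyone hopping between consoles.

```python
"""Normalise alerts from two differently shaped tools into one schema.

Added example, not the article's or ReliaQuest's code. The two tool
formats ("edr" JSON lines and "netflow" CSV), their field names, their
severity scales and the sample alerts are all constructed assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample output from two hypothetical tools.
EDR_EXPORT = """
{"ts": 1665576000, "hostname": "WS-0142", "sev": "High", "rule": "Suspicious PowerShell"}
{"ts": 1665576120, "hostname": "srv-db-01", "sev": "Low", "rule": "New scheduled task"}
"""

NETWORK_EXPORT = """
2022-10-12T10:41:30Z,ws-0142.corp.example,3,Outbound connection to rare domain
2022-10-12T10:45:00Z,srv-web-02.corp.example,1,Port scan observed
"""

# Each tool uses its own severity scale; map both onto one 0-100 range.
EDR_SEVERITY = {"Low": 25, "Medium": 50, "High": 75, "Critical": 100}
NETWORK_SEVERITY = {1: 25, 2: 50, 3: 75, 4: 100}


def canonical_host(name):
    """Tools disagree on case and FQDN vs. short name; reduce to a lowercase short name."""
    return name.strip().lower().split(".")[0]


def parse_edr(text):
    """Parse the hypothetical EDR JSON-lines export into common-schema events."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        events.append({
            "@timestamp": datetime.fromtimestamp(rec["ts"], tz=timezone.utc).isoformat(),
            "host.name": canonical_host(rec["hostname"]),
            "event.severity": EDR_SEVERITY[rec["sev"]],
            "rule.name": rec["rule"],
            "observer.product": "edr",
        })
    return events


def parse_network(text):
    """Parse the hypothetical network-sensor CSV export into common-schema events."""
    events = []
    for line in text.strip().splitlines():
        ts, host, sev, rule = line.split(",", 3)
        events.append({
            "@timestamp": datetime.fromisoformat(ts.replace("Z", "+00:00")).isoformat(),
            "host.name": canonical_host(host),
            "event.severity": NETWORK_SEVERITY[int(sev)],
            "rule.name": rule,
            "observer.product": "netflow",
        })
    return events


def unified_timeline(*sources):
    """Merge normalised events from every tool into one time-ordered list."""
    events = [e for src in sources for e in src]
    return sorted(events, key=lambda e: e["@timestamp"])


def per_host_view(events):
    """Group the unified timeline by host so one view shows every tool's alerts."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host.name"]].append(e)
    return dict(by_host)


def hosts_seen_by_multiple_tools(view):
    """Hosts alerted on by more than one tool: the correlation hopping has to do by hand."""
    return sorted(h for h, evs in view.items()
                  if len({e["observer.product"] for e in evs}) > 1)


if __name__ == "__main__":
    timeline = unified_timeline(parse_edr(EDR_EXPORT), parse_network(NETWORK_EXPORT))
    view = per_host_view(timeline)
    for host, evs in view.items():
        print(host, [(e["observer.product"], e["event.severity"], e["rule.name"]) for e in evs])
    print("seen by more than one tool:", hosts_seen_by_multiple_tools(view))
```

The point of the design is that every tool-specific decision (field names, epoch vs. ISO timestamps, hostname casing, severity vocabulary) is made once in a parser, and everything downstream works on the common record. Adding a third tool means one more parser, not one more console to hop to.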

The key problem this chaotic arrangement introduces is that engineers have to operate the tools manually. If one engineer has to read, understand, manage, and hop between more than a few tools at any one time, then every step of the security operations workflow gets disrupted.

Tool Hopping and the Security Operations Workflow

The security operations workflow exists to enable the defence of the enterprise. When security engineers are forced to hop between tools, this whole workflow - and the resilience of the enterprise - becomes cumulatively weakened.

Preparation

Preparation is all about making sure that tools are correctly optimised and prepared for the right threats. New threats spring up all the time, but they might not be the ones that directly affect your organisation. From that point of view, it’s important to understand what threats and malware families are targeting your organisation and where your infrastructure needs better visibility. However, tool sprawl hampers that crucial process.

When engineers have to move between multiple tools, preparation gets disrupted. Tools are under-utilised and poorly optimised, making it difficult to gauge the effectiveness of security controls. This limits visibility and, thus, the availability of contextual intelligence, which makes it difficult to recognise a threat and where it might strike.

Detection

When engineers have to use multiple tools manually, detection becomes harder too. While visibility tools are critical to detection, they’re also machines, and they need guidance to do their job. If engineers don’t have the time or energy to properly guide those tools and tell them what to spot - they won’t be able to detect threats.

Investigation

Tool hopping hampers this stage too and fragments investigations. By hopping between tools, engineers have to effectively collect data manually, commonly resulting in lots of false positives and making it even more difficult to see the context that is crucial for investigations.

Response

Between the multiple tools that engineers have to manage and the repetitive, manual, and inconsistent processes that they cause, threat response becomes sluggish and ineffective.

Measurement

An excessive number of tools can also hamstring security teams’ ability to think long term. Their metrics don’t give them a unified view of their own environment, and their lack of visibility blinds them to where and how they’re vulnerable. Ultimately, this stops them from determining their current security status and what to do next.

The True Cost of Tool-Hopping

In many cases, an abundance of visibility tools can harm an organisation’s visibility. It’s one thing to have the technology to enable visibility, but it’s another to use it effectively. As it stands, many organisations don’t have enough skilled staff to manage their visibility tools, which, ironically, results in inconsistent and ineffective visibility.

Besides the problems tool sprawl can cause for security, it can also have significant effects on the overall business. Budgets are wasted on underused tools, staff are stretched beyond their ability to do their jobs effectively, and the lack of visibility restricts the potential for digital transformation. Visibility is not just key to security, it's crucial for the smooth running of a business’s digital infrastructure. When engineers are burdened by tools and visibility is clouded, the problems might start in security, but they ultimately end on the bottom line.

This doesn't mean that tools should be dispensed with - they are expensive and profoundly useful assets to have. It does mean that security engineers need a unified view of their environment - one which can seamlessly integrate tools across deployments and provide the intelligence that is so crucial to the security of an organisation.