How to Close the Security Effectiveness Gap

Years ago, I decided to upgrade my (then) state-of-the-art home surround sound system. It was a game-changer, with high-fidelity wireless speakers that could be partitioned to play different music in separate parts of the house. The system worked flawlessly for the first two years, but as time passed and new features were rolled out, system performance began to slowly degrade. Playlists weren’t loading, music was cutting out, old speakers weren’t working with the new app… I still love my sound system, but wish it worked as well as it did the first time I used it.

Anyone who has spent time in the trenches of enterprise information security can undoubtedly relate to this story: we want the latest and greatest features, but, at the end of the day, we just want our systems to work. As famous security guru Bruce Schneier wrote, “Complexity is security’s worst enemy – and our systems are getting more and more complex.”

In the area of security, we have become accustomed to, if not resigned to, a perpetual upgrade cycle. Each upgrade usually comes at the cost of added complexity, sometimes to the point of rendering certain advances useless. The scale of the problem is enormous considering that there are currently over 3,500 security vendors in the tech industry and the average company manages 45 different security tools.

Why incremental capabilities breed mountains of complexity
Security has become so complex largely because of its design. For much of the past two decades, the prevailing wisdom has been to take a layered or “defense-in-depth” approach to security. The logic is simple: relying on one tool to perform a certain function is a potential single point of failure waiting to happen; layering multiple tools serves as a safety net in case one tool misses a threat or fails in some way.

It’s no wonder, then, that security officials have beefed up their arsenal of tools. It may make them feel like they’ve protected their organization, but more products and more features don’t necessarily mean better security.

The reality is that no major data breach has ever occurred as a result of a lack of tools in place. In fact, many of the most devastating data breaches over the past decade have been caused, at least in part, by complexity: the cacophony of noise generated by dozens of separate systems provides the perfect cover for threat actors, allowing them to remain undetected inside networks for months (and sometimes even years).

3 Strategies to Close the Security Effectiveness Gap
To balance security and complexity, organizations need to bridge the security effectiveness gap—the growing delta between new features introduced and the complexity those features produce.

Here are three strategies for closing that gap and building a more responsive security practice that can filter out important threat signals amidst a sea of noise.

1. Don’t invest in a new tool unless it’s truly interoperable: There has been a lot of positive momentum over the past two years to make security systems smarter and more interoperable. But just because a vendor says their tool is easy to integrate doesn’t mean it is. Before introducing a new tool, determine what other systems the tool needs to interact with and look for tools that generate prescriptive information rather than batches of data that need to be processed and analyzed.

2. Take stock of your existing capabilities and ruthlessly consolidate: Another way to master complexity is to focus on fewer devices with more capabilities, as well as investing in platforms that can communicate with complementary hardware and software. The more hardware and software components there are in a network, the more fragile and difficult to interpret their interdependencies become.

3. Implement automation to solve the problem of analytics complexity: Every security team struggles with base rate errors and false positive issues. The base rate error assumes that all events are created equal, but we intuitively understand that they are not. Machines can help alleviate this complexity by providing the context needed to determine how much we should care about a particular event, and by doing so in an automated way.
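As an added illustration of the base rate error behind strategy 3 (example code written for this edit, not from the article): Bayes' rule shows why a detector that is right 99% of the time still produces mostly false alarms when real incidents are rare, and how context about the asset or account can shift the prior enough to rank events. The context multipliers, detector rates and alert records are constructed assumptions, not real telemetry.

```python
# Added example: base rate error in alert triage, with context-adjusted priors.

def alert_precision(base_rate, tpr, fpr):
    """P(malicious | alert) by Bayes' rule.

    base_rate: P(malicious) for this kind of event before any alert fires
    tpr: P(alert | malicious), the detector's sensitivity
    fpr: P(alert | benign), the detector's false alarm rate
    """
    p_alert = base_rate * tpr + (1.0 - base_rate) * fpr
    return base_rate * tpr / p_alert

# Constructed (assumed) weights: how much more likely an event is to matter
# when it touches a sensitive asset or a privileged account.
CONTEXT_WEIGHT = {"crown_jewel": 20.0, "privileged_user": 5.0}

def adjusted_prior(base_rate, tags):
    """Scale the prior by the context tags attached to the event."""
    prior = base_rate
    for tag in tags:
        prior *= CONTEXT_WEIGHT.get(tag, 1.0)
    # Context alone is never proof; cap the prior at a coin toss.
    return min(prior, 0.5)

def triage(alerts, tpr, fpr):
    """Return (precision, alert id) pairs, highest precision first."""
    ranked = [
        (alert_precision(adjusted_prior(a["base_rate"], a["tags"]), tpr, fpr), a["id"])
        for a in alerts
    ]
    ranked.sort(reverse=True)
    return ranked

# Constructed sample alerts: same detector, same raw base rate, different context.
SAMPLE_ALERTS = [
    {"id": "A1", "base_rate": 0.001, "tags": []},
    {"id": "A2", "base_rate": 0.001, "tags": ["crown_jewel"]},
    {"id": "A3", "base_rate": 0.001, "tags": ["crown_jewel", "privileged_user"]},
]

if __name__ == "__main__":
    # With a 1-in-1000 base rate, a 99%/1% detector is right only ~9% of the time.
    print(f"context-free precision: {alert_precision(0.001, 0.99, 0.01):.3f}")
    for precision, alert_id in triage(SAMPLE_ALERTS, 0.99, 0.01):
        print(f"{alert_id}: P(real incident | alert) = {precision:.3f}")
```

The same detector yields roughly 9%, 67% and 92% precision for A1, A2 and A3, which is the context a machine can attach automatically so analysts start with the events most likely to be real.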

Conclusion
As an industry, we need to fundamentally change the way we think about security and the role of tools in general. We also need to remember that no matter how robust the tools, people need to use them effectively and make sense of them.

Sharon D. Cole