Securing Simplicity

Those who get breached with the most tools… are still pwned. 

Author: Tim Sewell, CTO, Principal Consultant, Co-Founder

 Let me tell you a story. It begins with a heavily publicized breach of a well-known organization. The news cycle is full of statements from executives, comments from prominent regulators and security researchers, and massive shareholder lawsuits. Slowly, the details behind the attack emerge and point to a slight variation of a common issue.  

Suddenly, half a dozen companies are offering new solutions in that space. “Our tool would stop this from happening to you,” they assure your executives. The purchase is made, and the new tool is deployed just in time for another breach at a different company with a slightly different issue. The cycle continues. 

If this story sounds uncomfortably familiar, you’re not alone. The average large enterprise has deployed upwards of 70 security tools in their environment, and we still see new breaches every day. As organizations keep layering on these “silver bullets” to solve their security problems, they end up creating more work for already overburdened security and IT teams. In many cases, these tools come with overlaps, conflicts, and unexpected gaps. Without meaning to, organizations over-invest in popular technologies (e.g., EDR) while neglecting crucial gaps (e.g., cloud or identity management). 

The good news is that a better way exists: rationalize your tools portfolio and develop an intentional roadmap based on protecting what’s important to your business instead of the latest publicized hack. 

Rationalization starts with a tool inventory. Knowing what you have to work with is a start, but you also need to understand who operates the tool, who pays for it, the deployment model, and what features are or aren’t working. Just listing all the tools in your organization can be an eye-opening exercise – make sure you look beyond the security organization into IT, research, and other potential buyer organizations to get a complete list! 

Then you need to understand what you’re protecting.  There are many potential frameworks, but if you’re looking for a simple one to start with, try the I AM SO NICE framework that I’ve been working on (and a future post will provide more detail into): 

  • I – Information
  • A – Applications
  • M – Machines like IoT devices, wearables, medical devices, etc. 
  • S – Security Operations (SOC, SIEM & SOAR, etc). 
  • O – Operational Technology and ICS 
  • N – Network
  • I – Identities
  • C – Cloud services
  • E – Endpoints 

Now, look at your list of tools, and your list of things you care about:  

  • Where do you have redundant coverage? What can you eliminate? The answers start to build your rationalization plan. 
  • Where do you have valuable assets outside your security coverage? Where should you invest in new capabilities? These answers become your roadmap for the future. 

Obviously, there’s a lot of complexity beyond this simple outline. You could start linking in the kill chain, for example, and add phases and attack methods to dial into your specific security needs. And you’ll need to coordinate with privacy and legal on any compliance requirements you need to satisfy. But with this simple model, you can start to take control of the security tools architecture, reduce complexity in your technology estate, and improve outcomes for your organization. 

***

At Reveal Risk, we help our clients build and mature sustainable, pragmatic, and focused information security programs. To learn more about our risk-driven, holistic approach, contact us at info@revealrisk.com today! 

info@revealrisk.com 

317.759.4453 

About the Author 

Tim Sewell is a lifelong security and technology advocate. Over a 20-year career, he’s worked for some of the most respected organizations in the world, building top-notch information security programs. He holds a variety of certifications including CISSP-ISSAP, OSCP, and CEH. Since jumping off the corporate ladder in 2018 to co-found Reveal Risk, he’s helped numerous organizations from Fortune 500 to small non-profits build and mature their information security and privacy programs in practical, sustainable ways. 

Leave a comment