Research has revealed that the average organisation uses multiple tools to handle VPNs, MFA, NAC, NGFW, MDM and more. But do we really need all of them? Scott Gordon (CISSP), CMO, Pulse Secure, explores how ‘tool sprawl’ is fast becoming a problem for companies and how, in this case, more security tools do not mean better security.
It all looks like a bit of a mess. A new IDG survey has revealed that the average organisation uses nearly three tools to handle secure access capabilities including VPNs, MFA, NAC, NGFW, MDM and more. It’s most pronounced in the medical and pharmaceutical industries, which on average use three tools for each category. High tech and manufacturing use 2.8 tools, and finance, banking, insurance and investment all use 2.6.
All of this boils down to wasted time and money. Buying licences for products which effectively do the same thing, more administration, rifling through data to clear duplicate entries, blame games: these are the real-world business problems that it seems most businesses are now dealing with.
But tool sprawl means more than just wasted resources – it makes the security outlook less consistent and spottier, hobbles visibility and auditing, complicates the lives of users and administrators, and delays threat response.
This matters especially when we consider how IT is changing. Increasingly, enterprise environments are hybrid and diverse, with the IDG survey revealing that most enterprises now distribute themselves among multiple clouds as well as the data centre.
Those cloud services often come with their own tools, which may duplicate but cannot fully integrate consistently across private cloud, public cloud and the data centre. This can create problems.
All of this merely creates more noise and more false positives for a security team. Commonly, such teams deal with thousands of alerts a day – a Ponemon Institute survey from earlier this year revealed that security teams spend 25% of their time pursuing false positives.
Furthermore, more tools mean a wider attack surface. When an enterprise uses more tools than it needs to, it’s handling more data than it needs to and providing attackers with more places to hit and more loot to run off with.
Whether tools were bought to address a new threat, take advantage of new features or fulfil new compliance requirements, or arrived because individual departments could purchase freely or because companies were acquired along with their tools, it’s clear that there is a smorgasbord of redundant tools. So how did we get here?
Tool sprawl can largely be attributed to the cybersecurity boom. As cybersecurity has quickly become an enterprise-wide concern, enterprise budgets have ballooned over a relatively short period of time. In turn that has led to massively increased investment into the industry. Gartner reported last year that worldwide security spending grew by 12% in 2018, and projected it to grow by another 8% this year.
So we have a superfluity of vendors selling a tonne of products, many of which do the same thing. Those large budgets have allowed enterprises to purchase without much thought as to whether those purchases are efficient. It’s no surprise that this affects larger companies more – they’re weighed down by 30% more tools than their smaller counterparts. In fact, companies with over 20,000 staff use over five tools for cloud access security.
The other potential explanation is the arbitrary separation between ITOps and SecOps that so often dogs enterprise security. While the two teams often use data and tools which do the same thing and serve the same purpose, those tools are geared towards the specific use of the individual departments, which often speak different technical languages, use different UIs and rarely communicate.
The good news is that enterprises are not happy with this situation. The IDG report further elaborates that 48% of respondents are open to reducing the number of tools they use. Quite naturally, they want to smooth out inconsistencies and streamline their own environments.
For example, 39% of IDG survey respondents listed enabling access control consistency across their hybrid IT environments. Another ESG research paper shows that 66% of businesses are actively working towards consolidating their security portfolio. Understandably so.
So how do we do that? Again, IDG respondents were on the right track. Many are considering using integrated platforms, suites and Managed Security Service Providers (MSSPs). The IDG report added that 38% of respondents are outsourcing Secure Access capacity and that they plan to increase their use of MSSPs by over 8% by 2021.
Enterprises should look at their secure access tools and decide which ones they really need, and which have become redundant since purchase. A total of 39% would like VPN as a central part of any secure access platform, 38% said multi-factor authentication and 37% favour Network Access Control, cloud security access brokering and web application firewalls.
Tools can be consolidated in other ways too. Using fewer vendors or vendors whose tools can easily be integrated with one another could be a good idea. Integrating teams so that they’re working together as opposed to side by side will be of great help here. Tool sprawl is often caused by arbitrarily separated teams which often share functions and data, but rarely collaborate. Especially when it comes to visibility, such a separation creates blind spots wherein ITOps see insecure behaviour and don’t recognise it as a threat and SecOps are often robbed of the necessary insight.
The cybersecurity boom has led many to eagerly oversubscribe to as many tools as possible. We’re starting to understand that it may not be the best way forward, as it leads to patchy security stances, inconsistent policies across the enterprise and a mounting burden of time and cost.