When you need to do a job around the house, tool selection is easy. If you do not have a power drill, screwdriver, saw, lawn mower, or barbecue, a quick trip to the local Home Depot will provide the right tool for the job. As CISOs, we can only wish there was a Home Depot for cyber security tools – endpoint security products are in aisle 18B, firewalls in 9A!
This article takes a look at some of the lessons learned and best practices I have experienced over the years regarding cyber security tools.
Make sure you have the right security tools
In the Home Depot example, it is easy to find the right tool for the job. For CISOs, it’s almost never that easy.
One framework we used to ensure we had a fairly complete and effective portfolio of security tools was the “Cyber Kill Chain” model. Originated by Lockheed Martin computer scientists, the “cyber kill chain” describes a model of seven intrusive phases of a cyber-attack that are countered by six defensive actions. We developed a matrix depicting the seven intrusive phases and the security tools we had deployed as a counter to each phase. This model ensured we had coverage for each attack phase, and any gaps in coverage were addressed at budget time, or sooner if the gap was considered an emergency.
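The coverage matrix described above, written out as a small Python script. This is an added example, not code from the article or from Lockheed Martin; the tool inventory is constructed with generic tool names, and the phases each tool is credited with are assumptions for illustration. The script goes a little beyond the text by also flagging phases that depend on a single tool, which is the next question a budget review usually asks.

```python
"""Kill-chain coverage matrix: map deployed security tools to the seven
Lockheed Martin Cyber Kill Chain phases and report gaps in coverage."""

# The seven intrusion phases of the Cyber Kill Chain, in attack order.
KILL_CHAIN_PHASES = [
    "Reconnaissance",
    "Weaponization",
    "Delivery",
    "Exploitation",
    "Installation",
    "Command and Control",
    "Actions on Objectives",
]

# Constructed inventory: tool -> phases it gives us a countermeasure for.
# Tool names are generic placeholders; which phases a real product covers
# is an assumption you would fill in from your own environment.
TOOL_INVENTORY = {
    "email filter": ["Delivery"],
    "NIDS": ["Reconnaissance", "Delivery", "Command and Control"],
    "endpoint anti-malware": ["Exploitation", "Installation"],
    "SIEM": ["Command and Control", "Actions on Objectives"],
    "web proxy": ["Delivery", "Command and Control"],
}


def build_matrix(inventory, phases=KILL_CHAIN_PHASES):
    """Return {phase: sorted list of tools covering it}, in kill-chain order.

    A tool claiming a phase that is not in the model is a data-entry error
    and is rejected rather than silently dropped.
    """
    matrix = {phase: [] for phase in phases}
    for tool, covered in inventory.items():
        for phase in covered:
            if phase not in matrix:
                raise ValueError(f"{tool!r} claims unknown phase {phase!r}")
            matrix[phase].append(tool)
    return {phase: sorted(tools) for phase, tools in matrix.items()}


def coverage_gaps(matrix, minimum=1):
    """Phases covered by fewer than `minimum` tools (default: no tool at all)."""
    return [phase for phase, tools in matrix.items() if len(tools) < minimum]


def single_points_of_failure(matrix):
    """Phases whose only coverage is one tool: {phase: tool}."""
    return {phase: tools[0] for phase, tools in matrix.items() if len(tools) == 1}


def render(matrix):
    """Plain-text table of the matrix, one row per phase."""
    width = max(len(phase) for phase in matrix)
    rows = [f"{phase:<{width}}  {', '.join(tools) or '-- NO COVERAGE --'}"
            for phase, tools in matrix.items()]
    return "\n".join(rows)


if __name__ == "__main__":
    matrix = build_matrix(TOOL_INVENTORY)
    print(render(matrix))
    print("\nUncovered phases:", coverage_gaps(matrix))
    print("Phases with only one tool:", single_points_of_failure(matrix))
```

With the constructed inventory the only uncovered phase is Weaponization, which is expected: it happens on the attacker's side, and the defensive action there is usually threat intelligence rather than a deployed tool. Raising `minimum` to 2 turns the same matrix into a defence-in-depth report.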
Be sure you do not have too many systems/tools
Implementing and maintaining every tool requires costs and management overhead. Ultimately, someone has to monitor and manage the system/tool.
If you believe that your organization is too “tool heavy”, your CIO might want to commission an independent, third-party review to assess the organization’s overall portfolio of tools and their use and effectiveness. This type of review can result in increased efficiencies, significant cost savings, and a more secure and less complex operating environment.
Look for hidden security features and capabilities in existing IT tools
In my last CISO job before retiring, we had more tools than we knew what to do with. I don’t just mean security tools, but other IT tools, too, that could benefit the security team – for example, the network monitoring and analysis tools used by the network teams and the database monitoring tools used by administrators.
Many of these IT tools have security components and benefits that were often overlooked by IT staff. Be aware of what tools IT staff are using to monitor and analyze their networks and systems – you might be surprised, and you may be able to use them to expand and extend your team’s visibility into the IT environment.
Get the most out of the tools you do have
Central to your security tool portfolio is the Security Information and Event Management (SIEM) system. These are complex systems that require continuous tuning and overall “care and feeding”. Most of the major SIEM vendors have support systems including (but not limited to) training, certifications, user groups, customer advisory groups, etc.
The same is true for other security tools, such as anti-malware, NIDS, HIDS, etc. Your team needs to know these tools inside and out. CISOs are wise to invest in their tools and in the on-site security analysts who operate and monitor them.
Security tools are not “plug-and-forget”
Depending on the security tool, it is likely installed on servers running commercial operating systems (OS). Like any IT system, security tools need to be patched and upgraded, as do the servers they sit on. The SIEM that we used required routine patches and upgrades, ranging from trivial to moderate to complex. We set up a support contract with our vendor that included routine, remote health checks of the system and on-site support for complex upgrades.
In some cases, the tool is tightly coupled to the OS version it runs on. The worst-case scenario is that patching or upgrading the OS breaks the security tool. It is best to check with the security tool vendor before you upgrade or patch the OS.
Use built-in metrics to assess the effectiveness of the tool
Many of the security products have built-in capabilities to generate reports and metrics. Use these product features to assess the effectiveness of the tool, to spot trends, and to provide metric-based reports to upper management.
We used a very effective email filtering product that showed the number of emails rejected due to reputation issues, viral content, etc. The monthly percentage of rejections usually ran into the 90% range, on incoming volumes in excess of 1 million emails. Effectiveness reports like the ones from our email filters went a long way in justifying the cost of the tool to upper management.
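The kind of report described above, as an added example rather than anything from the article or from the product the author used. The log lines are constructed in an invented key=value format (real gateways have their own formats and usually export these counts directly); the script parses them, computes the monthly rejection percentage and the breakdown by reason, and reports the month-over-month change so that a trend is visible rather than just a single figure.

```python
"""Compute monthly rejection rates and reason breakdowns from mail-gateway
logs, the kind of metric used to report a filter's effectiveness upward."""
import re
from collections import Counter, defaultdict

# Constructed sample log; the key=value layout is invented for this example.
SAMPLE_LOG = """\
2023-03-01T08:14:02Z action=reject reason=reputation
2023-03-01T08:14:05Z action=accept
2023-03-01T09:02:11Z action=reject reason=malware
2023-03-02T10:20:00Z action=reject reason=reputation
2023-03-02T10:21:43Z action=reject reason=spam
2023-04-01T07:00:01Z action=accept
2023-04-01T07:05:30Z action=reject reason=reputation
2023-04-03T12:00:00Z action=accept
2023-04-03T12:30:00Z action=reject reason=malware
2023-04-05T16:45:10Z action=accept
this line is garbage and must be skipped
"""

# Capture the YYYY-MM prefix of the timestamp and the rest of the line.
LINE_RE = re.compile(r"^(?P<month>\d{4}-\d{2})-\d{2}T\S+ (?P<kv>.*)$")


def parse_line(line):
    """Return (month, {key: value}) for a well-formed line, else None."""
    match = LINE_RE.match(line)
    if not match:
        return None
    fields = {}
    for token in match.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return match.group("month"), fields


def monthly_stats(log_text):
    """Per-month totals, rejects, rejection percentage and reasons."""
    totals, rejects = Counter(), Counter()
    reasons = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: count nothing rather than guess
        month, fields = parsed
        totals[month] += 1
        if fields.get("action") == "reject":
            rejects[month] += 1
            reasons[month][fields.get("reason", "unknown")] += 1
    return {
        month: {
            "total": totals[month],
            "rejected": rejects[month],
            "reject_pct": round(100.0 * rejects[month] / totals[month], 1),
            "by_reason": dict(reasons[month]),
        }
        for month in sorted(totals)
    }


def month_over_month(stats):
    """[(earlier_month, later_month, change in percentage points), ...]"""
    months = list(stats)
    return [
        (a, b, round(stats[b]["reject_pct"] - stats[a]["reject_pct"], 1))
        for a, b in zip(months, months[1:])
    ]


if __name__ == "__main__":
    stats = monthly_stats(SAMPLE_LOG)
    for month, s in stats.items():
        print(f"{month}: {s['rejected']}/{s['total']} rejected "
              f"({s['reject_pct']}%) by reason {s['by_reason']}")
    for a, b, delta in month_over_month(stats):
        print(f"{a} -> {b}: {delta:+.1f} percentage points")
```

A sharp drop in the rejection rate is worth a second look before it is reported as good news: it can mean a cleaner inbound stream, but it can also mean a reputation feed stopped updating.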
Be aware and beware of “Shadow IT”
In my last job we had diverse and sometimes autonomous-acting lines of business (LoBs). Historically lacking a strong, centralized Chief Information Officer (CIO), LoBs would establish their own IT organizations – hence the moniker “Shadow IT”.
In these scenarios, LoBs had their own IT staff (excluding security personnel, of course) that purchased tools, systems and software products which were most often in conflict with corporate IT standards. Maintaining “Shadow IT” is an expensive proposition, since the model does not take advantage of corporate-wide economies of scale like the shared services, resources, and software licensing negotiations that often result in volume discounts.
From a security perspective, our “Shadow IT” teams had an “above-the-law” attitude and, in most instances, did not adhere to corporate security policies such as server patching schedules and configuration settings. It took upper management commitment to bring “Shadow IT” under the corporate IT and cyber security umbrella. I mention this situation since it can have a significant adverse effect on the security posture of an organization.
Maybe in the future we will see a Home Depot for IT and cyber security tools, but in the meantime make sure you have the right tools – and get the most out of them that you can.