At Odds: The Promise vs. Operational Reality of Security Solutions
There’s a gap between the promise of a security technology and operational reality
By now you’ve probably spent at least a few minutes watching “What I thought I was getting vs. what I actually got” videos. There’s the pet edition, the mature husband edition, even a personal edition – “How I thought I looked vs. how I actually looked.” You get the picture.
A similar phenomenon has been happening in the security industry for years – there is great promise in a new product or technology; however, the operational reality is much different. Think back to the early days and Intrusion Prevention Systems (IPSes). Companies released IPSes that you could plug and play on your network and the device would block what it thought was bad. Sounds great right? Well, the operational reality is that it blocked things it should not have, resulting in many false positives. And when the security team was asked “why was that blocked?,” they couldn’t get an answer as the IPS device was a ‘black box.’
Clearly, there’s a gap between the promise of a security technology and operational reality. Let’s take two more recent examples: Security Orchestration, Automation and Response (SOAR) platforms and tools and Extended Detection and Response (XDR) solutions.
SOAR has been growing in popularity over the past several years; however, it too presents a disconnect between promise and operational reality. The promise is that automating processes can help you save time and resources and accelerate response. But the operational reality is that you need to have defined processes tailored for your environment. It isn’t plug and play. And, more importantly, you need to make sure you determine the right criteria and triggers for the process. Without first aggregating, scoring and prioritizing intelligence – steps which can and must also be automated – you’re creating a situation of bad data in, bad data out. The result? Amplified noise that plagues security operations, wasting precious resources and hampering security. The operational reality is that you need the right inputs to focus on what really matters to your organization and the right processes to take the right actions, faster.
The latest market discussion gaining traction is XDR. ESG defines XDR as, “An integrated suite of security products spanning hybrid IT architectures, designed to interoperate and coordinate on threat prevention, detection, and response. XDR unifies control points, security telemetry, analytics, and operations into one enterprise system.” Organizations are attracted to the approach because one of the promises of XDR is vendor consolidation. Wouldn’t it be great if you could get a single solution with multiple enforcement points from a single vendor that leverages the benefits of the cloud and is pre-integrated? Then you could work with a single vendor (or a very few number) vs. the dozens of products currently deployed.
But therein lies the problem. The operational reality is that no organization is starting with a clean slate. On average, organizations are using more than 45 different security tools and the appetite to rip and replace is low. What’s more, different departments with different budgets and teams are using different solutions. Invariably, some will decide to stick with their best-of-breed solution that can’t be matched in capabilities by a single vendor offering a consolidated solution. And time will tell if XDR solution providers will be able to maintain the level of innovation of best-in-class solution providers who focus their resources to address specific use cases, new types of threats and emerging threat vectors. There’s also the issue of dealing with on-premises tools that you still need to use, at least in the short term before you transition fully to the cloud. Organizations will be able to reduce the number of tools to maybe a dozen or so, but they still won’t interoperate.
So, how can we bridge the gap between promise and operational reality? As you determine what security technologies to invest in, develop not only a technology roadmap, but also include and align an operational roadmap. If not, you’ll limit the value of any technology investment in the short term, and potentially hamper longer-term adoption and momentum. Look beyond the promise of what is being sold to you and make your decision grounded in your operations and the realities that will occur. For example, vendor consolidation is a great goal, but what’s the path that will work for your organization? Is rip and replace the way to move forward or is a transition over time better for you, and what’s needed at what time to support your approach?
“What I thought I was getting vs. what I actually got” videos are entertaining. But when it comes to security, the humor gets lost. We must and can bridge that gap.