Security operations centers (SOC) have too many tools.
You probably hear that statement in customer meetings, see it on conference slides, or read it in the many opinion pieces in the trade press.
That statement is loaded with meaning. It suggests there is also too much cost, too much complexity, and too much technology for security talent to manage and master.
If the staff can’t master the tools, then the team probably isn’t getting the most out of them. Search Security, a trade publication, reported that as much as 50% of existing functionality actually goes unused.
How Many Tools do SOCs Have?
Cybersecurity organizations tend to keep the type and number of security tools they use confidential, for obvious reasons. Still, we’ve seen a couple of benchmarks that give a more precise answer than just saying the SOC has “too many tools.”
First, a 2017 survey of 412 IT and security professionals by the Enterprise Strategy Group (ESG) found that 40% of respondents use between 10 and 25 security tools. Another 30% use between 26 and 50 cybersecurity tools. Importantly, the research also suggests many of these tools were acquired to solve a new and specific problem, which, over time, leads to a collection of tools that don’t talk to each other.
Second, a 2017 study of financial services organizations by Ovum, a market research firm, found “a majority (73%) of respondents are running more than 25 cybersecurity tools.” Even more unwieldy, a surprisingly significant percentage (9%) said they “are running more than 100” security tools.
These organizations are charged with facilitating large transactions. Most respondents (75%) reported working for banks with at least $10 billion under management, and 25% reported more than $250 billion in assets.
We spoke firsthand with the analyst behind this survey, and he suggested that banks get behind industry standards and mandate interoperability capabilities for new security tools.
Maybe It’s Not Too Many Tools but a Lack of Integration
Both benchmarks associate the volume of tools with issues around integration. Indeed, a 2018 study by the SANS Institute linked the two directly: “Too many tools that are not integrated” ranked third on the list of SOC challenges. That challenge trailed only staff skills and better automation and orchestration across the SOC.
“Not integrated” is the operative phrase, because organizations are still likely to need new tools when the old ones can’t address new threats – and there will be new threats for the foreseeable future. So the focus on “too many tools” may distract the security community from a better question: what’s the right mix of technologies that play well with each other in the proverbial sandbox?
To that end, anyone who touches a tool – whether they make it, buy it, or use it – must demand that new cybersecurity tools adhere to open standards and open APIs. Security tools must readily share all the data they collect or generate with the other cybersecurity tools a SOC has deployed, as the SOC deems necessary.
It’s an idea that is central to our philosophy at Bricata and is a driving theme behind our comprehensive threat detection solution. If you’d like to see our product and its integration capability in action, contact us for a live demonstration.