“Large organizations are using over 130 tools on average. This is just massive!”
– Matt Chiodi, CSO, Palo Alto Networks’ public cloud
A new Cloud Defense (CD) white paper reports on this critical need for centralized security policy and reporting controls. Tech companies today use far too many security tools, wasting their developers’ time and increasing their attack surface, with most tools incompatible or unable to talk to each other.
This hydra problem, worthy of a folktale, has partial roots in multi-cloud adoption, which spawned fragmented security coverage models and moved us further from shoring up defenses against data breaches. A few candid attitudes that enterprise-level SecOps leadership teams hold today:
- 73% still configure security policies manually, a trend amplified by inefficient and fragmented cloud stacks (50% protect via hybrid cloud; 18% via multi-cloud).
- 53% don’t know whether these tools actually protect them; two-thirds observe false positives.
- A worrying Pareto distribution: only 25% can respond to security incidents within a day. Open-source (OSS) compliance is a related major concern, the largest that open source developers worried about in 2020.
How did we get here? Notable DevSecOps events to date:
1990s to 2010:
The Lockheed Martin Cyber Kill Chain, a decades-old framework for identifying and preventing attacks, attempts to present a unified cyber security front. But it is unwieldy and gives SecOps teams too much to manage. This ironically fragments security teams, each using a specialised wrench for a discrete stage of the kill chain. The result: myriad tiny points of failure.
2010s to present:
Security tools develop in a similar ad hoc fashion: duplicative, with overlapping critical-coverage use cases. This cluttered intelligence stack diminishes managerial efficiency. Redundancies blind large companies, too many to name (2017 alone saw 3 billion compromised Yahoo accounts, its third massive breach). With no sense of a hierarchy of coverage gaps, resistance to overcomplicated protections only grows.
Ideal single-platform solutions
Individual threats aren’t impossibly complicated. The hydra problem arises from a myriad of clutter that overwhelms a clear view. As covered in CD’s case study, How Equifax’s Breach was Easily Preventable, fixes are often simple, even if only a period of downtime to block the first intruders.
Without deep integrations, operations turn into breach-permeable pincushions, and the remaining coverage gaps go unseen. Pareto’s ‘Vital Few’ is a reflexive philosophy security leaders can use to massively reduce complexity and apply a focused risk-management plan: elevate the vital tools, scrap the duplicates.
Centralizing tools are a breakthrough when they perform vitally, automating risk-posture assessments for entire application stacks. Six key areas to centralize:
- CIO (centralized reporting)
- CFO (same results, lower costs)
- InfoSec (many tools automated together)
- Dev-first UI with bleeding-edge auto-remediation
- Engineering managers (no CI/CD bottlenecks)
- Legal checklisting/reports
In short, adequate fitness is all… which today is more than enough to separate the top twenty percent from the rest.