“Large organizations are using over 130 tools on average. This is just massive!”
Matt Chiodi, CSO, Palo Alto Networks’ public cloud

A new Cloud Defense (CD) white paper reports on this critical need for centralized security policy and reporting controls. Tech companies today use way too many security tools; wasting their developers’ time, increasing attack surfaces, with most tools being incompatible or not talking to each other. 

This folktale-esque hydra problem has partial roots in the multi-cloud which spawned fractionated security coverage models, leading us further from shoring data breaches. A few private attitudes that enterprise level SecOps leadership teams today hold:

 

  • 73% still manually configure security policies; a trend hyper enabled via inefficient and fragmented cloud stacks (50% protect via hybrid cloud; 18% multi-cloud). 
  • 53% don’t know if they’re actually protected by these tools; two-thirds observe false positives.
  • A worrying Pareto distribution; only 25% can respond to security incidents within a day. OSS compliance is an associated major concern, the largest that open source developers worried about in 2020.

How we got here? Notable DevSecOps events to today:

1990s to 2010: 

The Lockheed Martin Cyber Kill Chain — a decades-old framework for identifying and preventing attacks, attempts to provide a unified cyber security front. But it’s unwieldy and gives SecOps teams too much to manage. This ironically fractionates sec-teams — all using specialised wrenches for discrete parts of the cyber kill chain. The result: Myriad tiny points of failure

2010s to present: 

Security tools develop in a similar ad hoc fashion — duplicative, shared critical-coverage use cases. This cluttered intelligence stack diminishes managerial efficiencies. Redundancies blind large companies, of whom there are too many to name (2017 alone saw 3 billion compromised Yahoo accounts, its third massive breach). No sense of coverage gaps hierarchies — a resistance to overcomplicated protections even grows. 

Ideal single platform solutions

Individual threats aren’t impossibly complicated. The hydra problem occurs via a myriad of clutter, overwhelming a clear vision. As covered in CD’s How Equifax’s Breach was Easily Preventable case study, fixes are often simple; even if it’s just a period of downtime to block first penetrators. 

Without deep integrations, operations turn into breach-permeable pincushions; remaining coverage gaps in fact go unseen. Pareto’s ‘Vital Few’ is a reflexive philosophy security leaders can use to massively reduce complexity and apply a focused risk management plan. Elevating vital tools, scrapping duplicates. 

Centralizing tools are breakthrough when they perform vitally; automating risk posture assessments for entire application stacks. 6 key areas to centralize: 

  1. CIO (centralized reporting)
  2. CFO (same results, less costs)
  3. InfoSec (many tools automated together)
  4. Dev-first UI with bleeding-edge auto-remediations 
  5. Engineering managers (no CI/CD bottlenecks)
  6. Legal checklisting/reports

In short, adequate fitness is all…which today is more than enough to separate the top twenty percent from the rest. 

To learn more about how Cloud Defense can protect your vital systems and automate security please read our whitepaper