Why existing solutions let security leaders maximize value

Eddy Bobritsky explains why existing solutions create the opportunity to maximize value before looking for something new


Traditional antivirus is not dead.

Same goes for a lot of conventional tools we’ve come to rely on. The challenge often lies in understanding the nuance of the controls to match them to our environment. Often that challenge is daunting.

That doesn’t mean throwing them out in favor of a new approach, necessarily.

That was the theme of a recent conversation I shared with Eddy Bobritsky (LinkedIn, @eddyb0b), Co-Founder & CEO, Minerva Labs. Eddy is a cyber and information security domain expert with extensive experience in cyber security for the defense and financial sectors. His rule of thumb is to 'keep things simple' in order to help businesses operate seamlessly, which is why he started Minerva Labs.

I really enjoyed the discussion with Eddy as a guest on Startup Security Weekly (Episode 24 - YouTube) and kept it going here. We got deeper into the costs of ‘rip and replace,’ and the realization that the longer you have tools in your environment, the better you use them. If only because you better understand the settings, controls, and how to make it work for you.

Eddy also pointed out that established vendors have the resources to integrate anything new - if and when it proves valuable. With that, we covered a lot of ground exploring how security leaders can get more value from current solutions.

You pointed out that traditional approaches are best value for the dollar. How so?

When it comes to detecting known attacks, traditional antivirus (AV) products provide the best value for investment. New next-gen solutions deliver technologies that in reality bring little to no additional value to enterprises that keep their traditional security updated. They claim behavior detection and machine learning are more advanced technologies than signatures; however, in order to detect a certain behavior, or to find anomalies based on algorithms, the attack must run to be caught. Just like with signatures, the solution is only efficient following a successful attack. The attack is not prevented; it is stopped after it began causing damage.

But that’s not the only thing. Unlike new players, traditional AV companies have large databases and intelligence gathered from hundreds of millions of endpoints worldwide, empowering the security of all their customers. They are constantly improving their solutions and now incorporate machine learning and behavioral detection technologies into their existing solutions. And most importantly, the costs of replacing your endpoint security solution are extremely high. Keeping your existing solution, which gets better all the time, lowers the costs of keeping your company secure.

How does familiarity with these tools unlock more value?

Familiarity with the solution holds more value than you think. Being familiar with a solution ensures you get the most out of it. Your staff is used to it; they know how to best operate it and get tasks done quickly and efficiently. This applies to new features that are introduced to a familiar solution too; you know how to handle things in a familiar environment.

New tools mean new expenses and that’s not just for the product itself. A new solution brings along additional training costs, a learning curve, adaptation time and it can even mean recruiting new employees.

What do security leaders need to consider before ripping and replacing the tools they have today?

Replacing endpoint security solutions is a long, frustrating and expensive process. You need to consider the replacement process itself, the adaptation to the new technology and the employee training and recruiting processes.

The question that needs to be carefully considered is naturally, are you going to get your money's worth?

The replacement process requires a major organizational effort, both from a financial and an operational perspective. If at the end of the day (or year, more likely) you will be seeing only a slight increase in your detection rates, it is not likely to be worth the investment.

What is the best way to find out what to spend time and money on?

Before anything, test. Put the new solution in a lab and conduct a thorough proof of concept. Compare the results of the new solution to that of your existing one, to see if it really does make a big difference to your organization’s security. Then carefully consider all other operational and financial aspects we talked about before.

There is also a difference between adding another layer of detection, which is what the next-gen solutions provide, and adding a different layer that doesn’t rely on a similar approach, one that is active at an earlier phase of the attack kill-chain. EDR and AV endpoint solutions aren’t really preventing attacks. They detect the malware after the attacks begin. Adding a real prevention layer, one that prevents the attack from launching altogether, recognizing it at the installation stage of the cyber kill chain, is where companies should be looking.

How to get started?

Organizations need to assess three main things:

  1. Identify the gaps in your endpoint security strategy - what endpoint security measures are currently deployed and what is missing from a coverage perspective?

  2. What alternative or additional solutions will truly improve the organization’s security?

  3. What are the financial costs and operational efforts involved, and what will be the ROI?

Use numbers and comparisons throughout the process.

When you consider what you have and why it’s not enough, remember to consider your SOC teams and the number of alerts they handle, as well as other costs. Then think what products that employ various aspects of automation may do to these numbers.

When evaluating alternative solutions, run real comparisons in a lab environment and verify the true value of replacing a solution in terms of results, maintenance and costs.

And eventually, do the math and get a real understanding of what solution will significantly improve the organization’s security with minimal operational effort and good ROI.

Copyright © 2017 IDG Communications, Inc.
