



Defense in depth: Stop spending, start consolidating

Mar 14, 2016 · 7 mins
Business Continuity, Data and Information Security, Security

How many tools are too many tools to have an efficient defense in depth security infrastructure?

When it comes to layered defense and security tools, less is often more, just as more can sometimes be less. The average enterprise uses 75 security products to secure its network. That’s a lot of noise and a lot of monitoring and testing for security practitioners.

To make sure that the security tools not only work but work in harmony with each other, some security professionals recommend taking a closer look at the layers of the security ecosystem to eliminate redundancies that contribute to alert overload. 

There is a lot of threat intelligence information out there, and Stephan Chenette, CEO, AttackIQ said all of that threat information can be overwhelming. “They need to use the threat information to determine what is applicable to their organization and tailor it to their industry. Risk has a number of factors, not only the impact to organization but also the real probability of the threat,” Chenette said.

Security teams need to distill all of that threat intelligence and find what matters in relation to their business, because most enterprises aren’t regularly testing all of their security tools. “The alerts that matter are being missed,” Chenette said.

The security industry has long touted defense in depth as the solution to thwarting attacks, but the reality is that more layers don’t prevent attacks, said Chenette.

For many enterprises there is a disconnect between the products they are buying and their effectiveness. “Many people are putting firewall, IPS, and antivirus in place thinking that intelligence is actually going to help them,” Chenette said. 

What is more effective is taking that threat intelligence and running attack tests and attack models to identify potential blind spots. “Defenders think in lists but attackers think in graphs,” Chenette said. In order to build the best defense in depth strategy, the organization needs to start looking at what’s at risk and what’s at stake and then determine how to create security around those assets.

“Hope is not a strategy,” said Chenette, so in order for companies to improve their security strategy, they need to realize that technology can fail. “Controls fail over time, and the worst outcome is that there is a breach because they had a control in place that should’ve detected,” Chenette said.


It’s important to know what security controls are in place, whether the controls are even working, and whether those are the right controls for the realistic threats.

With an average of 75 security tools in play, redundancy exists. “Many organizations are hiring security experts to manage redundant products and manage alerts that don’t mean anything. The goal of continuous testing is to find the core amount of security products. To truly have a smart strategy and resilient architecture,” Chenette said.

Businesses that are trying to solve the hyper-convergence of technical and business problems by purchasing tools to mitigate risk “are instead ending up with a lack of mitigation and a lot more telling me I have a problem,” said Stan Black, CSO, Citrix.

Black said, “What we are all talking about now are complex attacks going after this ecosystem of technologies and trying to find the weakest link.” The bad actors know that they can find a weak link, likely long before the enterprise. Once they get in, they progress.

“They end up with a multi front attack on the network. Cryptolockers have an inherent immediate need for security teams to focus on thwarting them,” said Black. “They launch one of those and in concert launch a secondary attack with other malware that is their primary. They are using the window to come in and probe, send phishing emails, or change binary codes as they learn more about your response to these attacks,” he continued.

Many of the issues with layered defense appear on different fronts. An IT help desk gets a call, then the security operations team starts seeing red flags on their screens. The events occur on different fronts, and the teams seeing them are not talking to each other.

“We need a common set of logs. Each group traditionally has captured their own logs for their unique purposes. We need to be moving toward a common language so that we can have a high fidelity look back to see an increase in persistence and nature. By using the same set of logs we are now able to work in concert and have full clarity of what other teams are seeing,” Black said.

Black attributed the high number of security tools in an average enterprise security architecture to multiple acquisitions and growth over time. Rarely is the merging of security infrastructures a top priority during an M&A; thus, larger enterprises end up with a lot of redundancy in security tools. 

“There are two ways to remove the problem,” said Black. “Either find significant overlap between one problem and another–there’s likely upwards of 50% overlap–or find which tools provide the highest level of fidelity and actionable information, and then remove or significantly reduce all others over time.”  
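The overlap approach Black describes, combined with the control testing Chenette recommends, can be sketched as follows. This is an added example, not code from the article or from any vendor it mentions; the tool names, test IDs and detection results are constructed for illustration.

```python
from itertools import combinations

# Constructed sample: which attack test cases each tool alerted on during
# one round of control testing. Tool names and test IDs are hypothetical.
DETECTIONS = {
    "ids_a":      {"t01", "t02", "t03", "t04", "t05", "t06"},
    "ids_b":      {"t01", "t02", "t03", "t04"},
    "endpoint_a": {"t05", "t06", "t07", "t08", "t09"},
    "endpoint_b": {"t07", "t08"},
    "mail_gw":    {"t10", "t11"},
}
ALL_TESTS = {f"t{i:02d}" for i in range(1, 13)}  # t12: no tool alerted on it


def pairwise_overlap(detections):
    """Share of the smaller tool's detections that the other tool also made."""
    out = {}
    for a, b in combinations(sorted(detections), 2):
        smaller = min(len(detections[a]), len(detections[b]))
        if smaller:
            out[(a, b)] = len(detections[a] & detections[b]) / smaller
    return out


def core_set(detections):
    """Greedy set cover: each round keeps the tool that adds the most new
    detections. This is an approximation, not a guaranteed minimum."""
    covered, keep = set(), []
    while True:
        best = max(sorted(detections),
                   key=lambda t: len(detections[t] - covered), default=None)
        gain = detections[best] - covered if best else set()
        if not gain:
            return keep, covered
        keep.append(best)
        covered |= gain


def report(detections, all_tests):
    """Tools to keep, tools that add nothing new, and tests nothing caught."""
    keep, covered = core_set(detections)
    return {
        "keep": keep,
        "redundant": sorted(set(detections) - set(keep)),
        "blind_spots": sorted(all_tests - covered),
    }


if __name__ == "__main__":
    print(pairwise_overlap(DETECTIONS))
    print(report(DETECTIONS, ALL_TESTS))
```

Detection overlap is only one input: a tool flagged as redundant here may still be worth keeping for alert fidelity, which is the second option Black names.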

While some products do individually add value to the overall ecosystem, managing all of the security technology has become very complicated, said Geoff Webb, vice president of solutions strategy at Micro Focus. 

Most enterprises are looking at their many layers of defense in depth and realizing that they have added many different tools to protect against many different types of attacks. “The security team’s ability to manage and develop the architecture that is compromised,” said Webb, “because it’s difficult to understand exactly what’s happening.”

Webb said, “It’s important to be realistic about what is possible given the people you have. Also, I recommend that they have a strategy that maximizes the results while minimizing the noise in the way they build their infrastructure. That’s why we are seeing this shift to analytics and machine learning. All of those are the result of the need to find balance in this space of too many things to look at and too little help.” 

Both Webb and Black recommended that security practitioners shift their thinking in order to build their security strategy in a way that protects from the inside out. “A very successful security team makes it hard to get in but also focuses on quickly getting them out and limiting the damage they can do,” said Webb.

The physical network still needs defense, so firewalls and switches need to be in place, but many security professionals are exploring behavior analytics and virtualization technologies in order to understand user behavior and have complete visibility into the extended network.  

“You really have to focus on what is the critical stuff,” said Webb. That means understanding the key sets of information: the confidential and private information should be the starting point for building a better security strategy.

“Look at whether you really need this product that is monitoring this information. Build outwards based on information and people rather than building inwards. Take a hard look at what the problem we are trying to solve is as opposed to putting tools in to prevent what was a previous security risk,” said Webb.

Webb said he often recalls a quote from Bruce Schneier, who said, “Complexity is the enemy of security.” The more complex the security infrastructure, the harder it is to defend.


Kacy Zurkus is a freelance writer for CSO and has contributed to several other publications, including The Parallax and K12 Tech Decisions. She covers a variety of security and risk topics as well as technology in education, privacy and dating. She has also self-published a memoir, Finding My Way Home: A Memoir about Life, Love, and Family, under the pseudonym "C.K. O'Neil."

Zurkus has nearly 20 years' experience as a high school teacher of English and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). Recently, The University of Southern California invited Zurkus to give a guest lecture on social engineering.

The opinions expressed in this blog are those of Kacy Zurkus and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
