So, you bought good security tools. Now what?

The pace of growth in the availability of information security tools in the last five years has been nothing short of astounding. The industry has seen many startups in this market space, along with a healthy pace of product acquisitions by established companies, thanks in large part to the growth in cybercrime.

While it took some time, it seems that the data breach explosion has caught the attention of many business leaders. When the target was Sony or Home Depot, companies further down the food chain did not seem to worry much. As smaller companies began being victims, and with the rise in ransomware hitting individuals, many more in the medium enterprise and small and medium business world began to pay attention.

The combination of product availability and rising concern about becoming cybercrime victims brought about a natural reaction — companies in large numbers began to purchase the tools offered by the growing number of information security companies. This may sound like a positive development, but there are definite challenges.

In my practice, I have seen a definite upswing in the number of companies purchasing expensive security tools, which will ultimately sit on the shelf and do little to improve their security posture. They have become victims themselves, having purchased tools they can’t or won’t use, and thinking somehow the the purchase and initial installation makes them safer.

I in no way mean to impugn the growing list of good security tools available. More such tools become available every month, and notwithstanding a few that are more hype than reality, they are generally good and useful. I would also never suggest that companies not consider tools that can help their security posture. The issue that concerns me is the purchases that happen without an understand of the care and feeding involved with such tools, and how they will fit into the operation of an organization. 

If you are a leader in one of the many such businesses or organizations considering security purchases, I would suggest that you think through the following steps first. If you have already written the checks, I suggest that you back up and run through this list.

Strategy 

Most companies are smart enough not to launch a new product or service themselves without establishing the proper strategy first, and yet the same entities will make expensive tool purchases at the drop of a hat. Before you spend anything, understand the problem you are trying to solve.

Threat intelligence is one of my favorite examples. The concept of using shared security information to protect a business is attractive. The concept is useless, however, without the proper infrastructure and the ability to use the information. 

Start by figuring out what issues you need to address. What particular security threats are common in your industry? What attacks have you or others in your industry seen recently? What critical assets do you need to protect? Once you understand these items, you can begin to build a strategy.

A good place to start is with a formal risk assessment. This may sound difficult and time consuming, but it can be done quickly and efficiently, as I describe in “The dreaded risk assessment.”

Staffing 

If I could build a product that would show you via a single console screen the threats your business is currently facing, and what you need to do immediately to protect yourself, I would retire comfortably to my own private island, probably next door to the one owned by Bill Gates. Sadly, no such technology exists, and is not likely to in the foreseeable future.

Automation can help, but people must be the center of your strategy. What staffing would you realistically need to implement your strategy? Are you better served by outsourcing some or most of your security efforts? Beyond the very basic tools, like a good endpoint security suite, you should not be making major purchasing decisions without considering the staffing implications. 

Data collection 

The key element to any security product involving security analytics or threat intelligence is the connection of data from your systems and networks into a single repository. Without this, any investment in such tools would be wasted.

One of the values of an approach like threat intelligence, as an example, is the ability to compare the incoming data with the content of your logs, looking for overlap. One of my customers recently got a threat intelligence report involving a list of rouge IP addresses. When they compared the list with their log repository, they found that one of the addresses in the list had been repeatedly trying to breach their network.

Intelligence and analytics work, but a good central log repository must be at the core. You can find good background information on accomplishing this in the article “Are you buried under your security data?“

Selection 

Once you have your strategy and staffing in place, and you are able to address logging, you can begin the process of product selection. Ask vendors to show you real-world examples of companies successfully using their products. Talk to references, and understand what the real care and feeding of the products involves. Try them in your own operation for a time, to assess their true potential impact. 

Implementation and operation

Many of the security tools on the market are complex, and require integration with your log management and other tools. As such, strongly consider using professional services offered by your vendor to handle the initial implementation. Once installed and operational, make sure you have policies and procedures in place to ensure that alerts coming out of such products are acted upon. In my article “The devil is in the details: The importance of tight processes to strong information security,” I provide a road map for accomplishing this.

Bottom line: Security tools are a great way to help secure your organization, but you must take the appropriate steps before you write the check. An unused or underused tool does little more than drain your bank account.