By Adrian | December 2, 2019

Defense in depth, it’s a good thing. But how much is too much? While you could argue that you can never have enough security, the answer to that question really is, how big is your wallet? You want the best of breed everything, then its going to cost you….. dearly, while it would be amazing if that level of cash could be splashed, its not always the case and its not always the best solution for your organisation. You should always have just the right amount according to the appropriate security classification for what you are trying to protect. Anything more and you are wasting cash, anything less leaves you exposed.

So what’s wrong with doing more with what you have before you start adding more servers, more appliances, more software onto your stack? The big issue for me is that companies can sometimes expect more monitoring with the same levels of staff as tool sprawl increases, and a staff capability uplift never seems to be included in such plans.

This leads down a dangerous path where a very limited set of functionality that a product has to offer is ever used, a “set and forget” mentality where a product isn’t managed in line with Vendor requirements and analysts with limited knowledge about how to use such devices to their full potential. This is just asking for technical debt.

What happens when that severity one issue comes in? Engineers and Analysts can be overwhelmed and their product, implementation and troubleshooting knowledge for that product is near zero. Been there, its never an enjoyable experience for customers, managers and engineers alike.

Before looking at new shiny security tools, ask yourself, am I using each tool to its fullest, is there some part of this device that isn’t being used that can be used, is this going to add another bundle of hay to a potentially already overworked operations team and how will this device be tuned to reduce false positives to gain that higher fidelity of alerts. Also, do you have a plan on how new staff will be trained in your procedures and processes of that particular product?

Theres a lot to be said that security is more about people and process than technology. What is the point of adding yet another blinking light only for it to be ignored? Ultimately security controls that go unmonitored are useless if alerts are not monitored and acted on accordingly.

I recall a story where the building’s fire alarm was sounding, and staff made the assumption that it was another drill, until they saw the smoke out the window and realised it was the real deal. Management rightly copped a hammering from the fire brigade on that, but the point I am making is that there are plenty of examples where this has been the case in IT security where alarms were ignored, written off as false positives and resulting breaches happened. I can’t help but feel that they may have been victims of too many tools and not enough support making them effective.

The Banner photo is by Vlad Tchompalov on Unsplash.