Tools, Tools, and More Tools...

The proliferation and race to market for newer, better, and more stable security tools has thoroughly saturated the IT world. Who hasn’t walked through a trade show and seen booth after booth of the latest and greatest tools? 

We have a question for you:  Do you really need another tool? 

Tools are positioned as labor saving applications that will provide you the security that your enterprise requires and will allow you to run lean with minimal staff or minimal contractors/consultants required to manage the enterprise (which the board, investors, and accounting team likes). 

The problem is, unless you are a Fortune 100 company, you may only have one SME (subject matter expert) and a partially trained backup for each tool.  The backup SME probably has minimal experience because they have their own tool or set of tools and operational responsibilities.  Then one day out of the blue, they both leave or a decision is made to cut staff and you lose key resources…  Now what?

Silent Sector recommends you take a breath and stop buying tools, at least for a moment.  Read on it will all make sense in a minute.

A few questions for you:

• Can you name all the security, monitoring, logging, prevention, provisioning, hardening, deployment and detection tools in your enterprise?
• If you can, do you know who owns them?
• Do you know who the SME is that has the day to day responsibility for each tool?
• If you can name the SME, ask them if they have all the time they need every day, including regular duties, to digest and use all the data the tool provides outside of critical alerts and putting out fires.  What is their answer (realistically)?
• Is the data coming from the tool actually useful?
• How much of the budget did you spend on tools and maintenance last year?
• Do you have a geographically dispersed security team?
• Do you have a use-case for every cybersecurity need that you are using a technology to meet? 
• Do you have a comparative analysis with security tool requirements you need vs. the industry tools available and how their technology meets or exceeds your needs?

At Silent Sector, we are by no means proposing that you abandon the use of security tools.  We use multiple tools for pen testing, compliance tracking, vulnerability scanning, and for other processes as needed.  However, Silent Sector is tool and OS agnostic.  While we have our preferences, we aren't here to sell you more software or tools.  Instead, we strive to make you succeed with what you have in-house, before buying anything new.

We've have seen many clients through the years who have amassed more tools than they can begin to use.  Many have had overlapping capabilities and worse yet, were sitting dormant while getting renewed annually because the SME who knew the tool has moved on (we all know IT people move around from job to job for numerous reasons and that is a topic for another time).  Whats more, so does their backup SME, the other backup, and the manager that originally approved the tool...  Meanwhile, purchasing keeps renewing the licenses for the tools that no one uses and acquiring the next new tool that will "solve all of our problems."  This becomes a perpetual cycle of throwing money out the window.

You are probably saying, “Wait are you really that jaded? Do you just need a hug? Are you really Comic Book Guy from the Simpsons?”  We have had long careers in IT at all levels with all types of companies imaginable, consulted a long time, seen things that would leave most speechless.  It is because of these problems that we left corporate InfoSec to start our firm and offer better solutions.  So of the 3 choices above, we’d go with "jaded" but we are hopeful we can help change this cycle.

Here's an example:

Two companies are described who differ in scope and volume, yet the circumstances are eerily familiar.

• Company A is mid-sized regional company with a couple thousand employees and multiple compliance requirements.  They were late in understanding their needs for IT security and they have cycled through multiple senior level IT management team members including C-level and directors.  As a result, they had to rebuild their IT teams multiple times and in doing so lost most, if not all of the tribal knowledge.

• Company B is a large international company with 7500 employees that grew rapidly through acquisition but in the process lost not only tribal knowledge and key SMEs, but the mid-level management that handled the acquisition and almost all of the senior IT leadership. This included several complete security teams as well as entire IT staff other than those possessing the IP that justified the purchase of the company.

The circumstances are similar for both companies and countless others.  As new teams of IT management and new resources took control of each environment, they brought in past experiences with tools and solutions that they had used at previous roles in their careers. They made their cases to acquire familiar tool sets and solutions. With changes in management direction and staff turnover, these tool sets and solutions went untended or were never fully deployed. 

Replacements were hired who may have had knowledge of the existing tool sets but had a tool set or management style they preferred over what was in place.  A case was made to purchase new tools and then at some point due to business requirements, change in management direction, or simple turnover these tools and solutions also went untended or were not fully deployed.

Replacements were hired who may have had knowledge of the current tool set but had a new tool set and management style they preferred and a case was made to purchase new tools.  At some point due to business requirements, change in management direction, or simple turnover these tools and solutions went untended or weren't fully deployed…..  Am I repeating myself?

If the situation above sounds familiar there is way out of this cycle.  WARNING, this might be a little painful so strap on your chain mail:

1. STOP. Don’t buy anything new until you have completed an inventory of every tool in your enterprise.
2. Identify the cost of every tool you own as well as the maintenance and support fees.
3. Identify what each tool does and if it is utilized to its full capacity or at the very least, what the modules you own can do.
4. Identify the SMEs responsible for each tool. (If the identified SME is that guy that used to sit in the cubicle by Gary but you haven’t seen him or for that matter Gary in a while, that is a bad sign!)
5. Identify where the tools you own overlap.
6. Identify any gaps you need to cover that is not currently being covered by your existing tools.
7. Determine what tools are still needed as well as those where you can bite the bullet and decommission them (be sure to let purchasing know not to renew the license).  This will save you not only on the tools but also on infrastructure costs.
8. Put together a team and project plan to fully deploy the tools you have decided to keep.
9. Determine if you have the in-house expertise to deploy the tool to its full capacity.  If not, engage the tool companies’ professional services.
10. Make company sponsored training on the tools a priority for your SMEs.  Often the tool companies provide it for free or minimal cost.
11. One challenge in larger organizations is that tool management may be dispersed in different geographic locations and across multiple teams.  In order to simplify management, Silent Sector recommends that you identify a single geographic location and team to consolidate tool management.  This will also make cross training easier.
12. Complete requirements by gathering and purchasing additional modules or bring in additional resources to complete the deployment of existing tools.
13. Create a centralized tools inventory and document repository.
14. Get to work deploying, configuring, and leveraging the tools you have decided to keep.
15. Decommission unneeded tools and infrastructure.
16. Document (I know everyone hates it -- this blog alone took 2 bottles of scotch)... Document everything you have done, every setting, service account, every piece of infrastructure, port, protocol, and connection and justification for why you did what you did. The idea being that if your SME gets hit by a bus on the way to work or wins the lottery and walks away, you can pick up where you left off.
17. Diagram the Tool – Create a Visio diagram with a graphic representation of what you have documented. This is a little more fun than documentation and generally takes less scotch.
18. Use your tools and delegate a SME plus 2 backup SMEs.
19. Utilize job swapping for cross training opportunities so the backups can learn in a live environment while the primary is still engaged and not just waiting out their 2 weeks’ notice.
20. Have your boss give you and your team a bonus for saving the company money and being so brave and innovative!  In all seriousness, attaching a bonus in a percentage of money saved by your team goes a long way for motivation.

Obligatory sales pitch: Silent Sector can help you with this entire process, making it far less painful.  Plus you’ll occasionally get to see our bright shiny faces.  The Silent Sector team strives to do security the right way, since most small-mid market companies don't have the budget to support one of those giant firms that can sponsor the Super Bowl.  We are here to help by providing guidance and support in the cyber, infosec, and compliance space at reasonable rates.  A security posture is only as strong as its weakest link.