Spending sprees, acquisitions, siloed departments, and escalating security concerns have many CISOs drowning in security solutions. Here’s how to rein in the tool sprawl and ensure enhanced security as you streamline your security stack.

Organizations have been on a spending spree when it comes to cybersecurity tools and services, as they look for ways to defend themselves against an ever-growing array of threats. This means many CISOs, CSOs, and other senior executives might be encountering tool sprawl. It’s especially a concern for larger, more disparate organizations or those that have gone through a lot of mergers and acquisitions.

“Security teams today are struggling when it comes to the proliferation of tools within their ecosystems,” says Jeremy Ventura, field CISO at systems integrator Myriad360. “Threat actors have drastically increased the frequency of attacks leveraging sophistication such as AI, resulting in defenders [deploying] new security tools and services to combat threats.”

In addition, the rise in the use of cloud services and the increased volumes of data organizations own, send, and ingest is not slowing down, Ventura says. “All these factors have created the issue of vendor sprawl, which calls for the need for consolidation.”

Recent industry research shows that a large number of CISOs are looking to prioritize the consolidation or simplification of security solutions and controls. Getting a better handle on security tool sprawl can result in benefits such as cost reduction and — oddly enough — enhanced security through a more streamlined and efficient cybersecurity program.

“It is crucial for organizations to reduce the number of vendors they are using to streamline management and monitoring,” says Anant Adya, executive vice president at Infosys Cobalt, an IT services provider.
“A consolidation of tools and services significantly minimizes complexity and eliminates gaps in data storage that make an organization susceptible to cybersecurity risk.”

The focal point of any effort to rein in cybersecurity tools is oversight by CISOs and other security leaders. “Cybersecurity tools need to be managed effectively,” says Robert Bolder, founder of hosting provider VPS Server. “Begin by taking a thorough inventory of every cybersecurity tool and ensuring it is current and set up correctly.”

Here are some tips, from cybersecurity practitioners and other experts, on how enterprises can address security tool sprawl.

Eliminate what’s no longer effective

The first step toward streamlining your security tool stack should be a thorough assessment of what still has value as part of your security defense. After all, every enterprise at some point has deployed security tools for a certain purpose only to later encounter changes in circumstances that render them no longer needed or useful.

All controls and tools should be linked to a reduction in the probability or likelihood of a risk that’s above the organization’s tolerance level, says Kayne McGladrey, CISO at risk management provider Hyperproof and a senior member of IEEE. If there’s no longer a need for a product, it should go.

As an example, McGladrey cites a CISO colleague who had a next-generation firewall renewal coming due. “The reason for the firewall was to limit the regulatory risks of data exfiltration to the business,” he says. “However, the business had moved to a primarily work-from-home stance, so the next-gen firewalls were protecting empty office space that would soon be sold.”

The CISO instead found an alternate solution for mitigating the risks of data exfiltration in a remote work scenario, and worked with the risk committee to confirm that the firewalls were inadequate at managing the risk. The new solution better met the needs of the business and was less expensive, McGladrey says.
“Any control that cannot be linked back to one or more risks should be scrutinized and probably removed from the organization for a lack of business justification,” McGladrey says.

Leverage analytics to assess your tool estate

Security teams can analyze the data they are gathering from security tools to determine what products can be eliminated. This data should be collected and made visible automatically, if possible.

“When I was doing executive advisory work, one project my team and I worked on involved consolidating telemetry from dozens of different technologies into a single dashboard for a CISO, showing how the combination of controls was effectively reducing risks,” McGladrey says.

“Counterintuitively, the benefit of this dashboard was that it allowed the CISO to focus on failure points; controls that were in place but were not being operated effectively, or controls that failed regularly,” McGladrey says. This enabled the CISO to have board-level conversations about the amount of time a given tool had not been operated effectively by specific business units, or about how the data showed the tool failed frequently. Tools that are difficult to operate or that frequently fail are likely candidates for expulsion.

Automate to elevate your security posture

Using automation wherever possible can also help security leaders find opportunities to reduce security tool sprawl. “Prioritize tool sets with heavy automation capabilities,” says Carl Lee, information security manager for cyber defense operations at Api Group, a provider of safety and specialty services. “Managing multiple security tools proves to be difficult for smaller teams without automation capabilities to consolidate alerts, tickets, etc.”

Automation “is key to simplifying security operations,” says Prahathess Rengasamy, staff security engineer at financial services provider Block.
“Automate repetitive tasks such as patch management, threat hunting, and incident response, to reduce the burden on security teams and minimize human error.” Implementing automation scripts for routine security tasks at Block enabled the firm to reallocate resources to more strategic initiatives, significantly enhancing its overall security posture, Rengasamy says.

Dig deep to root out duplicate tools

A significant contributor to security tool sprawl at many enterprises is the presence of duplicate tools. Organizations compile duplicate tools over time for many reasons, including mergers and acquisitions, siloed departments, lack of a cohesive security plan, and so on. Regardless of the cause, taking the time to discover and eliminate duplicate tooling can greatly help simplify and consolidate your security stack.

The first step in doing so is to undertake an assessment of known tools and the roles they play, says Adam Garcia, founder of The Stock Dork, a provider of financial investment services. “Analyze similarities and differences between current instruments, as well as areas of saturation and possible overlaps.”

Live Proxies, a provider of Internet proxy services, discovered that different tools were in use in various departments doing similar tasks such as threat detection and network monitoring. “By consolidating these into one larger and more robust platform, we reduced associated costs and simplified our operations, which had the added benefit of enhancing our security posture,” says Jacob Kalvo, co-founder and CEO.

It’s important to undertake an audit of all tools and services in use as the first management step for cybersecurity tools, Kalvo says. “You can then weed out redundancies and overlapping functionalities.”

It is increasingly common for larger companies to buy and incorporate lots of security technologies, “and as such organizations may find that they have multiple products or platforms providing the same functionality,” McGladrey says.
“For example, an organization I worked with had four separate products providing endpoint detection and response [EDR], and all the products reported data into a single security incident and event management [SIEM]” platform. This produced duplicate reports for the incident response team and a high degree of false positives, “which increased the probability of a true positive slipping by unnoticed,” McGladrey says.

“This overlap of EDR products was unintentional. The organization had recently completed an acquisition, one of their vendors had expanded into EDR, and another vendor had bought an EDR solution.” The well-meaning IT team had simply decided that more was better, McGladrey says. This was identified as a risk to the business and a substantial cost inefficiency, and was resolved after a review of the duplicate functionality.

Consider going unified where possible

Unified security platforms are available that can enable security programs to consolidate tool sets. These suites of products provide previously distinct functions such as authentication and verification, user permissions, privileged access, and analytics.

“Use a unified platform where it makes sense,” Api Group’s Lee says. “Depending on your preferred security tool sets, some vendors offer unified platforms that can combine services into a single tool set.”

“The benefit of integration is that unified dashboards or centralized management consoles should be sought for security in general, and the management of security incidents especially,” The Stock Dork’s Garcia says.

“In my experience, the consolidation of endpoint security solutions into a single platform not only had an impact on the reduction concerning the number of licenses required,” Garcia says, “but the consolidation also resulted in the enhancement of the endpoint visibility and better abilities in terms of threat detection.”

Moving to the concept of “rationalization” might make sense for some organizations, Myriad360’s Ventura says.
“Rationalizing tools under one vendor can help when it comes to consolidating multiple security alerts under one dashboard, saving time to detect and respond to incidents,” he says. In addition, rationalization can help reduce vendor management issues. “One support team and one contract can be ideal for some organizations,” Ventura says.

Foster a culture that capitalizes on tool consolidation

Would organizations need fewer security tools if their workforces were better trained in the secure use of their devices as well as the use of the latest security tools? Maybe, but either way it’s a good idea to keep all employees abreast of the latest threats and vulnerabilities, and to keep security staff current on how to use the latest technologies.

To this end, Live Proxies has created a culture of continuous improvement and training, Kalvo says. “We integrated security products such as firewalls, intrusion detection systems, antivirus systems, and others within a SIEM solution,” he says. “This not only gave us a simplified security architecture, but also gave us a ‘single pane of glass’ view for our network — empowering us to make quick and knowledgeable decisions.”

But even the best tools can’t work well if they are not used right, Kalvo says. “That is why at Live Proxies, we train our people regularly in new [tools] and ensure that the [security] tools we use are always up-to-date, like installing the latest patches and the latest features,” he says. “This enables our team to stay on top when new dangers emerge, and ensures maximum realization of our security investment.”

It’s smart to involve all relevant stakeholders in the tool consolidation process, including IT, security, and business units, Block’s Rengasamy says. “Provide training to ensure that teams are proficient in using the consolidated tools and understand the new workflows,” he says. During its consolidation initiative, Block held cross-functional workshops to align stakeholders on the new tools and processes.
“This collaborative approach ensured a smooth transition and fostered a culture of continuous improvement,” Rengasamy says.
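The two checks the article describes, McGladrey’s test that every control must link back to a risk and the audit for overlapping functionality (such as four EDR products feeding one SIEM), can be run mechanically over a tool inventory before the risk committee makes the final call. The script below is an added example, not code from any organization or vendor quoted here; the inventory, tool names, risk IDs and costs are constructed.

```python
"""First-pass security tool rationalization over a constructed inventory.
Flags controls with no linked risk and capabilities provided by several
tools, then proposes which duplicates could be retired without losing coverage."""
from collections import defaultdict

# Constructed inventory; tool names, risk IDs and annual costs are made up.
# caps: capabilities the tool provides; risks: risk-register entries it mitigates.
INVENTORY = [
    {"tool": "EDR-A", "caps": {"edr"}, "risks": {"R-ransomware"}, "cost": 120},
    {"tool": "EDR-B", "caps": {"edr"}, "risks": {"R-ransomware"}, "cost": 95},
    {"tool": "EDR-C", "caps": {"edr", "ngav"}, "risks": set(), "cost": 80},
    {"tool": "Suite-D", "caps": {"edr", "email-filter"}, "risks": {"R-phishing"}, "cost": 200},
    {"tool": "NGFW-HQ", "caps": {"ngfw", "dlp"}, "risks": set(), "cost": 60},
    {"tool": "SIEM", "caps": {"siem"}, "risks": {"R-ransomware", "R-phishing"}, "cost": 150},
]

def unlinked_controls(inventory):
    """Tools not linked to any risk: scrutinize and probably remove."""
    return sorted(t["tool"] for t in inventory if not t["risks"])

def capability_overlaps(inventory, min_tools=2):
    """Capabilities provided by min_tools or more tools, with the tools that provide them."""
    by_cap = defaultdict(list)
    for t in inventory:
        for cap in t["caps"]:
            by_cap[cap].append(t["tool"])
    return {c: sorted(n) for c, n in by_cap.items() if len(n) >= min_tools}

def consolidation_plan(inventory):
    """Greedily retire the costliest tool whose capabilities and linked risks
    are all still covered by the remaining tools; repeat until none qualifies.
    Returns (retired tool names in order, annual cost avoided)."""
    remaining = list(inventory)          # copy so the caller's inventory is untouched
    retired, saved = [], 0
    while True:
        candidates = []
        for t in remaining:
            others = [o for o in remaining if o is not t]
            caps = set().union(*(o["caps"] for o in others))
            risks = set().union(*(o["risks"] for o in others))
            if t["caps"] <= caps and t["risks"] <= risks:
                candidates.append(t)
        if not candidates:
            return retired, saved
        victim = max(candidates, key=lambda t: t["cost"])
        remaining.remove(victim)
        retired.append(victim["tool"])
        saved += victim["cost"]
```

On the constructed inventory this flags EDR-C and NGFW-HQ for lacking any risk linkage, reports four tools overlapping on EDR, and proposes retiring EDR-A and EDR-B; EDR-C survives the overlap check only because its next-gen antivirus capability is unique, which is exactly the kind of finding the risk committee should weigh rather than a script.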