Managing multiple vendors is difficult. Yet few vendors do everything you want. If you start introducing cyber security analytics, you will invariably integrate your data with maybe a dozen smaller vendors, as each one can do a particular thing very well.
Firewall logs, SIEM logs, IDS logs, and endpoint logs, from different vendors, are in different formats. Converting those logs into a common model that can be analysed takes significant work. In addition to spending that time to normalise the logs, you’ll need to stay on top of every change the vendor supplies. Often software upgrades result in slightly changed log output, requiring you to re-develop your common information language.
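As an added example (not from the original post), here is a small Python normaliser for two constructed vendor formats, a key=value firewall line and a CSV proxy line, mapped into one common model. FIREWALL_V2 mimics the post-upgrade output the paragraph warns about (a renamed field and a new one), and the normaliser quarantines such lines as schema drift instead of silently emitting blanks to every downstream analytic. All vendor names, field names and log lines are hypothetical.

```python
from typing import Dict, List, Tuple

# Constructed sample lines from two hypothetical vendors (not real products).
# FIREWALL_V2 mimics a post-upgrade line: 'act' renamed to 'action', 'rule_id' added.
FIREWALL_V1 = "ts=2024-01-05T10:00:01Z src=10.0.0.5 dst=203.0.113.9 dport=443 act=ALLOW"
FIREWALL_V2 = "ts=2024-01-05T10:00:01Z src=10.0.0.5 dst=203.0.113.9 dport=443 action=ALLOW rule_id=17"
PROXY_V1 = "2024-01-05T10:00:02Z,10.0.0.5,example.test,GET,200"

# The common model every analytic consumes.
COMMON_FIELDS = ("timestamp", "src_ip", "dst", "action")

# Vendor field name -> common field name. 'dport' is deliberately not part of the model.
FIREWALL_MAP = {"ts": "timestamp", "src": "src_ip", "dst": "dst", "act": "action"}
PROXY_COLUMNS = ["timestamp", "src_ip", "dst", "method", "status"]


class SchemaDrift(Exception):
    """A line no longer matches the mapping written for the vendor's previous release."""


def normalise_firewall(line: str) -> Dict[str, str]:
    kv = dict(tok.split("=", 1) for tok in line.split())
    missing = sorted(set(FIREWALL_MAP) - set(kv))
    if missing:
        # A required field vanished: the upgrade changed the format, so fail loudly
        # rather than silently emitting blank values into every downstream analytic.
        unknown = sorted(set(kv) - set(FIREWALL_MAP) - {"dport"})
        raise SchemaDrift(f"firewall: missing={missing} unexpected={unknown}")
    return {common: kv[vendor] for vendor, common in FIREWALL_MAP.items()}


def normalise_proxy(line: str) -> Dict[str, str]:
    cols = line.split(",")
    if len(cols) != len(PROXY_COLUMNS):
        raise SchemaDrift(f"proxy: expected {len(PROXY_COLUMNS)} columns, got {len(cols)}")
    rec = dict(zip(PROXY_COLUMNS, cols))
    # The proxy has no explicit verdict; derive one so the common model is complete.
    rec["action"] = "ALLOW" if rec["status"].startswith("2") else "BLOCK"
    return {f: rec[f] for f in COMMON_FIELDS}


NORMALISERS = {"firewall": normalise_firewall, "proxy": normalise_proxy}


def process(batch: List[Tuple[str, str]]) -> Tuple[List[Dict[str, str]], List[str]]:
    """Normalise a (vendor, line) batch; drifted lines are quarantined, not dropped silently."""
    records, drift = [], []
    for vendor, line in batch:
        try:
            records.append(NORMALISERS[vendor](line))
        except SchemaDrift as exc:
            drift.append(str(exc))
    return records, drift
```

Counting the drift list per vendor over a day's batch gives an early signal that a vendor release changed its log output before the analytics downstream go quiet or start firing on blanks.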
While the above situation is manageable, it introduces downtime and overhead that is not always pre-planned or accounted for. A more stressful danger of working with multiple cyber security vendors arises when you integrate different analytics into your cyber security platform.
Cyber security analytics vendors can do network anomaly detection, user behaviour analytics, proxy log malware identification, and a whole host of other niche capabilities. If you’ve managed to turn your logs into a common language you should, in principle, be able to feed your analytics engines with that juicy data. Yet if you are like many customers, you’ll want to ingest that data into all of your vendors. So your user behaviour analytics gets data, your network analytics gets data, your rules engine starts running, et cetera. These changes will result in an incredible number of alerts. You immediately risk missing the forest for the trees through an influx of false positives or, worse, false confidence.
It takes a long time to train machine learning capabilities, and we as a technical community have not created the solution to this problem. It is a continuous work-in-progress with every algorithm or solution we bring in. Trying to train one tool is difficult. Trying to train 4 tools that do things slightly differently, in an effort to eventually integrate them so that a network anomaly is also linked to an end user and to the malware that the end user brings in, is very hard work. In fact, many of our customers try to take on that hard work, only to realise it’s far too hard for a small team (one that is constantly fighting the bad guys and keeping its tools available) to handle.
So my advice is this — the fewer vendors you work with, the more integrated your defence will be. And the more integrated your defence, the better your security. Yet, the reality is that once you move from intermediate to advanced capability, there will be niche suppliers providing specifics that your team will absolutely need. So, what do you do?
My advice is to embrace continuous improvement while acting like Arnold Schwarzenegger. Arnold was Mr Olympia, a great action actor, and a popular politician. Each of those could dominate an individual’s career, yet he did all three. How? By focusing on one at a time.
He was first a world-class bodybuilder. Then, when that was well established, he became an action star. Then, when he was one of the biggest names in Hollywood, he became a successful politician.
Treat your security development like Arnold treated his career. Continuously improve, obviously, but start with a single focus and work doggedly to become the best. A lot of customers want to integrate a new SIEM, whilst doing a firewall refresh, whilst lifting their services into the cloud, whilst limiting the number of vendors or outsourcing some of their capability.
Those are all worthy goals, but doing them concurrently is a recipe for delayed delivery and exasperated colleagues. Instead, fight the good fight and focus on a single project, with a support network (like an MSSP) to guide you through. Then bring in new capability and vendors systematically and over a long period of time.
By making sure that every element of your security process is mastered in this step-by-step approach, you can ensure that you’re always in control of your vendors, no matter how many you work with.