Enterprises are frequently deploying new security tools and services to address needs and threats. A key consideration is how to integrate these various offerings — in many cases provided by different vendors — into the existing infrastructure to support a cohesive security strategy.
The move to the cloud has made security integration somewhat easier, but the process can still be a major hurdle for organisations as they try to build strong protection against the latest threats. Here are some of the challenges they might face and how can they effectively address them.
1 - Too many security tools
A common security integration problem stems from something many organisations are doing: deploying too many security products and services.
“The sheer volume of disparate security tools and a lack of native interoperability between them is one of the biggest challenges facing cybersecurity operations today,” says Chris Meenan, vice president of product management at IBM Security.
“Each new security tool must be integrated with dozens of others, creating a compounding number of custom integrations that must be managed between each — growing at a scale which has become unfeasible,” he says.
Thousands of cybersecurity tools are on the market today, “with a mishmash of varying features and capabilities,” says Kelly Bissell, global managing director of Accenture Security. “Any security leader, regardless of their experience level, can easily get overwhelmed trying to make the ‘right’ security choices for a company.”
The result is often a corporate security infrastructure with 50 or even 100 different tools all cobbled together, Bissell says. “When new tools are introduced but can’t communicate with other platforms or security tools, it makes it even more difficult to get a useful view of the true threat landscape,” he says.
Organisations “need to do some ‘spring cleaning’ and rationalise or consolidate their cybersecurity tools,” Bissell says. “They should also select a few core vendors and scale back others to maximise the value of their core vendor relationships. This will save cost in licensing and integration while simplifying their footprint.”
2 - Lack of interoperability among security tools
Many security tools available today use proprietary interfaces and data exchange languages, Meenan says. While many now offer open application programming interfaces (APIs), “these APIs are not necessarily built on the same standards, so specific, custom code is still required to integrate product A with product B,” he says. “Additionally, the language for exchanging data is not standardised.”
Efforts are underway among multiple security communities to address this issue of interoperability, focused on developing more common data models, open standards, and open-source tooling that can be used across vendors and toolsets, Meenan says.
“By relying on common APIs and common data models, security teams will be able to swap out one tool for another more easily, ultimately making it easier to add new tools and reducing vendor lock in,” he says.
A good example of where this type of community work is taking root is in the Open Cybersecurity Alliance (OCA), Meenan says. This is a cross-sector group of vendors, consumers, and non-profits under open governance that is dedicated to leveraging open source and open standards to improve cyber security interoperability.
“Organisations like the Open Cybersecurity Alliance are all about bringing together players from across the broader security community to help define these standards in an open and transparent way, with development, review and feedback from the community,” Meenan says.
“Companies can start looking today towards software that is based on open-source tools and standards, in order to reduce the burden of security integrations—both now and in the future.”
3 - Broken functionality
Oftentimes security tools require certain access to systems or network traffic to run, and adding new tools could cause existing tools to stop working, says Eric Cole, founder and CEO of Secure Anchor Consulting, and a cybersecurity expert.
“This is based off the premise that when new tools are installed, they often make changes such as removing or uploading files, drivers, and registry keys, and those configurations are often used by previously installed tools,” Cole says. “This problem is mainly prevalent with endpoint security tools or tools that have to be installed directly on a system.”
With network devices or appliances, this is less of an issue, Cole says. The solution is with host- or server-based tools that must be installed locally, organisations should stick with a single vendor suite or tool to minimise cross-vendor contamination, he says.
4 - Limited network visibility
Newer security tools are focused on building out behavioural models to better understand network traffic and behaviour, and using this information to detect anomalous activity, Cole says.
“In order for these models to be effective, they must examine and analyse all of the network traffic,” Cole says. “If the tools only see a subset, the models will not be accurate or effective.
"This is mainly a problem with network devices and appliances, but if a new network device is installed in front of existing technology, it could block traffic and limit the visibility of existing systems.” If the new device is installed behind existing devices, it would have limited information and not be effective, he says.
The solution is to implement network tools per virtual local area network or network segment, Cole says, so a single tool has full visibility for the portion of the network that it is protecting.
5 - Increase in false alarms
New security tools also tend to be more focused on claiming they can detect attacks instead of focusing on providing accurate and reliable information, Cole says.
“Therefore, as you install more tools it increases the alerts and increases the overall number of false positives, “Cole says. “The solution is to utilise a security incident and event management [system] and correlate the data from multiple sources, and only alert on activity that consistently alerts across multiple tools.”
6 - Failure to set expectations properly
Security vendors might occasionally embellish the integration capabilities of their products or fail to mention all the additional prerequisites that must be in place to achieve the stated outcomes, says Brian Wrozek, CISO at security company Optiv. This, in turn, can lead to security leaders or teams setting expectations for business users that can’t be met.
“Business leaders have more familiarity with business applications than security applications,” Wrozek says. They know what they are getting with an application such as Salesforce or Zoom, he says, but not a cloud access security broker (CASB) tool. “Therefore, it is imperative that you explain all the limitations of the solution rather than focusing exclusively on the benefits,” he says.
7 - Lack of skills
Anyone in security leadership knows how serious a problem the skills gap is for businesses. Demand is simply much greater than supply, for virtually every aspect of security. That includes the skills needed to integrate various security tools and services.
The lack of trained staff who can manage the integration of security tools and determine what actions need to be taken is a key challenge today, Bissell says. “The more tools you have requires time and expertise, and [that] often creates a significant resource drain.”