A Rant on Single Function Security Tools

As you may guess, I was raised on Unix and in Unixland single-function tools rule the seas. From “ls” to “ping”, Unix is full of commands that are in reality tools that do one thing well. And it is wonderful!

However, I am not so sure our [“our” here applies to all shades of defensive security professionals, the People of Cyber…] collective fascination with narrowly-focused tools is that healthy.

But maybe it is OK? Let’s debate.

Here is a recent example [I am usually a bottom-up thinker, hence examples]:

  1. With some luck, you can perhaps orchestrate security operations using a general IT platform (chef, puppet, ansible, etc) – VERY general.
  2. Or, you can buy a SOAR, an orchestration platform for security – STILL general.
  3. Or, some vendors can sell you a SOAR module/tool that only helps with specific threats – NOT general.

As a result of this trend, we now have “SOAR for email threats”, “UEBA for web proxy logs”, “DLP for data discovery”, “vulnerability scanner for databases”, “SIEM can only match logs to threat intel” etc. Or, as my former colleague pointed out, a Cambrian explosion of tools.

What is driving this?

IMHO, this is driven by “boxes are cheap, people [labor] are expensive.” So, the above list becomes this:

  1. General platform + 1K hours of labor = result you want now [but, really, not now, but in 1K hours]
  2. More focused platform + 100 hours of labor = result you want now [still not now, but in 100 hours]
  3. A point solution tool (not a platform) + NO labor = result you want now [and actually now!]

Naturally, an astute reader will immediately point out that a general platform will give you more than one useful outcome over time, while a single-function tool will only ever deliver one outcome. The same reader will also point out, wisely, that some “boxes” (like, say, SIEM or UEBA) don’t do anything useful unless accompanied by people.

However, my impression is that many security leaders facing this choice will consciously decide to buy yet another single-purpose tool. Following the above example, we’ve seen cases where somebody buys a SOAR, tries to operationalize it, realizes the amount of work (often months) – and then goes and buys “SOAR for email” and then perhaps “SOAR for clearing SIEM alerts.” And then eventually “SOAR for SOAR” :-)

It seems that time to value for an immediate problem beats higher value over time. Or, perhaps, the “no labor box” approach wins over the “labor + platform” approach.

*** This is a Security Bloggers Network syndicated blog from Anton Chuvakin authored by Anton Chuvakin. Read the original post at: