Techstrong TV: Addressing Cybersecurity Tool Sprawl

The Great Resignation is adding strain on the already tight security industry labor shortage. In turn, it’s leaving companies vulnerable with limited bandwidth, even more burnt-out teams and tool sprawl – with the majority of organizations having one staff member managing more than four tools. Joe Partlow, CTO of ReliaQuest, and Charlene discuss how organizations can and should address cybersecurity tool sprawl. The video is below, followed by a transcript of the conversation.

Charlene O’Hanlon: Welcome back to Techstrong TV. I’m Charlene O’Hanlon. And I’m here now with Joe Partlow, who is the CTO of ReliaQuest. Joe, thank you so much for joining me today. Really do appreciate it. 

Joe Partlow: Oh, thank you for having me, Charlene. Looking forward to it.

O’Hanlon: Excellent. So wanna talk to you a little bit about security tooling and what organizations are dealing with these days. But first, I wonder if you can introduce us to ReliaQuest.

Partlow: Yeah. So ReliaQuest is a security firm based outta Florida, but we have global operations, and really has kinda evolved into an Open XDR as a service. And really kinda what that means is operationalizing security programs, so whether that’s integrating the various tools that they may be using in their environment, automating any of the processes, procedures, obviously incident response and health and security of kinda the corporation, really bringing that all together in kind of platform and services that we call GreyMatter. And it’s really kind of an incident response platform that we’ve evolved over the years that adds in a lot of capabilities with that. 

O’Hanlon: That’s awesome. Great, it sounds like a really, really nice platform. Especially when you think about the amount of security tooling and software and applications that organizations are dealing with these days, sounds like your technology is a great way to kinda pull it all together.

Partlow: Yeah. And most companies are certainly trying and that’s a challenge for them, right? I think on average, last time I looked, there’s probably a good probably 30 to 40 different categories of technologies that most security programs have to deal with. So how do you make sure all that is healthy and reporting in what it should and doing all that detection that it should? It’s certainly an overwhelming task for a lotta teams, which especially have been hard-to-fill kind of open positions.

O’Hanlon: Yeah. Yeah. We’ve been talking a lot about that lately. I actually just had another conversation with somebody. We were talking about the Great Resignation and maybe how it actually should be called the Great Reshuffling because people are just kinda moving around so much. It’s like we’re living in a very dynamic environment these days, it seems like.

So I do wanna dig into more of this whole idea of security tool sprawl and what organizations really need to do to kind of harness their security applications and really create a more cohesive security footprint. I feel like there are so many different security technologies that exist today that it really has become kind of a Mulligan stew, if you will, of security in organizations, and so much so that there really doesn’t seem to be a good blueprint, if you will. Organizations have so many different things that they’re – all the different challenges that they’re trying to address with the technology. And I feel like it’s gotten to be too much. What are you guys seeing in this space?

Partlow: Yeah. And certainly being in this space for a long time, it’s kinda we’ve been a victim of our own success a little bit. In the early days, you’re lucky if you had a firewall, and that was pretty much it. But as tools have got better and new capabilities have come out, there’s been a lotta vendors that have filled that niche. And it’s been great because now we’ve had capabilities and ways to see and do things that we had never had in the past.

The problem is those evolve quicker than we can integrate them back in or roll them back into kind of one platform. So while it’s been better that we’ve got a lot more visibility and a lot more capabilities, it really hasn’t been tied together or timed in any way, shape, or fashion. So it’s been kind of a free-for-all. And the teams have had to struggle to kinda keep up with that. So it’s kind of a mixed bag of problems. A good problem, but then still a problem.

O’Hanlon: Right, exactly. Exactly. It’s because the brain can only process so much. And so especially when we’re talking about security and applications, I feel like we see a problem, we throw a technology at it. We see another problem, we throw another technology at it. And we keep kinda piling it on. Nobody’s really thinking about whether this tool up here may have actually addressed a problem down here and we could’ve killed two birds with one stone.

And so there’s, I don’t know that we’re actually getting the value from the applications that we’re investing in because there are – there are so many kind of one-off security applications addressing one particular problem or two particular problems, but there really doesn’t seem to be any kind of organization, if you will, to a lot of security strategies within an organization. Their security strategy is basically just throw it against the wall and see if it sticks. So is there an easy answer to this? Or is it something that we’re gonna continue to grapple with for a while? 

Partlow: Yeah. Unfortunately, the easy answer you’ve kinda hit on, Charlene, is that it’s, “Hey, if I have a need, there’s a quick niche to fill that in.” And go to any security conference and you’ll see 20 vendors that will promise to do that. It’s got tricky because as vendors have matured and added more capabilities into their product because they see opportunities to get into some of the other spaces, the problem that we see a lotta times for many security teams is the tool or the platform will get deployed, and maybe they’re using 20 percent of it because one, they just maybe didn’t have time to fully deploy it out or just didn’t have the understanding or the time to actually get it fully baked. And then a lotta times, the tool gets a bad rap, and it’s, “Oh, this doesn’t work.” Well, it was never really kinda rolled out the right way and there’s always some new kinda shiny new tool coming down the pike. So obviously wanna keep current on technology, but a lotta times, we see a lotta software out there or that could just be ’cause of lack of training or turnover or there’s many times where new teams will get brought in that we see in a corporate environment and they didn’t even know they had certain tools because it was sitting off in the background somewhere.

O’Hanlon: Yeah. And you mentioned turnover. And that’s a huge thing these days, especially in the security teams. The – in many organizations, turnover is high because they just get burned out so quickly. Because if you think about just the amount of cybersecurity threats that are out there today, it’s like every day, there’s a fire drill, something that they’ve gotta take care of. And I think I read something that the average CISO’s tenure was something on the order of 18 months, which is I mean, that just boggles my mind.

And this is the person who’s supposed to be heading up the entire cybersecurity operations for an organization. I imagine that alone contributes quite a bit to the fact that there are cybersecurity technologies in an organization that maybe some people don’t even know about because there’s just – the CISO adopted the technology, approved it. It got installed. That person left. And the new person came in, really had no idea that nobody had taken an inventory of their cybersecurity applications set or anything. And so there’s no tribal knowledge left with that amount of turnover. 

Partlow: Yeah. No, you touched on a thing that is really the biggest problem, that tribal knowledge that a system administrator or a network administrator, a lotta times, those folks, they kinda knew where the skeletons were hid in the closet, right? So that person kinda really knew a lot. But like you said, CISOs and even the security team, we’re seeing, is turning over 18 to 24 months at a time. And a lotta times, it’s maybe going to another division in the same company. Or obviously, the security market is pretty hot right now. So there’s a lotta folks looking to kinda make that move, especially in the last couple years with more remote positions opened. That’s opened up a lot of opportunity, too.

So yeah. I think it’s easy to get discouraged in security. Security is not an entry-level field. There’s a lot going on. It’s easy to get discouraged, like you said, with all the fire drills. So to keep people from getting burnt out from having a whole set of tools that they have to keep up and running contributes to that a little bit. It’s not the reason why a lotta these folks got in. Most people like doing the incident response process and really kinda solving problems, not dealing with 10,000 alerts coming off of some noisy tool.

O’Hanlon: Yeah. Well, I kinda joked at the beginning of the pandemic that, “I think Slack will be the death of us” because my entire day was spent answering Slack messages from all the other employees who too are working remote, and it’s like death by a thousand Slack messages. But yeah, in this case, it would be death by a thousand security alerts. And I can imagine, especially if a security team is working remotely, that’s a 24-hour job. And when you’re working remotely, it’s hard to disconnect sometimes when your Slack is going off and you’ve got security alerts that are pinging you at 2:00 AM and 3:00 AM. So I imagine that that’s also contributing to that kinda massive burnout that a lot of security professionals are feeling these days.

Partlow: Oh, yeah, especially if your team is really half of what it should be for the size of your organization and you’re dealing with three or four or five different technologies, keeping those up and running. It does take its toll. And it’s funny – not funny. But if you look back, a lotta the major breaches and incidents that we’ve seen in the past few years, more times than not, there was some indicator or some alert that something shady was happening. It was just lost in the noise. And if someone’s got five or six different tools that they have to monitor and keep track of, it’s easy to see why that stuff maybe gets lost sometimes.

O’Hanlon: Yeah. Yeah. So I know that there are a lot of different alerting technologies out there. And to your point, though, there’s still a lot going on out there. So I don’t – I feel like we haven’t really cracked the nut when it comes to understanding the ability to properly prioritize security alerts.

And I’m sure it’s different in every organization. But I almost feel like maybe this is something that the organization is probably better off not even having to deal with on its own, that it maybe it is time to look into using a managed services provider or an as-a-service provider to help them kind of at least kinda manage the security incident levels and help them understand, really, what’s an alert and then what’s an alert, and kind of separate thing. What do they say? Separate the noise from, what is it? I can’t [laughs] the information from the noise or something like that.

Partlow: Or make it actionable. We talk about actionable events versus non-actionable.

O’Hanlon: Yeah, exactly. 

Partlow: Yeah. And it’s certainly kind of what we’ve been living for the past decade or so and kind of the space that we play in. But if you look back at kinda – there was this shift a few years back to kinda get everything we must have a big data lake. And all the security events and other info, we tried to get into kinda these big data lakes to try to corral it and get kinda that single pane of glass, and whether it was tool sprawl or information sprawl or just corporate application sprawl. And then as kinda cloud platforms got bigger and more took over a lot of kinda centralized spots, that’s contributed to that a little bit.

And that’s really something that we’ve kinda got to do to be successful, we feel like you’ve really kinda gotta go to the source of that data. It’s too hard to bring it all in one. There’s too much data out there. You really have to have those detections at the source or closest to the data and have a way to correlate those. Unfortunately, business kinda moves too fast to integrate and centralize everything as much as we would like. So you really kinda have to be all places at the same time. 

O’Hanlon: So do you think organizations are getting better at it, then, at least recognizing the fact that they have a problem and then they say the first step in fixing a problem is recognizing that you have one in the first place. So do you think we’re there yet? Or do you think that we’re still gonna be experiencing a lot more pain before we finally get some sort of resolution? 

Partlow: Yeah. I do feel like most organizations even up to the board level have really kinda, in recent years, realized, especially with ransomware and a lot, you tune into the news and there’s always something happening. The awareness is certainly there. I think the challenge that we see for most customers is the speed that their business is moving at, whether it’s acquisition or mergers or expanding into cloud environments, just keeping up with it. So the awareness is definitely there.

That’s the challenge that we see is, well, how do you get visibility into that? And how do you do proactive detections and threat hunting and all the good stuff that you wanna do to try to get out in front of it? Trying to keep pace with the business is kinda the biggest challenge that we see, and obviously that contributes to the incidents. If you can’t secure what you don’t know about. So that’s kinda the biggest challenge that we see. But luckily, I think are up to the board level, we’re definitely seeing a lot more buy-in, and security is really kind of at the forefront more so than it has been in the past. 

O’Hanlon: Yeah. Yeah. I would tend to agree with you, especially with, as you said, with the number of ransomware attacks and other cyberattacks that have been happening over the last two years. It really has become an imperative for organizations to make cybersecurity the highest priority, I would say, within the organization. A lotta people say that it’s really all about the customer experience. Well, yeah. If you can’t get to your customer, then there is no customer experience to be had. So I think protection of the networks and the data are and should be top priority for organizations.

And I also do think that organizations are a lot better about recognizing the fact that they do need help when it comes to cybersecurity and ensuring that their networks and all of their data, if it’s on-premises or in the cloud or a combination of the two, are being protected appropriately. And whether that’s done through an in-house application tool set or through the use of a managed service provider or some other means, I think the organizations are becoming a lot more comfortable with the idea of getting the proper amount of help that they need from wherever it comes. So I think you guys probably are in a very, very good spot to be able to provide that to customers really no matter what size organization. Because it really doesn’t matter how big you are. You do need cybersecurity end-to-end. It’s just a matter of doing business these days. 

Partlow: Yeah, yeah. And luckily, we’re in a spot where a lotta times, we’re providing that consistency. If that team is turning over every year or so, a lotta times, we’re kinda being the ones in the background that’s training up that new team and getting them up to speed on, “Hey, what do you have? What are issues that we’re working on?” And you kinda hit on something, too. For the tool sprawl, another reason why we’re seeing some of that is that with a business being typically siloed away from the security team and the security team really not understanding the why behind the business. Typically, we see them just go out and buy a bunch of tools, and “All right, well, I gotta solve every problem. And I’m gonna throw a bunch of stuff at it, and hopefully something sticks.”

Whereas now, having that security team and the business closer aligned, you can really kinda focus and say, “Well, hey, my top three business risks are this. And maybe I don’t need 20 tools to solve that problem. I can solve 80 percent of the problem with this 1.” So that’s a good trend that we’re seeing, at least, is that now that security is kinda more to the forefront, being aligned more with the business, hopefully that will avoid security teams just thinking they have to cast a net over everything and protect against every single thing that’s out there versus focusing on the most important. 

O’Hanlon: Yeah. Well, I hope that organizations do recognize that security tool sprawl can actually help work against their cybersecurity efforts. If you’ve got too many tools and they’re all kinda working against each other, sometimes that actually can hinder a cybersecurity operation or kind of retract the footprint rather than expand it. So I think there’s a lot to be said about having a second set of eyes, if you will, on a cybersecurity program within an organization. So good stuff. Good stuff.

Partlow: Yeah, hundred percent. Obviously, nobody’s an expert in every single tool, but having kind of another group of folks that maybe see these tools a lot more across customer base or something, that certainly helps ramping new team members up on the customer side.

O’Hanlon: Yeah. Yeah. And there’s a lot to unpack with this topic. I know we could talk for a lot longer than we have been. But unfortunately, we’re outta time.

Joe, thank you so much for taking a couple minutes and talking with me about this. I’m sure we’ll be having more conversations in the future. Cybersecurity is a topic that is not going away anytime soon. So they’ll – many problems as there will – as we’ll have, there will also be as many answers. So thanks again for taking the time today. I do appreciate it. 

Partlow: Yeah. Thank you, Charlene. Glad to, glad to be on.

O’Hanlon: All right, everybody. Please stick around. We’ve got lots more Techstrong TV coming up, so stay tuned.


Charlene O’Hanlon

Charlene O’Hanlon is Chief Operating Officer at Techstrong Group and Editor at Large at Techstrong Media. She is an award-winning journalist serving the technology sector for 20 years as content director, executive editor and managing editor for numerous technology-focused sites including DevOps.com, CRN, The VAR Guy, ACM Queue and Channel Partners. She is also a frequent speaker at industry events and conferences.
