The cybersecurity technology field is, shall we politely say, crowded. I recently returned from attending RSA, one of the biggest conferences in the industry. Trying to describe just how many new technologies and solutions I saw there feels a lot like trying to describe how big space is: Our brains can't actually process that kind of scale.
I imagined being a chief information security officer (CISO) at this event, trying to make decisions on what products or technologies would solve their particular organization's security weaknesses. It was, in trying to maintain my earlier commitment to being polite, overwhelming. There must be a better way to quickly figure out if a security technology is worth evaluating.
This ecosystem we have found ourselves in, of slapping new technologies into our security stacks, isn't working. Security staffs everywhere are pulled too thin trying to manage every new technology, and threat actors are continuously breaking through our protection technologies.
So, how do we break this cycle? When looking at security technologies, we should start by assessing how much value each one actually provides: not just whether it can do what it promises, but whether it is a net positive for the security stack as a whole and for the teams that have to manage it.
We are moving into a new era of cybersecurity, and every investment must be prudent. To make these decisions well, companies must start asking some fundamental questions about each technology so they understand its true value, or its true cost. Questions about proactivity, intelligence, autonomy, scalability, and benefit to the rest of the stack can help you find the most value in every security technology.
Importantly, these questions can also help you evaluate your existing technologies, as you now know in real life how they are (or are not) serving your network and your teams. The answers might surprise you.
Question 1: Is the technology proactive or reactive?
While almost any cybersecurity vendor will be quick to use the word "proactive," we first should define what the term really means. A truly proactive technology is one sitting "left of boom," that is, before a breach succeeds. Today, almost all cybersecurity technology sits "right of boom," responding to and mitigating the effects of breaches that have already happened.
In modern security frameworks and stacks, whether built around MITRE ATT&CK, the NIST frameworks, or zero trust, often the only control positioned left of boom is the firewall or next-generation firewall (NGFW). These decades-old technologies have been asked to do more and more, and yet they remain the standard. We have to help the rest of the security stack by investing in more proactive technologies.
Question 2: How much cyber intelligence can the technology leverage?
It has become increasingly clear that the word of our time is "intelligence" — be it artificial, human, or, more in my world, cyber. The value of intelligence and data has never been higher, and this has proven especially true in the war against cybercriminals.
The future is intelligence driven, and the more intelligence a cybersecurity technology can act on, the better. Any cybersecurity technology must be informed by as much cyber/threat intelligence as possible. Without the data to make informed decisions about enforcement, threat actors automatically have an upper hand.
Question 3: Is the technology (truly) autonomous?
I cannot think of a cybersecurity technology that doesn't claim it is "autonomous." This has become so common in our industry that the word itself has almost lost meaning. However, with a cybersecurity staffing shortage that does not look to be going away any time soon, it's critical we evaluate what we mean by "autonomous" when thinking about a technology.
How many hours of an employee's day (on average) does this technology require? Does this technology require another full-time employee to manage its alerts or logs? Does this technology update automatically? (And how much downtime do those updates cause?) The answers to these questions should be: zero, no, and yes. Anything else is not an autonomous technology.
Question 4: How does the technology scale?
Threat actors have shown themselves to be nimble, inventive, and persistent in their attacks. The technologies we implement must be able to grow and adapt to these realities. Can they adapt to higher volumes, deeper obfuscations, and yet-unknown attack vectors? Knowing your technologies can grow with your network and adapt to an ever-changing threat landscape is vital in any security technology investment.
Question 5: Can the technology work easily with existing technologies?
One of the biggest sources of burnout among cybersecurity professionals is what's known as "alert fatigue." It is caused by too many technologies that are extremely sensitive in finding threats or breaches yet are unable to communicate with each other, so each one raises its own alert for the same malicious traffic. Security teams are then forced to sift through duplicate and erroneous alerts, and the sheer volume of alerts generated by traffic arriving day and night makes them more prone to missing the ones that matter. Sadly, this is just one example of how multiple technologies that aren't sharing information can degrade a network's security posture.
Any new cybersecurity technology you consider should be not just a neutral addition to the security stack, but rather a benefit to the other technologies or people managing them. Some questions to ask in this arena might be: Can it feed intelligence easily to other implemented technologies? Does it ease a pain point of another technology? Can it ingest information from other implemented technologies?
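As an added illustration of the duplicate-alert problem described above (example code written for this page, not from the original article or any product), the script below takes alerts from three hypothetical tools, an NGFW, a network IDS, and an EDR agent, each in its own native format, normalizes them onto one shared schema, and then correlates alerts that share the same source and destination within a short time window into a single incident. The tool names, field layouts, alert records, addresses, and the five-minute window are all constructed assumptions; the point is that once tools speak a common schema, four alerts about one beacon collapse into one incident that names every tool that saw it.

```python
"""Added example (not from the original article): collapsing duplicate alerts
from tools that do not talk to each other into one correlated incident.

All alert records, tool names and field layouts below are constructed sample
data, not output from any real product."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts from three hypothetical tools, each in its own format.
NGFW_ALERTS = [
    {"ts": "2024-05-06T10:01:02Z", "src": "10.0.0.5", "dst": "203.0.113.7",
     "sig": "Cobalt Strike beacon"},
    {"ts": "2024-05-06T10:01:40Z", "src": "10.0.0.5", "dst": "203.0.113.7",
     "sig": "Cobalt Strike beacon"},
]
IDS_ALERTS = [
    {"timestamp": "2024-05-06T10:01:05Z", "src_ip": "10.0.0.5", "dest_ip": "203.0.113.7",
     "alert": {"signature": "ET MALWARE Cobalt Strike Beacon"}},
]
EDR_ALERTS = [
    {"time": "2024-05-06T10:02:10Z", "host_ip": "10.0.0.5", "remote_ip": "203.0.113.7",
     "detection": "Suspicious outbound connection from rundll32.exe"},
    {"time": "2024-05-06T14:30:00Z", "host_ip": "10.0.0.9", "remote_ip": "198.51.100.2",
     "detection": "Credential dumping via lsass access"},
]


def normalize(tool, raw):
    """Map each tool's native fields onto one shared schema so alerts become comparable."""
    if tool == "ngfw":
        return {"tool": tool, "ts": raw["ts"], "src": raw["src"], "dst": raw["dst"],
                "name": raw["sig"]}
    if tool == "ids":
        return {"tool": tool, "ts": raw["timestamp"], "src": raw["src_ip"],
                "dst": raw["dest_ip"], "name": raw["alert"]["signature"]}
    if tool == "edr":
        return {"tool": tool, "ts": raw["time"], "src": raw["host_ip"],
                "dst": raw["remote_ip"], "name": raw["detection"]}
    raise ValueError(f"unknown tool: {tool}")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(alerts, window=timedelta(minutes=5)):
    """Group normalized alerts that share (src, dst) and fall within `window`
    of the group's first alert into a single incident record."""
    by_pair = defaultdict(list)
    for a in sorted(alerts, key=lambda a: parse_ts(a["ts"])):
        by_pair[(a["src"], a["dst"])].append(a)

    incidents = []
    for (src, dst), group in by_pair.items():
        current = None
        for a in group:
            t = parse_ts(a["ts"])
            # Start a new incident when this pair has none yet, or the window has lapsed.
            if current is None or t - current["first_seen"] > window:
                current = {"src": src, "dst": dst, "first_seen": t, "last_seen": t,
                           "tools": set(), "alerts": []}
                incidents.append(current)
            current["last_seen"] = t
            current["tools"].add(a["tool"])
            current["alerts"].append(a)
    return incidents


def build_incidents():
    """Normalize all constructed alerts and correlate them; returns (alerts, incidents)."""
    alerts = ([normalize("ngfw", a) for a in NGFW_ALERTS]
              + [normalize("ids", a) for a in IDS_ALERTS]
              + [normalize("edr", a) for a in EDR_ALERTS])
    return alerts, correlate(alerts)


if __name__ == "__main__":
    alerts, incidents = build_incidents()
    print(f"{len(alerts)} raw alerts -> {len(incidents)} incidents")
    for inc in incidents:
        print(f"{inc['src']} -> {inc['dst']}: {len(inc['alerts'])} alerts from "
              f"{sorted(inc['tools'])}, {inc['first_seen']:%H:%M:%S} to {inc['last_seen']:%H:%M:%S}")
```

Run as written, the five constructed alerts reduce to two incidents: one for the beaconing host that all three tools flagged, and one for the unrelated credential-dumping detection that only the EDR saw. The interesting design choice is the normalization step, not the grouping: every tool that can emit its alerts in a shared schema (or ingest another tool's) removes this kind of duplication for free, which is exactly the "benefit to the stack" the questions above are asking about.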
Rarely will a technology answer more than one of these questions well. For instance, a technology might be able to use lots of intelligence but isn't proactive and needs constant monitoring by employees. These are the trade-offs security teams face every time they make a decision about a new or existing security technology, but working out how much value each technology adds, or doesn't, is the best place to start.