
Threat Intelligence


Security Tool Sprawl Reaches Tipping Point

How a new open source initiative for interoperable security tools and a wave of consolidation could finally provide some relief for overwhelmed security analysts and SOCs.

The typical security team today continues to struggle with the same frustrating and potentially dangerous problem: a sea of security tools that churn out waves of alerts and siloed data that often require manual correlation — or get dismissed altogether by overburdened security analysts.

"If it takes a SOC analyst more than three clicks to make a decision, he/she is going to move on. They have thousands of other alerts" waiting for them, says Jill Cagliostro, product strategist for security firm Anomali.

That frightening — but understandable — conundrum, in which security analysts are under so much pressure that they literally discard alerts that take too much time to investigate, underscores the very real risk of missing the one needle in the haystack in today's security operations centers (SOCs). At the root of the alert overload, of course, is a mix of security tools from multiple vendors, most of which don't work together and which security analysts don't even have time to fully master.

Organizations on average run some 25 to 49 security tools from up to 10 different vendors, according to the Enterprise Strategy Group (ESG), and 40% of organizations are so taxed, according to 451 Research, that they can't act upon at least a quarter of their security alerts. And in many cases, that's leading to organizations literally shutting off some alerting functions, SOC vendor CriticalStart found.

"There have been a lot of research studies that find the whole issue of interoperability and scalability is largely ignored, so as a result the technologies don't actually work together and you have more [tools] than you need," Larry Ponemon, president of the Ponemon Group, said in an interview with Dark Reading in July. "So many things are generating reports [and alerts] ... you are in a state of information overload pretty quickly."

But the tipping point may finally be near. A gradual wave of security-tool consolidation and aggregation — thanks in part to some strategic acquisitions — as well as a new vendor effort led by IBM and McAfee for an open source set of specifications for tool interoperability, could finally streamline and integrate tools and, ultimately, workloads for SOC analysts.

The newly formed Open Cybersecurity Alliance (OCA), part of the OASIS open standards organization, will come up with a common way for security tools to present data and to communicate and exchange messages with one another. "Essentially, the goals of the alliance are interoperability, and collaboration around various different standards, tools, procedures, and open source libraries to enable that interoperability," says Jason Keirstead, chief architect for IBM Security Threat Management.

The alliance isn't all about creating new standards, Keirstead says, although new ones could emerge eventually. "It's around collaborating on how we interoperate with each other."

OCA — which also includes members Advanced Cyber Security Corp., Corsa, CrowdStrike, CyberArk, Cybereason, DFLabs, EclecticIQ, Electric Power Research Institute, Fortinet, Indegy, New Context, ReversingLabs, SafeBreach, Syncurity, ThreatQuotient, and Tufin — initially announced its first two protocols, both existing work from its co-founders IBM and McAfee. The first is IBM's open source data library STIX-Shifter, based on the STIX2 data model standard, which pulls threat information from various data repositories and converts it to a common format shared by all security tools that adopt STIX-Shifter. OCA also released McAfee's OpenDXL Standard Ontology, which supports the OpenDXL messaging standard (based on McAfee's Data Exchange Layer) for communicating and sharing security information among different security products.

The OCA's open source releases are available to all security vendors, even nonmembers of the consortium, as well as enterprises that want to incorporate the technologies. The goal, according to the OCA, is to easily integrate security detection, threat hunting, analytics, and other tools so they can operate together "out of the box."
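To make concrete what a common data layer of the kind STIX-Shifter provides buys a SOC, here is an added Python example; it is not STIX-Shifter, OCA, or any vendor's code. Two constructed alert formats, a hypothetical EDR JSON record and a CEF-style firewall line, are mapped into STIX 2.1 indicator objects, so that a single query over the combined bundle correlates both tools' sightings of the same address. The vendor field names, the sample values and timestamps, and the `x_` custom properties are assumptions made for the illustration.

```python
"""
Added illustration of alert normalization into a common STIX 2.1 format.
Not STIX-Shifter or OCA code; both vendor formats below are constructed.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample: an EDR alert as JSON (hypothetical field names).
EDR_ALERT_JSON = json.dumps({
    "alertId": "edr-1001",
    "detectedAt": "2019-10-08T14:22:05Z",
    "severity": "high",
    "process": {"name": "powershell.exe", "sha256": "a" * 64},
    "remoteAddr": "203.0.113.7",
})

# Constructed sample: a firewall alert as a CEF-style line (hypothetical content).
FW_ALERT_CEF = (
    "CEF:0|ExampleFW|NGFW|9.1|100|Outbound connection to blocked host|7|"
    "rt=Oct 08 2019 14:23:40 src=10.0.0.25 dst=203.0.113.7 dpt=443"
)


def parse_cef(line):
    """Split a CEF line into its seven header fields plus key=value extensions."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    # Extension values may contain spaces, so stop each value at the next ' key='.
    ext = dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", parts[7]))
    return {"vendor": parts[1], "product": parts[2], "name": parts[5],
            "severity": int(parts[6]), **ext}


def stix_indicator(pattern, created, severity, source_tool, name):
    """Build a minimal STIX 2.1 Indicator; x_ properties are custom (assumed)."""
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": created,
        "modified": created,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": created,
        "x_severity": severity,        # normalized to low/medium/high
        "x_source_tool": source_tool,  # which product produced the sighting
    }


def normalize_edr(alert_json):
    """Map the hypothetical EDR record to one indicator per observable."""
    a = json.loads(alert_json)
    ts, sev, tool, name = a["detectedAt"], a["severity"].lower(), "edr", a["alertId"]
    ip, sha256 = a["remoteAddr"], a["process"]["sha256"]
    return [
        stix_indicator(f"[ipv4-addr:value = '{ip}']", ts, sev, tool, name),
        stix_indicator(f"[file:hashes.'SHA-256' = '{sha256}']", ts, sev, tool, name),
    ]


def normalize_cef(line):
    """Map the CEF firewall line to an indicator; CEF 'rt' is assumed to be UTC."""
    f = parse_cef(line)
    ts = (datetime.strptime(f["rt"], "%b %d %Y %H:%M:%S")
          .replace(tzinfo=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"))
    sev = "high" if f["severity"] >= 7 else "medium" if f["severity"] >= 4 else "low"
    tool = f"{f['vendor']}-{f['product']}"
    return [stix_indicator(f"[ipv4-addr:value = '{f['dst']}']", ts, sev, tool, f["name"])]


def build_bundle(objects):
    """Wrap normalized objects in a STIX bundle that any consumer can ingest."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def indicators_matching_ip(bundle, ip):
    """One query across every tool's data, because the patterns share a format."""
    wanted = f"[ipv4-addr:value = '{ip}']"
    return [o for o in bundle["objects"]
            if o["type"] == "indicator" and o["pattern"] == wanted]


if __name__ == "__main__":
    bundle = build_bundle(normalize_edr(EDR_ALERT_JSON) + normalize_cef(FW_ALERT_CEF))
    for hit in indicators_matching_ip(bundle, "203.0.113.7"):
        print(hit["x_source_tool"], hit["created"], hit["x_severity"])
```

The point is the last function: once the EDR and the firewall speak the same model, the analyst asks one question ("who else saw this address?") instead of reconciling two consoles by hand, which is the manual correlation step the article describes as the thing analysts skip.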

"It's less about combining [security tool] screens and more about assuring the multiple tools a customer has all interoperate with each other and [enterprises] don't have to spend so much time maintaining those integrations," IBM's Keirstead says. "A customer can swap out any one vendor and add a competitor's and they will work seamlessly."

Several security experts welcomed the OCA's effort. "I think it's a step in the right direction," says Jon Oltsik, senior principal analyst with Enterprise Strategy Group. Security organizations for years have been collecting and storing security data in various places and trying to analyze the same data across different tools, he says. And an open source integration layer effort lowers vendors' R&D burden, he adds.

Even so, Oltsik says he wonders why more large organizations themselves aren't driving such an effort rather than the vendors. "One thing that concerns me is you would think the demand side would be driving this versus the supply side," such as large financial firms, he says. "I'd like to see some big buy-side organizations" calling for vendors to support these open source standards if they want to sell to them, he says.

Current Consolidation Situation

MSSPs also face some of the same challenges as enterprise SOCs when it comes to integrating and streamlining tools. Kevin Hanes, COO at Secureworks, says the OCA effort for data "normalization" is a positive step by the industry. It's not an easy task today, he admits: "We have solved that through a variety of ways, with us doing the hard work to bring the normalization to our platform," Hanes says. "The more that can be solved at a higher plane ... that helps everyone."

It's common for startups to get funding to focus on a specific "pain point" in security and then roll out these very focused tools, he notes. But these and other tools then don't actually work together, he says. 

The OCA effort comes at a time when several security tool vendors already have been adding products and features that aggregate others' products, and when security orchestration, automation, and response (SOAR) is being consolidated into bigger platforms. Splunk now owns SOAR vendor Phantom, and Palo Alto Networks owns SOAR vendor Demisto, for example, and Elastic recently acquired endpoint security firm Endgame. Experts say more technology acquisitions and integrations are on the horizon.

"There's some pretty significant consolidation happening in the market right now," says James Carder, CISO at LogRhythm. "The reason being, I think, is that SIEM as promised decades ago was the be-all, end-all, single pane of glass for the modern SOC. Now there's SOAR, endpoint security, network components, and all those pieces that are in the SOC."

Carder says vendors are trying to consolidate SOC tools, including endpoint, SIEM, and SOAR, into single platforms, and build appropriate integration among the tools. "That's a trend we're seeing now in the SOC itself."

LogRhythm is doing that with its updated SIEM platform, the NextGen SIEM Platform, which combines SOAR, log management, security analytics, and network monitoring, for example, he says. "We may look at other acquisitions that could bolster [it] and give a SOC-in-a-box" offering, he says.

The OCA security-tool interoperability effort is a "sound" approach, Carder says. "Having a standard taxonomy and language and method for all different security technologies out there is a dream state of the industry where you don't have to build these special integrations with" multiple products, he says.

Even so, the industry is a long way from achieving that reality, he notes. There also are the non-security applications that have security ties to consider, he says, such as physical security systems like cameras or badging systems in an organization, and even human resources applications. For example, if a user logs in from an atypical location and suspicious network activity ensues, an HR app can't necessarily be queried to automatically check if he or she is on vacation, or if the user's credentials have been compromised. "You're still building one-off integration" with products outside security, Carder explains.

Some recently announced security tool integrations also demonstrate the pressure for vendors to unite disparate security tools. Security management platform vendor ReliaQuest, for example, acquired Threatcare earlier this month and plans to add its attack simulation technology to its GreyMatter security platform.



Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
