I’ve been talking about the problem of “Tool Sprawl” for over four years. I may have made up the term, or acquired it from somewhere else. I don’t remember. But the core idea is that buying a ton of security tools to fill in compliance gaps and spit out alerts doesn’t equate to security.  Even the coolest cyber security technology can be rendered useless if it is part of an avalanche of technology that an enterprise is trying to manage and respond to.

The clearest example of this is the constant problem of misconfigured firewalls, both traditional and next-gen, that have created a whole new category of products centered around validating FW rules and configurations or “Rule Clean Up.”  I’ll start by saying I think that those products are worth it, and I have proposed them to customers and would advocate they be used by any enterprise looking to protect their perimeters.

The problem is that only one category of product is being addressed to double check configurations.  What about your WAF/ADC, IPS/IDS, AV, EDR, Active Directory, PAM, vulnerability scanners, route/switch, or *gasp*? Shall I go on? How do we know anything in our network, end-point, and security tool environments are set up and configured right?  Adding more tools to check our tools only compounds the problem of tool sprawl mentioned above.

As a recovering Data Center enterprise architect, and present cyber security enterprise architect, my desire is to keep things simple, yet effective.  I am drawn to products and services that provide both Security ROI and Financial ROI.  Most assume correctly what a Financial ROI is, but what is “Security ROI”?  I look at it as quantifiably moving an enterprise’s security posture forward vs. the dollars spent.  Some good quick hit products in the security field are high bang for the buck I can rank with another tools Security ROI.  Believe it or not, there are some security tools out there that actually offer a true Financial ROI as well.  The best reduces both CAPEX and OPEX costs, as well as the labor overhead needed to manage everything.

The absolute home runs have both Security ROI and Financial ROI.  These are rare of course.  Keep an eye out for our soon to be released Federal whitepaper that will detail more about enterprise architectures and some go-to solutions that do have both. One of those solutions in our whitepaper is called security efficacy testing and automation. Sometimes referred to as “Security Instrumentation”, this software exposes misconfigured security tools, overlapping security products, confirms security teams are correctly responding to incidents, and allows an agency to continuously validate and improve layered defenses.  Often deploying a Security Instrumentation platform can immediately improve the security posture of an agency, as well as improve SOC processes in dealing with an incident, both with simple changes and little capital expenditure.

This is exactly what enterprise security teams need to battle tool sprawl.  Once you are able to identify what is and what is not working, you can justify consolidation and possible removal of ineffective tools, opening up CAPEX and OPEX for new tools that can fill in the gaps.

Join GuidePoint Security and Verodin on Feb 8th to hear more about security tool consolidation and how government agencies can move their security posture forward with less funds.


Click here to Register for the Feb 8th, 2018 Webinar.


About the author:

Jean-Paul Bergeaux, Federal CTO, GuidePoint Security

With more than 18 years of experience in the Federal technology industry, Jean-Paul Bergeaux is currently the Federal CTO for GuidePoint Security. JP’s career has been marked by success in technical leadership roles with ADIC (now Quantum), NetApp and Commvault and SwishData. Jean-Paul focuses on identifying customers’ challenges and architecting innovative solutions to solve their complex problems. He is also a thought leader on topics that are top of mind for Federal IT Managers like Cyber Security, VDI, Big Data, and Backup & Recovery.