When it comes to cyber security rationalization, government cyber security leaders tend to align with two general schools of thought:
- They say, "We’re running dozens of different cyber security tools and have no idea which ones can be eliminated safely." They then avoid making any changes for fear of introducing more risk.
- Or they say, "We’re actively measuring the performance and effectiveness of our security tools and processes," and they go about attempting to eliminate those that are redundant or no longer add value.
The first option is an ineffective way to approach the rationalization of cyber security tools, primarily because it does nothing to improve the efficacy of security capabilities. The second option is the better approach to rationalization, as it pragmatically implements the best solution for security while driving towards a greater return on investment.
As cyber security tools and processes have matured over the past 20 years, the means to automatically test, measure, and track the effectiveness of entire cyber security operations has not kept pace. As a result, agency cyber security leaders are forced to rely on promises, assumptions and hope. Vendors promise that products work as promoted, assuming that controls are deployed and configured optimally. At the end it’s all a hope that changes in the environment are implemented properly and the additional tool will increase overall security posture.
The old axiom holds true—if you can’t measure something, you can’t improve that something. Effective security rationalization depends on the ability to accurately and repeatedly measure many aspects of the cyber security infrastructure, team and processes. CISOs understand they have redundant, overlapping tools, but do they know what and where they are? There is a 100 percent chance employees have multiple anti-virus (AV) tools on their computers, even outside of work, and the enterprise is riddled with layers of scanning. All of these tools are in the environment to increase security, and yet there hasn't been an effective way to accomplish making informed decisions about which can be eliminated without introducing unacceptable risk into the environment.
The lack of visibility into cyber security tool effectiveness forces agencies to be reactionary or overly tactical with measuring cyber security risk. The art of risk mitigation is not a government-only problem; in fact, the average Fortune 500 company has deployed more than 100 different cyber security products. Further complicating things is the fact that a significant amount of these tools overlap in the information systems environment.
The majority of cyber security professionals we talk to at FireEye admit they are not reaching the full potential of their security portfolios. This has resulted in "security tools overload" and frustration for both security teams and executive management when trying to understand the real value of the cyber security dollars being spent.
The FireEye Verodin Security Instrumentation Platform (SIP) provides the visibility to break through the noise. Verodin SIP provides agencies with information from a platform agnostic of vendor bias that measures, manages and improves the effectiveness of security tools. It clearly, automatically and continuously reports on what’s working, as well as what’s not working and how to fix it. Recommendations were developed to be easily understood by technical and non-technical decision makers, with actionable and quantifiable data points that show where security effectiveness is improving or decaying over time.
The FireEye Verodin SIP deploys flexible software actors within the production environment (endpoint, network, cloud) that safely execute real attack behaviors against Verodin Virtual Appliances or in a Protected Theater—without exposing the production environment. The platform continuously monitors and validates the layered defenses, helping ensure that as threats evolve and the environment changes, cyber security effectiveness is understood and improving.
When cyber drift lowers security posture due to human error, a detection signature is overwritten or a correlation rule becomes stale, Verodin SIP will alter the Security Operations Center (SOC). This automated alerting brings to light changes that inadvertently increase the vulnerability to data. It’s impossible to rationalize cyber security tools and processes (in the good way) without this type of visibility. Verodin SIP assists agencies as they execute on their IT modernization initiatives with their eyes fully open to the impact on cyber security.
FireEye Verodin SIP is on the Continuous Diagnostics and Mitigation (CDM) approved product list (APL). Visit our FireEye Verodin SIP page to learn more.