It happens to all IT folks; security is no exception. Our inner consumer craves the hottest new security technology – “With this shiny new security tool we’ll be UNSTOPPABLE!!!” Sometimes we want to address a perceived risk to our environment – “This DLP solution is gonna instantly Judo-kick that data leak problem!” Still other times something old legitimately needs to be refreshed – think old school in-line firewalls vs next-gen firewall/IPS in virtual router mode. The reality is that new security products are needed for all sorts of different reasons. As a result, an organization’s tool stack tends to grow rather than contract. So is more better?
I’ve observed that many established security organizations still frequently perform poorly on penetration tests, not to mention possess glaring security risks such as those Windows XP boxes hiding in the corner. Yes, I realize good pen tests are about education and not necessarily about winning and losing at security. But, if the fancy tools don’t demonstrably improve your security when it really counts, such as a simulated network intrusion, that’s an issue in and of itself. Beware of any security solution posing as a panacea…
Next, consider asking yourself, “Are you realizing full ROI from each tool?” Answering that question requires concerted measurement. How many of us are literally auditing each tool for utilization and effectiveness before we add it to our stack? Security Engineers – I’m looking in your direction right now.
Do you want to show extra value to your leadership? Audit your own stack as part of your business case for a new security tool. It shows that you first value what you already have (business savvy) and have a real command of your tools (tech savvy). Heck, even bake some live fire exercises into your next on-site pen test. Put your tools to the test. Can your next-gen IPS detect DNS tunneling? Does outbound C2 traffic bound for their spoofed company domain get flagged?
Any good pen tester would be happy to set some time aside to side-saddle with you on that. Worst-case scenario, you learn what can be fixed with more tool optimization and what the real gaps are in your existing tool stack, which again can help drive the business case for the next security need under consideration.
Blumira’s SIEM platform is brand agnostic. We integrate with dozens of well-known security logs and APIs. The current list can be found on our website. Additionally, our talented development team is postured to make full use of any other log API type you can provide. Budget tight? We’ll happily provide easy-to-follow instructions on how to roll out some effective, if under-appreciated, built-in Microsoft security logging tools. Advanced incident response programs and forensic consultants alike rely on Windows built-ins all the time. They’re an excellent complement to antivirus, advanced endpoint protection, or endpoint detection and response tools!
Did you miss it? Check out “SecOps Simplified, Part 1: SIEM…Now Without the Headache!“
Mike Behrmann
Mike served at the National Security Agency for seven years where he focused on leading computer network exploitation operations and was later deployed to the FBI Detroit Division’s Cyber Task Force as a Threat Analyst. He joined NetWorks Group in 2015 where he and Matt Warner established the company’s Managed...
More from the blog
View All PostsSecOps, Simplified: Part 3 – Security Orchestration, Automation and Response
Read MoreXDR from Blumira: Improving SMB Security Outcomes
Read MoreSecOps Simplified, Part 5: Speed & Visibility: The REAL Power Couple
Read MoreSubscribe to email updates
Stay up-to-date on what's happening at this blog and get additional content about the benefits of subscribing.