Your Security Tools May Be Making You Insecure
Security Tool Sprawl, Attack Surface Management and Risks Laying at the Feet of CISOs
Addressing the Elephant in the Room
There’s an uncomfortable topic that warrants discussion within cybersecurity: while cybersecurity tools are meant to help organizations reduce risk, they often end up doing the opposite, for reasons we will discuss in this article.
Don’t believe me? Let’s look at some examples.
One quick recent example is the Department of the Treasury, which had a security incident due to the compromise of a cloud-based service from the security vendor BeyondTrust (ironic name, I know).
But wait, there’s more, much more.
CISA recently published its “2023 Top Routinely Exploited Vulnerabilities” report. What are some of the key vulnerabilities and vendors listed?
Fortinet FortiOS and FortiProxy SSL-VPN
(Not to pick on Fortinet, but if you go to the CISA Known Exploited Vulnerabilities (KEV) catalog, Fortinet has roughly 15 entries)
Barracuda Networks Email Security Gateway
Zoho ManageEngine (which includes a security component/capability)
CISA itself experienced an incident in early 2024 tied to products from the VPN vendor Ivanti.
Of course, Crowdstrike deserves an honorable mention for 2024. That was a faulty update rather than a security incident or compromise, but they’re a security vendor, so we must acknowledge them.
I don't mean to pick on Microsoft; granted, its incidents have been tied to things like email. Still, its incidents have impacted critical U.S. Federal and defense entities, been investigated by the Cyber Safety Review Board (CSRB), held a top spot on the CISA KEV, and even been called a “national security threat” while boasting tens of billions in security revenue.
Okta, an identity and access management (IAM) vendor, has experienced several reputational-impacting security incidents in recent years.
There are many more examples, but I just wanted to share a few to set the tone for the conversation.
The theme is that security tools are part of your attack surface and are highly sought-after targets, since they often have elevated privileges, far-reaching enterprise visibility, and major ramifications when compromised. They are also pervasive, as more and more organizations build out ever more complicated security tool stacks to try to address cybersecurity risks.
By the way, none of this is intended to criticize security vendors, as we know no software or system is infallible. However, it does warrant some discussion, especially given that security tools are intended to mitigate, not propagate, organizational risks—and their entire business model is based on trust.
As my friend Ross Haleliuk at Venture in Security says, “Everything in the industry relies on trust.”
Given that context, let’s discuss the situation a bit further.
CISOs and Risk Ownership
One hot topic in the industry lately is CISOs and risk ownership.
Folks have been discussing whether or not security “owns” the risk or if the business does. I think that, for the most part, cybersecurity does not own the risk, but the business does.
We’re often advising, advocating, educating, and recommending, all in an effort to empower the business to make risk-informed decisions. We can do this until we’re blue in the face, but at the end of the day, the business is going to do what the business is going to do.
This concept is articulated well in sources such as Tyler Farrar’s CSO Online article “The CISO Paradox: With great responsibility comes little or no power” and a recent Defense in Depth podcast episode titled “CISOs DO Own the Risk,” in which my friend Ross Young, contrary to the episode title, points out that security does not “own” the risk; the business does, and security is there to educate, inform, and advise, as I mentioned above.
Now, despite this CISO/Security Paradox, where security often feels powerless regarding business decisions and their risk ramifications, one area where we DO fully own the risk is security tools. The CISO and the security team generally control which security products, vendors, and tools are used within the enterprise.
This means we cannot shirk responsibility when an incident tied to a security vendor or product impacts the organization: we made the decision that introduced that tool, vendor, or product, and we shoulder the responsibility for the associated risks.
Increased Risk and Attack Surface
As I mentioned in the opening statement, security products and tools are ultimately part of the organization’s attack surface. These tools are vulnerable just like any other software and products. In fact, they are often run with elevated privileges and permissions, making their compromise and risk implications even larger than those of some of the benign enterprise software our business peers use.
These products and tools have vulnerabilities and require secure configuration, secure implementation, ongoing maintenance, and sustainment; all of the fundamental security practices we apply to the rest of the enterprise apply here, too. They are part of your software supply chain and can introduce risk just like anything else, and as we saw above, they often do, with damning impacts.
The risks from these tools aren’t isolated to vulnerabilities, configuration, and implementation, either. One hot topic in cybersecurity over the past year that has been getting long overdue attention is security tool sprawl.
As I have covered in Resilient Cyber before, the problem of cybersecurity sprawl is getting worse. Estimates of the average number of security products/tools in organizations range from 70-90 to as high as 130, with many considering the problem out of control. Despite that, surveys show that most security leaders plan to add to their security stack in the coming year, not reduce it. This is due to factors like the ever-evolving threat landscape, the creativity of attackers, and the growth and complexity of modern digital enterprises.
Due to the often insecure development, design, and implementation of technologies, organizations have to chase after the risks with an ever-growing list of security products. Leaders like Jen Easterly have quipped, “We have a software quality problem. We don’t need more security products, we need more secure products,” but this assumes vendors will place security over competing priorities such as feature development, business development/growth, and revenue, which is like wishing on a star. That isn’t how business works.
Each of these tools adds not only to considerations such as vulnerabilities, secure configuration, and secure integration and implementation, but also to burnout, cognitive overload, and decreased efficiency, as security teams can’t manage the growing security stack. Studies show that many of the tools never actually get fully implemented, configured, tuned, or optimized, and return questionable value to the organization.
Security teams typically don’t see linear growth correlating with the growth of an organization’s security tool stack, but the teams are expected to manage the growing tool stack nonetheless.
For example, the IANS 2024 Security Budget Benchmark Report found that security headcount growth has cooled, showing a multiyear decline from 31% in 2022 to 12% in 2024.
This isn’t to say that security staff growth should be infinite, but the fact that it continues to decline while security leaders admit to plans to add more security tools, even when teams are struggling to properly manage what is in place already, doesn’t bode well. Couple that with 39% year-over-year (YoY) growth in CVEs in the NVD from 2023 to 2024, and it is a path to problems.
These tools also need to be patched, secured, and maintained. Even when the tools are consumed as SaaS, this doesn’t absolve the organization of the risks from those vendors/tools: SaaS has become a critical part of the software supply chain as well, and attackers target SaaS tools and products just like self-hosted ones.
It’s simply an unrealistic and worsening problem.
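The two points above, that security tools carry exploitable vulnerabilities and that they need patching whether self-hosted or SaaS, are easy to check for your own stack. The following is an added example (my own code, not from Resilient Cyber or any vendor) that cross-references a constructed security-tool inventory against a feed in the shape of the CISA KEV JSON export. The key names mirror the real catalog, but the vendors, products, dates and CVE IDs are placeholders, and the inventory and "today" date are constructed for the example.

```python
import json
from datetime import date

# Constructed inventory of security tools an organization runs.
# Vendors, products and hosting models are made up for illustration.
INVENTORY = [
    {"vendor": "Acme Secure", "product": "Acme SSL-VPN Gateway", "privileged": True, "hosting": "self-hosted"},
    {"vendor": "Acme Secure", "product": "Acme Mail Filter", "privileged": False, "hosting": "SaaS"},
    {"vendor": "Globex IAM", "product": "Globex Identity Cloud", "privileged": True, "hosting": "SaaS"},
    {"vendor": "Initech", "product": "Initech Endpoint Agent", "privileged": True, "hosting": "self-hosted"},
]

# Constructed feed in the shape of the CISA KEV JSON export (same keys as the
# real catalog); the entries and CVE IDs are placeholders, not real records.
KEV_FEED_JSON = json.dumps({
    "title": "Constructed KEV-style sample",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "Acme Secure",
         "product": "Acme SSL-VPN Gateway", "dateAdded": "2024-01-10",
         "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00002", "vendorProject": "Globex IAM",
         "product": "Globex Identity Cloud", "dateAdded": "2025-01-05",
         "dueDate": "2025-06-30", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00003", "vendorProject": "Unrelated Vendor",
         "product": "Some Other Product", "dateAdded": "2024-11-01",
         "dueDate": "2024-11-22", "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def _norm(text):
    """Case-fold and collapse whitespace so vendor/product strings compare loosely."""
    return " ".join(text.lower().split())


def load_kev(raw_json):
    """Parse a KEV-shaped JSON document and return its vulnerability records."""
    return json.loads(raw_json)["vulnerabilities"]


def match_inventory(inventory, kev_entries, today):
    """Return one finding per (tool, KEV entry) pair whose vendor and product match."""
    findings = []
    for tool in inventory:
        vendor, product = _norm(tool["vendor"]), _norm(tool["product"])
        for entry in kev_entries:
            kev_product = _norm(entry["product"])
            if _norm(entry["vendorProject"]) != vendor:
                continue
            if product not in kev_product and kev_product not in product:
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "vendor": tool["vendor"],
                "product": tool["product"],
                "hosting": tool["hosting"],
                "privileged": tool["privileged"],
                "cve": entry["cveID"],
                "due": due.isoformat(),
                "overdue": due < today,
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            })
    # Overdue, privileged and ransomware-linked items sort to the top.
    findings.sort(key=lambda f: (f["overdue"], f["privileged"], f["ransomware"]), reverse=True)
    return findings


def summarize(inventory, findings):
    """Roll findings up into the numbers a CISO would put in a status report."""
    affected = {(f["vendor"], f["product"]) for f in findings}
    return {
        "tools": len(inventory),
        "tools_with_kev": len(affected),
        "overdue": sum(f["overdue"] for f in findings),
        "saas_affected": sum(f["hosting"] == "SaaS" for f in findings),
    }


def run(today="2025-01-15"):
    """Run the check against the constructed data for a fixed, constructed 'today'."""
    findings = match_inventory(INVENTORY, load_kev(KEV_FEED_JSON), date.fromisoformat(today))
    return findings, summarize(INVENTORY, findings)


if __name__ == "__main__":
    found, summary = run()
    for f in found:
        flag = "OVERDUE" if f["overdue"] else "open"
        print(f"{flag:8} {f['cve']} {f['vendor']} / {f['product']} ({f['hosting']}), due {f['due']}")
    print(summary)
```

Against the constructed data, the self-hosted VPN gateway shows up as overdue and the SaaS identity product shows up as open with a future due date; the SaaS entry is the point of the L42 argument, since a hosted tool still lands on the report. Swapping in the real KEV feed and your own inventory turns this into a recurring check that the security stack itself gets the same patch discipline as the rest of the estate.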
Platform vs. Point Product - Risk Doesn’t Discriminate
Now, the problem of security tool sprawl has reignited debates about platform vs. point products and has led major security vendors such as Palo Alto, Crowdstrike and Wiz to push a “platform” narrative, making the compelling value proposition to security customers that they would be better off consolidating their tool stack by leaning into platform offerings that have wide-ranging robust capabilities, rather than managing the untenable and ever-growing security tool stack.
This is a perfectly valid argument, and in many cases, it can make sense to trade in niche point products for robust platforms, but I say that with the major caveat that cybersecurity is too expansive of a space to have one single vendor to rule them all. Cybersecurity is horizontal, not vertical, meaning everything, such as networking, identity, storage, computing, development, CI/CD, and so on, needs to be secured, and no single vendor ever can or will secure it all.
This leaves room for innovative founders and startups to tackle niche emerging risks and attack vectors, since they can move and respond to the cybersecurity landscape faster than some of the larger industry leaders and incumbents.
That said, tools and capabilities often become commoditized, and established categories consolidate via M&A. Industry leaders acquire smaller innovative firms or build capabilities into their platforms to address new challenges and risks natively.
A good way to visualize and think of this natural lifecycle can be found in the article “Platform vs. best of the breed is a wrong way of looking at the industry.”
I say that risk doesn’t discriminate because point products and platforms each face unique risks.
Point products are typically the result of an innovative startup seeing a gap in the industry and setting out to tackle it with a new and promising solution. The problem is that these often mean small, scrappy teams with a much larger focus on factors such as speed to market, market share, customer attraction, and finding product market fit rather than security.
This isn’t to say that point products and small vendors can’t have secure products and companies, but it goes without saying that they often have fewer resources and less bandwidth to focus on securing their products and organization than some of the large, well-resourced industry leaders who’ve found some breathing room through their success.
Conversely, industry leaders with comprehensive platforms and products suffer a somewhat different fate. Due to their outsized market share, presence, and success, their products are widely used, understood, and familiar to customers and attackers alike. There’s a reason companies like Microsoft, which dominate the software industry, also dominate the CISA KEV: they are incredibly compelling targets for attackers. A vulnerability in a widely used product or platform means many potential targets, given the large customer base. The same applies to security leaders like Zscaler, Crowdstrike, Okta, and Palo Alto.
Heavy is the head that wears the crown, as they say.
Another consideration between the two paradigms when it comes to risk management is the tradeoffs of each. With point solutions, you inevitably have more tools to manage, configure, tune, secure, and maintain. With platforms, you have fewer tools but more systemic risk, meaning risk concentrated in greater dependence on a smaller pool of vendors, who, as we mentioned above, are big targets themselves.
Each path has its perils.
Closing Thoughts
Now, after all of this discussion about cybersecurity incidents, the role of security vendors/products in attack surface management, and the importance of trust in the cybersecurity industry, one glaring irony is that purchasing patterns largely stay unchanged despite these incidents.
There’s a saying that “trust is earned in drops and lost in buckets.” Ironically, in cybersecurity, an industry that operates on trust as its lifeblood, incidents seem to have limited, even negligible, impact on purchasing patterns.
The large vendors who have experienced incidents largely continue on unharmed in terms of market share/share price, and studies have shown that incidents typically lead to a less than 1.4% dip in share price, rebounding 41 days after an incident, and often rising to levels higher than prior to the incident.
Share prices and market share aside, the downstream risks and impacts to organizations tied to security products and vendors are real and significant. It is a risk that CISOs and security leaders do own and must be accountable for.
Hopefully this piece has provided thought fodder when it comes to the reality that security tools are part of our attack surface, and there are no simple solutions, given we need them to mitigate risks, and point products and platforms each have risk considerations.