

Using unified security management to reduce sprawl of security tools

In an era of security app sprawl, a unified security management framework could be the best way to corral security tools and ensure network integrity.

For years, IT security vendors and the data security community at large have been promoting the concept of layered security. This is the approach where you create overlapping layers of security tools, so intruders must defeat multiple checkpoints before any network can be successfully compromised.

While layered security is indeed a sound strategy, the sheer number of security tools deployed within the enterprise today is creating so much noise that many alerts go unchecked. That's why many security administrators are looking to unified security management products and orchestration to help reduce the number of security layers, consolidate management and eliminate gaps. The goal is to lower overall data security costs.

As reported by Gartner, worldwide spending on IT security products increased nearly 8% in 2016, compared to 2015. The next five years are expected to see similar spending growth. This growth in security spending reflects how seriously enterprises are taking data security.

Too many security tools, too many alerts

But IT managers have to make sure the security tools being purchased are being properly implemented -- and that alerts are being vigorously pursued. Unfortunately, many tools are being ignored by security administrators because there are just too many for them to handle. According to an informal study conducted by Cisco in 2016, it isn't unusual to find organizations with a patchwork of 40 to 60 or more security tools.

Reducing the overall number of security applications to a more manageable number isn't only beneficial from a threat protection and prevention standpoint. It can also be easier on your budget.

Unless you have an IT security team that can legitimately handle the management, support and investigation efforts needed to run dozens of security apps, perhaps it's time to start considering alternatives to this growing problem.

One option is to re-evaluate your portfolio of siloed security tools to consolidate them into a handful of products that work in a unified manner. Locally diagnosed threats -- as well as analytics from global cyber threat intelligence organizations -- can be shared among many security tools to rapidly and automatically mitigate threats. Additionally, since unified security management tools can now be configured to communicate with one another, it significantly increases the speed of retrospective security analysis. Retrospective security is used to identify how and when a breach occurred, and what devices or data were affected.

Tying disparate security applications into a cohesive whole

Unified security management architectures also provide advanced orchestration capabilities to push policy from a centralized location onto multiple security devices. This can be done both on premises and throughout private and hybrid cloud deployments. Instead of hopping from one security application to the next to update security profiles and policies, changes can largely be pushed out from a centralized security platform.

The same holds true for monitoring and alerting. The goal of a unified security management architecture is to shrink the panes of glass used for security monitoring to the point where tools and alerts don't get ignored or neglected. Some tools also have the capability to reduce the overall number of alerts by consolidating multiple alerts into a single alerting event.
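As an added illustration of the alert consolidation mentioned above (example code written for this page, not from the article or any vendor product): a small correlator that folds alerts raised by several siloed tools about the same host within a time window into one event, so the analyst sees a single item listing every contributing source rather than several separate alerts. The tool names, hosts and alerts are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Alert:
    ts: datetime   # when the tool raised it
    tool: str      # which siloed product produced it
    host: str      # affected asset; used here as the correlation key
    signal: str    # short description of what the tool saw

@dataclass
class Event:
    host: str
    last_seen: datetime
    tools: set = field(default_factory=set)
    signals: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Independent tools agreeing on one host is stronger evidence than
        # any single alert, so severity rises with corroboration.
        n = len(self.tools)
        return "high" if n >= 3 else "medium" if n == 2 else "low"

def consolidate(alerts, window=timedelta(minutes=15)):
    # Fold alerts about the same host that arrive within `window` of each
    # other into one Event; a gap longer than the window starts a new one.
    events, open_by_host = [], {}
    for a in sorted(alerts, key=lambda x: x.ts):
        ev = open_by_host.get(a.host)
        if ev is None or a.ts - ev.last_seen > window:
            ev = Event(a.host, a.ts)
            events.append(ev)
            open_by_host[a.host] = ev
        ev.last_seen = a.ts
        ev.tools.add(a.tool)
        ev.signals.append(f"{a.tool}: {a.signal}")
    return events

# Constructed sample data: three tools fire on ws-17 within minutes, one
# stray alert on db-02, then an unrelated ws-17 alert two hours later.
T = datetime(2017, 4, 3, 9, 0)
SAMPLE = [
    Alert(T, "ids", "ws-17", "outbound beacon to known-bad domain"),
    Alert(T + timedelta(minutes=2), "edr", "ws-17", "suspicious child process"),
    Alert(T + timedelta(minutes=5), "proxy", "ws-17", "blocked download"),
    Alert(T + timedelta(minutes=40), "ids", "db-02", "port scan"),
    Alert(T + timedelta(hours=2), "edr", "ws-17", "new scheduled task"),
]
```

Calling consolidate(SAMPLE) yields three events: one high-severity event for ws-17 backed by all three tools, plus two single-source events that fall outside the window.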

There's absolutely no doubt that many of the security tools you have deployed today aren't going to play nice with others in a unified way. After all, the previous layered architecture of overlapping siloed devices didn't call for this type of interoperability. So, while it's likely impossible to move to a unified security architecture overnight, it might be time to consider a multiyear roadmap to eventually migrate to one.

Chart: Worldwide information security product spending

Sharing threat information

Be sure to identify which of the security applications you have deployed can cooperate with others by sharing threat information. Then, make sure any new applications possess unified architecture capabilities. This certainly would be easier using a single-vendor approach, but it's not an absolute necessity. Most data security providers are warming up to the fact that cross-vendor interoperation and unification are becoming a necessity. Therefore, vendors are shipping their tools and services with API hooks to connect to complementary tools.

The budget savings follow from the sheer number of security applications most enterprises deploy. Because they find it difficult to gauge whether their infrastructures have any security gaps, they wind up installing too many security tools.

But by using a unified security management architecture, IT security administrators can see an end-to-end security framework, as opposed to a whole lot of individual tools. And that visibility allows them to stop throwing tools at security gaps that may or may not exist.


This was last published in April 2017
