You’ve heard the old saying, “Don’t bring a knife to a gunfight.” It applies to many situations, but it is especially apt for cyber security professionals. The criminals you’re up against have advanced weaponry. You need tools of the same calibre, or better, if you want to defend and proactively protect your company.
In this post, I’ll help you prepare for the never-ending uphill battle every security leader faces by giving you an overview of the types of security tools on the market and how to decide which are best for your needs. I’ll also discuss how to verify and validate the value and claims of tools before you bring them into your IT environment.
What Kinds of Security Tools Can You Put In Your Arsenal?
Sometimes you might need a weapon like an arrow so you can hit a bullseye; other times, you might need the power of a tank to roll over the enemy and get them out of your system. With thousands of security tools available on the market, you need to decide between single-purpose and multi-purpose tools. Keep in mind that many vendors claim their tool is ‘all-purpose,’ but those often take a jack-of-all-trades, master-of-none approach, so be cautious: no vendor can devote full attention to every need at once.
In general, tools are categorized by purpose, vector, or type, with each having unique subcategories.
Tools by Purpose
Preventative tools include antivirus solutions, secure web gateways, and firewalls, all of which work well for monitoring and preventing commoditized threats. Detection tools monitor networks for policy violations or malicious activities, including malware, DoS attacks, or port scans, sending alerts when suspicious patterns in incoming packets are identified. Hardening tools reduce vulnerabilities across apps, infrastructure, systems, and more to eliminate potential attack vectors and shrink attack surfaces.
Patches are released by software or firmware developers, and once installed, they fix identified flaws that could otherwise be exploited. Security auditing tools make it easier to run, standardize, and communicate audit strategies, see potential vulnerabilities, and track historical performance. Simulation tools allow you to safely simulate a real attack to see how systems and teams respond so you can optimize policies and procedures.
Tools by Vector
Attackers can gain access to or penetrate your systems through any number of different attack vectors or exploitable paths. Security pros need to ensure their toolset protects their entire attack surface. That includes devices, applications, endpoints, databases, internal and external networks, cloud infrastructure and storage, SaaS programs, and more, plus breach points such as weak passwords, phishing emails, social engineering methods, misconfigurations, unpatched software, and so on.
Tools by Type
Finally, security tools can be qualified by type, such as firewalls (FWs), web application firewalls (WAFs), or identity and access management (IAM). Most security teams also consider advanced solutions, including endpoint protection platforms (EPPs) or endpoint threat detection and response (EDR).
How To Choose the Best (Security) Weapons
Selecting the right tool for the right job is no easy feat, but by asking yourself a few key questions, you can frame the fight and your enemy in the right light, which will lead you to the optimal choice. Let me bring some clarity to this with a few examples.
Ask yourself: What is my goal?
This question will help you choose a tool with a specific purpose. Suppose you answer that you need to pass a security audit. In that case, you will want to find a reliable and reputable tool from a company that specializes in auditing tools. It will check most, if not all, of the boxes for your audit. The same solution may also offer other types of defenses; you can consider using those as well, with the caveat that they might not be up to best-of-breed standards.
Ask yourself: What are my assets?
Your answer to that question will point you to a tool by type. If your company is like many others and has implemented work from home (WFH) and bring your own device (BYOD) policies, consider investing in an EPP rather than network protection.
Remember that while these questions are great starting points for prioritizing security tool selection, defining a single goal or asset will not offer comprehensive security. You need to utilize multiple security tools and keep in mind that your enemy is ever-present and ever-evolving. A one-and-done approach will not suffice. Security is on a spectrum that needs to be checked and monitored continually.
Consider different methodologies, tools, and utilities to better understand the breadth and scope of which tools you need to defend your entire IT environment. Here are a few resources to get you on the right path:
- National Institute of Standards and Technology
- VECTR – an open-source tool for purple team assessments
- MITRE ATT&CK – a global knowledge base of adversary TTPs based on real-world observations
- COBIT and CIS Controls
The Try Before You Buy Approach
Sometimes, from the outside, a tool looks like it will solve all your problems. However, when you dig deeper, the supposedly well-built weapon begins to fall apart, or at the very least, not work as expected. Don’t fall for website hype. It’s critical to take extra steps to validate that the security tool will do what you need, perform as expected, and work in unison with all your other tools, technologies, and systems.
Here are my tips for ensuring that you make the right decisions:
- See how it ranks among industry experts: Check out Gartner’s Magic Quadrant
- Read reviews: search discussion threads on Reddit and user reviews on Gartner
- Check to see if it fits your organizational policies
- Make sure it doesn’t conflict with current defense tools
- Use an expert for testing purposes, i.e., to test an EDR, consult a hacker or penetration tester who specializes in endpoint attacks and have the product tested in that expert’s environment
- Confirm the vendor uses industry standards and complies with regulations and security measures
- Check the service level agreement (SLA) and ensure the vendor can safeguard your data and respond to incidents
- See that the vendor has a strong user community
- Verify you can make necessary changes or that it at least has an API or plugin capabilities
- Make sure it has visibility for incident response (IR) and monitoring
- Ensure you can work with the tool or hire an expert to assist or manage it
- Verify it fits company needs in regards to pricing and scaling
There you have it. If you follow my advice, you will be well on your way to picking the security tools that will lead you into battle and give you the best chance of winning every fight.
I’ll leave you with one final thought: all too often, I see companies shelling out huge payments for tools they don’t really need, tools they don’t know how to operate, and tools that don’t fit into their environment. Such a tool was usually purchased because of industry hype, but just because it’s the perfect weapon for one company doesn’t mean it is for yours.
Think about your needs and buy the tools that will make you a champion.