Diversification is often encouraged in investing in order to manage risk. The rationale: if your investments fail, you will have fallbacks since it’s highly unlikely for all of them to fail at the same time. Does this logic also apply to cybersecurity? The answer is no.
Many enterprises nonetheless run several cybersecurity products from different providers, still holding the misconception that diversity of vendors translates into superior security.
Complexity and inefficiency
Imagine running one program for antivirus protection, another for email scanning, yet another for spyware removal, and so on. Enterprises may likewise deploy separate products for endpoint detection and response (EDR), user behavioral analysis (UBA), and network traffic analysis (NTA).
While some may think that the combination of solutions from various vendors brings the best of the best for the protection of the enterprise, the reality is that it results in a less than formidable setup.
For one, overlapping functions are highly likely. Most antivirus products, for instance, bundle a multitude of features including email scanning, password management, and even link scanning, and reconciling functions that conflict with one another is not easy.
Which ones should be deactivated (if they can be deactivated at all)? Which ones to be allowed to continue operating? Can similar functions be allowed to run at the same time?
Add to these the deluge of security alerts. It is already overwhelming to have a seemingly endless stream of notifications from current security solutions such as EDR. Instead of achieving better threat detection and prevention, running similar security functions may result in system conflicts and loads of unnecessary information.
It can create inefficiencies and a false sense of security because of the misconception that if one layer of similar protection fails, another one might be able to detect and deal with it.
This situation is referred to as “defense with inadequate depth,” one of the three network security practices CISOs should avoid according to an insightful Gartner post.
“This approach is often misconstrued to mean ‘use more vendors’ or to prefer a best-of-breed approach for all solutions. This approach can foster under-engineering if there is a mentality that ‘other layers will protect us’,” Gartner’s guide suggests.
Aside from being operationally inefficient, multi-vendor security can also be pricier because a company is forced to buy entire protection packages with possible redundant functions. It also adds more system administration burden and information siloing when it is not possible to integrate the different security solutions.
No study supports the idea that it is cost-efficient to use several security solutions from multiple vendors, and most security analysts agree that there is no compelling reason to prefer multiple security products from different vendors.
Neil MacDonald, a member of Gartner’s information security and privacy research team, has this to say:
“DID (Defense-in-Depth) does not mean having to buy lots of point solutions from lots of different vendors to address each new threat. Security vendors may want this. We don’t. We can’t. Not in this year of tight budgets.”
What to do?
The field of cybersecurity has changed a great deal over decades of evolution. Once, having an antivirus was considered adequate. Then came the need for next-generation antivirus. Subsequently, as endpoints became favored targets, Endpoint Detection and Response (EDR) solutions emerged, along with UBA, NTA, and deception analysis and prevention.
As EDR started to become less than adequate, XDR (Extended Detection and Response) was introduced. Also known as Cross Detection and Response, XDR is a security solution that unifies detection, investigation, remediation, and prevention aspects of cyber threat response. It provides a single platform for handling an extensive variety of threats or attacks.
Additionally, XDR integrates automation and artificial intelligence to contextualize security logs. This feature makes it easier to identify important security events that require an urgent response. Some XDR platforms also feature pre-built remediation and incident response tools to facilitate the faster resolution of detected problems.
As a SolarWinds whitepaper [PDF] on security log generation demonstrates, an alert overload problem is easy to arrive at. An organization with a thousand employees can generate more than 20,000 security events per second, which works out to well over a billion per day, and without filtering or correlation each of those is a candidate notification. Going through all of these is not only tedious; it also creates opportunities for serious threats to go undetected.
Enterprises should thus consider an XDR platform provided by a single vendor instead of relying on security solutions from multiple providers. XDR enables continuous monitoring and management of incoming alerts while reducing false positives and increasing threat detection accuracy. It also facilitates threat investigation by supplying updated indicators of compromise (IOCs) and supporting on-demand file analysis.
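To make the contextualization and alert-reduction claims above concrete, here is a toy cross-telemetry correlator. It is an added example written for this page, not code from any XDR product or from the whitepaper or presentations cited here. It assumes a constructed, shared alert schema (timestamp, source, host, user, signal, severity) for EDR, NTA and UBA alerts, joins them on the host name within a 15-minute window, and scores an incident higher when independent telemetry sources corroborate each other. Real products use vendor-specific schemas and richer entity graphs; the sample alerts and the scoring weights are illustrative assumptions.

```python
"""Toy cross-telemetry alert correlator (added example; not from the page).

Assumptions (constructed for illustration, not any vendor's schema):
  * Alerts from EDR, NTA and UBA arrive as dicts with one shared schema.
  * The entity used to join them is the host name; a real system would
    also pivot on user, process and destination.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: three telemetry sources, two hosts.
SAMPLE_ALERTS = [
    {"ts": "2024-03-01T09:00:05", "source": "EDR", "host": "ws-017", "user": "alice",
     "signal": "suspicious_powershell", "severity": 4},
    {"ts": "2024-03-01T09:00:05", "source": "EDR", "host": "ws-017", "user": "alice",
     "signal": "suspicious_powershell", "severity": 4},   # exact duplicate
    {"ts": "2024-03-01T09:01:40", "source": "NTA", "host": "ws-017", "user": None,
     "signal": "dns_to_new_domain", "severity": 2},
    {"ts": "2024-03-01T09:03:10", "source": "UBA", "host": "ws-017", "user": "alice",
     "signal": "logon_outside_baseline", "severity": 3},
    {"ts": "2024-03-01T09:02:00", "source": "NTA", "host": "ws-042", "user": None,
     "signal": "dns_to_new_domain", "severity": 2},
    {"ts": "2024-03-01T11:30:00", "source": "EDR", "host": "ws-042", "user": "bob",
     "signal": "unsigned_driver_load", "severity": 3},
]

WINDOW = timedelta(minutes=15)   # assumed correlation window


def dedupe(alerts):
    """Drop alerts that repeat the same (ts, source, host, signal) tuple."""
    seen, out = set(), []
    for a in alerts:
        key = (a["ts"], a["source"], a["host"], a["signal"])
        if key not in seen:
            seen.add(key)
            out.append(a)
    return out


def correlate(alerts, window=WINDOW):
    """Group alerts into per-host incidents; a gap longer than `window`
    between consecutive alerts on a host starts a new incident.

    Score = highest severity in the incident + 2 per additional independent
    telemetry source, so EDR+NTA+UBA agreeing on one host outranks a single
    high-severity alert from one product.
    """
    by_host = defaultdict(list)
    for a in sorted(dedupe(alerts), key=lambda a: a["ts"]):   # ISO timestamps sort lexically
        by_host[a["host"]].append(a)

    incidents = []
    for host, items in by_host.items():
        current = None
        for a in items:
            t = datetime.fromisoformat(a["ts"])
            if current is None or t - current["end"] > window:
                current = {"host": host, "start": t, "end": t, "alerts": []}
                incidents.append(current)
            current["end"] = t
            current["alerts"].append(a)

    for inc in incidents:
        sources = {a["source"] for a in inc["alerts"]}
        inc["sources"] = sorted(sources)
        inc["score"] = max(a["severity"] for a in inc["alerts"]) + 2 * (len(sources) - 1)
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


def triage(alerts, threshold=5):
    """Split incidents into (urgent, backlog) by score; threshold is assumed."""
    incidents = correlate(alerts)
    urgent = [i for i in incidents if i["score"] >= threshold]
    backlog = [i for i in incidents if i["score"] < threshold]
    return urgent, backlog


if __name__ == "__main__":
    urgent, backlog = triage(SAMPLE_ALERTS)
    total = len(urgent) + len(backlog)
    print(f"{len(SAMPLE_ALERTS)} raw alerts -> {total} incidents, {len(urgent)} urgent")
    for inc in urgent + backlog:
        print(inc["host"], inc["sources"], "score", inc["score"])
```

Six raw alerts collapse to three incidents and one urgent item: the host where EDR, NTA and UBA all fired within a few minutes. The two single-source alerts on the other host stay in the backlog, which is the point the text makes about contextualized alerts surfacing what needs an urgent response. The same join is impossible when the three sources are separate products with no shared schema or entity model.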
A presentation [PDF] by Eric Skinner at the RSA Conference 2020 highlights the advantages of XDR especially when it comes to attaining better network visibility. “XDR becomes the logical home of any decisions re: automated threat response because XDR has the best amount of information at hand,” Skinner explains.
Preference for a unified security system
In the absence of seamless integration, the best way to address the complexities and inefficiencies of using multi-vendor security systems is to switch to a unified system that enables full visibility across endpoints, networks, and users.
Dealing with evolving cyber threats is challenging enough. There is no reason to make things even more complicated and difficult to manage by working with solutions from different vendors.