For every problem, there is a solution. In the world of cyber security, however, if each and every problem is solved by a different solution, solution fatigue can quickly become a new problem. Recent attendance at any major security conference is an excellent barometer of the state of the cybersecurity market. As Gartner analyst Anton Chuvakin noted in his post-RSA Security Conference blog, “A lot of the tools firmly target the security one percenters, not the mainstream. These tools can only be utilized by people with large and experienced teams.”
Solution fatigue is caused by the use of numerous disparate systems fielded to reduce risk to an organization, including standards like firewalls and anti-virus software to niche solutions like ransomware prevention, social media threat monitoring or deception. Indeed, as an industry, the cybersecurity field has a penchant for best-of-breed solutions. Unfortunately, for each solution deployed, there is an inherent cost of deployment and maintenance. In addition, each solution requires a specific expertise or knowledge to make the most effective and efficient use of that solution moving forward. Combined, these factors can lead to solution fatigue as more problems parlay into an overwhelming amount of solutions.
In striving to achieve ‘defense in depth’—a multi-layered and redundant approach to cybersecurity in which the failure of one system does not mean the failure of the whole—companies easily succumb to the impulse to deploy a new solution for every new problem. More tools, however, does not necessarily equal better security. There is an economy of scale relative to the amount of risk mitigated versus the total number of systems deployed to reduce that risk. When too many point solutions are deployed, solution/dashboard/alert fatigue renders users numb to the useful information that would prevent or detect a breach.
The Age Old Game of Cat and Mouse
There has always been the issue of deploying best-of-breed solutions for any problem set—and cybersecurity is no different.
With innumerable paths to attack or penetrate an organization and with each new defense technique, the adversary quickly adapts and identifies another attack path. Cybersecurity solutions, like many other technology platforms, can only adapt so quickly and may not be able to fortify or defend against the latest attack path or TTPs (tactics, techniques and procedures) of an adversary.
Depending on the exposure and velocity of such attacks and the shift in TTPs, it might be considered worthwhile to deploy another solution to solve the latest threat. In response, the industry again advances another solution to address niche TTPs and attack paths—a shiny new tool to fix the latest problem. This is also illustrated with the various solutions introduced in response to ransomware’s increased employment and notoriety. The problem here? Yet another solution to learn, manage and monitor.
A Better Mouse Trap?
While new tools are developed constantly, their addition to your arsenal may cause more harm than good. Adding new solutions to your toolset should be done with careful consideration.
Here are the top five areas to examine when contemplating the addition of a new solution:
- Underutilization of existing solutions — This is oftentimes the case. When a new solution is deployed the team, through no fault of their own, works hard to show a win to leadership based on this solution. They want to show ROI to the team and/or the board. All of the employees want to use the new solution, thereby stagnating the skills required on other solutions.
Ensure your staff has access to, and is properly trained on existing solutions to maximize their full benefits. If you have a solution that rarely gets used but still requires care and feeding, consider reducing your technology debt and ending that solution.
- Over-reliance of the new solution — Will attention be diverted to the new solution while monitoring and management of existing solutions lag? Will folks ask too much of the new solution to solve problems for which is wasn’t designed?
Avoid shiny object syndrome at all costs. Many point solutions are really just features that should be included in another solution or used by very mature organizations with specific use cases and the appropriate bandwidth.
- Expertise required of the solution — This is key. Does your organization have the expertise to use the solution? Is this an extension of existing skillsets or will the team require additional training to make the most effective use of the solution?
The higher the level of expertise required to efficiently and effectively use a solution, the greater the risk for solution fatigue. Expertise is gained through time and effort, which inherently means that other solutions will be neglected in the meantime.
- Ability to integrate the solution — Will this be a standalone solution, or will it integrate into your existing technology stack? Will it introduce additional steps into your workflow?
Make sure to review all of your existing toolsets and capabilities to determine if there is enough overlap of existing solutions to address the issue. If you identify a gap in your existing risk management program, quickly escalate this to your existing solution providers to ensure you are using their solution correctly—maybe they have a way of detecting or defending against this latest threat—or see if it is on their roadmap.
- Operational costs of solutions — Organizations must not only consider the additional layer of ‘defense in depth’ added by another solution, or perceived risk reduction, but the operational costs of the solution. Do I need to add additional staff to design, deploy and manage the solution?
Don’t be fooled into thinking best of breed solutions for each and every potential problem are the correct approach. While fear may drive cyber security teams to seek these niche solutions, multi-point solutions still exist that will address the latest attacks without spreading attention and resources thin. If you acquire solutions that solve multiple problems and they perform respectably, the reduction in operational and expertise costs can significantly outweigh the increased costs of another solution.
As evidenced by the Target breach, having solutions in place may not equal successfully defending against a breach. Target did indeed have the technology, and did indeed identify the breach to their organization; however, they failed to respond to the alerts in a timely fashion. Whether this was an issue of solution fatigue (too many solutions to monitor), or alert fatigue (too many alerts to respond to) is ambiguous, but it is certain that they had numerous solutions in place.
Did they have the expertise and/or staff to investigate the threat across all of their disparate platforms? Did they have eyes on this specific solution? These are the sorts of questions that need to be asked when evaluating whether or not new solutions will help solve problems or simply add to solution fatigue.