Small-to-medium-sized businesses (SMBs) frequently face three cybersecurity “givens.” The first is that you are not too insignificant to be targeted by cybercriminals; to avoid attention, even large ransomware gangs are refocusing their efforts on mid-sized victims. The second is that your attack surface is growing – especially with cloud adoption, SaaS adoption, and Work-From-Home (WFH) – while threat actors continue to develop new, more sophisticated approaches. The third is that you most likely have too many cybersecurity tools and vendors to be effective. According to a Ponemon study, businesses use an average of 47 different cybersecurity solutions and technologies. This happens because new security measures are typically adopted one at a time, each either a new technology or a point solution for an emerging threat or vulnerability. When you lack the expertise and resources to manage all of those tools, or the people and time to interpret and act on the analytics they generate, the resulting sprawl in security operations can actually reduce cybersecurity effectiveness.

The Antidote for Sprawl is Consolidation

Consolidating cybersecurity tools and vendors to simplify your security operations is the cure for this technology and vendor sprawl. Start by looking for places where different vendors’ capabilities overlap. Then choose a partner with the breadth of cybersecurity technology and the depth of cybersecurity expertise to take on several of those functions, so you can consolidate.

SMBs frequently lack the resources to monitor and evaluate the flow of data from their security infrastructure. Consider aggregating log data and sending it to a SOC-as-a-Service provider. These security vendors can apply their expertise, along with advanced tools such as artificial intelligence, to monitor log data 24 hours a day, seven days a week, and alert you to events that require your attention. This provides round-the-clock coverage and frees your staff to concentrate on the tasks that matter most to safeguarding your assets.

Defense-in-Depth: A Method for Uncovering Consolidation Opportunities

You must consider your entire cybersecurity infrastructure and vendor network before making fully informed decisions about consolidation. One strategy is to organize your review around the defense-in-depth threat cycle, which offers a comprehensive approach to security management both before and after the “boom” (a security incident). Working through each layer of a multi-layered approach to cybersecurity in this way lets you identify overlaps as well as gaps.

Left of Boom: Predict and Prevent

While you can’t eliminate risk entirely, you can reduce it or proactively manage it pre-breach by minimizing the likelihood of a cyber attack.

Predict: The predict phase of defense-in-depth focuses on gaining a better understanding of your attack surface and managing vulnerabilities effectively. Does your vulnerability management solution provide remediation recommendations in addition to scanning and reporting, so you can act quickly when vulnerabilities are discovered? How are new devices and resources, such as cloud and containers, being incorporated? Can your vulnerability management provider supply actionable threat intelligence based on threat data feeds from partners and open-source providers?

Vulnerability management and patching are essential left-of-boom capabilities for any security program. The value of scanning lies in obtaining actionable mitigation steps that you can carry out effectively and efficiently. Internally, however, vulnerability management is frequently overlooked because limited resources are focused higher up the tech stack, and disrupting the business to perform the necessary scanning is inconvenient. A reputable provider can take care of this for you, ensuring that scanning occurs on a regular basis and at a time of your choosing to minimize interruptions.

Prevent: How comprehensive is your endpoint security? Do you use multiple vendors in this space to cover all physical endpoints (including all commonly used endpoint operating systems and file types) as well as virtual desktop solutions like Amazon Workspaces and Citrix, VMware, and Microsoft virtual desktops? If so, could a single vendor cover all of those endpoints with a single solution?

Can that one vendor also conduct threat hunting in your environment to protect you from the most evasive known and unknown threats? Many of these threats, such as ransomware and advanced persistent threats, remain undetected in a victim’s environment for days or weeks before launching their payload. Threat hunting, especially solutions that combine human and artificial intelligence, can help prevent the boom.

Right of Boom: Detect and Respond

Take steps post-breach to reduce the impact of a successful cyber attack.

Detect: The acronym XDR, which stands for Extended Detection and Response, is gaining popularity. Consolidation is the focus of XDR: the “X” combines multiple capabilities such as NDR (network) and EDR (endpoint). If you currently use multiple vendors for a variety of detect and respond solutions, you can greatly simplify your security operations by partnering with a single vendor that can truly provide consolidated visibility and management.

For the detect component of XDR, make sure a provider’s solution includes a SIEM (Security Information and Event Management) component that aggregates log data from across your environment (network, endpoints, cloud) for real-time analysis. Managed solutions should include SOC-as-a-Service to provide expert review of the SIEM’s rule-based alerts.

In the minutes following the boom, an Intrusion Detection System (IDS) can help by detecting unusual patterns or anomalies in your network and systems. To be effective, an IDS must be tuned on a regular basis to keep up with new threat intelligence. The provider’s Security Operations Center (SOC) turns those detections into actionable information about malicious activity. To help guard against insider threats, SOC behavioral analysts examine anomalies in human activity detected within the network, such as accessing sensitive data or initiating downloads.

Respond: The “R” in XDR stands for respond. Part of your response capability should be automated, so that suspicious activity can be blocked in real time before it causes any harm; response automation such as Application Control is one way to do this. Consolidation service providers should ideally include Incident Response support, including playbooks customized to your environment. Look for a provider who will work with you and provide timely support while you keep control of the mitigation process, with your own hands on the keyboard. If you have other strategic priorities to manage or lack the staff or skills, look for a Managed Security Service Provider (MSSP) with a 24/7 Security Operations Center (SOC) that can supplement your team.

The Final Note: Platform Versus Conglomeration

When you’re considering consolidating vendors, examine how each candidate came to offer more than a single-point solution. In the security market, it’s not uncommon for companies to expand through acquisitions, and many of them offer a jumble of disjointed point products or services under the guise of a consolidated solution.

CYB3R-X uses a managed platform approach, which has the advantage of bringing together capabilities at the core and allowing them to be accessed from a single, centrally managed console. Across your organization, our defense-in-depth capabilities work together to predict, prevent, detect, and respond to threats. Learn more about CYB3R-X Managed Threat Protection and defense-in-depth.