Stuck in Vendorland – Are you Managing Security or Managing Vendors?

This is a guest blog post from Steve Bomberger, Head of SEI IT Services at SEI

Escaping from “Vendorland” propelled our business to greater heights of cybersecurity.

What is Vendorland? In cybersecurity, it is where a business — typically small to medium sized — has deployed a collection of security tools through various vendors, but is then constrained by the limitations of each individual tool and/or vendor.

Each vendor tool has a valuable capability to keep the business safe, but in Vendorland it’s quite difficult to pinpoint one’s true security risks.

What does this look like and how can appropriate risk evaluation take place in this vendor-limited state? Here’s a common situation:

A fictitious business, JustinCo, adds a good product from a reliable company to its existing network protection layer for firewall monitoring and management. Additionally, the company has protections in the other two pillars (email and endpoint) for defense in depth.

The JustinCo IT team, engaged in security, notices suspicious activity. The team identifies some unique characteristics of a threat group but does not have the internal experts to implement a block. They reach out to their security vendors with frustratingly little success in addressing the situation quickly.

The IT team looks to the security-sharing community for help alleviating the anxiety. An analyst from this community graciously provides a control script that others have used for this kind of attack. However, JustinCo’s tools and solutions aren’t compatible — they cannot implement the control as written. They have to call in a favor from a peer, who helps them translate the control to fit JustinCo’s network protection tools.

Pinpointing true risk

After a moment of relief, the JustinCo IT team asks themselves, “What about our email and endpoint protections? Do they have controls for this threat as well?”

This is getting to the heart of what defense in depth really looks like. Do we have defense in depth if only one vendor tool has a control for this threat? What about the other threats we’ll face? Realistically, going back through this process for each tool, vendor, or pillar and trying to pinpoint each active threat would be exhausting.

For JustinCo, getting out of Vendorland while creating true defense in depth involves plugging those gaps: taking intelligence from their own infrastructure and turning it into protections in each pillar. Adapting vendor tools to the business environment is tricky, but it is key to strong security and to getting out of Vendorland.

Once those gaps are plugged, if a threat attempts to reach JustinCo’s network, the IT team can be confident that there is coverage. If that coverage were to fail (and it sometimes will), they have assurance that email and endpoint protections are prepared with subsequent controls. This is how the tools should serve the business: taking the best parts of what each does, feeding that into the security program, and deliberately integrating them to work together. JustinCo previously assumed that for a given threat, Vendors A, B and C all had relevant protections. This is a false sense of security. Now they know, for the threats they are actually facing:

  • The level of security and protection of each pillar
  • The effectiveness of each vendor tool
  • If there is an overlap of coverage for that threat throughout the infrastructure

Tools from multiple vendors can each contribute valuable features, but having multiple tools doesn’t inherently mean multiple layers of defense. It could really mean a series of single points of failure. Adding more vendors is not the solution to getting out of Vendorland.

This was originally posted on the SEI Website