By: Colin Murray, ITMG Insider Threat Analyst
Use it or lose it. This is the phrase many say when they are buying a new application with the remainder of the budget left over for a year or quarter. There is something that a new application can do that the others don’t quite do as well. And if you have the budget, why shouldn’t you go and buy it?
It is this thought process that often leads to security environments having a smorgasbord of applications over the years. An analyst will go to one application for email activity, another application for network uploads, then there is printing, and USB, and even a separate one for case management. This leads to confusion, inefficiency, repetition, and very difficult onboarding training for new hires. When there are numerous sources of information that must be accessed it leads to opportunity for mistakes. A hand-off or escalation of an incident often necessitates rewriting information into a separate case management system. Then the next analyst or investigator receives that escalation and will likely require an explanation of where information was found. Each of these steps is an opportunity for information to be missed, transcribed incorrectly, or misunderstood. But what can be done about it?
Integrating new applications into existing applications is a must. Whenever possible new applications should use APIs to integrate with existing applications so that a single pane-of-glass is used to access information. This is obviously easier said than done, but it is required to prevent analysts from needing to have thirty tabs open just to investigate a single incident.
Having a process to properly decide if a new application is necessary is also essential. “Death by toolset” really exists and there is a negative return on investment eventually. When looking at a new tool, ensure that you are not already using an application that has that tool or something similar. I have seen it before where a team is about to buy something for a relatively hefty chunk of change, and they realize at the eleventh hour that they already have the functionality that they are about to pay for.
That assessment should be done over time as well. A proper inventory should be conducted from time to time to determine if a team has redundant applications or tools. Just as nobody wants a home to become cluttered over the years, so too should a security team’s list of tools be cleaned up regularly. Nobody can say how many tools or applications a team really needs to accomplish their mission, but an honest review done by that team should be the best way to determine that.
None of this is to say that teams should not go out and acquire new applications when the need arises. What is essential is integrating new tools into existing tools and eliminating redundancy.
Contact ITMG to Develop Strategies and Protocols Designed to Help Your Company Mitigate Your Insider Risk
ITMG is an industry leader in helping organizations throughout the United States strengthen their insider risk management programs and secure sensitive data and intellectual property. Our team of bona fide experts has the real-world experience necessary to plan out and create holistic security solutions tailored to the needs and risks in your industry. Contact ITMG today to learn more about how we can help! You can also visit our Facebook, Twitter, and LinkedIn pages for more updates and insights into the world of insider risk management.