Connecting the Dots: A Security Team’s Guide to Reducing Cyber Fatigue

Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise software categories. Avkash Kathiriya of Cyware connects the dots to see the big picture in reducing cyber fatigue amongst security teams.

Layers of security. New applications, new tools, new tech. With seemingly nonstop advancements, you’d think cybersecurity defense would have gotten easier. The reality is security teams are overwhelmed, overstretched, and burning out. Large enterprises often manage more than 100 security tools. A robust tech stack can help, but in an attempt to bolster our security architecture, we have created a data labyrinth that exacerbates the problems we are trying to solve. As useful as these tools are on their own, they are often incompatible with each other. To get ourselves out of the complexity, we must get better at connecting the dots.

Connecting the Dots: A Security Team’s Guide to Reducing Cyber Fatigue

The Challenge of Security Sprawl

With dozens of security tools, teams are inundated with alerts, even with automation tools that help boost the signal. But the signal-to-noise ratio isn’t the only issue. Managing disparate tools across multiple teams is difficult. Security operations, threat intelligence, IT, incident response, DevOps– these teams use different tools. With natural silos that develop around each team, it’s challenging to get consistent visibility or to collaborate across a function and an organization.

If you can’t pull all that information together consistently, you can’t take consistent action. We must find ways to orchestrate and collaborate across these teams to find threats that touch multiple points. That requires breaking down silos among people, technology, and data, each of which presents unique challenges.

Let’s look at each of these so we can start to understand how we can connect the dots.

People silos lead to a lack of collaboration between teams in and outside of the organization. Large teams specialize and often go deep but ignore elements outside of their domain. Collaboration tools aren’t designed for security, which adds a serious barrier. Knowledge transfers can be difficult between even one team with different shifts; it’s exponentially more difficult to hand off the right information to the right people when additional functions and teams are added to the equation.

How can we ensure every team has situational awareness to adopt and execute the right defenses at the right times?

Technology silos hinder orchestration between cloud and on-prem technologies. Security must evolve from its defense-in-depth origins. We’re deploying technologies for endpoint, email, network events, web traffic, etc., and while the intent is good, the outcome is not. Adding security layer after layer (or tool after tool) leads to overlap and, often, diminishing returns. As more layers pile on, security teams experience more alert noise and fatigue. Cyber-criminals attack across an organization’s horizon, making it critical for these technologies to communicate effectively.

How can we move to orchestrate between the layers we have instead of adding new layers?

Data silos prevent correlation and contextualization between tools. Different tools create different types of data, and translating them in a way that operators get the context needed is difficult. Even if teams are collaborating over chat tools, the data gets lost through unstructured communication. APIs can connect tools, but it’s typically a complex, DIY – and quite frankly, a painful – process.

How do we store, analyze, and contextualize the data in a consistent way that enables security teams to get ahead of threats?

Connecting the Dots

The crux of the matter is that simply adding more tools to our security arsenal isn’t the solution. Think of it as a symphony orchestra. Adding more instruments doesn’t necessarily make the performance better; what’s needed is a conductor to harmonize the ensemble. Similarly, in the cybersecurity realm, we need a system that can efficiently integrate and connect these diverse tools, ensuring that they not only detect threats but also correlate them.

We need to get the right information to the right people at the right time. Imagine you have a new threat coming to your SOC team. First, you want to inform your threat intelligence team to see if they’ve seen anything related. You also want to let your incident response team know. Your IT Ops team needs to investigate their data. Vulnerability management and threat-hunting teams must also be informed quickly. Some organizations are doing this, but it takes hours, if not days, to manually coordinate this information.

Speed and accuracy are critical. It requires automated integration and collaboration. It requires a conductor. A conductor creates good music by coordinating specialized musicians to play together, in rhythm. A sprawling cybersecurity program needs its own kind of conductor – one that coordinates between teams to defend against threats.

Final Thoughts on Reducing Cyber Fatigue

We still need people, technology, and data. We just have to break down the barriers that prevent effective collaboration. Enterprises must enable regular and crisis team collaboration; any-to-any orchestration is necessary for technologies to benefit a security team’s various functions; and good systems must be in place to store, connect, translate, and maintain data so that context isn’t lost along the way. Some — including us — call this cyber fusion: bringing together dissimilar tools and teams with relevant information and situational awareness in-tact.

By connecting the dots, security teams can accomplish so much. With the right visibility, you can start to take a proactive approach to security. When you can correlate across technologies, you can see the bigger picture to defend against threats faster and with more confidence. Threats are dynamic. To make critical decisions, we must be too.