Where to cut corners when the security budget gets tight

Whenever creating a budget, there is always the rainy day fund or the contingency account in case of unexpected circumstances. But what if those circumstances are a data breach that is bigger than you could have ever imagined? And you don’t have cyberinsurance?

Sure you might be up the proverbial creek without a paddle but fear not as some security pros are willing to throw out a lifeline to help you at least get your head above the water with some sage advice.

The common theme when asked about where to cut corners was to make sure your policies and procedures are sewn up tight. There are really no corners to cut but more about having solid policies in place.

Rick Howard, CSO at Palo Alto Networks, said the best thing CISOs can do to bolster their Information Security Program in times of budget shortages is make sure the prevention controls they already have in place are working the way they thought they were going to work when they originally bought and installed them.

“A great truism to our industry is that many of us Network Defenders like to spend money on all kinds of shiny new playthings to defend our networks but fail to make time to get them fully deployed,” he said. “These prevention controls are complicated systems. You can’t simply hook them to your network, turn them on and walk away. Somebody has to maintain them. Somebody has to analyze the data coming out of them. Somebody has to ensure that all the features that the CISOs thought they were buying are actually turned on and working correctly.”

When you are strapped for cash but still want to improve your Information Security Program, spend some time getting to know the already deployed prevention systems.

Stan Black, CSO at Citrix, said organizations short on budget can perform simple but effective security checks like making sure admin logins and passwords aren’t in use, network and access policies are up-to-date and compliance regulations are being met. Performing employee trainings on how to uphold security best practices for their own safety, as well as the company’s, can enormously help reduce risk and only costs time. 

In other words Black is saying by keeping things secure inside the network, it can help in preventing any matters that are worse outside from getting in.

“Any recipe for reducing security spend starts with three common areas to reduce operational expense and frankly slow your business down to reduce overall risk. The first area is application security testing, a decade or so ago we used to build our own capabilities with huge OpEx and CapEx requirements. Third party application testing provided the cumulative knowledge of many customers in a single pane of glass. If you want to reduce remediation cost, tie testing tools to CBTs and a comprehensive knowledge base to teach developers to develop secure code,” Black said.

Another area to drastically lower OpEx is threat management. The number of threat actors grows every day, there are several firms that have tuned their offerings to enumerate threat actor activity relevant to your company. On the other hand, there are many providers that offer threat information regarding the universe of risk; that’s nice but we focus on our company and our customers. Careful assessment of customization to your supply chain will reduce the noise and enable your team to focus on remediation, not identification. Effective threat intelligence also enables remediation and fortification of real threats, not the millions of unauthorized “pings” enterprises are subject to every minute of every day, he said.

A third topic that can be lost in the new product security market is traffic enumeration. If you don’t create, trust, or can’t validate network traffic, you are at risk. Quantification of the known good, untrusted, and unknown traffic costs nothing except time, but for some reason industries want to buy more tech to tell them they have another network threat, he said.

It is like building a beautiful dam but not putting it in the right place in the river to build the lake you need. I think most organizations struggle with a secure architecture and cyber terrain that can be defended. Jeff Schilling, CSO, Armor

Gareth O’Sullivan, director of solutions architect – EMEA at WhiteHat Security, said maintaining a secure environment is not simply about adding more security products. It can be argued that no single solution can be a silver bullet to achieving security, certainly not in isolation. If a company, security executive or manager finds themselves in a position where they are questioning their existing security posture or policy, this should be cause for concern or taken as an opportunity to reappraise existing policies or programs. Expenditure on security products needs to be conducted in the context of an overall risk management policy which in turn needs to support an organization’s core business activities.

Reduce duplication

Ravi Devireddy, co-founder and CTO at E8 Security, said, regardless if budget constraints are a factor, a good practice for all organizations is to eliminate operational redundancies in their security practice. Most organizations spend too much time, and money, investigating low-level alerts that are scattered across multiple management systems, which increases their investigative costs per incident.

The best way to reduce unnecessary spend is to ensure all security relevant data – generated by network systems, applications, and endpoints – are being captured in one centralized system that can automatically prioritize alerts based on risk. Also, by providing security analysts the ability to visualize the relationships between targets will allow for a more streamlined security practice, eliminating redundant investigative tasks and making sure security teams capture the right information in one location, he said.

“Evaluate all existing programs and policies. Prioritize those strategies that focus on identifying an attackers’ presence based on behaviors and movements that are not considered normal for your organization, and containing that activity as quickly as possible,” he said.

There is a proliferation of enterprise cybersecurity products in the market that often have overlapping and confusing value. It is possible that even if organizations add and deploy additional products, they still may not be more secure today than they were yesterday — or may in fact be less secure and reliable given the additional complexity. Organizations should develop and very critically maintain an enterprise security architecture that is intended to meet corporate requirements, and can be used to understand risks and position potential solutions. If this architecture isn’t in place or isn’t current, now is the time to start, said Andrew Wertkin, CTO at BlueCat Networks.

Organizations may find that they have deployed duplicative capabilities across multiple product sets, and they almost certainly will find that they aren’t leveraging their existing investments. This has led to new product capabilities to leverage the power of DNS, a mission critical service for the enterprise, to create immediate visibility to compute, and add to the security posture of the organization without introducing new infrastructure or change the physical architecture.

O’Sullivan adds that while acquiring new software or solutions requires budget due to a defined cost, reviewing and updating policy will have also have an implicit cost. Efficiencies can be made by regularly updating policy and ensuring it is inline with company goals. For example in the context of building secure software, adopting a security framework which enables ‘building security in, rather than bolting it on’ can help drive costs down and improve efficiencies by enabling the organization to learn how to build secure software or find and fix vulnerabilities early.

Look to open source

Security doesn’t really have to cost a ton of money. There are a variety of tools and technologies that are open source that can be modified to be really secure and benefit an organization, said Chase Cunningham, director cyber threat research at Armor. Anything from an open source IDS to using free and accessible threat intelligence feeds are all possibilities.

The requirement of course is to use those tools and technologies safely and effectively.

“I don’t ever see a reason to pay for something first no matter how ‘whizbang’ or sexy a UI may be. Organizations can and should try free tools and open source assets when they can and modify them to their needs; that’s the whole purpose of those initiatives. Once that’s been tested out, then they can make the choice of using that technology safely and securely or paying a vendor to fix their problem,” he said.

Contrary to the notion of finding products for next to no cost, Jeff Schilling, CSO at Armor, said there is no magic bullet that allows a security team to have great security without investment. “However, what I have observed is that most security teams have purchased technologies and don’t have the architecture to support the full use of that security technology. It is like building a beautiful dam but not putting it in the right place in the river to build the lake you need. I think most organizations struggle with a secure architecture and cyber terrain that can be defended. A lot of that work is not expensive, in fact, it might allow you to save money, e.g. reducing the number of data centers you use for you environment.”

Ryan O’Leary, vice president of Threat Research Center at WhiteHat Security, added: One of the best ways to improve security without having to pay a single cent is to implement a security centric development program. Often times, development and security are siloed groups that send tickets over the fence to each other. The developers often don’t understand what the threats are and therefore don’t understand that their code is causing issues. Bringing down the barrier between the two groups and educating the developers on the common threats leads to code that has drastically reduced issues since they will never have been coded in the first place. This training can often be done by the in-house security folks, or if outside training is needed this could come at the expense of the development team.