Gartner Blog Network

A Rant on Single Function Security Tools

by Anton Chuvakin  |  August 24, 2018  |  5 Comments

As you may guess, I was raised on Unix and in Unixland single-function tools rule the seas. From “ls” to “ping”, Unix is full of commands that are in reality tools that do one thing well. And it is wonderful!

However, I am not so sure our [“our” here applies to all shades of defensive security professionals, the People of Cyber…] collective fascination with narrowly-focused tools is that healthy.

But maybe it is OK? Let’s debate.

Here is a recent example [I am usually a bottom-up thinker, hence examples]:

  1. With some luck, you can perhaps orchestrate security operations using a general IT automation platform (Chef, Puppet, Ansible, etc.) – VERY general.
  2. Or, you can buy a SOAR, an orchestration platform for security – STILL general.
  3. Or, some vendors can sell you a SOAR module/tool that only helps with specific threats – NOT general.

As a result of this trend, we now have “SOAR for email threats”, “UEBA for web proxy logs”, “DLP for data discovery”, “vulnerability scanner for databases”, “SIEM can only match logs to threat intel” etc. Or, as my former colleague pointed out, a Cambrian explosion of tools.

What is driving this?

IMHO, this is driven by “boxes are cheap, people [labor] are expensive.” So, the above list becomes this:

  1. General platform + 1K hours of labor = result you want now [but, really, not now, but in 1K hours]
  2. More focused platform + 100 hours of labor = result you want now [still not now, but in 100 hours]
  3. A point solution tool (not a platform) + NO labor = result you want now [and actually now!]

Naturally, an astute reader will immediately point out that a general platform will give you more than one useful outcome over time, while a single function tool will only ever deliver one outcome. The same reader will also point out, wisely, that some “boxes” (like say SIEM or UEBA) don’t do anything useful unless accompanied by people.

However, my impression is that many security leaders facing this choice will consciously decide to buy yet another single purpose tool. Following the above example, we’ve seen cases where somebody buys a SOAR, tries to operationalize it, realizes the amount of work (often months) – and then goes and buys “SOAR for email” and then perhaps “SOAR for clearing SIEM alerts.” And then eventually “SOAR for SOAR” 🙂

It seems that time to value for an immediate problem beats higher value over time. Or, perhaps, the “no labor box” approach wins over the “labor + platform” approach.



Category: philosophy  security  

Anton Chuvakin
Research VP and Distinguished Analyst
8 years with Gartner
19 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…

Thoughts on A Rant on Single Function Security Tools

  1. John Dasher says:

    I’m not sure I buy the argument that a point solution tool has no associated labor costs attached to it. There are very real personnel training and time costs for each and every tool, not to mention costs associated with switching between tools, trying to share data, etc.

    • Sure, I agree that it is not truly ZERO labor (for some tools like DLP and UEBA, definitely not zero). However, there is usually much lower dev and customization labor costs.

  2. LonerVamp says:

    I imagine some of the decisions get made based on “single pane of glass” desires versus complete picture desires, i.e. “no box left behind,” where you know you’re not leaving blind spots and holes? For me, the larger the box/solution, the more it generalizes (especially outside of its core functions), and comes in weaker and with less completeness.

    There may also be something to do with audience. Are you still on the security team if you’re spending that many hours on stand-up and feeding, or are you really an infrastructure/admin?

  3. Øyvind Juell-Mathiesen says:

    I think you highlight something important, a symptom visible across all industries and sectors. The one cause of the symptom is “our” inability to describe the long term value of options 1 and 2, and how it will support current business needs or risks. On the other hand, “we” are extremely good at specifying, and talking about, all the recent high-profile threats, their attack vectors, and how to protect against them.

    I believe the solution is to think more about what the proposed solution means to the business not only the technical capabilities or how it handles potential threats.

    A bottom-up approach is a good way to be concrete and spot on. And that is what the point solutions are, bottom-up and spot on. But with no clear relation to the business risk or its strategic strength to the long term goals.

    Make it a strategic solution, not only a tactical one.

    So, to make the more generic solutions a long term value proposition, we (the cyber security something) need to go all the way up to the top, understand the business requirements and justify the long term solution based on the business requirements, security drivers and risk. Bottom-up identifies and justifies the usability and the technical applicability; top-down makes sure it supports and aligns with the business needs. It is safe to assume that in this process a lot will be learned, on all levels.

    • Thanks a lot for a super insightful comment. Indeed, I suspect the “real” answer is somewhere in the area of “go all the way up to the top, understand the business requirements.”

      Same advice that was true 30 years ago – STILL true today 🙂

