Blog post

A Rant on Single Function Security Tools

By Anton Chuvakin | August 24, 2018 | 5 Comments


As you may guess, I was raised on Unix and in Unixland single-function tools rule the seas. From “ls” to “ping”, Unix is full of commands that are in reality tools that do one thing well. And it is wonderful!

However, I am not so sure our [“our” here applies to all shades of defensive security professionals, the People of Cyber…] collective fascination with narrowly-focused tools is that healthy.

But maybe it is OK? Let’s debate.

Here is a recent example [I am usually a bottom-up thinker, hence examples]:

  1. With some luck, you can perhaps orchestrate security operations using a general IT platform (chef, puppet, ansible, etc) – VERY general.
  2. Or, you can buy a SOAR, an orchestration platform for security – STILL general.
  3. Or, some vendors can sell you a SOAR module/tool that only helps with specific threats – NOT general.

As a result of this trend, we now have “SOAR for email threats”, “UEBA for web proxy logs”, “DLP for data discovery”, “vulnerability scanner for databases”, “SIEM can only match logs to threat intel” etc. Or, as my former colleague pointed out, a Cambrian explosion of tools.

What is driving this?

IMHO, this is driven by “boxes are cheap, people [labor] are expensive.” So, the above list becomes this:

  1. General platform + 1K hours of labor = result you want now [but, really, not now, but in 1K hours]
  2. More focused platform + 100 hours of labor = result you want now [still not now, but in 100 hours]
  3. A point solution tool (not a platform) + NO labor = result you want now [and actually now!]

Naturally, an asture reader will immediately point out that a general platform will give you more than one useful outcome over time, while a single function tool will only ever deliver one outcome. The same reader will also point out, wisely, that some “boxes” (like say SIEM or UEBA) don’t do anything useful unless accomplanied by people.

However, my impression is that many security leaders facing this choice will consiously decide to buy yet another single purpose tool. Following the above example, we’ve seen cases where somebody buys a SOAR, tries to operationalize it, realizes the amount of work (often months) – and then goes and buys “SOAR for email” and then perhaps “SOAR for clearing SIEM alerts.” And then eventually “SOAR for SOAR” 🙂

It seems that time to value for an immediate problem seems to beat higher value over time. Or, perhaps “no labor box” approach wins over the “labor + platform” approach.


The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed


  • John Dasher says:

    I’m not sure I buy the argument that a point solution tool has no associated labor costs attached to it. There are very real personnel training and time costs for each and every tool, not to mention costs associated with switching between tools, trying to share data, etc.

    • Sure, I agree that it is not truly ZERO labor (for some tools like DLP and UEBA, definitely not zero). However, there is usually much lower dev and customization labor costs.

  • LonerVamp says:

    I imagine some of the decisions get made based on “single pane of glass” desires versus complete picture desires, i.e. “no box left behind,” where you know you’re not leaving blind spots and holes? For me, the larger the box/solution, the more it generalizes (especially outside of its core functions), and comes in weaker and with less completeness.

    There may also be something to do with audience. Are you still on the security team if you’re spending that many hours on stand-up and feeding, or are you really an infrastructure/admin?

  • Øyvind Juell-Mathiesen says:

    I think you highlight something important, a symptom visible across all industries and sectors. The one cause to the symptom is “our” inability to describe the long term value of option 1 and 2, and how it will support current business needs or risks. On the other hand “we” are extremely good at specifying, and talk about, all the recent high profiled threats, their attack vector, and how to protect against them.

    I believe the solution is to think more about what the proposed solution means to the business not only the technical capabilities or how it handles potential threats.

    A bottom-up approach is a good way to be concrete and spot on. And that is what the point solutions are, bottom-up and spot on. But with no clear relation to the business risk or its strategic strength to the long term goals.

    Make it a strategic solution, not only a tactical one.

    So, to make the more generic solutions a long term value proposition, we (the cyber security something) need to go all the way up to the top, understand the business requirements and justify the long term solution based on the business requirements, security drivers and risk. Bottom-up identifies and justifies the usability and the technical applicability, top-down make sure it supports and aligns with the business needs. It is safe to assume that in this process a lot of learning will be made, on all levels.

    • Thanks a lot for a super insight comment. Indeed, I suspect the “real” answer is somewhere in the area of “go all the way up to the top, understand the business requirements”

      Same advice that was true 30 years ago – STILL true today 🙂