Presenter:
Transcript:
Good morning everyone. It's my pleasure to welcome you today to his second 2025, and the talk we have today, Jim, sorry, is Taming the Hydra: Managing Security Tool Sprawl Through Strategic Governance. And we have today Jim Nitterauer, Senior Director of Information Security at Graylog, overseeing IT services, security and compliance, with 25-plus years of experience in ethical hacking, pentesting and information security leadership, and CISSP, CISO and CISM certifications.
Frequent speaker and trainer at major conferences including DEF CON, RSA, BSides and DerbyCon, and he's active in the infosec community through BSides Las Vegas staff, ITEN WIRED planning and co-founding multiple ventures. Please join me in giving a warm welcome to our speaker today, Jim.
Good morning. How's everybody doing this morning? All right. Now I have to do my first security chore: I've got to get back into my laptop. Sorry, they don't have speaker notes up here, so I have to click that and follow my notes up here as well. Once I get in.
YubiKeys are beautiful things. I don't ever know what my passwords are; I just know my PIN and my key and we're ready to go. So if you don't have YubiKeys in your business, get them yesterday. They're the best thing ever. All right. Good morning. My name is Jim Nitterauer. This is the first session, Hugh Scone everybody, glad to be here this morning. Liking the weather.
It's a little bit cooler this morning. So I'm the Senior Director of Information Security at Graylog, and the talk today is titled Taming the Hydra: Managing Security Tool Sprawl Through Strategic Governance. And I've got to do two of these at once here. I've got to juggle. Before we dig in, a word from our friends in the legal department: presentations are intended for educational purposes only and do not replace independent professional judgment.
Statements of fact and opinions expressed are those of the presenters individually and not necessarily those of Graylog or other co-sponsors, including this conference, and Graylog does not endorse or approve and assumes no responsibility for the content of this talk. All right. So what we're going to talk about today: we're going to look at the problem.
Uncontrolled security tool sprawl within your organization with limited results. We're going to look at one possible solution, and that's going to be a roadmap based on the NIST CSF's pillars. We're going to first understand what security tool sprawl is and how it impacts the organization. We're going to look at the CSF and its mappings to the five areas.
We're going to look at the roadmap, and then we're going to have a little bit of an open discussion. So be prepared to be thinking about how this impacts your organization and how maybe it can change or modify or improve your decision-making processes within your organization. So, making sure my slides are saying what I'm saying, let's dig a bit deeper here.
According to Kaspersky, 74% of UK companies rely on multi-vendor ecosystems, leading to operational complexity and risk. Over one third (36%) report their security stacks are overly complex and time consuming, with 43% citing integration issues and 36% noting poor threat visibility. Over two thirds (70%) of respondents told IDC that switching between different tools reduces their efficiency within the organization. An international research study from Barracuda in July 2025 shows that 65% of organizations believe they have too many security tools, with over half saying their tools can't be integrated.
This lack of integration significantly weakens defenses, with 77% saying it hinders detection and 78% citing challenges in threat mitigation. We have switched on a large scale. Am I on the right slide here?
I am one slide ahead. I think.
Yep. We're on that. Sorry. Okay. Sorry, I'm trying to do two slides here. They don't give us a confidence monitor, so I'll make sure I'm on the right slide.
All right. So now we're on the right slide. A large-scale health provider deployed 47 separate security tools. Imagine 47 security tools across its environment. During a simulated ransomware attack, five tools generated alerts, but not one of the tools stopped the threat. This highlights severe integration and ownership issues, with no visibility between silos, misconfigurations and remediation
paralysis rendering the infrastructure's defenses ineffective.
All right, so.
The last case study here is an MSSP in Ontario. They were charged with monitoring vulnerabilities within their customers' environments. They had several disjointed tools that weren't working for them, directed towards patching and identifying vulnerabilities across all their customers. They ended up switching to a different solution, eliminating about 5 or 6 different tools, and reduced their scanning window from monthly down to weekly, with the goal of doing it in real time, which we can do now with the different options that are out there.
So today's objective is to empower CISOs and people on the CISO's team to tame security tool sprawl, using the cybersecurity framework as a lens to clarify the value of those tools. So where do we begin? We'll start by looking at the definition of security tool sprawl and what drives it, and then how we can look at the symptoms and what's happened within our organization.
And we'll look at some metrics for how we can detect that. So first, what is security tool sprawl? It's the uncontrolled growth and proliferation of cybersecurity tools within an organization. It happens when multiple overlapping products are purchased or deployed across teams and functions without a cohesive strategy. And I'm going to call this a program; I use strategy and program as the same word, or an integration plan.
Instead of strengthening security, this patchwork of tools can create inefficiencies, visibility gaps, and management challenges. So I want to read a little. I ended up meeting this fellow, Kurt Mender, at DEF CON and bought his book. It's called Cyber Recon. I would recommend it as a read, but I want to read a little excerpt from it.
Excuse my voice here.
So he's talking here about, he's asking a CISO. "So I consulted for a chief information security officer in the retail space. He had informed me of his investment in a software-as-a-service cyber intelligence vendor." So it can be any vendor, but he's buying cyber intelligence. "I inquired if I could ask a few questions about his program, even though it was clear the word program confused the CISO."
So here's Kurt: "Okay, so you have some very specific use cases for this intelligence. Is that why you licensed the platform?" "Not really, more general." "Okay. But you know the specific data your company needs to turn into intelligence, and from whom and for whom within the organization, right?" "Oh, I think so." "Okay. So you're hiring a full-time intelligence professional to sit in front of this thing and monitor the data?"
"No." "Oh, so you're taking one of your existing staff, training them on intelligence processing and production and putting them in front of this full time?" "No." "You are taking the person that reads your EDR, endpoint detection and response, events all day and letting them query this platform?" "No. Curtis, why are you asking me these questions?" So that's the point.
"But let's say all this works. Well, it won't, but hypothetically let's say it does. And your EDR person runs a query one day and finds a bad actor on the dark web talking about a back door into your online system where you can change your prices, etc. They are selling the price change as a service to anyone who wants to purchase it from you."
"Is that someone that pays a small amount of money in Bitcoin, and then they change the price of a very expensive product to a dollar?" "Yes, yes, that's exactly the kind of balances I'm looking for." "But that's not intelligence. What do you do next, CISO?" "I don't know." "You see, there are many bad actors on the dark web."
"Most of them are full of, you know what. How do you validate this before you start ringing alarm bells? My guess is you have a lot of APIs. Which one is it? What's the vulnerability that was exploited? Who's the bad actor? Can you see if they have already received payments? Can you talk to them?" "Well, I don't know how to go about doing that."
"Then what good is the platform?" So that's kind of the dog and pony show we all go through with a lot of this stuff. We get hyped by sales and marketing, think we need this thing, and then suddenly we're like, what the hell good is this thing we just spent all this money and time on? So let's move forward and look at how we can focus that a little bit better on the CSF.
All right. So first, to understand how we got into this predicament: we probably made all of our purchases with the best intentions, hopefully in order to solve a problem, automate a process or ideally reduce some risk. Unfortunately, without a solid program and a standard by which to measure the impact or value of this program to the organization, we end up in a place we don't want to be.
These purchases were likely made for tactical reasons. Vendor over-promises: you got hyped into buying something that the vendor couldn't deliver on. Maybe it's part of an acquisition: either your company was acquired or you acquired another company that had all of these tools. You have a poor procurement process. There's no communication between entities within the organization.
And maybe the internal recommendations were there. You'll see the CEO's friend is running this other company, so why don't we buy from them? It doesn't matter how good they are; we've got to buy from them because we're buddy-buddy, right? Or team isolation: teams just don't communicate. They don't talk to each other and they don't interact.
All right, so what are the symptoms? Come on. Here. There we go. So what do we end up with? We end up with duplicated capabilities, the failure to implement some of these features, and poor user adoption. We find it difficult to implement and maintain the platform because we didn't count the cost of maintenance and ongoing infrastructure or cloud costs.
We have poor cross-platform integration: it doesn't integrate with any of our other tools. We have limited access control options. How many of you have bought a level of service from somebody and said, I want SSO enabled on this platform, and they come back and say, oh, well, you have to buy the enterprise version of that to have SSO?
I'll say out loud, that's a bunch of bullshit. If a company does that, I walk away and say, no, I'm not doing it. Making you pay extra for security is not something vendors need to be doing. And then there's a lack of awareness across the organization. The organization doesn't know that you have these tools. All right. So once we see the drivers and the symptoms, how do we begin to sort out this mess?
How do we understand what metrics we can look for to see whether the tools are actually presenting value to us? What are the functions per tool? Do we have a tool that's giving us one function or ten functions across the organization? What I mean by that, for example: how many of you use Defender for Endpoint from Microsoft as part of their Intune and endpoint management?
Right. Well, that also includes vulnerability management for an add-on license. So you can kill two birds with one stone. But many companies are paying for Microsoft, not knowing that it does the vulnerability management, and then paying for something like Tenable or Qualys to do the vulnerability management and the scanning on the other side. So you're not taking advantage of that added function.
For an analyst or an engineer, how many tools are those analysts using? How many do they have access to? Are there a lot of alerts from these tools? If it's a SIEM or some sort of platform that's giving you security information, is it alerting too much? Is it giving you usable information? What's the cost of the risk benefit?
I mean, ultimately, if I'm a CEO of a company, I don't care about security in a company. I care about the mitigation of risk at an effective cost. Right? The question is, how much security should you have in an organization? The right amount, just enough. Right. And every organization is different. So you cannot go and say, oh, well... I'll get on a side here.
There's a mindset of hackers and there's a mindset of business people. Hackers think everything should be binary: secure, door closed, door open. The business leader doesn't care about that. The business leader cares about taking risk to make money, taking risk so that he can generate enough profit for the shareholders in the company such that they can lower the risk to keep moving the business forward.
So there's a big difference in how people approach security from that perspective. So let's look at the impact of sprawl on our organization. You'll have to look at the memes here. I threw in some memes to kind of distract you from the topics as we go here. But does your organization have security compliance blind spots? Maybe they don't have a good asset inventory.
Maybe you don't have complete telemetry on all the assets within your organization. Maybe the data is siloed by teams: different teams have different pieces of information, but they're not sharing it across the organization. Maybe they don't have the ability to show the impact on risk. The CEO comes and says, you bought this tool, show me how it reduces our risk so I can report that to the board of directors.
Maybe the coverage is incomplete: the scope of where you deployed this product is too narrow. And how many people have done a compliance audit, right? A SOC 2 audit. You have a scope of that audit, and you look at that scope, or a PCI audit, and everything inside that environment, everything inside that key environment, is pristine, nice, secure, tight. Then you step outside that door and look at something else.
And none of it follows any of your compliance stuff, right? Because we're only setting the scope so that the world only sees a part of it. And that's not the way to reduce risk across the organization.
So another impact is operational inefficiencies. The more tools you have, the more training it takes, the more engineers it takes to deploy them, the more cloud engineers it takes to keep them up and running. Longer implementation times, longer mean time to recovery or resolution in the case of an incident, because you can't gather all the information quickly enough to come to a conclusion about what happened and how to resolve that issue. You end up diluting your resources.
Nobody becomes an expert on anything. They become a generalist on many things, and they're not using all of the features within a given platform. And then there's overlooked alerts. People just get tired of seeing all the alerts, and they don't act on them in a positive, productive manner. So is there financial waste? Probably: underutilized licenses, right?
Duplicated investments, buying two tools to do the same thing, unimplemented features and functions, overlapping functionality with existing spend, and really no significant risk reduction. So it all comes down to that risk reduction piece.
I want... there we go. Now on the right one. Is your organization prone to talent attrition risks? Are the people burned out? Are they tired of poor user experience? Are they tired of having to learn multiple platforms? Right. Is their workflow too complex for them to keep up with? Are there gaps where they're dropping the ball on significantly important processes?
Is there training overload? Is there ownership in-house? Who owns these systems? Who owns these relationships? So I'm not trying to be a doomsayer, but by now I hope we start to think about how we're beginning to see the impact of the results from inconsistent, non-standardized processes for implementing security tools across the organization. So how do we solve this?
Anybody read Dilbert there?
All right. Well, one possibility is to turn to the NIST CSF. So it's the National Institute of Standards and Technology and their Cybersecurity Framework. So what is it? As I said, a voluntary set of best practices, standards and guidelines designed to help organizations across all industries and sizes manage and reduce cybersecurity risk in a structured and repeatable way.
That's key. Stephen. Oh, there we go. I think if I do this behind the computer, the IR is not picking up my change. Thank you. I knew I brought you here for a reason, Stephen.
Let's switch again. Switch that time too. There we go. Come on. All right, so let's look at the five core functions of the CSF. It's built around five core functions: identify, protect, detect, respond and recover. To understand, let's look at each one of those components. Understanding your environment is the identify part, right? What are the assets?
What are the risks? What are the inventories? What are we protecting? If we don't know what we're protecting, the other four don't matter, right? You're wasting your time until you know what your inventory is. And that doesn't just include physical assets; it includes software assets. How many of you track browser plugins that people are using within your organization?
Right. Third-party software that people install without you knowing. I'll just give you a quick aside. In the Microsoft Defender portal, you can go and look at how people are using OAuth logins for third-party applications, and it will track all of those for you. And if you want to have an eye-opening experience, go look in there and see how many people are using their corporate email address and credentials, either Google or Microsoft, to log in to third-party applications that you have no idea exist in your environment, right?
So they exist, they're using those applications, and data is leaking into those applications that you don't know about, because you haven't identified that that's happening, or you've ignored the fact that the data is there and you're not using it in an actionable way. The second is protect.
And protect is safeguarding critical services and limiting the impact of incidents. So basically, either preventing them or containing the blast radius when they occur. So this is access controls, awareness training, data protection. So what protective controls are we implementing in our environment? Detect is developing the process to quickly discover cybersecurity events. So this would be where our detective controls are: our SIEMs, all of those sorts of things.
Right. EDR can perform two functions: it can detect, and then it can also protect when it alerts. Now my mouse is going crazy here. Sorry. And then we have respond. Respond is what action we take when we do find a cybersecurity event. What kind of planning have we prepared? What kind of communications? What's our response when the water falls on the floor? And then there's recover.
What are our restoration capabilities for services after an incident? What's our mean time to recovery if it's a major disaster? What's our plan for that? What's the process to return the broken thing to normal? Okay.
All right, so it all starts with... hey, this did not flip again. There we go. We're on the right one. Yes.
Sorry. My mouse is driving me nuts here.
There we are. Okay, so it all starts with... this thing is not advancing. There it goes. Okay, so it all starts with governance, right? Governance is a policy and process that the organization, not just the team, the entire organization, uses to determine the applicability and value of a tool, manage its lifecycle and continuously evaluate the value that tool brings to the business.
Continuously evaluate. So once we have a policy, this is a governance policy and a plan, a process, how do we start aligning the tool purchasing process with the CSF? And I say it's got to be simple, right? Very simple. I'm pretty simple-minded when it comes to a lot of things, and I like things to be easy. So what I say here is we develop a format, a process, for evaluating all of our vendors.
We integrate this into our vendor risk management program, but enter it into our procurement process as well. So we develop something that just basically gives us: what's the tool we're using, what's the vendor, which of those five areas does it meet, what are our notes, and what's the risk that's mitigated. If you can't fill in those five areas, you're done with that vendor.
You don't even need to be thinking about that tool. That tool doesn't fit in your organization. All right. This is an elimination process. And it doesn't matter if the CEO says you have to have this thing; you go back to him and say, look, it doesn't match our governance policy and it doesn't show us the things that we need to make the organization more secure.
You're making this based on an emotional decision, rather than a logical decision that reduces risk within the organization.
Okay. So once we do that, then we start to add some constraints. If we pass the first pass, if you will, we start digging a little deeper. We gather the minimum requirements. What is the long-term fit to the organization? What's the security posture of that vendor? What's the estimated time to implement, in hours?
What's the cost involved with that? What existing functions are duplicated within the organization? Do we have other tools that do that same thing? And then we look at how much training is involved. And we start to build this process out, and you can add the fields that you need into that process. You could do this through an AI-developed process, where people that have AI tools, ChatGPT or one of the others, could create a process where they simply fill that out through a form-based process, and then have the AI spit out an answer that says, on a scale of 1 to 10 or however you
want to rate that, it is or it isn't worth us proceeding forward. But there are other areas that we need to consider as well: what's the vendor's track record? What's the security posture? And where's our data flow with that vendor? Is the data held close? Is the data shared somewhere else? All those things are important.
All right, there we go. So let's look at a few misalignment examples here. So how do we say something is misaligned with the CSF? Well, let's say you have an unintegrated vulnerability scanner. It runs scans on things within your network, but you don't compare that to your known asset inventory. You've installed a Tenable agent on a subset of all of your workstations.
But you've got servers, you've got cloud services, everything else that's totally ignored. So you don't have good integration or good coverage, so it's not really providing you the best solution to identify where the risks are. Another example might be a point-in-time compliance checklist tool that focuses on regulatory or compliance snapshots, like we talked about, rather than ongoing continuous compliance monitoring.
And then maybe an unmanaged discovery tool. We know what's out there; we see this discovery tool scanning our network. But then somebody gets the alert that, hey, this new device showed up, and we don't do anything with it. Nobody owns it. We don't know what to do with it. We don't know who owns it and who can manage that device.
So these are things to think about with these examples. All right. So here's one for protect. We might have multiple endpoint protection agents, right? You have EDR and DLP from different vendors. Maybe they overlap, maybe the configurations conflict, maybe they don't do things the right way. So you're kind of hamstringing the best features of each of them by having those multiple tools. Maybe you have an encryption tool that encrypts data at rest, but it's not integrated with any kind of key management.
So God forbid the keys get lost and you have encrypted data that you can't decrypt if something happens. Or maybe you have security awareness training, but you're not using that security awareness training to build feedback loops to figure out whether it's actually beneficial to your organization. I'm a big fan of phishing simulations, but I am a fan of telling people we're doing a phishing simulation and awarding prizes for people that report the phish, right? Not penalizing them, but making it more of a proactive, game-type thing.
But, Stephen, they've not all connected those dots, because there are requirements that might drive some of these choices. There are. Remember what I said before? Audits are scoped, right? What's the first thing you say to an auditor when they bring something up outside that maybe doesn't align with the audit? That's not in scope for this audit, right?
Not, oh, sorry, Mr. Auditor, we'll go fix that problem right away and make that section of our business more secure. It's like, no, don't look over there. Don't open that door. Don't go down that hallway. So what you're saying is true, but it all depends on the organization and what their focus is. And my take is, if you do compliance correctly, security is a result of doing that; compliance is not the result of doing security properly.
The two aren't the same. So anyway.
So that one did not advance. Come on. Down, down, advance twice. Where are we? Sorry. Did that one... come on. Okay. It changed slowly. All right. So this one we're looking at, examples of detect. Maybe we have an untuned SIEM. We were gathering all these logs, right, because we have to gather them for PCI compliance, or we have to do this for other reasons.
But what's happening to the logs? What's happening to the alerts as they're correlated across all the devices within your network? You know, this is one thing that I'm very familiar with, because that's what Graylog does: we're a log aggregation platform. So we look at this all the time and say, step back to a 10,000-foot view of your organization and figure out what's important and where the risks are within that, and log through that.
Now, how many of you have implemented intrusion detection devices? Well, what good do they do if nobody acts on the alerts, right? I mean, really, you want an IPS where the alerts are acted on, but people go, oh, I don't want that because it's going to break something. It's going to stop something. Somebody can't get to our website, email won't get out.
Whatever, right? So we've got this and it looks good on paper, but it doesn't do squat to make our organization more secure. And then we might have overlapping monitoring tools. They monitor a lot of different things, but they have fragmented visibility into our entire inventory, and there are blind spots in what they can detect.
All right. Sorry about this. Come on. It's like when you need to change the batteries in the water. Yeah, yeah, you have to shake it and turn the batteries around and get that last little bit of voltage out of them. All right. So another misalignment here, for respond. Right. If we have unintegrated threat intel feeds.
Right. We've purchased all these threat feeds. We know what's out there. We know who the bad guys are at any given time. But what are we doing with them? Are we putting them into our DNS monitoring and blocking DNS requests from internal to anything on that list? Are we using them to action data from our SIEM? Right. We have to be looking at how we're integrating our different tools and making use of these things that we're buying.
Maybe we have an isolated case management system or ticketing system for incidents. Maybe our team uses it, but it's not linked with our SOC, or maybe it's not linked with the help desk. Maybe the different roles within the organization don't have access to that to see what's going on. Or we have, you know, a SIEM and we don't have any kind of playbook automation.
We know when alerts are happening, we know when it's getting detected. Remember the example I gave you, the company with all those tools: five different tools alerted and none of them did anything to stop the ransomware attack, right? Because again, we're not going through the whole process to the very end. Okay, I forgot to change that slide. Sorry about the color there.
These are examples of recover misalignments, right? So maybe we have partial cloud backups, and we cover our servers, but we don't cover other applications that are critical business functions within the organization. Maybe we have an unverified DR tool or automation tool, right, where we can recover a particular cloud service, for example. Let me make a good one.
Think about it. Maybe a code push goes out and it breaks something. How do we revert that? Right. So that's really a DR plan in action, right? You're reverting your code back to a previously known good state. But we may not have tested them, right? We may never have rolled out bad code and rolled it back. We don't know if it works.
Right. And then we might not have a way to capture what goes on during these incidents. How do we get that information, and how do we get it out to the right people within the organization so they can modify policy and change procedures to make things better the next time around? All right. So, key insights: tool sprawl creates friction across all the domains.
All right, so here... come on, switch. There we go. All right, so I wanted to get to this key roadmap for CISOs. So how do we get this under control? And I don't have all the answers. I'm just one that thinks about this stuff all the time, because I hate the sales process. I hate the procurement process that's not in place.
I just want to get results in my organization, right? And do it in a simple way that keeps everybody in the right mindset about security. First and foremost, you've got to establish governance and accountability. And this governance and accountability has to be organization-wide.
It cannot be team-wide. Teams can't isolate themselves and buy tools in and of themselves. There has to be a standard across the organization. We can't have one team using Google Workspace, another team using Microsoft, another team using Linux; it just doesn't work in the organization. It just multiplies the complexity. The same thing with these tools. We need to have a vetting process.
We need to have a procurement process, and there has to be ownership of those tools. Somebody has to be responsible for the spend on those tools and for making sure that those tools are implemented. We have to audit and assess current tools and coverage, review our spend and look at our risk alignment. We need to prioritize based on our risk and value, and only focus on the tools that bring value to the organization.
Just because the world says you need to have the X, Y, Z tool out there because there's one hacker doing this nefarious thing in some corner of the world, and everybody's running around with their hair on fire saying they need this tool: tune that out. Just don't listen to it. Listen to what you know about your organization and reduce that risk.
Get the biggest bang for your buck and your time invested. Invest in convergence and integration, right? Things that integrate together. Again, going back to the single sign-on thing: applications that you're using, third-party vendors that don't support single sign-on, don't... screw off. I mean, I'll just be blunt, all right? You don't need to be managing 50, 60, 100 different logins and auditing all of that stuff for users.
You need to have a single sign-on solution that works across your environment. Measure and communicate the outcomes, right? Let the people on your team know what works. Let the people in your organization know what works. Let the CFO know what works, right? How many times do you hear, well, you know, security is a cost center in our business, right?
It is. Well, but so is buying a computer, so is buying software; they're all cost centers, right? Having an employee in your company is going to have a fixed cost per employee across the whole organization, including security, IT, all of those things. But how many business leaders really know what that cost per employee is? They'll tell you right up front, oh, well, if I hire this employee at 50 grand a year, I know my cost for them is going to be another 25,000 for insurance, another this and that.
They'll know those numbers, but they won't know the numbers on the other side for all the tooling that that employee needs. So understand that and be able to report it back to the CFO or the CEO. And I think the last thing is you've just got to continue to celebrate within the organization, right? When you save money, when you reduce overhead, make some celebratory noises.
We didn't buy this tool, so we can keep you focused on being an expert on this tool, and this tool is providing value. And I'm going to give a quick example, and then we're going to have kind of an open discussion. I want to hear what your thoughts are out there. I can stand up here and talk forever, but I'm not going to.
So one of the things that we look at very heavily at Graylog is our Microsoft Secure Score. How many know where that is in the Defender portal?
I'm sorry.
Ours is typically never less than 98%, right. And if you look at the average Secure Score for businesses of the same size, it's about 45%. That tool alone, if you focus on that tool and doing its recommendations within your organization, you will cut your need for other security tools, probably by about 85%, I would say. And I would stand by that, because usually you're buying other tools to fix people's laziness from not configuring things the way they're meant to be configured.
And Microsoft gives you the tools to do that. So why not do that? You're already paying for it. You're paying for them to monitor it, right? And they give you exact recommendations and exact steps to raise that Secure Score and lower your risk profile profoundly. All right. So that's one example of going to a tool and using it to the extreme.
It's already there. Rather than going to a third party vendor and buying vulnerability management and scanning, buying all these other things. Software inventory, it's all built into that if you just take advantage of it. So that's all I'm going to talk about here this morning. I hope that gets you thinking about some things. So.
In the Defender portal for Microsoft, if you go to security.microsoft.com and log in, you'll see all of those tools in there. If you have Defender for Endpoint enabled within your licensing, I think that comes with an E5 license, or an E3 plus a security license. One of those two.
If you turn it on and deploy it through Intune, then you'll see all the results in that portal. But there's a plethora of information in there. You'll see all of the software on every device, all the third party ID logins that people are using, the security state, when the machines checked in, and then it'll give you very clear steps on how to improve your Secure Score so that you lower the risk for very well known types of exploits.
So my question to you would be, how many have had problems in their organization? Share some of those problems. Now, we're not here to just listen to a speaker speak. We're here to learn from each other, to gather information and to make our businesses better, right? We're all in the same world. So if anybody has a story, a comment, a question, he'll come around with the microphone, and we've got about, what, five minutes, ten minutes left.
So nobody wants to be the first to speak up? Stephen, speak up. No comedy, Steve. Now. Thank you.
Oh, Jim, you know that life itself is comedy. So the stories and the jokes write themselves, as they do. So in terms of a perfect example, do you see it as an architecture challenge? Where does the integration decluttering need to take place?
Because in this discussion of engaging CSF, it's wonderful to say, okay, I'm going to start mapping out how these things get near each other or maybe even overlap. Where do you begin to deconflict or start that? Forgive me, the "does it bring me joy" thing? Yeah. The lady who puts out the bins and tells people to put stuff in them. What has to happen in an organization to begin that conversation?
I think it starts with the governance. Your organization has to make a commitment to standardizing your processes across all the teams in the organization, right. And I came from a previous organization that got acquired and then got acquired again. And each of those departments was very siloed. They all had their own tools; you know, we had six different change management tools, four different development management tools, all of those kinds of things.
Right. And there was no mandate. There was no leadership from the top that said, wait, we cannot continue this way. We have to start consolidating and working off of a platform that's our standard for doing the work, right. So that's the governance part of it. And then the next would be to identify what we are protecting. Go and identify what we're protecting.
And look at the tools that give us that information and build on those tools first, because again, you're wasting your time if you don't know what you're protecting, right? It's not just assets, it's people. It's buildings. It's laptops. It's software. It's intellectual property. It's data. How many people have, you know, a data masking policy in their organization, but how many enforce it, right?
Nobody, hardly anybody does. Microsoft gives you the tools to do it 100%. The Purview platform is perfect for doing it, and it's stupid simple to do it. The problem is people get all upset because now you're imposing limits on where they can share that information, right? So you have to get buy in from the executives and the leadership in the company to say, we are going to do this thing.
And I will say that from a regulatory perspective, if your data classification policy doesn't show that you're enforcing it, there's going to be legal trouble within the next couple of years for companies that do not enforce their data classification policies, right. It's getting pretty bad. So that's a good point, Stephen. Again, start with the governance, the leadership, start with the assets.
What are you protecting, right? But the point is to start. To start. Yes. You have to start. You can't just keep doing the... I mean, that's the definition of insanity. Keep doing things the way you've already been doing them, you're always going to get the same results, right? So make it simple. Keep it simple. Life is too complicated. Other questions, comments? I've got one back here.
Again, first of all, thank you for your talk.
You're welcome.
It's very good. This is my first time here. But I've been around IT and working in corporations for a long time. And governance is a really hard subject. Hard to sell. I mean, you'll get leadership buy in, but then putting it into place is difficult. And the biggest problem is the people, because there's oftentimes a lot of resistance, and "you're not the boss of me" and "leave me alone."
And then I noticed in your checklist of vetting applications, you left off a box, or a tick box: is it emotionally attached to the users?
Yeah, I left that off on purpose because I don't care about your feelings, I really don't, but I can remember that I care about being a good person.
But in the work environment, I'm dealing with this now with somebody at our company in the IT room. We got them tools, all the tools that he wanted. But he said, you put restrictions on the tools? I said, you're like a homeless person that can't eat; I'm feeding them, and you're complaining about the food.
I mean, exactly, but how do you break down the walls with people like that? And, you know, my experience is I did it with metrics and cost and effort, and displayed: this is one user application. It crashes machines. It's extremely expensive. And it's a high maintenance application. And I convinced, you know, people that were over that user that it was okay.
And we were going to take it off, and be prepared, she's going to start screaming.
So track, I mean literally track, the hours that you're using to manage and troubleshoot all of that, all of the downtime that people aren't able to work, and go to the CFO or CEO and say, look, here's the last month of what this thing costs us.
Exactly. Do you like this? Is this good for the business? If he says yeah, then it's not up to you, right? But if he says no, it's an awareness thing, right? They're probably thinking about things that are so far above that, and you're in this little box here that's driving you nuts. And you have to get that IT team manager to go over across, you know, the little bridge to the next silo, to that person's boss, and say, this is the problem.
Now, you don't... I mean, you just go straight to the CEO and say, look, here's what I'm seeing. I've been trying to go to my manager to do this. They're not listening to me. Go around them, go around the roadblocks. Too many companies have this.
And I know a lot about doing that. But it became... the problem was subscriptions, and who ordered them. And then they were delivered by the third party. And that got interesting.
Again, the procurement process, and it all boils down to money. I think somebody else back there had a question, in a black jacket in the back. Blue jacket. Oh, another one. Okay.
Just to pivot a little bit off of that idea. One of the issues that we often see is, you know, the infighting, political decisions about who owns a tool and who's responsible for, you know, paying for it.
And if I'm paying for it, then I get to decide what I get and, you know, all of that. But not to get into that so much, but from a security standpoint, a lot of your conversation is about, you know, finding a more efficient solution to this holistically, right? But one of the questions that often comes up is, you know, the decision: do we go for something that's a unified, you know, a platform to ease, you know, single pane of glass, simplicity of management?
Or do we go with something that's best of breed? And oftentimes those are not the same thing. Where do you, you know, fall on the decision making, you know, paradigm of what is more important in that discussion for you?
You know, I think there's never going to be a single pane of glass for you to look at, to run your business and see everything about it.
Right? So that's kind of a foolish wish. But I think what you have to do is prioritize, when you're looking at different tools and how you're monitoring what's going on in your organization, which tools are going to give you the most actionable, most critical alerts. And that's the thing you spend most of your time on, and you feed a subset of data from other tools into that. Let me give you an example.
And I'm not trying to sell Graylog, but in Graylog you can actually pull in data from the Defender for Endpoint API or other APIs. Doesn't matter, right? So, yeah, I could easily go to the Microsoft portal and look at all the alerts and everything else in there. But what I want to do is filter out all that big bulk of information that's in that Defender portal down to a few key things, right?
So, for example, I want to make sure that no new user accounts are getting created that I don't know about, or that there are no global admin roles provisioned to anybody within your... Because those are actionable things that I want to look at immediately. So that kind of data I would filter to more of my main single pane of glass that I'm looking at, right?
And let the rest be out there kind of as backup data, kind of the way with a SIEM. I think a lot of people just dump everything into a SIEM right now, and I don't want to get off on topic here because we're about out of time. But now the way to do it is to bring your data into a SIEM, only filter out the logs that you need, and push the rest to a data lake somewhere.
And that way, when you have an incident or an event, you can go back to the data lake, pull in that data, and only pay for the integration into your SIEM at that point in time, right? Most vendors won't tell you that can happen, but that can happen. So that's kind of why I look at it like: tier it to the most critical, most informational stuff. The worst thing that could happen to your organization needs to be in front of your SOC analysts all the time.
The rest, they just need to have a way to get to it and understand what that path is, right? What are the tools? Here's the tool list that we have approved. Here's how you get to that tool when this happens. So it goes back to that whole life cycle of an event. So I think we're out of time.
But I appreciate everybody's time today. Thanks for coming out.
I'll be around afterwards if you have questions; I want to chat.