Picking a Security Tool in Today’s World

Today’s cybersecurity market is overcrowded, and full of marketing teams who write claims that fall flat on their faces simply in the way they’re written. In this overcrowded market, how is an MSP to choose?

Let’s be Honest: The Market is Annoying

I’m a huge fan of competition. Without competition, we don’t have innovation. I’m also a big fan of consumer-driven innovation. However, over-hyped competition can create toxic marketplaces, and I feel we’re dangerously close to that status-quo in cybersecurity. Many cyber sales teams have been overtaken by CRO’s that have little interest in driving positive business outcomes or in the efficacy of their product. They focus on pushing marketing teams to drive material that generates revenue, at any cost.

In fact, it’s gotten so bad that we have security companies tossing around “100% prevention” and “cyber-immunity” (both of which are impossible and illogical statements). The truth is, nobody has solved cybersecurity, because it cannot be solved. Cybersecurity is a never ending game that we all play. We win some, and we lose some. The best we can hope for is a higher win to loss ratio and contained losses.

The other downside of competition is choice. Human beings are notoriously bad at making decisions, which is what these marketing teams pray on. CISO’s and MSP’s alike find themselves staring down 5-10 different tools to solve a single problem, and it leads to huge amounts of wasted time looking a meaningless statistics to make a choice in a never-ending cycle.

Let’s Break That Cycle: How to choose in 2023 (as an MSP)

Can’t forget my standard disclaimer: Practitioners are responsible for making choices, I only aim to provide some ideas here. I’m not vouching for any one thing or strategy, and nobody (including me) can make a choice for you.

First thing’s first: trim the fat. For me, most companies that have had people relentlessly pinging me on LinkedIn are automatically out. They’ve no interest in my outcomes, they are disqualified. Finally, from a technical standpoint, I tend to research the top five or so products in the segment. We can use VirusTotal, AVLabs results, Gartner, or a combination of all of that. Point being, you’ll find that the top five products in any segment have negligible technical differences, and are often ragging on each other over tenths of percentage points. The top five options are all great options.

Change your lens!

If the top five or so products are nearly indiscernible technically, what do we do? Well, we look at it from a new angle: operations. You see, tools make up a small fraction of our overall cybersecurity operations. If we’re following a framework, we have policies and procedures, incident response plans, and a bunch of other things to deal with. Your tools need to enable your operations, not the other way around. With that in mind, let’s recap and then I’ll give you my advice for picking a tool:

1. Trim the fat. As mentioned above, cut out the long tail of the market and the companies you know you don’t want to deal with.
2. Evaluate the data, pick the top 5 or so players.
3. Get trials. Evaluate all of your front-runners, and look at the following:
   1. Claimed efficacy. Hit them with a couple of attacks, just to validate. This will help you build confidence if nothing else.
   2. Ease of implementation. Figure out what it takes to implement the product across your customer base. Doing this will help you understand the amount of effort it will take, definitely something to keep in mind as this is definitely the most expensive part of changing/adding a tool.
   3. Operations
      1. Can it dispatch alerts to my team the way I need it to? This may be your PSA, pushing to your SOC vendor’s SIEM, or something else.
      2. Does it present a clear picture of it’s current status and operational well-being. That is, can I easily highlight missing agents, users, updates etc.? Basically, how hard do I have to work to make sure this new tool is in all the places it needs to be?
      3. Does it provide a clear picture of an incident? This one is big. If you and your team aren’t well versed in MITRE ATT&CK, why would you use a tool that produces incident reports only in that fashion???
      4. Does it integrate? A lot of modern tools will give you a clear picture across endpoints, email, and other vulnerable surface areas. If you’re wanting to streamline operations, you should strongly consider tightly integrating all of your layers.

Of course, this is just a small example. Add questions, take some out, change ’em, whatever. My whole point is you should prioritize operational efficiency when considering the net tool you’re going to scale out across your customer base.

Other Key Consideration

As food for thought, before you start any of this. Ask yourself, “why am I looking at a new tool.” If the answer is “because the SDR of so and so told me to,” consider aborting! Shiny tool syndrome is a real thing for us nerds and it can really distract us from running our businesses. Only change tools when you are solving a new or different challenge, lest you find yourself wasting your time and your teams time on playing with shiny new things too much 🙂.