It's not just a security problem, but we often add to our arsenal without fully (or even mostly) utilizing the tools we already have.
Problems associated with this are:
- More complexity in your environment
- Needing more staff, or requiring current staff to stretch themselves thin, to support differing tools
- Increased cost (capital, operational, support)
- Information overload - even with a SIEM, more data requires more analysis
  - Increased chance of missing key events
  - Increased false positives
What am I missing?
How do we work through this when we're not the decision maker?
- "Operational Excellence" - Martin's story
How do we work with our vendors to ensure that we are leveraging their tools without over dependence on one tool or vendor?
Advantages of security debt
- All eggs not in one basket
- Ability to leverage different technology sets to catch more bad stuff
- In a larger environment what works in one area of the network may not work well in another
- Requires more staff, with experience in other areas that the team can draw on