
Ending the Tyranny of Expensive Security Tools

Security tools: sometimes it seems that we never have enough to keep up with the task of protecting the enterprise. Or, at least it seems that way when walking the exhibit floor at most technology conferences. There’s a veritable smorgasbord of tools available, and you could easily spend your entire day looking for the perfect solution for every problem.

But, the truth is, IT teams at most organizations simply don’t have the budget or resources to implement dedicated security tools to meet every need and technical requirement. They’re too busy struggling with Cloud migrations, SaaS deployments, network upgrades, and essentially “keeping the lights on.”

Have you ever actually counted all the security tools your organization already owns? In addition to the licensing and support costs, every new product requires something most IT environments are in short supply of these days—time.

Optimism fades quickly when you’re confronted by the amount of time and effort required to implement and maintain a security tool in most organizations. As a result, these products end up either barely functional or as shelfware, leaving you to wonder if it’s possible to own too many tools.

There has to be a better way.

Maybe it’s time to stop the buying spree and consider whether you really need to implement another security tool. The fear, uncertainty, and doubt (FUD) that drives the need to increase the budget for improving IT security works for only so long. At some point, the enterprise will demand tangible results for the money spent.

Try a little experiment. Pretend that you don’t have any budget for security tools. You might discover that your organization already owns plenty of products with functionality that can be used for security purposes.

What about open source? It isn’t just for academic environments. Plenty of large, for-profit organizations such as Google® and Apple® rely on open source software to build and support their own products. Open source can be reliable and even complement the commercial software in your existing portfolio. Additionally, many vendors originally started as open source and continue to maintain free community edition versions.

A recent trend in security is anomaly detection. If you can’t afford a dedicated tool, why not leverage existing monitoring systems for this purpose? Many of these tools track performance to create baselines and alert on unacceptable thresholds. While an alarm could be caused by hardware or software failures, alerts can also be the sign of an attack.

For incident response, data from a monitoring system can be correlated with information from security tools to help determine the scope of a breach. Many monitoring products even provide canned reports for compliance initiatives such as PCI DSS and HIPAA.

Your enterprise wireless management system (WMS) is a great example of a multifunctional monitoring system. It’s loaded with features such as threshold monitoring, rogue detection, alerting, pre-built security reports, and even some basic firewall features. It’s enough to make your auditors weep for joy.

Netflow is more than just a network tool. The data from your collector is another helpful resource for identifying anomalous traffic, which could be a sign of a breached system and data exfiltration by an attacker. In general, network analysis tools can be very useful during security investigations as they can reveal much about malware behavior and attack scope.
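The baseline-and-threshold idea from the two paragraphs above, applied to NetFlow data, as an added example (not code from the article or from any product it mentions). The flow records, the `10.` internal prefix, the 3-sigma multiplier and the 5 MB floor are all constructed assumptions; a real run would read aggregated exports from your collector.

```python
"""Baseline-and-threshold anomaly detection over NetFlow-style records."""
from collections import defaultdict
from statistics import mean, pstdev

INTERNAL_PREFIX = "10."          # assumed internal address space

# Constructed records: (interval, src_ip, dst_ip, bytes), already aggregated per
# one-hour interval. Intervals 0-5 are history; interval 6 is the one under review.
FLOWS = [
    (0, "10.0.0.5", "203.0.113.9", 1_100_000), (1, "10.0.0.5", "203.0.113.9", 1_300_000),
    (2, "10.0.0.5", "198.51.100.4", 1_000_000), (3, "10.0.0.5", "203.0.113.9", 1_200_000),
    (4, "10.0.0.5", "203.0.113.9", 1_400_000), (5, "10.0.0.5", "198.51.100.4", 1_000_000),
    (6, "10.0.0.5", "198.51.100.77", 48_000_000),   # sudden large upload to a new host
    (0, "10.0.0.7", "203.0.113.20", 30_000_000), (1, "10.0.0.7", "203.0.113.20", 32_000_000),
    (2, "10.0.0.7", "203.0.113.20", 31_000_000), (3, "10.0.0.7", "203.0.113.20", 33_000_000),
    (4, "10.0.0.7", "203.0.113.20", 30_000_000), (5, "10.0.0.7", "203.0.113.20", 34_000_000),
    (6, "10.0.0.7", "203.0.113.20", 35_000_000),    # busy, but within its own norm
    (6, "10.0.0.5", "10.0.0.9", 500_000_000),       # internal-to-internal: not counted
    (6, "203.0.113.9", "10.0.0.7", 70_000_000),     # inbound: not counted
]

def outbound_bytes(flows):
    """Bytes leaving the internal network, keyed by (interval, source host)."""
    totals = defaultdict(int)
    for interval, src, dst, nbytes in flows:
        if src.startswith(INTERNAL_PREFIX) and not dst.startswith(INTERNAL_PREFIX):
            totals[(interval, src)] += nbytes
    return totals

def build_baseline(totals, history):
    """Per-host mean and standard deviation of outbound bytes per interval.
    An interval with no outbound traffic counts as zero, not as missing."""
    baseline = {}
    for host in {src for _, src in totals}:
        samples = [totals.get((i, host), 0) for i in history]
        baseline[host] = (mean(samples), pstdev(samples))
    return baseline

def detect_anomalies(totals, baseline, interval, k=3.0, floor=5_000_000):
    """Alert when a host exceeds mean + k*stdev of its own history. The absolute
    floor stops a quiet host's tiny stdev from alerting on an ordinary update."""
    alerts = []
    for host, (mu, sigma) in baseline.items():
        observed = totals.get((interval, host), 0)
        threshold = max(mu + k * sigma, floor)
        if observed > threshold:
            alerts.append((host, observed, round(threshold)))
    return sorted(alerts)

if __name__ == "__main__":
    totals = outbound_bytes(FLOWS)
    for host, seen, limit in detect_anomalies(totals, build_baseline(totals, range(6)), 6):
        print(f"{host}: {seen:,} bytes out vs threshold {limit:,}; backup job or exfiltration?")
```

As the article notes, the alert is only a sign: the print line is where an analyst would correlate the host with change records or a backup schedule before calling it an incident.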

How about your configuration management systems? In addition to limiting access by centralizing changes, these tools can automate patching and provide audit trails. Some asset management systems can even be used for file integrity monitoring (FIM) or application whitelisting, and open source host intrusion detection systems (HIDS) such as OSSEC provide FIM functionality as well.

Think you can’t block traffic without a firewall? Think again. Every managed layer-3 device can implement access control lists (ACLs). While you won’t get some of the advanced or NextGen features vendors love to brag about, in many cases an ACL will meet your needs, without the performance impact your network might experience when turning on all the features of a firewall.

If you own load-balancers, a.k.a. application delivery controllers (ADC), you also have some excellent built-in security controls. These devices do more than add high-availability to critical applications. Load-balancers provide application and network denial of service (DoS) protection through mechanisms such as SYN cookies, protocol checks, and connection throttling.

With the right add-ons, most Web browsers can be turned into tools for application analysis, testing, and reconnaissance. Most of these extensions are free; all you need to do is spend the time to find the ones that work for you. But in a pinch, the Google Hacking technique popularized by Johnny Long is still a viable option for determining your organization’s weak spots. You can even use no-cost online malware analysis and sandbox sites such as Wepawet and VirusTotal for crude incident response.

DNS sinkholes, used for blocking access to malicious domains, have matured into the more easily manageable BIND Response Policy Zones. By adding an automatically updated reputation feed, your DNS server becomes a practical security control that can block access or redirect traffic to an internal remediation site.
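How a reputation feed becomes the BIND Response Policy Zone described above, as an added example (not code from the article or from ISC). The feed contents, the zone name `rpz.corp.internal`, its file path and the remediation host `sinkhole.corp.internal` are constructed assumptions; the `response-policy` stanza in the comment is standard BIND syntax.

```python
"""Turn a domain reputation feed into a BIND Response Policy Zone (RPZ)."""
import re

LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
HOSTNAME = re.compile(rf"^{LABEL}(\.{LABEL})+$")

def parse_feed(feed_text):
    """Normalise a feed: drop comments and blanks, lowercase, strip trailing dots,
    and skip anything that is not a hostname (IP literals belong in rpz-ip rules)."""
    domains = set()
    for line in feed_text.splitlines():
        entry = line.split("#", 1)[0].strip().lower().rstrip(".")
        if not entry or not HOSTNAME.match(entry):
            continue
        if entry.rsplit(".", 1)[-1].isdigit():   # last label numeric: an IPv4 literal
            continue
        domains.add(entry)
    return sorted(domains)

def build_rpz_zone(domains, serial, redirect_to=None):
    """Render the zone. 'CNAME .' answers NXDOMAIN (block); a CNAME to a host
    rewrites the answer so clients land on the internal remediation site."""
    target = f"{redirect_to.rstrip('.')}." if redirect_to else "."
    lines = [
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.localhost. ({serial} 3600 600 86400 300)",
        "@ IN NS localhost.",
    ]
    for domain in domains:
        lines.append(f"{domain} IN CNAME {target}")     # the listed name itself
        lines.append(f"*.{domain} IN CNAME {target}")   # and every name beneath it
    return "\n".join(lines) + "\n"

# Loading the generated file in named.conf (assumed zone name and path):
#   zone "rpz.corp.internal" { type master; file "/etc/bind/rpz.corp.internal"; };
#   options { response-policy { zone "rpz.corp.internal"; }; };

FEED = """\
# constructed reputation feed: comment and blank lines are typical
malware-c2.example
MALWARE-C2.example.      # same entry again, different case and trailing dot
phish.example.net

192.0.2.10               # IPv4 literal: not a hostname trigger, skipped
not a domain             # garbage line, skipped
"""

if __name__ == "__main__":
    print(build_rpz_zone(parse_feed(FEED), 2024010101, redirect_to="sinkhole.corp.internal"))
```

Bumping the SOA serial on every regeneration is what makes secondaries pick up the new feed; the wildcard record is what catches throwaway subdomains of a listed domain.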

White hat, black hat, grey hat; they all use the same tools for security testing. And you can use them, too. Whether you choose Kali®, Security Onion®, or Pentoo Linux®, you’ll find enough security tools inside these open source security distros to keep you busy assessing your own organization. Many of the tools even have commercial support contracts available.

Threat intelligence services can be expensive. However, there are inexpensive or even free versions from information sharing and analysis centers (ISAC) and organizations such as Team Cymru and Shadowserver™.

Social media is also a handy tool for monitoring the latest threats and vulnerabilities. Most security researchers and hacktivists maintain Twitter accounts and love to post information about breaches and zero-days, providing even faster updates than Reddit®.

Good security is about managing risk, not tools. Resisting the siren song of the latest product sales pitch doesn’t make you a cheapskate; it makes you a discerning buyer who understands that there is no quick fix to building a more secure enterprise. Most often, it’s not about having the best tool, but having the one that does the job. Moreover, the more tools you have, the more you have to manage, which can increase your liability, cost, and organizational risks.

For more information, you can view a webinar on this topic here.

Level 12

Try free tools first, then purchase.

Level 14

Very well written!  There are an abundance of tools built in our systems.  We leverage these as much as possible, before looking at anything else.


SEC is an open-source log file event correlation tool that is Perl based.

It was designed to process ASA firewall logs but works for many other things as well....

Level 14

Just got done watching the YouTube version of Ending the Tyranny of Expensive Security Tools. Awesomeness!!

Ending the Tyranny of Expensive Security Tools - YouTube

Level 8

Security tools are very important for any organization.

Level 12

Good, Cheap, or Fast ... you can only pick 2. 

No matter which two you pick, you're usually going to have to sacrifice the third.  In the case of good, cheap tools, I find that the sacrifice is usually Fast.

Sure, I can run snort, splunk, rsyslog, nmap, nagios, mrtg, etc. These are all great tools. However, I find that I, and most other "normal" users, don't have the expertise to do these fast. I would estimate that most businesses, in the US at least, run Microsoft, either across the desktops, the servers, or both. The free tools are frequently developed primarily for Linux (because it's also open source (free)), but require Linux expertise, which may not be as available. Some of the tools are ported to Windows, but sometimes poorly, or sometimes with fewer features. Therefore, in my experience, most of the good, free tools would take me more time, so not fast.

Of course, there are exceptions .... such as SolarWinds - which is good, cheap(er) (Inexpensive comparatively), and fairly fast/easy to deploy (with most of us having some basic level of Windows knowledge).

Level 14

When I got into the cyber security field, the first thing I did was take a UNIX class at the local community college.  I followed that up with RedHat classes at the same school.  Most security nerds I know have virtual labs at home so they can become proficient with these tools.  Working cyber almost requires this level of commitment to remain current.

It's true that you may not need to turn to the checkbook to find new security and monitoring capabilities.  To paraphrase what might be seen in any newspaper any day, use the tools already in place rather than buy new ones.

Few folks I've met have had the time and luxury to thoroughly understand any of their products' options to the fullest extent.  I most often see people doing only what's necessary to get something running, then being forced to turn to another fire to put it out.  Keeping the plates spinning on the poles doesn't create an environment in which efficient and complete use of many tools can be accomplished.

Level 12

I always caution against all-in-one tools and possibly no tools, and rather like to go for best-in-breed for what fits the organization. I understand that some tools can be costly, and it is always going to be hard to explain to those not charged with defending the network the need to purchase additional security tools. The key here is to measure your business risks, find out what the biggest risks are, and tackle those first. As the article suggests, sometimes that means leveraging the tools you may already have.

Some of the basic tools for any network defender (keep in mind you may already have a device that offers these security controls at some basic level such as a nextgen UTM firewall):

- Firewall (there are some good ones out there; you don't have to break the bank unless you are looking for higher performance. Many include built-in clustering and load balancing as well)

- Web Filtering is not just for productivity and legal, it can also help protect against malicious URLs

- Email Filtering and encryption has become a key part of every environment.

- Vulnerability scanner (there are some cheap ones out there)

- Anti-Virus (while it may not catch everything it is a basic security control, if you have a MS EA you may have one included already)

- APT control (this one is hard to explain but there are multiple angles to attack this threat, from white listing to predictive algorithms, this can also be inexpensive so shop around to find the one that fits best with the least impact to your budget and environment)

- SIEM (now this one can cost some money but does not have to break the bank; again, shop around. Pick the one that will be the easiest to integrate)

- Threat Intel (FS-ISAC sponsors a product called Soltra Edge that can plug into some SIEMs, and ISACs as well as open source threat intel from sources such as Hail a TAXII). Some SIEMs and security tools already support integration.

- Security Awareness Training - I prefer a good training content provider that updates their content. Some even provide monthly or on-demand Phishing simulations so you can give your employees real world experience and measure the effectiveness of your training.

- Intrusion Detection Systems, now this does not have to be super expensive, but may already be a module in one of your other controls such as your firewall, or even your web filter. Snort is always a good option.

- Web Application Firewall - can be an important service if you have a public web presence. This can be very effective and hosted services may be included with your provider.

- 24/7 Alerting and Monitoring - Some outsource this as a service, but not alerting the right people at the right time (even if you have all the right controls in place) can mean your defenders may not know what hit them. Especially if their SIEM is not well tuned.

After all of this, you can quickly see how the unacquainted can spin at the number of tools it takes to protect and harden your network.

Level 21

I think this is an absolutely fantastic article and certainly got me thinking about how to leverage existing tools as part of my InfoSec strategy!

One thing I would caution against is looking to open source tools because they are "free". Unfortunately, this could not be further from the truth; there is a cost associated with these tools in the time it takes you to deploy, learn and manage them. If you do the proper research, often you will find that these tools are just as costly, if not more so, than a paid-for commercial package.

We've had outside white hats, hired to evaluate our environment, ding us for using free tools like TeraTerm Secure Shell and PuTTY and other open source tools, because you can't rely on any company-contracted support for immediate resolution of newly discovered vulnerabilities and problems on the free tools. It seems to me they have a point, but I do believe open source solutions have value and a place.

For example, look at how many times there have been quicker satisfactory answers from the Thwack community than those that SW Support provided. It'd be an interesting statistic to see.

Any security company that would ding you for using open source tools doesn't understand security. Open source is the FOUNDATION of most commercial products. Qualys, Tenable and Rapid7 = Nmap. Infoblox is built on ISC's BIND and DHCP. You can BUY support contracts for lots of open source, including Sendmail, BIND, Security Onion, and even Metasploit. Additionally, I've found it much easier to upgrade an open source tool when there's a security vulnerability than a commercial product built on one.

About the Author
Mrs. Y is a recovering Unix engineer currently working as a security architect. She likes long walks in hubsites, traveling to security conferences and spending time in the Bat Cave. Sincerely believes that every problem can be solved with a "for" loop.