Legacy security tools: peace of mind at what price?
For years we’ve been hearing stories from the field about security teams that buy the latest web app and API protection solutions but still fall victim to successful attacks. They do the research, go through the RFP process, check up on the vendor, feel like this is the tool that’s going to work — and then that peace of mind is diminished when attacks still get through.
If you’ve experienced this too, you’re not alone. In fact, “Reaching the Tipping Point of Web Application and API Security,” a report we produced in partnership with Enterprise Strategy Group (ESG) Research, reveals that companies use an average of 11 tools, yet 82% of respondents said they’ve experienced a successful attack in the past 12 months.
What gives? How are attacks still getting through a whopping 11 tools on average? After surveying engineering, security, IT, and DevOps leaders across 500 organizations in North America, Europe, and Asia-Pacific, and Japan, we’ve uncovered a few of the issues, and they may not be unfamiliar to you.
Too little correlation, too many manual processes
The most common challenge survey respondents reported was correlating data across multiple tools, cited by 32% of respondents. With so many tools from so many vendors, differing log formats to parse, lack of integrations, and under-staffed teams, it’s no wonder many companies struggle with this.
Additionally, 30% of respondents indicated that manual processes hindered their ability to keep up. Many legacy tools require ruleset customization and testing. In fact, 68% of respondents said their organization developed new rules for deployed controls at least monthly, with efficacy testing typically lasting at least a week.
With that much time devoted to customizing and testing tools, then trying to parse out data from potentially thousands of datasets, security and engineering teams are left with little time for much else. More efficient tools integrate into your existing toolset and workflows and don’t require a lot of customization in order for them to work.
False positives are common and time consuming
If the different web application and API security tools deployed by organizations worked effectively, perhaps the inefficiency of the workflow could be tolerated. You probably know from experience though, that’s not the case.
Respondents reported an average of 53 alerts per day from their web application and API security tools, with 45% of these ultimately determined to be false positives. The problem here is that you don’t know it’s a false positive until after you’ve done the work to investigate it.
When a real attack does get through, 46% of our respondents said their systems were offline for an average of a few days. However, the same percentage of people said false positives caused just as much downtime. The ultimate result is that 75% of respondents said their organization spends equal or more time on false positives as actual attacks.
This is a disappointing finding as every minute spent on false positives is one not spent on application security strategy, process improvement, and skill up-leveling. Under-staffed or under-skilled security organizations are left fighting an uphill battle to protect their applications on a daily basis. It’s both a waste of time and resources. We need modern security tools to look at intent, not just action.
Tools that aren’t turned on don’t work
With tools that are too hard to use and that waste time and resources, it’s no wonder that the users of these tools feel jaded. Our research says that 53% chose to shift to operating in log or monitor mode vs. full blocking mode, 12% report turning their tools off, and 26% report doing both.
In other words, more than a third of respondents felt that completely shutting down their security tools was a less disruptive course of action than continuing to manage false positives. Even more disturbing is that these tools are turned off very shortly after they are deployed — 82% of respondents indicated their organization turned off web application and API protection tools less than one month after deploying.
A new approach is needed
With data like this, it’s no surprise that companies say they’re ready for a new way. We need integrated, consolidated tooling that works across teams — but it looks like we already know that: 93% of respondents said they are interested in or planning to deploy a consolidated web application and API security solution to improve security efficacy, provide consistent protection across disparate application architectures and environments, and reduce costs.
There’s no time like the present to start updating and consolidating your processes and security stacks. For more information on this pressing topic, download the complete report.