If IT tools are deployed in the digital forest and nobody sees or uses them, do they really exist?
Most chief information security officers (CISOs) know better than to answer this Zenlike question. Whether software has been detected or not, the unfettered sprawl of authorized and unauthorized tools can open a real and potentially devastating backdoor for hackers.
Bradley Schaufenbuel understands this well. The CISO of Paychex, a provider of payroll services for small businesses, says “tool sprawl” has become a major concern for security teams. His own team finds new vulnerabilities from rogue software every day. If that software is not regularly updated, the attack surface grows exponentially.
“Unless the tools are sanctioned and inventoried, security teams are often unaware of their existence,” says Schaufenbuel. “And a security team cannot secure what it does not know exists.”
A sprawling problem
Many unsanctioned tools get haphazardly installed across an enterprise without IT’s knowledge and remain that way—forgotten, unpatched, and vulnerable—until a hacker finds and uses them to breach a company’s network.
According to a 2020 global Tanium survey, 91% of IT decision-makers acknowledged they have too little visibility or control over IT assets. Indeed, nearly a third said shadow IT projects and the profusion of authorized and unauthorized tools were causing huge problems.
Today’s distributed workforces have only made things worse. Three in five remote workers are now using rogue tools outside of official IT policy, according to a survey by network security company NetMotion. This profusion of unvetted software presents headaches for businesses as they seek to return to some semblance of a “normal” workplace post-pandemic. The problem is further compounded as global IT environments have grown in size and complexity over the years, and hybrid and multicloud environments have become commonplace.
Security tools can breed insecurity
The great irony of all of this complexity and rogue software is that the very tools designed to protect the security of an organization may present the greatest cybersecurity threat, as the recent SolarWinds hack highlighted.
In one survey, 55% of IT decision-makers reported using 20 or more tools between security and operations, with 70% saying these tools lack full integration. While some IT security professionals may think that multiple security tools allow teams to flexibly cover more ground, an IBM study suggests the opposite is true. These loosely coupled point solutions create added cost and complexity that end up hindering an organization’s ability to detect and respond to breaches.
But Josh Schofield, a senior director of product management at Tanium, says problems with security tool sprawl do not necessarily begin with IT departments. Most such tools, he maintains, are one-time freeware installs by employees self-servicing their machines. Problems arise, he says, when licenses requiring corporations to pay for those applications kick in and block use of the programs. Few users go the extra mile to actually remove them, creating potential cybersecurity vulnerabilities, Schofield says.
If a tool is legitimately useful, insist that it go through a vetting process to become sanctioned.
Chris Hughes, a cybersecurity consultant and university lecturer on the topic, says every cybersecurity tool needs to be paired with someone who knows how to deploy, install, and manage it. When IT organizations have support staff to monitor tool sprawl, they tend to be more resilient against attack. But few security teams are capable of doing this well right now because of a critical security talent shortage. Investing in multiple cybersecurity tools therefore makes little security sense, Hughes says.
“Most security teams with dozens of tools will admit they don’t really know how well they are working,” he says. “They are spending a lot on these tools but can’t tell you if they are getting value out of them. And that’s money they could have shifted to other resources, like bolstering their teams.”
Mark Settle, a former CIO for Okta and BMC Software, sees another side to the issue. In principle, companies invest in multiple tools because they have complementary capabilities, and the benefits they produce when assembled are greater than the sum of their parts. “That’s the theory,” says Settle, who recently wrote a book on IT management. “In practice, tools may have overlapping capabilities, be difficult to administer, and come with underlying security vulnerabilities.”
How to rein in tool sprawl
In theory, organizations looking to counter tool sprawl could simply deploy a single sanctioned platform to handle multiple functions. This would streamline operations and security while all but eliminating the need for shadow IT solutions. However, experts recommend a few basic steps for immediately improving IT hygiene and security:
Inventory endpoints and software. Schaufenbuel’s team at Paychex did this as part of a larger effort to rationalize tool spending and consolidate its vendors. Some organizations will already have workflow or comprehensive endpoint management platforms deployed to help accomplish this. Those that do not should consider such solutions for greater visibility and control of digital tools and applications.
Schofield also recommends looking for anomalies as part of this process, not just knowing everything that’s installed on a network but also what seems to be installed in more limited fashion—and why.
“It’s great to know you have a tool installed on 50,000 devices, but it’s even more interesting when you can flip that on its head and find situations where you have this one thing that’s only installed on five machines,” Schofield says. “That’s the kind of thing you really want to be looking for because it could represent a major attack vector.”
Strengthen access. It is incredibly difficult to accurately assess what’s on a network if devices are not registered to it. Schaufenbuel recommends giving users an amnesty period to register tools so they can be continually hardened and updated, and if that doesn’t work, aggressively blocking or removing unsanctioned tools from company systems. “If a tool is legitimately useful, insist that it go through a vetting process to become sanctioned,” Schaufenbuel suggests.
He cautions that this is not a one-size-fits-all approach. Software developers, in particular, may need more flexibility to install unsanctioned tools to do their jobs. “One of the biggest mistakes I have made is locking down developer workstations too tightly,” he says, “which can hamper productivity, inhibit innovation, and foster resentment toward the security team.” For developers, he says, it is better to use an endpoint management solution that permits them to install tools in a more controlled way.
Scrutinize tool spending. Once an organization has a handle on tools, it needs to evaluate the investment in them. Technologists can become so obsessed with buying the latest and greatest tools that they overlook the other tools they’ve already invested in. “Some of the CISOs I know challenge their teams to identify an existing tool that they’re willing to give up before approving the purchase of a new product or service,” says Settle. “That can be a highly effective way of limiting the sprawl.”
Patch. Patch. Patch. Once IT can see every tree in its digital forest, it can then update and secure them. IT should prioritize software patches that head off vulnerabilities most likely to impact the business. It is important to pay particular attention to desktops, laptops, and printers running dormant or outdated software. A recent HP Bromium report found that an old, unpatched memory corruption vulnerability in Microsoft Office caused almost 75% of all exploits caught by its HP Sure Click cybersecurity feature.
Move beyond passwords. Every CISO knows passwords by themselves are an ineffective method of controlling network access. It’s important, therefore, to implement mechanisms to help users not only create strong, long, and unique credentials—but also remember them. Identity and access management tools, such as OneLogin, can help with this. Security experts say organizations should also implement multifactor authentication (MFA) to reduce the risk of phishing and brute force attacks. This is especially important because of the growing number of remote desktop protocol (RDP) endpoints attacked during the COVID pandemic.