Rolling Your Own Continuous Security Toolchain

Posted by UpGuard

When it comes to IT security, how do you roll? Many tools exist, but the fact is that in most cases, to do it right, you have to roll your own. This is especially true in today’s environments, where infrastructures can vary widely in composition from organization to organization. Factors such as degree of DevOps and Agile adoption, skill set of IT staff, corporate culture, and even line of business come into play when crafting a security solution for an organization. How well these tools align with the organization ultimately dictates the success or failure of a company’s security architecture. And when existing tools don’t fit or don’t work well, sometimes the only option is to build them yourself.

This is increasingly the case in large organizations with unique security requirements and ample engineering expertise. More often than not, it makes sense to solve these problems with tools developed organically, in-house. These tools often fit into a broader security framework or toolchain, with each chosen for its specific strengths and integration capabilities. And in many instances these homegrown tools are implemented as critical control mechanisms for validating that the security mechanisms in place are working as expected.

Take Netflix, for instance. With its commercial streaming media services consumed by over 60 million subscribers globally, the company needed a specialized framework of tools to secure the volume of payments and customer data being processed. Rather than setting all hopes on a monolithic, off-the-shelf solution to support its highly specialized infrastructure, the firm opted to develop a customized framework of tools. For example, Security Monkey is a tool they developed and open sourced that analyzes configuration security, while Scumblr is an automated intelligence search tool that scours websites for compromised/leaked Netflix account information. Finally, its Fully Integrated Defense Operation (FIDO) automatically analyzes and prioritizes security events based on security, and can remediate security gaps, for example by disabling a compromised employee account.

The effectiveness of a security framework is also in large part dictated by the people in the organization. For example, unwitting employees are the main cause of malware outbreaks on internal, corporate networks; this is true in virtually all high-profile data breach cases occurring in the last few years. A security framework must therefore take the human element into account when bolstering a firm’s security posture. For example, Walmart created the Security Maven program internally to engage engineering and product teams in taking a collaborative approach to proactively and continuously improve security best practices within Walmart.

In short, no solution should be regarded as a one-stop security shop, even if large vendors try to market their security suites or ecosystem of products as such. Many of these leading offerings have their roots in solutions developed in-house to address internal challenges. And as many of these tools have been commercialized and/or released to the public as open source, keep in mind that most have their genesis in solving specific problems for organizations at a given point in time. In designing a retail computing infrastructure to completely standardize and automate its bookselling and shopping empire back in 2003, Amazon laid the foundation for its future commercial AWS offering and cloud computing empire.

It may not be necessary to write your own security tools by hand, but don’t expect a single, turnkey solution to fully secure your environment either (especially if it is complex). A sustainable and scalable continuous security toolchain will combine the optimal tools, homegrown or otherwise, into a framework that responds to each organization’s unique needs. To this end, UpGuard provides continuous security monitoring and vulnerability assessment capabilities that dovetail with other security tools, enabling the complete visibility and validation critical for end-to-end security.
