6 Essential Things to Consider When Beginning to Build a Tech Stack for your SMB


Designing a tech stack that covers all of a business's cybersecurity needs has grown more complex over the years. Security demands rise as cyberattacks increase in frequency and sophistication, and the number of tools on offer has grown to match. So many tools exist that it can be hard to know where to start when building or restructuring a tech stack, and there is a real temptation to buy too many of them. Businesses need to find the balance that improves their security posture within their budget. In this article we run through 6 things businesses should consider to make sure their tech stack is working for them as efficiently as possible.

#1 Understand what a security tech stack is and why it is important to SMBs

A business's security tech stack is the collection of tools, software, vendors, and platforms it uses to manage its security needs. More cyber risks threaten SMBs than ever before. Our article on why SMBs need to worry about security collects statistics on the damage cyberattacks are doing to small businesses. Two of the more worrying ones: in 2021, 61% of small businesses experienced a data breach, and 60% of small businesses that fall victim to a cyberattack go out of business within 6 months.

When used correctly, a tech stack gives a business a strong security posture in a cost-effective way. An SMB's tech stack should also save time through automation. SMBs generally do not have a large in-house security team, if they have any in-house security staff at all, so security usually falls to an IT team for whom it is just one of many responsibilities; tools help that team keep on top of it. Where an SMB does have a small security team, tools that automate routine tasks let its members focus on work that needs judgment, such as evaluating network architecture, improving security for a remote workforce, and incident response.

#2 Know what has changed with tech stacks over the years

You want a tech stack that will not become outdated and will not need frequent restructuring. In the past, companies could get by with a minimal set of tools: a firewall, antivirus software, and an intrusion detection system, and feel relatively secure. The landscape has changed. Today there is a need for cloud security, incident detection and response, endpoint detection and response (EDR), zero-trust networking, forensics, authentication tools such as multi-factor authentication (MFA), and more.

Buzzwords such as AI, machine learning, and cross-layered detection and response may make you feel you need the newest tool. Newer tools can bring genuinely advanced capabilities, but the fundamental question to ask of any of them is: will this tool lower risk? If you can say with confidence that it will, and explain why, it is likely a good fit for your stack. Ultimately, a tech stack should be consolidated down to the tools that address your fundamental security risks.

#3 Determine the risk profile of your business

Determining the risk profile of your business involves several steps. For a more in-depth treatment we have articles on risk assessment and analysis for SMBs, as well as on risk management strategies. A risk assessment is where you evaluate your security and look for vulnerabilities that pose potential risks. Those risks are then analyzed by assigning each a quantifiable value based on its expected cost to the business, typically what a single incident would cost multiplied by how often you expect it to occur.

These vulnerabilities will be specific to your network architecture, and they shed light on whether the tools you already use offer adequate protection, and on whether a tool you are considering will show a high return on investment.

Your SMB’s industry will also play a role in the amount of risk you take on. Certain industries are more likely to be hit by certain attacks.

[Chart: share of DDoS attacks by industry. Sourced from Cloudflare]

The chart shows that businesses in manufacturing, gaming, or business services are much more likely to be hit by a DDoS attack. Looking at cost rather than frequency, some industries pay far more on average for a data breach than others.

[Chart: average cost of a data breach by industry. Sourced from IBM]

Both how often you can expect to be attacked and what an attack is likely to cost feed into your risk profile. Other factors are your online presence, how much customer information you store, and whether you have a remote workforce. Companies with a public online presence have to worry more about DDoS attacks (and, if they expose APIs, about API security). Those who hold customers' personally identifiable information (PII) are a more attractive target for attackers. Remote workforces introduce risks of their own that need adequate security measures.

To plan a risk management strategy effectively, executives have to state their risk appetite (how much risk they find acceptable). Board members and executive leadership also need a shared understanding of the organization's objectives and of how security supports them.

#4 Know each aspect of security that your tech stack needs to address and tools to use to do this

Cybersecurity frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) organize security into five functions: identify, protect, detect, respond, and recover. Each tool in your tech stack should support at least one of them. (The 2024 revision, CSF 2.0, adds a sixth function, Govern, covering strategy, expectations, and policy; the five below remain.) Here are the five functions as stated in the NIST framework.

Identify – Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.

Protect – Develop and implement appropriate safeguards to ensure delivery of critical services.

Detect – Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.

Respond – Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.

Recover – Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.

Keeping these five functions in mind, we can now look at some critical areas of security and how each maps onto them. A complete tech stack should address all five.

Doing a risk assessment and analysis, and having executives set the risk appetite and the organizational goals for risk management, all help to identify threats. Tools can help analyze and quantify risks. Vulnerability scanners search your systems for known vulnerabilities, missing patches, and misconfigurations, and an up-to-date asset inventory tells you what there is to protect in the first place.

Protect tools should include perimeter and endpoint safeguards as well as authentication controls. Perimeter security includes network firewalls and web application firewalls (WAFs); endpoint protection includes antivirus software. Authentication controls include multi-factor authentication (MFA).

Security information and event management (SIEM) tools collect logs from across your environment and detect abnormal behavior in your network. They correlate events and can flag things like suspicious logins or an account with too many failed login attempts. Endpoint detection and response (EDR) tools monitor endpoints and detect possible threats on them.
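To make the "too many failed login attempts" rule concrete, here is an added example (written for this article, not code from any SIEM product) of the kind of detection logic a SIEM rule implements. It goes one step beyond the single case in the text: besides a brute-force rule (one source IP hammering one account) it also catches password spraying, where one source IP tries a few passwords against many accounts and so stays under any per-account lockout threshold. The log format is a constructed, sshd-like format; the thresholds, the five-minute window, and the sample lines are all assumptions chosen for the demo.

```python
"""Added example (not from the article or any SIEM vendor): two detections a
SIEM rule would implement over authentication logs, run on constructed
sample lines in a made-up sshd-like format.

  brute_force     one source IP fails repeatedly against one account
  password_spray  one source IP fails against many different accounts,
                  a pattern that per-account lockout thresholds miss

Thresholds, window and log format are assumptions chosen for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)$"
)

WINDOW = timedelta(minutes=5)   # sliding window used by both rules
BRUTE_FORCE_THRESHOLD = 5       # failures for one (ip, user) inside WINDOW
SPRAY_THRESHOLD = 3             # distinct users failed from one ip inside WINDOW


def parse(line):
    """Return (timestamp, result, user, ip), or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def detect(lines):
    """Run both rules over log lines in time order; each alert fires once."""
    alerts = []
    fails_per_pair = defaultdict(deque)   # (ip, user) -> failure timestamps
    users_per_ip = defaultdict(dict)      # ip -> {user: last failure timestamp}
    fired = set()

    for line in lines:
        event = parse(line)
        if event is None:
            continue
        ts, result, user, ip = event
        if result != "Failed":
            continue  # successful logins are not counted by either rule

        # Rule 1: brute force against a single account.
        window = fails_per_pair[(ip, user)]
        window.append(ts)
        while ts - window[0] > WINDOW:
            window.popleft()
        if len(window) >= BRUTE_FORCE_THRESHOLD and ("brute", ip, user) not in fired:
            fired.add(("brute", ip, user))
            alerts.append(("brute_force", ip, user, len(window)))

        # Rule 2: password spraying, one source trying many accounts.
        recent = users_per_ip[ip]
        recent[user] = ts
        for stale in [u for u, t in recent.items() if ts - t > WINDOW]:
            del recent[stale]
        if len(recent) >= SPRAY_THRESHOLD and ("spray", ip) not in fired:
            fired.add(("spray", ip))
            alerts.append(("password_spray", ip, sorted(recent), len(recent)))

    return alerts


# Constructed sample log: one brute-force run, one spray, one benign typo.
SAMPLE_LOG = [
    "2024-03-01T09:00:01 sshd: Failed password for alice from 203.0.113.7",
    "2024-03-01T09:00:03 sshd: Failed password for alice from 203.0.113.7",
    "2024-03-01T09:00:04 sshd: Failed password for alice from 203.0.113.7",
    "2024-03-01T09:00:06 sshd: Failed password for alice from 203.0.113.7",
    "2024-03-01T09:01:10 sshd: Failed password for erin from 192.0.2.5",
    "2024-03-01T09:01:20 sshd: Accepted password for erin from 192.0.2.5",
    "2024-03-01T09:02:00 sshd: Failed password for alice from 203.0.113.7",
    "2024-03-01T09:10:00 sshd: Failed password for bob from 198.51.100.9",
    "2024-03-01T09:10:02 sshd: Failed password for invalid user carol from 198.51.100.9",
    "2024-03-01T09:10:05 sshd: Failed password for dave from 198.51.100.9",
    "2024-03-01T09:30:00 sshd: Failed password for alice from 203.0.113.7",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run on the sample, it raises two alerts: a brute-force alert for alice from 203.0.113.7 on the fifth failure, and a password-spray alert for 198.51.100.9 once it has failed against three different accounts. Erin's single typo followed by a successful login raises nothing, and alice's lone failure at 09:30 falls outside the window. In a real SIEM the thresholds are tuned against your own baseline, and the rule is only as good as the logs it is fed, which is why log collection from every authentication point comes before any clever correlation.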

EDR tools also contain those threats automatically where possible, for example by isolating an infected endpoint from the network, which makes them part of your response capability. Some SIEMs also have action triggers that let them respond to threats. Other response tools include cloud DDoS protection providers that absorb a DDoS attack when it hits your systems. Companies should always have a cyber incident response plan (CIRP) in place so they know exactly how they will respond to an attack.

The final function is recovery. Backup and disaster recovery tools serve it. Backups taken before an attack make recovering from it far less costly, provided they are kept offline or immutable so that ransomware cannot encrypt or delete them along with the live data, and provided you actually test restoring from them. Forensic tools also aid recovery and let security teams learn from an attack by taking forensic images of affected systems while an incident is underway. Many providers offer disaster recovery solutions, including IBM and Microsoft Azure.

#5 Understand the options available to you and make sure each element in your stack is working together effectively

We have just covered the aspects of security your tech stack should address. Now you may be ready to pick your tools. Finding them will not be an issue; the hard part will be deciding which of the many solutions out there are right for you.

[Figure sourced from Momentum Cyber]

Small businesses have an average of 15-20 cybersecurity tools in their tech stacks; medium businesses average 50-60. While tools help, too many tools create issues. The more tools you have, the more you are spending: if 5 tools can do the same job as the 10 you use now, you are paying for 5 you do not need. More tools also mean more places where access control has to be managed and more places where misconfigurations can occur, and every vendor agent or integration you deploy is itself attack surface.

It is important to make sure all of your tools integrate and complement each other well. In a recent interview with Dallas Haselhorst, a consultant at TreeTop Security, he described a situation where one of TreeTop's clients was investing in tools that were not needed. He says, “We had a discussion with a customer here in the last few weeks that wanted to upgrade their disaster recovery setup. Okay, sure, we have these discussions all the time. But my first question wasn’t to get into the technical aspect and start talking about all of those things. It was, why do you need a better DR Setup?

They started explaining it, and I said I thought you moved these systems out to the cloud? The cloud kind of brings up this whole new discussion as to why you really need to understand the business. What it amounts to, or what that conversation came down to, is they didn’t need to upgrade their DR Infrastructure whatsoever because they were actually scaling back what they had on premise at this point. So it actually made more sense to do less DR because they’re now offloading a lot of those functionalities to the cloud.”

The client was not aware that their cloud provider was already offering disaster recovery protection. Understanding your tools and planning exactly which area of security each one covers avoids unnecessary redundancy. Sometimes redundancy is a good thing, as we discuss next under layered security, but those decisions should be deliberate and planned rather than accidental.

#6 Take a multilayer approach

Layered security is a security best practice. It means no single tool is your only line of defense: if one fails, others are there to catch what it missed. An attacker can get through a single line of defense far more easily than through several independent measures at once.

A DDoS attack is a useful example. As described in our article on defending against DDoS attacks, certain kinds of DDoS attacks, such as TCP SYN floods, can quickly exhaust the connection table of a stateful firewall. If that firewall is your only defense against DDoS, your network is likely to be badly affected. You also have to be prepared for attackers using multiple vectors at once: sometimes the DDoS attack is there to exhaust the firewall and occupy the defenders so that another attack can slip into the network unnoticed.

A “Defense in Depth” approach emphasizes multiple layers of security and assumes that no single control is ever completely secure. Taking this approach means considering physical, technical, and administrative controls.

Physical controls are on-premises protections such as security guards and locked doors; they protect against unauthorized physical access, including by malicious insiders. Technical controls are hardware, software, and network-level protections; in short, your tech stack. Administrative controls are the policies that govern employees, including access-control policies such as the principle of least privilege, which states that each user, account, or service should be given only the privileges needed to complete its tasks, and for as short a time as possible. The policy is administrative, but it is enforced through technical controls such as the roles configured in your identity provider, so the layers depend on one another.

The takeaways: your tools should give you multiple layers of protection in case an attacker gets through one of them, and other security measures beyond the tech stack should be in place to protect your networks.

Moving forward

By signing up to PeerWise you will get access to future articles in which we look at the security tech stacks real SMBs are currently using. These can help you gauge your security standing against other companies and shed light on whether your tech stack is securing all the areas it needs to.

